When does the EU AI Act fully apply?

The Act is fully applicable from 2 August 2027, when the obligations for high-risk AI systems that are safety components of Annex I products and the obligations for pre-existing GPAI models also become enforceable.

Are prohibited practices already illegal?

Yes. The Article 5 prohibitions have applied since 2 February 2025 and supervisory authorities can impose fines under Article 99 for breaches occurring after that date.

When do penalties under the EU AI Act start?

From 2 August 2025 for the obligations in force at that point (prohibited practices, AI literacy, GPAI), and from 2 August 2026 for the obligations that activate on that date.

What happens to AI systems already on the market in August 2026?

High-risk systems already on the market before 2 August 2026 do not need to comply unless they undergo a significant change. Public-sector use of such systems must be brought into compliance by 2 August 2030.

When do GPAI obligations apply to existing models?

GPAI models placed on the market before 2 August 2025 must be brought into full compliance with Chapter V by 2 August 2027. New models placed on the market from 2 August 2025 must comply at the point of being placed on the market.

Will the Commission delay any deadlines?

There is no formal mechanism for blanket postponement, but the Commission has signalled flexibility on enforcement priorities and standards readiness. Plan against the published dates rather than anticipated delays.

Last reviewed: May 2026 · 8 min read

EU AI Act Timeline: Every Deadline From 2024 to 2027

Why a phased timeline?

The Act's obligations are spread out so organisations can build compliance programmes, so harmonised standards under CEN-CENELEC JTC 21 can be finalised, and so notified bodies and national authorities have time to scale up. The phasing also lets the European AI Office stand up its enforcement function and the EU database for high-risk systems go live before registration is mandatory.

1 August 2024 — Entry into force

Regulation (EU) 2024/1689 entered into force, starting the clock on every subsequent deadline. The text became binding but most operational obligations remained dormant during transitional periods.

2 February 2025 — Prohibitions and AI literacy

Two sets of provisions became applicable:

Article 5 prohibited practices: subliminal manipulation, exploitation of vulnerabilities, social scoring by public authorities, predictive policing based purely on profiling, untargeted scraping of facial images, emotion recognition in workplaces and schools, biometric categorisation inferring sensitive attributes, and real-time remote biometric identification in public spaces for law enforcement (with narrow exceptions).
Article 4 AI literacy: providers and deployers must ensure a sufficient level of AI literacy among staff and other persons dealing with the operation and use of AI systems on their behalf.

2 August 2025 — Governance, GPAI and penalties

This is the most consequential milestone for organisations placing AI on the EU market:

Chapter V (general-purpose AI models) — providers of new GPAI models placed on the market from this date must meet the GPAI obligations: technical documentation, downstream provider information, EU copyright compliance, and training-content summary. Models with systemic risk (Article 51) additionally require model evaluation, systemic risk assessment, incident reporting and cybersecurity protection.
Notifying authorities and notified bodies (Chapter III, Section 4) — Member States designate their authorities so conformity assessment infrastructure is ready.
Governance (Chapter VII) — the European AI Office is fully operational, the European AI Board takes effect, and national competent authorities are designated.
Penalties (Chapter XII) — the Article 99 administrative fine regime begins to apply for the obligations already in force.
Confidentiality (Article 78).

2 February 2026 — Commission guidance

The Commission must adopt guidelines on the practical implementation of Article 6, particularly the high-risk classification flow and the Article 6(3) exemption. These guidelines anchor the self-assessment that providers have to document.

2 August 2026 — High-risk systems and most provisions

The bulk of the Act becomes applicable:

Annex III high-risk systems — providers and deployers of high-risk systems in the eight Annex III areas (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice and democracy) must comply with the full obligation set in Chapter III.
Article 50 transparency obligations for limited-risk systems — chatbots must disclose they are AI, synthetic media must be labelled, emotion recognition and biometric categorisation systems must inform exposed persons, and deep fakes must be disclosed.
Post-market monitoring, information sharing and market surveillance (Chapter IX).
Member States must have laid down the rules on penalties and apply them.

2 August 2027 — Full application

The remaining categories become subject to the Act:

Annex I high-risk systems — AI systems that are safety components of products listed in Annex I (machinery, toys, medical devices, in-vitro diagnostics, civil aviation, motor vehicles, marine equipment, etc.) must comply when placed on the market.
GPAI models placed on the market before 2 August 2025 — providers must bring those existing models into compliance with Chapter V by this date.

31 December 2030 — Large-scale IT systems

High-risk AI systems that are components of large-scale EU IT systems listed in Annex X (Schengen Information System, Visa Information System, Eurodac, ETIAS, Entry/Exit System, ECRIS-TCN) must be brought into compliance by this date if they were placed on the market or put into service before 2 August 2027.

Transitional provisions worth knowing

High-risk systems already on the market before 2 August 2026 are not subject to the new obligations unless they undergo a "significant change" to their design after that date. A material redesign restarts the clock.
High-risk systems used by public authorities placed on the market before 2 August 2026 must comply by 2 August 2030 even without a significant change.
GPAI models placed on the market before 2 August 2025 get until 2 August 2027 to comply — providers should not assume they can stay grandfathered.

What to do before each milestone

A practical sequencing: by Q3 2025, complete AI inventories and prohibited-practice screening. By Q1 2026, classify each system against Annex III with documented Article 6(3) assessments. By Q2 2026, finalise risk management, technical documentation and quality management evidence for each high-risk system. By Q3 2026, complete conformity assessment, EU database registration and CE marking for systems placed on the market after 2 August 2026. See the breakdown of obligations in our high-risk AI systems guide.