EU AI Act Timeline 2025-2027: Every Deadline That Matters

The EU AI Act is a single regulation with a staggered enforcement calendar, and one of the more expensive mistakes companies made in 2025 was treating it as a single 2026 deadline. The Act entered into force on August 1, 2024, and its obligations land in waves between February 2025 and August 2027. Each wave catches a different population of companies, and several of the waves have already passed without much of the AI-using world noticing.

This is the practical timeline — what came into force when, what comes next, and what to do in the months leading up to each date. It complements the operational read in our EU AI Act compliance overview, and the practical execution sequence in the 2026 compliance checklist.

August 1, 2024 — Entry into force

The Act formally entered into force twenty days after publication in the Official Journal. None of the operational obligations were immediately applicable, but two things started running on this date. First, the clock began on every subsequent deadline. Second, the supervisory infrastructure — the AI Office at the European Commission, the AI Board with member-state representatives, national supervisory authorities — began organizing for enforcement. Companies that started reading the Act after August 2024 were, in effect, already behind a Commission that had been preparing since the political agreement in December 2023.

February 2, 2025 — Prohibited practices and AI literacy

The first set of operational obligations applied. Two categories matter:

• Prohibited AI practices. Eight categories of AI use are now flatly illegal in the EU: social scoring of natural persons by public or private actors; manipulation through subliminal techniques causing significant harm; exploitation of vulnerabilities of specific groups; untargeted scraping of facial images to build biometric databases; emotion recognition in workplaces and education; biometric categorization to infer sensitive attributes (race, political opinion, sexual orientation); real-time remote biometric identification in publicly accessible spaces by law enforcement (with narrow exceptions); and predictive policing based solely on profiling. Any system doing any of these had to be off by February 2, 2025.
• AI literacy obligation. Providers and deployers of AI systems are required to ensure their staff and others operating AI systems have sufficient AI literacy. This is not training in a narrow sense — it is a documented competence standard for the people interacting with AI in a professional capacity. Most companies under-invested here in 2025 and now have a backfill task.

If a company was still running an emotion-recognition tool in HR or an untargeted facial-scraping pipeline in March 2025, the regulatory exposure was already live — and remediation needs to be on the file.

August 2, 2025 — General-purpose AI (GPAI) obligations

Obligations on providers of general-purpose AI models came into force. Two tiers apply:

• All GPAI providers must publish a sufficiently detailed summary of training data, maintain technical documentation, respect EU copyright (including text-and-data-mining opt-outs), and provide downstream deployers with documentation needed to use the model in compliance with the Act.
• GPAI with systemic risk — currently defined as models trained with more than 10^25 FLOPs of compute, with discretion for the Commission to designate others — additionally must run model evaluations, perform adversarial testing, mitigate systemic risks, report serious incidents to the AI Office, and ensure adequate cybersecurity.

The systemic-risk tier captured the major foundation-model providers — OpenAI, Anthropic, Google DeepMind, Meta, and the larger European labs. Most companies are downstream of these providers and inherit the documentation through procurement contracts. The 2026 problem is that many companies did not update procurement contracts to extract the now-available documentation — and the AI Act puts the downstream documentation burden on the deployer.

August 2, 2026 — The high-risk deadline (the big one)

The largest wave of obligations applies. High-risk AI systems — those listed in Annex III, and AI embedded in products already regulated under EU product-safety law — must comply with the full set of requirements: risk-management system, data and data-governance documentation, technical documentation, logging, transparency, human oversight, accuracy and robustness testing, cybersecurity, post-market monitoring, and conformity assessment. EU representative appointment is required for non-EU providers. Registration in the EU AI database is required before market placement.

This is the date the compliance industry has been organizing around. The work for August 2026 starts in February 2026 at the latest and runs through July; the companies starting in May or June will not finish on time. The 2026 sequence is the entire subject of the compliance checklist — the short version is: inventory and classification before June, the six core artifacts in parallel sprints across June and July, vendor re-papering throughout, post-market monitoring infrastructure live before August.

A specific note for regulated sectors. AI in financial services intersects with existing model-risk-management programs (SR 11-7 in the US, similar frameworks across the EU). The AI Act overlap is substantial but not complete — the gap analysis is itself a quarter of work for any firm with material AI in credit, insurance, or trading.

August 2, 2027 — High-risk AI in regulated products

The final major wave catches AI systems that are safety components of products already covered by the EU's product-safety regulations listed in Annex I — medical devices, in-vitro diagnostics, machinery, toys, radio equipment, marine equipment, civil aviation, vehicles, agricultural vehicles, recreational craft, and others. These systems were granted an extra year to align AI Act requirements with the existing conformity-assessment cycles under the sectoral regulations.

Companies in medical devices and machinery should not read this as "we have an extra year." The integrated assessment that the 2027 date enables is more complex than the standalone Annex III assessment, and the documentation needs to be ready for the regulated-product re-certification cycles, which often run on multi-year clocks. Practical sequence: classify in 2025, do the AI Act gap analysis through 2026, integrate into the next product-conformity cycle.

What is still being clarified — and how to handle the uncertainty

Several aspects of the Act remain in active rulemaking. The Commission has published guidance throughout 2024 and 2025 and continues to issue clarifications. Significant open items include: the precise scope of the GPAI threshold, the technical specifications for the EU AI database registration, harmonized standards being developed by CEN-CENELEC for high-risk AI conformity, and clarifications on the boundary between deployer and provider obligations when AI is integrated.

The practical posture is to follow the latest Commission guidance and the published harmonized standards as they are issued, and to document the company's interpretation of any open items as part of the risk-management file. A documented good-faith interpretation backed by reasoned analysis is a defensible posture; silence on the open items is not.

The 2026 working calendar

For a typical mid-market company sitting on the August 2026 high-risk deadline, the working calendar looks like:

• February–March 2026: Name the AI-governance owner. Stand up the committee. Pull together the initial AI inventory across in-house systems, embedded SaaS features, and customer-facing AI.
• April–May 2026: Complete the inventory. Run the Annex III classification with documented rationale on every entry. Identify the high-risk subset.
• May–June 2026: Start the six core artifact streams in parallel — risk management, data governance, technical documentation, logging, human oversight, testing. Each takes six-to-twelve weeks; starting in May lands them in mid-July.
• June–August 2026: Vendor re-papering. Extract documentation, update contracts, identify any vendors that cannot meet AI Act obligations and replace them or geo-restrict their use.
• July 2026: Stand up post-market monitoring infrastructure. Define incident triggers. Run a tabletop exercise simulating a serious incident and the 15-day reporting workflow.
• Late July 2026: EU representative appointment if non-EU. Register applicable systems in the EU database. Internal sign-off by legal and the AI-governance owner.
• August 2, 2026 and beyond: The post-market monitoring clock is now running. Quarterly review of every artifact. Continuous classification of new AI use cases through a documented intake process.

The August 2026 deadline is real, but the calendar is bounded — a company starting now with a named owner and a structured plan finishes in time. The companies that miss are the ones that wait for clarity that does not come and start work that does have a defined shape.

For organizations sitting on the working calendar above and trying to figure out how to operate it without rebuilding the team, our AI compliance and risk automation work is structured around exactly this — the inventory, the classification, the artifact templates, and the post-market monitoring layer, sequenced against the calendar above and adapted to the specific high-risk systems each company is carrying into August.