EU AI Act timeline and key dates: what's enforceable when

The EU AI Act does not switch on all at once. It enters into force on a single date, but its substantive obligations apply in phases across a three-year window, with different rules for different tiers of AI system. This staged approach gives providers and deployers time to prepare, and it gives Member States time to designate authorities, set up notified bodies, and put the supervisory architecture in place.

This article walks through every key date, in order, with what becomes enforceable on each one and what you should have in place at that point. Use it as a compliance calendar and pin the dates that apply to your situation.

1 August 2024: entry into force

Regulation (EU) 2024/1689 — the EU AI Act — entered into force on 1 August 2024, the twentieth day after its publication in the Official Journal of the European Union on 12 July 2024. Entry into force makes the regulation part of EU law; it does not yet make the substantive obligations binding. That happens in phases via the application dates that follow.

What entry into force did trigger: the start of the clock for the various six-month, twelve-month, twenty-four-month and thirty-six-month transition periods that determine when each substantive provision applies.

2 February 2025: prohibitions and AI literacy

Six months after entry into force. Two sets of provisions become enforceable:

• Article 5 — prohibited AI practices. All eight prohibitions apply from this date. AI systems within the prohibited categories cannot be placed on the market, put into service, or used. See the prohibited practices article for the full list.
• Article 4 — AI literacy. Providers and deployers must take measures to ensure that, to their best extent, their staff and other persons dealing with the operation and use of AI systems have a sufficient level of AI literacy, taking into account their technical knowledge, experience, education and training, the context the AI systems are to be used in, and the persons or groups on whom the AI systems are to be used.

What you needed in place by this date:

• An inventory check for any AI systems that might fall within Article 5. If anything is borderline, get external counsel on the carve-outs and document the conclusion.
• A basic AI-literacy programme: who needs training, what they need to know, how it is delivered, how completion is tracked. The level depends on role — engineers building AI need deeper material than business users.
• Communication to the organisation that AI procurement, deployment and use now sit under a defined compliance regime.

2 August 2025: GPAI obligations and governance

Twelve months after entry into force. Multiple provisions apply:

• GPAI obligations (Article 53) for newly placed general-purpose AI models. Baseline obligations on technical documentation, downstream-developer information, copyright-compliance policy, public training-data summary, and cooperation with authorities. Systemic-risk GPAI providers additionally face the obligations under Article 55. See the GPAI article for detail.
• Governance provisions apply: Member States must designate national competent authorities (including the market surveillance authority and the notifying authority). The European AI Office at the Commission becomes operational for GPAI supervision.
• Penalties under Article 99 apply from this date for the provisions that are already in force (Articles 4 and 5 — AI literacy and prohibitions).
• Confidentiality obligations under Article 78 apply.

What you needed in place by this date:

• If you are a GPAI provider: the full set of GPAI artefacts — model card to Annex XI Section 2, technical documentation to Annex XI Section 1, copyright-compliance policy, public training-data summary. Sign the Code of Practice or have an alternative compliance demonstration.
• If you are a GPAI deployer (building on top of a third-party model): no obligations specifically triggered on this date, but check your suppliers — your contracts should reference the GPAI documentation they owe you.

GPAI models placed on the market before 2 August 2025 have a transition to 2 August 2027 to bring them into compliance. New models from this date forward must be compliant from launch.

2 August 2026: the main application date

Two years after entry into force. The bulk of the Act applies. This is the date most organisations should be planning for, because it is when the high-risk regime under Annex III kicks in.

What becomes enforceable:

• High-risk AI system obligations under Annex III (Article 6(2) and Articles 8–17). Providers of high-risk systems in the eight Annex III areas (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice and democratic processes) must comply with the full provider regime: quality management system, technical documentation, risk management, data governance, transparency to deployers, human oversight, accuracy, robustness, cybersecurity, post-market monitoring, conformity assessment, registration in the EU AI database, CE marking.
• Deployer obligations for high-risk Annex III systems (Article 26). Use according to instructions, ensure human oversight, monitor operation, retain logs, report serious incidents, complete a Fundamental Rights Impact Assessment if you are a public-sector deployer or a deployer of certain private-sector high-risk systems.
• Transparency obligations under Article 50. Chatbots must disclose AI; deepfakes must be labelled; emotion recognition and biometric categorisation systems must inform exposed persons; generative AI must mark its output as artificially generated in machine-readable form.
• Notified bodies become operational where required for conformity assessment (mainly biometric high-risk systems).
• Codes of conduct under Article 95 — Member States and the Commission encourage voluntary codes covering minimal-risk systems and additional commitments by high-risk system providers.

What you need in place by this date:

• A full AI system inventory with risk-tier classification per system.
• For each high-risk Annex III system you provide: the technical documentation file, the quality management system, the risk-management process, the data-governance documentation, the conformity assessment, the EU database registration, the CE marking.
• For each high-risk Annex III system you deploy: human-oversight measures, monitoring, log retention, FRIA where required, incident-reporting channel set up.
• For limited-risk systems: the relevant transparency disclosures live in your product UI.
• For GPAI integrations: the downstream-system obligations attached to your AI system (which is separate from the GPAI model provider's obligations).

This is the date that drives the bulk of compliance programmes. Working backwards: an organisation with several high-risk systems in development should be working on technical documentation in 2025 and aiming to complete conformity assessments by Q1 2026 to be safely placed on the market before the deadline.

2 August 2027: high-risk Annex I integration

Three years after entry into force. The final main application date:

• High-risk AI systems that are components of Annex I products (Article 6(1)) become subject to the AI Act. This is the longer transition recognising that integration with existing product-safety regulation (medical devices, machinery, aviation, vehicles, etc.) requires coordination with sectoral law and notified bodies.
• AI systems placed on the market before 2 August 2026 that have been substantially modified after that date must be brought into full compliance.
• GPAI models placed on the market before 2 August 2025 must achieve compliance.

The substantial-modification test in Article 111(2) is worth flagging. AI systems already on the market on 2 August 2026 are not automatically dragged into the regime; they only become subject to the high-risk obligations if they are substantially modified, or if they fall into Annex I-integrated products. A high-risk Annex III system that has been on the market since 2023 and continues unchanged is not retroactively bound by Articles 8–17 — though deployer obligations under Article 26 still apply prospectively.

What you need in place by this date:

• Any Annex I high-risk systems brought into compliance (often coordinated with the existing CE-marking process under sectoral law).
• Pre-existing GPAI models brought into full compliance.
• Pre-existing AI systems that have been substantially modified since 2 August 2026 brought into full high-risk compliance.

2 August 2030: public authority AI systems

Six years after entry into force. The last specific application date:

• AI systems used by public authorities that have been placed on the market or put into service before 2 August 2026 must be brought into full compliance by this date, even without substantial modification.

This longer transition recognises that public-sector procurement cycles for legacy systems are particularly long.

What this means in calendar terms

Reading the timeline forward as a compliance officer, here is roughly how a 12-month plan looks for the typical SMB at this point:

• Q2 2026: AI system inventory complete, classifications run, FRIAs scheduled for any high-risk deployments.
• Q3 2026: For high-risk Annex III systems: technical documentation drafted, conformity assessment process running. For limited-risk: transparency UI changes in production.
• End of Q3 2026: deadline. All Annex III obligations active.
• Q4 2026 onwards: post-market monitoring in production, incident-reporting channels live, technical documentation kept current.
• 2027: Continue post-market monitoring. For Annex I-integrated systems, the August 2027 deadline.
• Ongoing: AI literacy training refresh, annual classification review for material changes, supplier-contract review for GPAI obligations.

If you are not on this track today, the practical advice is to start with the smallest viable version of an AI compliance programme: an inventory, a classification log, an AI literacy module, and a designated owner. The technical-documentation and conformity-assessment work for high-risk systems is where the real effort sits and where most organisations under-estimate the duration. Twelve weeks per high-risk system is a reasonable planning assumption for a first-time programme; teams that have been through CE-marking under medical-device or machinery regulation typically run faster.

What can still change

The Act is in force and the dates above are binding, but two things can shift the picture:

• Delegated acts. The Commission can add use cases to the Annex III high-risk list, update technical standards, and adjust thresholds. Each delegated act follows a defined procedure with European Parliament and Council scrutiny.
• Harmonised standards. CEN/CENELEC are developing the harmonised standards that will make conformity assessment more concrete. Compliance with a harmonised standard creates a presumption of conformity with the corresponding AI Act requirement. The current expectation is for the first wave of harmonised standards to publish in late 2025 / early 2026.

Neither moves the headline application dates. They affect how you comply, not when.

The simplest summary: 2 February 2025 — prohibitions and AI literacy. 2 August 2025 — GPAI and governance. 2 August 2026 — Annex III high-risk and the rest of the Act. 2 August 2027 — Annex I high-risk and transitions for pre-existing systems. Plan against those four dates and you have the calendar in hand.