EU AI Act enforcement timeline (2024 to 2027)

1 August 2024: entry into force

The Act entered into force 20 days after its publication in the Official Journal on 12 July 2024. The countdown for every subsequent application date is measured from this point.

2 February 2025: Article 5 prohibitions

The eight categories of unacceptable-risk AI became prohibited across the EU. National competent authorities can take enforcement action against prohibited practices from this date. AI literacy obligations for providers and deployers (Article 4) also became applicable.

2 August 2025: GPAI, governance, and penalties

Obligations for general-purpose AI models (Chapter V) became applicable. The Code of Practice for GPAI providers, drawn up under Article 56, took effect. Governance bodies (the AI Office at Commission level, the AI Board with member-state representatives, the Advisory Forum, the Scientific Panel) became operational. The penalty framework in Chapter XII also applies from this date.

2 August 2026: the bulk of the high-risk regime

The main body of obligations for high-risk AI systems under Chapter III, Title II becomes applicable. Risk management, data governance, technical documentation, record-keeping, transparency to deployers, human oversight, accuracy and robustness, cybersecurity, conformity assessment, and post-market monitoring all become enforceable.

This is the milestone most SME compliance work in 2026 is pointed at. If your product touches an Annex III use case, this is the deadline.

2 August 2027: Annex I high-risk systems

The remaining high-risk obligations apply, specifically those for AI systems that are safety components of products already covered by EU sectoral legislation listed in Annex I. The longer runway reflects the cost of aligning with existing CE-marking processes.

What this timeline means in practice

• If your product is limited-risk, you have ongoing transparency obligations under Article 50 today. Confirm your AI-system disclosure and synthetic-content labelling are in place.
• If you are a GPAI provider or are downstream of one with substantial modification, the obligations have applied since 2 August 2025. Documentation, copyright policy, training-data summary.
• If your product is high-risk under Annex III, the conformity assessment, documentation, and quality-management infrastructure need to be in place by 2 August 2026. Building the technical documentation set takes the longest of any deliverable.
• If your product is a safety component of an Annex I product, you have until 2 August 2027, but you are also stacked on existing sectoral conformity workflows.