EU AI Act Timeline: Compliance Deadlines to 2027

The EU AI Act does not arrive on a single date. It applies in stages between 2024 and 2027, and each stage switches on a different set of obligations for the organizations that build or use AI systems in Europe.

Two of those stages are already live. The next one, the high-risk regime, lands on 2 August 2026, which makes the remaining months the window most compliance teams are working against right now.

The EU AI Act timeline is the staged schedule that brings Regulation (EU) 2024/1689 into force between 2024 and 2027. The law entered into force on 1 August 2024. Prohibited practices and AI literacy duties applied on 2 February 2025, the general-purpose AI rules on 2 August 2025, and the high-risk obligations on 2 August 2026.

The dates are fixed in the regulation itself, so they apply uniformly across all 27 Member States. The table below is the fastest way to see which obligation switches on when.

Date	What applies	Who it reaches	Top penalty tier
1 Aug 2024	Regulation enters into force	Everyone in scope	Not yet enforceable
2 Feb 2025	Prohibited practices (Article 5) and AI literacy (Article 4)	Every provider and deployer	€35M or 7% turnover
2 Aug 2025	General-purpose AI model rules, governance, and penalties (Article 99)	GPAI providers, authorities	€15M or 3% turnover
2 Aug 2026	High-risk obligations for Annex III systems and most remaining rules	High-risk providers and deployers	€15M or 3% turnover
2 Aug 2027	High-risk systems embedded in regulated products (Annex I)	Product manufacturers	€15M or 3% turnover

The Artificial Intelligence Act, formally Regulation (EU) 2024/1689, entered into force on 1 August 2024. It is the first horizontal AI law in the world, and it governs providers, deployers, importers, and distributors of AI systems used inside the European Union.

Entry into force did not mean immediate enforcement. The regulation set a staged calendar so organizations and national authorities had time to build the supervisory architecture and adapt their systems.

The reach extends past EU borders. The Act applies when the output of an AI system is used in the Union, which pulls a large share of the global AI market into scope even for companies headquartered elsewhere.

Two obligations switched on first, and both carry weight. The Article 5 ban on prohibited AI practices and the Article 4 AI literacy duty became enforceable on 2 February 2025.

The prohibited list covers eight categories, including social scoring, untargeted facial-image scraping, manipulative or exploitative systems, and emotion recognition in workplaces and schools. These cannot be placed on the EU market at all, and breaching the ban carries the highest penalty tier of €35 million or 7% of global annual turnover. Product, procurement, and legal teams need to recognize a prohibited use before it ships, which is the focus of the prohibited AI practices exercise.

Article 4 is the broadest obligation in the whole regulation. It requires providers and deployers to ensure a sufficient level of AI literacy among staff and anyone operating AI on their behalf, regardless of the risk tier of the systems involved.

The AI literacy essentials exercise trains the three behaviors the article actually expects: critical evaluation of AI output, verification before action, and disciplined data handling. For the full Article 4 breakdown, see our EU AI Act training guide.

The second stage added the rules for general-purpose AI and the enforcement machinery behind the whole regulation. On 2 August 2025, the GPAI model obligations, the governance chapter, and the Article 99 penalty regime became applicable.

General-purpose AI providers now carry documentation, transparency, and copyright duties, with extra obligations for models that pose systemic risk. Deployers who build on top of these models inherit downstream responsibilities, a split that the general-purpose AI model obligations exercise maps out role by role.

The same date stood up the EU AI Office inside the European Commission and required Member States to name national competent authorities. The EU AI Act penalties and enforcement exercise walks through the three-tier fine structure so teams understand which obligations sit behind which financial exposure.

This is the deadline closest on the calendar, and it is the heaviest. On 2 August 2026, the high-risk obligations apply for the AI systems listed in Annex III, and most of the remaining provisions of the regulation become applicable.

Annex III covers eight domains where AI is high-risk by default: biometrics, critical infrastructure, education, employment, essential public and private services, law enforcement, migration and border control, and the administration of justice. Providers and deployers of these systems face the deepest controls in the Act, from risk management and data governance to human oversight and post-market monitoring. The high-risk AI deployer obligations exercise tests whether a launch is ready across the seven areas an auditor will check first.

Most enterprises are deployers of several high-risk systems and providers of a few. A bank running a credit-scoring model, a hospital using a triage tool, and a recruiter screening CVs with an AI shortlister all sit inside Annex III, so the August 2026 date is not a niche concern.

One category extends beyond 2026. High-risk AI systems that are embedded as safety components in products already regulated under EU law, listed in Annex I, have until 2 August 2027 to comply.

Annex I covers products such as machinery, medical devices, toys, and vehicles, where existing product-safety law already requires conformity assessment. The extra year recognizes that AI obligations have to be folded into established certification processes rather than bolted on.

If your AI is a feature inside a regulated physical product, 2027 is your date. For everything in Annex III, the operative deadline is still 2 August 2026.

Yes, in many cases. The Act reaches providers and deployers established outside the EU when they place AI systems on the EU market or when the output produced by the system is used in the Union.

A US software vendor selling an AI hiring tool to European customers is a provider in scope. A company headquartered outside Europe whose AI generates results consumed by an EU branch can be a deployer in scope. The territorial reach mirrors the extraterritorial logic that made GDPR a global standard.

Non-EU organizations in scope generally need an authorized representative established in the Union. The practical takeaway is simple: location does not exempt you if your AI touches the European market.

There is no single curriculum the Commission endorses, but the steps below match what national authorities and audit firms look for in a defensible program. Each one produces documentation that feeds the deadlines still ahead.

Step 1: Build an AI system inventory. List every AI system your organization builds or uses, who owns it, and what data it touches. The AI governance exercise shows how to build the registry and shut down shadow AI before it reaches a regulator’s attention.

Step 2: Classify each system by risk tier. Sort every entry in the inventory into prohibited, high-risk, limited-risk, or minimal-risk. The tier decides which obligations apply, and our EU AI Act risk categories guide explains how to make each call.

Step 3: Run AI literacy training across the workforce. Article 4 is enforceable now, so this is the cheapest first step toward overall readiness. Train general staff on safe daily use and give technical and oversight roles deeper modules.

Step 4: Assign human oversight and incident handling. Name the people responsible for overseeing high-risk systems and define how staff report AI failures. The AI incident reporting exercise and responsible AI use exercise rehearse both routines.

Step 5: Document everything. Keep records of who trained on what, when systems were classified, and which oversight measures are in place. Authorities sample records, so the documentation is the compliance evidence.

The AI Act rarely arrives alone. EU organizations usually have to align it with GDPR, NIS2, and other frameworks at the same time, and the training content overlaps more than most teams expect.

Framework	Training-relevant obligation	Overlap with the AI Act
GDPR (EU 2016/679)	Lawful processing, data subject rights, breach response	Data governance, AI systems that process personal data
NIS2 (EU 2022/2555)	Cyber risk management, incident reporting, management training	Incident handling, governance, supply chain
EU AI Act (EU 2024/1689)	AI literacy, risk classification, human oversight	The core obligation set

A GDPR employee training program already covers data handling that high-risk AI systems depend on. A NIS2 training program covers incident reporting routines the AI Act reuses. Organizations that build one awareness program mapped across frameworks spend far less than those running parallel trainings, a pattern we cover in our compliance training guide.

RansomLeak training is interactive, scenario-based, and documented in a way supervisors recognize. The dedicated EU AI Act course covers the regulation, the staged timeline, the four risk tiers, and the day-to-day practices Article 4 expects, and every module exports as SCORM for the LMS an authority will inspect.

The privacy and compliance catalogue carries the full EU AI Act course alongside GDPR scenarios. The AI security catalogue covers prompt injection, deepfakes, and LLM manipulation that the shadow AI problem brings into scope. Role-based tracks produce the calibrated, documented literacy the regulation explicitly requires.

If you want to see how scenario-based training maps to each AI Act deadline, book a walkthrough with our team.

The regulation entered into force on 1 August 2024 and applies in stages. Prohibited practices and AI literacy applied on 2 February 2025, general-purpose AI rules on 2 August 2025, and high-risk obligations for Annex III systems on 2 August 2026. High-risk systems embedded in regulated products under Annex I have until 2 August 2027. Full applicability is reached on that final date.

For most organizations it is 2 August 2026, when high-risk obligations for Annex III systems apply and most remaining provisions become enforceable. Banks, hospitals, recruiters, and public-service operators using AI in those domains face the deepest controls in the Act on that date. The Article 4 AI literacy duty is already enforceable, so it should be in progress already.

Article 99 sets three tiers. Prohibited-practice breaches reach up to €35 million or 7% of global annual turnover. Most other obligations, including AI literacy, transparency, and deployer duties, reach up to €15 million or 3%. Supplying misleading information to authorities reaches up to €7.5 million or 1.5%. Small and medium enterprises face the lower of the two values rather than the higher.

Yes. The obligations apply based on the role you play and the risk tier of your AI systems, not your company size. Small and medium enterprises and start-ups do get proportionate treatment, including the lower end of the penalty ranges and simplified technical documentation, but the AI literacy duty under Article 4 applies regardless of headcount.

Enforcement runs through national competent authorities in each Member State and the EU AI Office inside the European Commission. The AI Office supervises general-purpose AI directly and coordinates the European Artificial Intelligence Board. National authorities handle market surveillance, can request documentation, and can impose the Article 99 fines.

Build an inventory of every AI system you use or build, classify each one by risk tier, and start AI literacy training across the workforce. The literacy duty is enforceable now and produces documentation that feeds the deeper obligations arriving in 2026 and 2027. Our EU AI Act risk categories guide explains how to classify each system.

The EU AI Act is a staged regulation, and treating it as a single future deadline is the fastest way to fall behind. Two stages are already enforceable, the high-risk regime lands on 2 August 2026, and the final product-embedded systems follow in 2027.

The work that satisfies the early stages also builds the evidence for the later ones. Start with an AI inventory, classify by risk, train the workforce on AI literacy, and document every step.

If your organization operates AI in Europe and wants scenario-based training mapped to each deadline, explore the privacy and compliance catalogue or talk to our team.

• Regulation (EU) 2024/1689 (AI Act) - Official Journal
• European Commission: AI Act
• European Commission: AI Act implementation timeline
• EU AI Office