The EU AI Act applies in stages: prohibitions and AI literacy from February 2, 2025; general-purpose AI rules and governance from August 2, 2025; the main high-risk and transparency obligations from August 2, 2026; and product-embedded high-risk AI plus legacy GPAI models by August 2, 2027. Each date carries its own to-do list, set out below.
EU AI Act Implementation Timeline 2025-2027: Every Date and What to Do
How Does the EU AI Act Timeline Work
Regulation (EU) 2024/1689 entered into force on August 1, 2024, but almost none of it applied on that day. Article 113 staggers application across three years so that operators, standards bodies, and regulators could build capacity in sequence: the bans first because they require no infrastructure, the general-purpose model regime second, the broad mass of obligations third, and product-embedded cases last to align with existing conformity cycles. This article lays out the full 2025 to 2027 calendar with the action items attached to each date, so a business can place itself on the timeline and see exactly what should already be finished and what remains. For the August 2026 items specifically, a separate detailed checklist exists; here the focus is the whole arc and the sequencing logic between milestones.
The Complete Date Table
| Date | What applies | Who is affected |
|---|---|---|
| August 1, 2024 | Entry into force; clocks start | Everyone |
| February 2, 2025 | Article 5 prohibitions; Article 4 AI literacy; general provisions | All providers and deployers |
| August 2, 2025 | General-purpose AI model obligations; governance structures including the AI Office and national authority designation; penalties framework for the applicable parts; confidentiality rules | GPAI model providers; member states; indirectly everyone |
| August 2, 2026 | General application: Annex III high-risk regime, Article 50 transparency, deployer duties, registration, national enforcement; member states must have at least one AI regulatory sandbox operational | Most businesses |
| August 2, 2027 | High-risk rules for AI as safety components of Annex I regulated products; compliance deadline for GPAI models placed on the market before August 2, 2025 | Product manufacturers; legacy model providers |
Two legacy rules round out the picture. High-risk systems already placed on the market before August 2, 2026 are caught when they undergo significant design changes, with public-sector deployments subject to alignment by 2030. And GPAI models marketed before August 2, 2025 must reach compliance by August 2, 2027.
February 2, 2025: What Should Already Be Done
Since this date, two obligations have been live for every organisation in scope. The prohibitions: no system you provide or deploy may perform the banned practices, namely harmful manipulation, vulnerability exploitation, social scoring, individual criminal prediction from profiling alone, untargeted facial scraping, workplace and school emotion recognition outside medical and safety uses, sensitive biometric categorisation, or live public biometric identification for law enforcement outside listed exceptions. The literacy duty: staff operating AI systems must have sufficient AI understanding for their roles. If either is unfinished today, the to-do is immediate: run an Article 5 screen across products and vendor tools, stop anything caught, and stand up a recorded, role-appropriate training programme. Both items are also the cheapest in the whole calendar, which makes gaps here the hardest to explain later.
August 2, 2025: The Model Layer and the Regulators Arrive
From this date, providers placing general-purpose AI models on the EU market owe technical documentation, information for downstream system builders, a copyright policy, and a published training-content summary, with model evaluation, adversarial testing, risk mitigation, incident reporting, and cybersecurity added for models posing systemic risk. The governance machine also switched on: the AI Office at the Commission, the European Artificial Intelligence Board, national competent authority designations, and the penalty framework attached to these parts. To-dos that flow from this milestone for ordinary businesses are indirect but real: identify which of your products and tools sit on top of general-purpose models, request the downstream documentation those model providers now owe, and find out which national authority will supervise you, since its guidance and communication channels are where your future enforcement relationship begins.
August 2, 2026: The Broad Wave
The general application date brings the high-risk regime for Annex III use cases, the transparency duties for chatbots, synthetic content, and deepfakes, deployer obligations including oversight, log retention, worker information, and the fundamental rights impact assessment where required, registration in the EU database, and active market surveillance with the full fine tiers. Member states must also have at least one operational AI regulatory sandbox. The before-this-date to-do list, in compressed form: complete the inventory and classification; providers of high-risk systems finish risk management, data governance, technical documentation, conformity assessment, CE marking, and registration; deployers gather instructions for use, assign and train overseers, configure logging, and prepare notices; everyone fixes transparency wording on public-facing AI. The sequencing insight is that provider items have the longest lead times, several months for documentation and assessment, so a provider starting after early 2026 is already compressing.
August 2, 2027: Products and Legacy Models
The final milestone serves two constituencies. Manufacturers whose AI is a safety component of products regulated under Annex I legislation (machinery, medical devices, toys, lifts, radio equipment, vehicles and more), where third-party conformity assessment already applies, get until this date because their AI compliance rides inside established product certification cycles. And providers of general-purpose models that were already on the market before August 2, 2025 must have brought those models into compliance. To-dos for product manufacturers between now and then: integrate AI Act requirements into the existing technical file and quality system rather than building a parallel structure, brief notified bodies early about AI components, and watch the harmonised standards under development, because conformity will be demonstrated largely through them. Model providers with legacy models should treat 2026 as the documentation year rather than betting on the final months.
Reading the Timeline as a Planning Instrument
Three planning rules fall out of the calendar. Work backward, not forward: pick your binding date (August 2026 for most, August 2027 for product-embedded cases), subtract realistic durations for assessment, documentation, and vendor dependencies, and the start date computes itself, usually earlier than instinct suggests. Sequence by tier liveness, not severity: the banned tier and literacy are already enforceable, so close those gaps before perfecting 2026 paperwork. And build for change: guidelines, harmonised standards, and national enforcement practice are still arriving, and public debate has included proposals to adjust parts of the schedule, so assign a named owner to track official announcements, while planning on the dates in the regulation as they stand. Organisations that treat the timeline as a project plan rather than a news topic consistently arrive at each milestone with days to spare instead of weeks of arrears.
What Slipping Each Milestone Costs
The dates carry different enforcement weights, and knowing them prices each risk correctly. The February 2025 items sit at the extremes of the penalty scale: a prohibited practice is exposed to the top tier, 35 million euros or 7 percent of worldwide turnover, whichever is higher, the heaviest sanction the Act knows, while the AI literacy duty has no dedicated fine tier of its own but surfaces in supervision and in how authorities weigh an operator's diligence. The August 2025 layer is enforced by the Commission against general-purpose model providers, with fines of up to 15 million euros or 3 percent of worldwide turnover. The August 2026 wave activates the full national machinery: 15 million euros or 3 percent for breaches of high-risk and transparency obligations and 7.5 million euros or 1 percent for misleading answers to authorities, with the SME rule capping each fine at the lower of the two figures for small businesses. Beyond fines, market surveillance powers from 2026 include orders to correct, restrict, or withdraw systems, which for a software business is often the larger commercial threat.
The Four Quarters Before Your Binding Date
Whatever your binding milestone, the working calendar backward from it looks similar. Four quarters out: complete the inventory and classification, screen for prohibited practices, and fix roles (provider or deployer) per system, because everything else hangs on this map. Three quarters out: providers begin or refresh technical documentation and the risk management system, while deployers send vendor evidence requests, the step with the longest external latency. Two quarters out: build the operating controls, meaning human oversight appointments and training, log retention, fundamental rights impact assessments where required, and, for providers, the conformity assessment route and registration plan. The final quarter: fix public-facing transparency, deliver literacy training, assemble the audit file, and leave deliberate buffer, because vendor responses and internal sign-offs consume more of the last quarter than anyone budgets. Product manufacturers working toward August 2027 should overlay this sequence on their existing conformity cycle and brief their notified body about AI components early rather than presenting them at the end.
How the Staggering Differs from GDPR's Single Date
GDPR offered one cliff: adopted in 2016, applicable in full on May 25, 2018, with a two-year run-in that much of the market famously spent waiting, producing a compressed scramble in the final months. The AI Act deliberately avoided a single cliff by sequencing the bans, the model layer, the broad wave, and the product-embedded cases. The benefit is that no single date demands everything; the hazard is that each date invites its own miniature version of the 2018 scramble, and the August 2026 milestone is, for most ordinary businesses, the GDPR-sized one. The organisations that absorbed GDPR cheaply were those that treated the run-in as the project window rather than as a grace period, and the same division is already visible around the AI Act's calendar.
Common Misreadings of the Calendar
Five misreadings recur. First, treating entry into force as applicability: August 1, 2024 started the clocks and created no operational duties by itself. Second, assuming that not being high-risk postpones everything: the prohibitions and the literacy duty have applied to everyone in scope since February 2025, and the transparency duties arrive with the 2026 wave regardless of risk tier. Third, reading the legacy rules as blanket exemptions: a pre-2026 high-risk system is caught as soon as it undergoes a significant design change, public-sector deployments must align by 2030, and models marketed before August 2025 must comply by August 2027. Fourth, believing 2027 is the deadline for all high-risk AI: it covers the Annex I product-embedded route, while Annex III use cases were due in August 2026. Fifth, waiting for harmonised standards as a reason to delay: standards, once available and cited, will ease how providers demonstrate conformity, but the obligations bind on the regulation's dates whether or not a convenient standard exists yet.
This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.