Guide9 min read

EU AI Act Compliance Timeline: Every Deadline from 2024 to 2028

A complete breakdown of the phased application dates — what applies when, and what you should be doing right now

P

Paul McCormack

AI Governance & Compliance · 28 February 2026

The EU AI Act doesn't switch on all at once. Regulation (EU) 2024/1689 entered into force on 1 August 2024, but its provisions apply in phases. This article maps every key deadline, explains what becomes applicable at each stage, and helps you prioritise your compliance effort — including the major deferral of the high-risk obligations under the Digital Omnibus.

"Editor's update (19 June 2026): the Digital Omnibus on AI — approved by the European Parliament on 16 June 2026 — defers the high-risk obligations and FRIA from 2 August 2026 to 2 December 2027 (Annex III) and 2 August 2028 (Annex I), and adds a new Article 5 ban on 'nudifier'/CSAM tools from 2 December 2026. Until the amendment is published in the Official Journal, the original dates remain the binding law. This guide reflects the post-Omnibus timeline; see our dedicated guide, 'The Digital Omnibus: The New EU AI Act Deadlines Explained', for the full picture."

EU AI Act — Phased Application Timeline (post-Digital Omnibus)

1 August 2024 — Entry into force
LIVE2 February 2025 — Prohibited practices (Art. 5) and AI literacy (Art. 4)Already in effect
LIVE2 August 2025 — GPAI (Arts. 51-55), governance (Arts. 64-70), notified bodiesAlready in effect
2 August 2026 — Transparency obligations (Art. 50): disclose AI; mark synthetic contentUpcoming
2 December 2027 — Annex III high-risk obligations and FRIA (Art. 27)Pending OJ — deferred from Aug 2026
20282 August 2028 — Annex I product-embedded high-risk (Art. 6(1))Pending OJ — deferred from Aug 2027

From entry into force to full application of product safety requirements. High-risk dates are pending Official Journal publication of the Digital Omnibus.

Phase 1: 2 February 2025 — Prohibited Practices and AI Literacy

The first provisions to apply were the prohibited AI practices under and the AI literacy obligation under . This was deliberately front-loaded — the EU wanted the most harmful AI practices banned as quickly as possible.

bans eight categories of AI practice outright, including subliminal manipulation, social scoring, predictive policing based solely on profiling, untargeted facial image scraping, workplace emotion recognition, and real-time biometric identification in public spaces (with narrow law enforcement exceptions).

requires all providers and deployers to ensure sufficient AI literacy among staff and personnel who operate or oversee AI systems. This is a broad, ongoing obligation — not a one-time training exercise.

"Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf." — Article 4

Phase 2: 2 August 2025 — GPAI, Governance, and Notified Bodies

The second wave brought the general-purpose AI model framework into effect. This includes:

  • Articles 51-55: All GPAI provider obligations — technical documentation, downstream information, copyright compliance, training data summaries, and additional obligations for models with systemic risk
  • Articles 64-70: The governance framework — the AI Office, the European AI Board, the Advisory Forum, the Scientific Panel, and national competent authority designations
  • Articles 28-39: The notified body framework — rules for conformity assessment bodies, notification procedures, and requirements for performing conformity assessments
  • : Fines for GPAI providers who violate their obligations

Phase 3: 2 August 2026 — Transparency Obligations (Article 50)

This date was originally billed as 'full application' for high-risk AI. Under the Digital Omnibus that is no longer correct: 2 August 2026 is now essentially the transparency date. The provisions that apply are obligations:

  • : providers must disclose when content is AI-generated and ensure synthetic output is machine-readable as artificially generated
  • : deployers must inform people when they interact with AI (e.g. chatbots) and label deepfakes and AI-generated text on matters of public interest

The high-risk system obligations (Articles 8-15), the operator duties (Articles 16-27), conformity assessment, the FRIA under , and the broader enforcement framework do not apply on this date. The Digital Omnibus moves them to 2 December 2027 (Annex III) and 2 August 2028 (Annex I).

"Important: until the Digital Omnibus is published in the Official Journal, the original AI Act dates remain the binding law. The deferral is approved by the European Parliament but not yet legally in force — so continue preparing to the original schedule while planning to the new one."

Phase 4: 2 December 2026 — New Prohibition & Watermarking Grace Ends

The Digital Omnibus adds a new prohibition, effective 2 December 2026, on AI systems designed to generate non-consensual intimate imagery ('nudifier' apps) and child sexual abuse material. The same date ends the grace period: machine-readable marking of AI-generated content must be in place even for systems placed on the market before 2 August 2026.

Phase 5: 2 August 2027 — Legacy GPAI & National Sandboxes

Two obligations land here. GPAI models placed on the market before 2 August 2025 must be brought into compliance by this date under — this is unchanged by the Digital Omnibus. And each Member State must have at least one operational AI regulatory sandbox under (moved here from the original 2 August 2026 deadline).

Phase 6: 2 December 2027 — High-Risk (Annex III) & FRIA

This is the date that now matters most for the majority of organisations using AI. Stand-alone high-risk systems listed in Annex III — recruitment, credit, insurance, education, essential services and more — must comply from 2 December 2027 (pending Official Journal publication). The obligations that apply include:

  • Articles 6-7: High-risk AI classification rules (Annex III use-case pathway)
  • Articles 8-15: All requirements for high-risk AI systems — risk management, data governance, documentation, logging, transparency, human oversight, accuracy, robustness, cybersecurity
  • Articles 16-27: All operator obligations — providers, deployers, importers, distributors, and authorised representatives
  • : Fundamental rights impact assessment (FRIA) for public bodies, public service providers, and credit/insurance deployers
  • Articles 71-84: The full market surveillance framework, including post-market monitoring, incident reporting, and the EU database
  • Articles 85-87: Rights provisions — right to complaint, right to explanation, whistleblower protection
  • : Full penalty framework — up to EUR 35M or 7% turnover for prohibited practice violations, EUR 15M or 3% for other infringements

Phase 7: 2 August 2028 — Product Safety Alignment (Annex I)

The final phase applies to AI systems classified as high-risk under — those that are safety components of products covered by EU harmonisation legislation listed in Annex I. The Digital Omnibus defers this from the original 2 August 2027 to 2 August 2028 (pending Official Journal publication).

This affects AI in medical devices, machinery, vehicles, toys, lifts, radio equipment, civil aviation, and other regulated product categories. If your AI system is embedded in a physical product covered by Annex I legislation, your deadline is August 2028, not 2026.

What You Should Be Doing Right Now (June 2026)

1

Confirm Article 5 compliance

The prohibited practices have been in force since February 2025. If you haven't audited your AI systems against the banned categories, do it immediately — and check exposure to the new 'nudifier'/CSAM ban arriving December 2026.

2

Verify AI literacy measures

is live. Ensure staff have adequate AI literacy training relevant to their roles (the Digital Omnibus softens but does not remove this duty).

3

Prepare for Article 50 transparency

Transparency is the next live deadline (2 August 2026). Build AI-interaction disclosures and synthetic-content marking into your products now.

4

Keep classifying your AI systems

Use the deferral to mature your work: classify every AI system as prohibited, high-risk, limited-risk, or minimal-risk using and Annex III.

5

Continue FRIA preparation

If you're a public body, public service provider, or credit/insurance deployer using high-risk AI, keep your FRIA preparation moving toward the new 2 December 2027 date — don't pause it.

6

Engage your supply chain

If you're a deployer relying on a provider for high-risk AI, confirm that your provider is preparing for obligations — documentation, conformity assessment, CE marking.

7

Watch the Official Journal

When the Digital Omnibus is published, the deferred dates become law. Re-baseline your roadmap from 'pending' to 'confirmed' at that point.

Key Takeaways

Prohibited practices () and AI literacy () are in force since February 2025; GPAI obligations since August 2025

2 August 2026 is now the transparency date — not 'full application'

A new ban on 'nudifier'/CSAM tools takes effect 2 December 2026

Under the Digital Omnibus, high-risk obligations and FRIA move to 2 December 2027 (Annex III) and 2 August 2028 (Annex I)

These deferrals are pending Official Journal publication; until then the original dates remain the binding law

Don't pause — use the extra time to mature classification, transparency and FRIA work

Tags

TimelineCompliance DeadlinesPhased ApplicationArticle 113

Not sure if you need a FRIA?

Use our free FRIA Screening Tool to find out in under 5 minutes.

Built by Paul McCormack — lawyer, product leader, and founder of Kormoon. This site is an independent informational resource only and does not constitute legal advice. No reliance should be placed on its contents. For the authoritative text, refer to the official EUR-Lex source linked in the Annexes tab, or consult your legal advisor.