EU AI Act Deadlines and Timeline (2025-2027)

When does the EU AI Act apply?

The EU AI Act, Regulation (EU) 2024/1689, entered into force on 1 August 2024 but does not apply all at once: its obligations switch on in stages, with the first bans live since 2 February 2025 and most high-risk rules arriving on 2 August 2026. This phased approach gives organisations time to prepare, but it also means you can be subject to one part of the law today while another part has not yet started.

Which date binds you depends on the role you play (provider, deployer, importer or distributor) and the risk category of your system. The table below lists the enacted milestones in the order they take effect.

Milestone timeline

These are the dates fixed in the Regulation as adopted. Use them as your planning baseline.

What each milestone means for SMBs

• Prohibited practices and AI literacy (since 2 February 2025): you may not use banned systems such as untargeted facial-recognition scraping or certain manipulative or social-scoring uses, and every business deploying AI must ensure staff who operate it have a sufficient level of AI literacy. This applies even to small teams using off-the-shelf tools.
• GPAI and governance (since 2 August 2025): if you build on a general-purpose model, your upstream provider now carries documentation and transparency duties, and you should obtain the technical information you need to meet your own obligations downstream.
• High-risk obligations (from 2 August 2026): if your system falls under Annex III, for example AI used in recruitment, employee management, access to essential services or creditworthiness, you will need a risk-management system, data governance, technical documentation, logging, human oversight and a conformity assessment before it stays on the market.
• Regulated-product AI (from 2 August 2027): if your AI is a safety component of a product already covered by EU product law, your timeline runs to 2027, but the underlying engineering work overlaps heavily with the 2026 high-risk requirements.

The proposed Digital Omnibus deferral

In late 2025 the European Commission put forward a Digital Omnibus simplification package that would, among other measures, delay parts of the high-risk regime beyond 2 August 2026. This is a PROPOSAL and is NOT yet adopted law. It would still need to pass through the ordinary EU legislative process, and its scope, conditions and final dates could change or be dropped entirely.

Treat any reported deferral as speculative until it is published in the Official Journal. The legally binding deadlines remain the enacted dates in the table above, and planning to those dates protects you whether or not a deferral is ever adopted.

What SMBs should do now regardless

1. Inventory every AI system you build, buy or embed, and record who supplies it, what it does and where the data comes from.
2. Classify each system against the Act's risk tiers (prohibited, high-risk under Annex III, limited-risk transparency, or minimal) so you know which deadline applies to it.
3. Close the AI-literacy gap now, since Article 4 is already enforceable: give staff who operate AI role-appropriate training and keep a record of it.
4. Confirm none of your current uses fall under the prohibited practices in Article 5, which carry the heaviest penalties of up to EUR 35 million or 7% of worldwide annual turnover.
5. For anything that looks high-risk, start building the technical documentation, risk-management and human-oversight controls well ahead of 2 August 2026, because other breaches still attract fines of up to EUR 15 million or 3% of turnover.
6. Map your AI Act controls once and reuse the evidence for NIST AI RMF and ISO/IEC 42001, so a single classification effort covers all three frameworks.