AI Governance Institute logo
AI Governance Institute

Practical Governance for Enterprise AI

Not sure where to start? Answer 3 questions and get a tailored compliance action plan.

What applies to me? →
Must ComplyRegulationEUHigh riskLimited riskMinimal riskUnacceptable risk

EU AI Act Implementation Timeline Update

Issued by

European Commission

liveEffective 2024-08-01EU-AIA-TLVerified July 2026
Official document →

The EU AI Act enters full applicability on 2 August 2026, with a further extension to 2 August 2028 for high-risk AI systems embedded in regulated products under existing EU sectoral legislation. The regulation applies to providers, deployers, importers, and distributors of AI systems operating in the EU market. It mandates risk classification, transparency obligations, fundamental rights impact assessments, and AI literacy measures across the affected lifecycle.

Applies To

Large enterpriseSMBPublic sectorAI developerAI deployer

Overview

The EU AI Act (Regulation EU 2024/1689) was published in the Official Journal on 12 July 2024 and entered into force on 1 August 2024, initiating a phased applicability schedule. Prohibitions on unacceptable-risk AI practices became applicable on 2 February 2025, and obligations for general-purpose AI (GPAI) models applied from 2 August 2025. Full applicability for the majority of high-risk AI system obligations takes effect on 2 August 2026, representing the primary compliance deadline for most enterprises. A deferred applicability date of 2 August 2028 applies specifically to high-risk AI systems that are safety components or products covered by existing EU product safety and sectoral regulations listed in Annex I. Enforcement is carried out by national market surveillance authorities and, for GPAI models, by the AI Office within the European Commission. Penalties for non-compliance reach up to EUR 35 million or 7% of global annual turnover for violations of prohibited practice provisions, and up to EUR 15 million or 3% for other infringements.

Key Requirements

  • Classify all AI systems by risk tier (unacceptable, high, limited, minimal) and apply the corresponding obligations by 2 August 2026 for most systems, or 2 August 2028 for high-risk systems embedded in Annex I regulated products.
  • Conduct conformity assessments and maintain technical documentation for high-risk AI systems prior to market placement or deployment.
  • Implement fundamental rights impact assessments (FRIAs) before deploying high-risk AI systems in public-sector or publicly funded contexts.
  • Ensure AI literacy training is in place for all staff operating or overseeing AI systems, as required under Article 4.
  • Register high-risk AI systems in the EU-wide AI database maintained by the European Commission before deployment.
  • Non-compliance penalties: up to EUR 35 million or 7% of global turnover for prohibited practices; up to EUR 15 million or 3% for high-risk system violations; up to EUR 7.5 million or 1% for provision of incorrect information.

What Your Organization Must Do

  • Audit all AI systems currently in use and classify each by risk tier against the Act's Annex III criteria and any applicable Annex I sectoral legislation to determine whether the 2026 or 2028 deadline applies.
  • Assign accountability for AI Act compliance to a named officer or cross-functional team and document that governance structure before 2 August 2026.
  • Establish and document conformity assessment procedures, technical documentation templates, and version control processes for all high-risk AI systems in scope of the 2026 deadline.
  • Implement a structured AI literacy programme covering staff who use, oversee, or make decisions informed by AI outputs, and retain records of completion.
  • Update procurement and vendor contracts to require conformity documentation, CE marking where applicable, and audit rights for any high-risk AI system sourced from third-party providers.
  • Initiate a gap analysis specifically for AI systems embedded in Annex I regulated products to determine whether the 2028 extension applies and plan a separate compliance workstream accordingly.

Playbook Guidance

Step-by-step implementation guidance for compliance teams.

Frequently Asked Questions

What is the primary compliance deadline for high-risk AI systems under the EU AI Act?
Most high-risk AI system obligations under the EU AI Act take effect on 2 August 2026. This is the primary deadline for conformity assessments, technical documentation, FRIA completion, and registration in the EU AI database for the majority of in-scope enterprises.
Which high-risk AI systems qualify for the 2028 extended deadline under the EU AI Act?
The 2 August 2028 deadline applies only to high-risk AI systems that function as safety components or are embedded in products regulated under existing EU sectoral legislation listed in Annex I, such as medical devices or machinery. Organizations must verify Annex I applicability to determine whether the extension covers their specific systems.
When did EU AI Act prohibitions on unacceptable-risk AI practices become enforceable?
Prohibitions on unacceptable-risk AI practices became applicable on 2 February 2025, six months after the Act entered into force. Organizations deploying any AI systems that could fall into this category, such as social scoring or certain biometric identification uses, should have ceased those practices by that date.
What are the maximum penalties for violating the EU AI Act's prohibited practice provisions?
Non-compliance with prohibited practice provisions carries penalties of up to EUR 35 million or 7% of global annual turnover, whichever is higher. Violations of high-risk system obligations carry penalties up to EUR 15 million or 3%, and supplying incorrect information to authorities carries penalties up to EUR 7.5 million or 1%.
Who enforces the EU AI Act and which body oversees general-purpose AI model compliance?
National market surveillance authorities are responsible for enforcement at the member state level for most AI systems. Compliance for general-purpose AI models is overseen by the AI Office within the European Commission, which has authority across all EU member states for GPAI-related obligations.
Does the EU AI Act's Article 4 AI literacy requirement apply to all companies deploying AI, not just developers?
Yes, Article 4 requires all providers and deployers, not just developers, to ensure staff who operate or oversee AI systems have adequate AI literacy training in place. This obligation applies regardless of company size and should be documented with completion records to demonstrate compliance.