AI Governance Institute logo
AI Governance Institute

Practical Governance for Enterprise AI

Not sure where to start? Answer 3 questions and get a tailored compliance action plan.

What applies to me? →
Must ComplyRegulationEUHigh riskLimited riskMinimal riskUnacceptable risk

EU Artificial Intelligence Act Implementation Timeline Update

Issued by

European Commission

liveEffective 2026-08-02EU-AIA-TLVerified July 2026
Official document →

The EU AI Act entered full applicability on August 2, 2026, establishing binding obligations across risk tiers for AI systems placed on or used in the EU market. Certain high-risk AI systems embedded in regulated products benefit from an extended transition period until August 2, 2028, and specific high-risk application areas face a compliance deadline of December 2, 2027. The update also clarifies obligations for general-purpose AI (GPAI) model providers and revises the phased timeline affecting enterprise governance programs.

Applies To

Large enterpriseSMBPublic sectorAI developerAI deployer

Overview

The EU AI Act (Regulation (EU) 2024/1689) is the European Union's comprehensive binding regulation on artificial intelligence, establishing a risk-based compliance framework that applies to developers, deployers, and importers of AI systems operating in EU markets. The Act entered into full force on August 1, 2024, with a phased applicability schedule: prohibitions on unacceptable-risk AI applied from February 2, 2025; GPAI model obligations applied from August 2, 2025; and the Act became fully applicable on August 2, 2026. High-risk AI systems that are safety components of, or themselves constitute, products covered by existing EU product safety legislation (Annex I) benefit from a further transition period running to August 2, 2028, while high-risk AI systems listed under Annex III in specific sectors must comply by December 2, 2027. Enforcement is delegated to national market surveillance and competent authorities in each EU member state, with the European AI Office overseeing GPAI model compliance at the EU level. Penalties for non-compliance can reach EUR 35 million or 7 percent of global annual turnover for violations involving prohibited AI practices, EUR 15 million or 3 percent for other breaches, and EUR 7.5 million or 1.5 percent for providing incorrect information.

Key Requirements

  • Prohibitions on unacceptable-risk AI systems (e.g., social scoring, real-time remote biometric identification in public spaces with narrow exceptions) have been enforceable since February 2, 2025.
  • Providers of GPAI models must comply with transparency, documentation, and copyright policy obligations as of August 2, 2025; providers of GPAI models with systemic risk face additional adversarial testing and incident reporting duties.
  • High-risk AI systems under Annex III (e.g., biometric identification, critical infrastructure, employment, education, law enforcement uses) must meet full conformity assessment, registration, and post-market monitoring requirements by December 2, 2027.
  • High-risk AI systems that are safety components of or constitute products under Annex I product legislation (e.g., machinery, medical devices) must achieve full compliance by August 2, 2028.
  • Non-compliance penalties are tiered: up to EUR 35 million or 7% of global turnover for prohibited AI violations; up to EUR 15 million or 3% for other substantive breaches; up to EUR 7.5 million or 1.5% for information-related violations.
  • Organizations deploying high-risk AI systems must register those systems in the EU AI Act public database prior to market placement, unless specific exemptions apply.

What Your Organization Must Do

  • Audit all AI systems currently in use or under procurement and classify each by the Act's risk tier, distinguishing between Annex I product-embedded systems and Annex III application-area systems to assign the correct compliance deadline.
  • Establish a GPAI model inventory if the organization uses or deploys foundation or large language models, and verify that provider contracts include required transparency documentation and copyright policy representations effective August 2025.
  • Map high-risk AI systems subject to the December 2, 2027 deadline and initiate conformity assessment procedures, technical documentation, and EU database registration now to allow adequate lead time.
  • For AI embedded in regulated products (Annex I), coordinate with product compliance and engineering teams to schedule conformity assessments within the August 2, 2028 extended window, treating 2027 as an internal target to absorb delays.
  • Update third-party and vendor contracts to require suppliers to provide conformity documentation, declarations of conformity, and notification of material changes for any AI system supplied to the organization.
  • Designate an EU AI Act compliance owner or responsible AI function with authority to coordinate across legal, procurement, product, and data science teams, and establish an internal incident reporting procedure aligned with GPAI systemic risk and high-risk post-market monitoring obligations.