The Four Phases of the EU AI Act Timeline
In short
The EU AI Act rolls out in four mandatory phases between August 2024 and August 2027, each activating a new layer of obligations based on AI risk category.
The EU AI Act was published in the Official Journal of the EU on 12 July 2024 and entered into force on 1 August 2024 — 20 days after publication, as required by Regulation (EU) 2024/1689.
Entry into force is not the same as application. Most substantive obligations apply on a staggered schedule running through 2027.
The Four Implementation Phases at a Glance
- Phase 1 — 1 Aug 2024 (0 months): Act enters into force. EU AI Office established. No substantive provider or deployer obligations yet.
- Phase 2 — 2 Feb 2025 (6 months): Article 5 prohibited AI practices become enforceable for all providers and deployers operating in the EU.
- Phase 3 — 2 Aug 2025 (12 months): Chapter V GPAI model obligations apply. National competent authorities must be designated. AI Office fully operational. Codes of practice for GPAI published.
- Phase 4 — 2 Aug 2026 (24 months): Core high-risk AI obligations under Annexes III and IV apply. Conformity assessments, registration, transparency, and human oversight requirements activated.
- Extended deadline — 2 Aug 2027 (36 months): AI embedded in products subject to existing EU product safety law (e.g. medical devices, machinery) gets a final 12-month extension.
According to the European Parliament EPRS implementation brief (2025), the staggered structure was deliberately designed to give organisations time to build compliance infrastructure before the most demanding obligations activate.
The European Commission's AI Act Service Desk maintains a live timeline page confirming each phase's activation dates.
Master Implementation Timeline
| Phase | Date | What Applies | Who Is Affected |
|---|---|---|---|
| 1 — Entry into force | 1 Aug 2024 | Act effective; EU AI Office established | All actors |
| 2 — Prohibited practices | 2 Feb 2025 | Article 5 bans on unacceptable-risk AI | All providers & deployers in EU |
| 3 — GPAI obligations | 2 Aug 2025 | Chapter V transparency & systemic-risk rules; national authority designation | GPAI model providers |
| 4 — High-risk (Annex III) | 2 Aug 2026 | Conformity assessments, registration, monitoring, human oversight | High-risk AI providers & deployers |
| 4b — High-risk (Annex IV / product safety) | 2 Aug 2027 | AI in regulated products (medical devices, machinery) | Product manufacturers & importers |
| Full enforcement active | 2 Aug 2026 onward | All penalties active across all tiers | All in-scope entities |
📌 Entry into Force ≠ Application
The Act 'entered into force' on 1 August 2024 but most obligations only 'apply' from 2025–2027. These are legally distinct concepts under EU law — violation penalties only attach once an obligation's application date has passed.
Entry into Force vs. Application: Why the Distinction Matters
Under EU law, 'entry into force' means a regulation is legally valid and exists on the statute books. 'Application' means obligations are actively enforceable and penalties can attach for non-compliance.
For the EU AI Act, entry into force occurred on 1 August 2024 but the general application date is 2 August 2026. This matters immediately: auditors, investors, and procurement teams are already asking about compliance posture — the correct answer depends entirely on which phase's obligations are currently in application.
As noted in the EPRS 2025 implementation brief, organisations must track both the entry-into-force date and each phase's individual application date when building compliance roadmaps.
Phase 2 Deadline: Prohibited AI Practices (2 February 2025)
In short
From 2 February 2025, eight categories of AI practices are banned outright in the EU under Article 5. Any system deploying these practices is illegal regardless of use case.
2 February 2025 was the first major enforcement deadline — exactly six months after the Act entered into force. Article 5 of Regulation (EU) 2024/1689 lists AI practices banned outright as incompatible with EU fundamental rights.
These are not future obligations. They have been enforceable since February 2025, and any organisation currently deploying a matching system is in active violation.
⚠️ Already Enforceable Since February 2025
These bans are not future obligations — they have been enforceable since 2 February 2025. Organisations deploying any system matching these categories are currently in violation and subject to the highest penalty tier.
The Eight Prohibited AI Practices Under Article 5
- 1. Subliminal or manipulative techniques: AI systems that use techniques below conscious awareness to distort a person's behaviour in ways that cause harm.
- 2. Exploitation of vulnerabilities: AI that exploits vulnerabilities related to age, disability, or social or economic situation to distort behaviour harmfully.
- 3. Social scoring by public authorities: AI used by public bodies to evaluate or classify individuals based on social behaviour, leading to detrimental or discriminatory treatment.
- 4. Real-time remote biometric identification in public spaces: Law enforcement use of live biometric identification in publicly accessible spaces — with narrow judicial-authorisation exceptions only.
- 5. Retrospective biometric identification databases: AI systems used to compile facial recognition databases by scraping images from the internet or CCTV footage indiscriminately.
- 6. Emotion recognition in workplaces and education: AI that infers emotional states of individuals in workplace or educational institution contexts.
- 7. Biometric categorisation to infer sensitive attributes: AI that categorises individuals by race, political opinion, trade union membership, religious beliefs, or sexual orientation based on biometric data.
- 8. Predictive policing based solely on profiling: AI that assesses individual risk of criminal offending based purely on profiling, without any objective and verifiable facts pointing to criminal activity.
The narrow exceptions for real-time biometric surveillance — such as searches for missing persons or prevention of imminent terrorist attacks — require prior judicial authorisation in all cases, per Article 5(2) of the Official Journal text.
Prohibited Practice Penalties
| Prohibited Practice | Description | Penalty Tier |
|---|---|---|
| Subliminal manipulation | Techniques below conscious awareness that distort behaviour and cause harm | Up to €35M or 7% global turnover |
| Vulnerability exploitation | Targeting age, disability, or socioeconomic vulnerability to distort decisions | Up to €35M or 7% global turnover |
| Social scoring (public authorities) | Evaluating individuals based on social behaviour with detrimental consequences | Up to €35M or 7% global turnover |
| Real-time biometric ID in public | Live facial recognition by law enforcement in publicly accessible spaces | Up to €35M or 7% global turnover |
| Retrospective biometric databases | Scraping internet or CCTV images to build facial recognition databases | Up to €35M or 7% global turnover |
| Emotion recognition (workplace/education) | Inferring emotional states of employees or students in institutional settings | Up to €35M or 7% global turnover |
| Sensitive attribute categorisation | Inferring race, political opinion, religion, or sexual orientation from biometrics | Up to €35M or 7% global turnover |
| Predictive policing by profiling | Assessing criminal risk based solely on profiling without verifiable facts | Up to €35M or 7% global turnover |
At Alice Labs, across our work advising 100+ enterprise AI implementations, the prohibited practices review is the first step in every EU AI Act compliance checklist we run. Most enterprise AI systems are not in these categories — but some HR and security AI tools warrant close scrutiny under points 6 and 8.
Phase 3 Deadline: GPAI Model Obligations (2 August 2025)
In short
From 2 August 2025, providers of General Purpose AI models must comply with Chapter V transparency obligations, and those with systemic risk face additional requirements.
The 12-month mark — 2 August 2025 — activates obligations for General Purpose AI (GPAI) model providers under Chapter V of the EU AI Act. GPAI models are AI models trained on large volumes of data, capable of performing a wide range of tasks, and made available to other businesses to build upon.
GPT-4, Claude, Gemini, and Mistral are canonical examples. The rules apply to providers placing these models on the EU market regardless of where the provider is established.
Two Tiers of GPAI Obligation
The Act creates two tiers of GPAI obligation based on training compute, as clarified by the IAPP EU AI Act implementation guide (2024).
- All GPAI models: Must provide technical documentation, comply with EU copyright law, and publish a summary of training data.
- GPAI models with systemic risk (trained on more than 10²⁵ FLOPs): Must additionally conduct model evaluations, adversarial testing, report serious incidents to the EU AI Office, ensure cybersecurity protections, and report energy consumption.
What Must Happen by 2 August 2025
- National competent authorities designated: Each EU member state must have appointed its national supervisory authority for AI Act enforcement.
- EU AI Office fully operational: The Office, established within the European Commission, takes primary supervisory responsibility for GPAI models.
- Codes of practice published: Industry codes of practice for GPAI models, developed with stakeholder input, should be published and available for voluntary adoption.
- GPAI provider compliance active: All GPAI model providers must be in compliance with Chapter V obligations from this date.
According to the EPRS 2025 brief, the GPAI obligations represent the most novel element of the Act — no prior EU legislation directly regulated foundation model providers at the model level.
For organisations building enterprise applications on top of GPAI models (deployers rather than providers), the Phase 3 obligations primarily attach to your model vendor. However, you retain obligations under your own system's risk classification — which activates fully in Phase 4.
📌 GPAI Deployers vs. Providers
If your organisation uses a GPAI model via API to build a product, you are a deployer — not a GPAI provider. Phase 3 obligations sit with your model vendor. Your own obligations depend on how your application is classified under the risk tiers.
Phase 4 Deadline: High-Risk AI Obligations (2 August 2026)
In short
From 2 August 2026, providers and deployers of high-risk AI systems under Annexes III and IV must comply with conformity assessments, registration, transparency, and human oversight requirements.
2 August 2026 is the most consequential date for the majority of European enterprises. It activates the full suite of high-risk AI obligations — the core of the EU AI Act's compliance framework.
High-risk AI is defined by reference to Annex III (areas of use) and Annex IV (products under EU product safety legislation). The Annex III list covers eight critical sectors.
Annex III: High-Risk AI Sectors
- 1. Biometric identification and categorisation (not already prohibited under Article 5)
- 2. Critical infrastructure — water, gas, heating, electricity, road traffic, and digital infrastructure
- 3. Education and vocational training — access determination, grading, and proctoring systems
- 4. Employment and workers management — recruitment, CV screening, promotion decisions, task allocation, and performance monitoring
- 5. Access to essential private and public services — credit scoring, insurance risk assessment, emergency dispatch
- 6. Law enforcement — AI used by police and justice authorities for individual risk assessment and crime analysis
- 7. Migration, asylum, and border control — security risk profiling, document verification, application processing
- 8. Administration of justice and democratic processes — AI assisting courts and in electoral contexts
What High-Risk AI Providers Must Do by 2 Aug 2026
| Obligation | Who It Applies To | Key Requirement |
|---|---|---|
| Risk management system | Providers | Documented, continuous risk identification and mitigation process |
| Data governance | Providers | Training data quality, relevance, and bias mitigation practices documented |
| Technical documentation | Providers | Comprehensive technical file per Annex IV requirements |
| Record-keeping & logging | Providers & deployers | Automatic logs of system operation for post-market monitoring |
| Transparency to deployers | Providers | Instructions for use with capabilities, limitations, and risk information |
| Human oversight | Providers & deployers | Technical measures enabling human intervention and override |
| Accuracy, robustness & cybersecurity | Providers | Documented performance benchmarks and security architecture |
| Conformity assessment | Providers | Internal or third-party assessment before market placement |
| EU database registration | Providers & deployers (public sector) | Registration in the EU's public AI systems database before deployment |
| Post-market monitoring | Providers | Ongoing system performance monitoring and serious incident reporting |
In our experience across 100+ enterprise AI implementations at Alice Labs, the conformity assessment and technical documentation requirements are the longest-lead-time obligations. Organisations that have not started documentation by Q3 2025 are unlikely to be compliant by August 2026.
For a structured approach to meeting these requirements, our EU AI Act compliance checklist and EU AI Act compliance guide walk through each obligation with implementation steps.
Penalty Structure for High-Risk Violations
The EU AI Act establishes three fine tiers under Article 99, as published in the Official Journal.
- Tier 1 — Prohibited practices (Article 5): Up to €35 million or 7% of total worldwide annual turnover, whichever is higher.
- Tier 2 — Other obligations violations: Up to €15 million or 3% of total worldwide annual turnover, whichever is higher.
- Tier 3 — Provision of incorrect information: Up to €7.5 million or 1.5% of total worldwide annual turnover, whichever is higher.
Ready to accelerate your AI journey?
Book a free 30-minute consultation with our AI strategists.
Book ConsultationFinal Deadline: AI in Regulated Products (2 August 2027)
In short
AI systems embedded in products already governed by EU product safety law — including medical devices, machinery, and automotive systems — have until 2 August 2027 to comply.
The 36-month deadline on 2 August 2027 is the final hard compliance date in the EU AI Act timeline. It applies specifically to AI systems that are safety components of, or themselves constitute, products covered by existing EU harmonisation legislation.
These products were already subject to regulatory compliance processes. The extra 12 months acknowledges that integrating AI Act obligations into established product certification workflows takes additional time.
Which Product Categories Get the Extension
- Medical devices and in vitro diagnostic devices — covered by Regulations (EU) 2017/745 and 2017/746
- Machinery — covered by the Machinery Regulation (EU) 2023/1230
- Radio equipment — covered by the Radio Equipment Directive 2014/53/EU
- Recreational craft and personal watercraft
- Civil aviation — already subject to EASA regulation
- Agricultural tractors and forestry vehicles
- Motor vehicles — type-approval regulation
According to ComplyOne's EU AI Act timeline analysis (May 2026), manufacturers of AI-enabled medical devices in particular face complex dual compliance: both the Medical Device Regulation and the AI Act require conformity assessments, and aligning these timelines is a significant operational challenge.
What Is Not Extended to 2027
The 2027 extension applies only to AI in products under existing EU product safety legislation. It does not extend prohibited practice obligations (2 Feb 2025) or GPAI rules (2 Aug 2025). If a regulated-product AI system also involves a prohibited practice, the Article 5 prohibition applies from February 2025 regardless.
📌 2027 Extension Is Sector-Specific
The August 2027 deadline applies only to AI systems that are safety components of products already regulated under specific EU harmonisation legislation. Standalone high-risk AI applications — including HR tools, credit scoring, and educational assessment — must comply by 2 August 2026, with no extension available.
What the EU AI Act Timeline Means for Your Compliance Planning
In short
With high-risk obligations applying from 2 August 2026, organisations need 12–18 months of lead time to complete risk classification, technical documentation, conformity assessments, and governance infrastructure.
The phased timeline is not a grace period — it is a structured runway. Each phase builds on the previous one, and organisations that treat early deadlines as distant still have near-term obligations to act on.
Based on our work supporting enterprise AI strategy and governance across 100+ implementations, the following sequencing is realistic for most organisations.
Recommended Compliance Sequencing by Quarter
| Period | Priority Actions | Phase Trigger |
|---|---|---|
| Now (2025) | Complete AI system inventory; screen all systems for Article 5 prohibited practices; assign risk classifications | Phase 2 already active |
| Q3–Q4 2025 | Verify GPAI model vendor compliance; begin technical documentation for high-risk systems; appoint AI governance lead | Phase 3 active from Aug 2025 |
| Q1 2026 | Complete conformity assessments; implement human oversight mechanisms; establish post-market monitoring processes | Prepare for Phase 4 |
| Q2 2026 | Register high-risk AI systems in EU database; finalise deployer transparency obligations; conduct staff training | Final preparation |
| 2 Aug 2026 | Full compliance required for all Annex III high-risk AI systems | Phase 4 enforcement active |
Building an AI Governance Infrastructure
The EU AI Act compliance timeline overlaps directly with the broader AI governance infrastructure most organisations need regardless of regulation. Governance frameworks, risk registers, and model documentation are foundational requirements that serve compliance and strategic risk management simultaneously.
Organisations with no existing AI governance structure face a longer runway. Our AI implementation roadmap framework typically requires 6–9 months to establish baseline governance before compliance documentation can begin in earnest.
The enforcement structure is also worth noting for supply chain implications. If you procure AI systems from third-party vendors, you have deployer obligations under the Act — and you need contractual assurances that your vendors are meeting their provider obligations on the same timeline.
Frequently Asked Questions: EU AI Act Timeline
In short
Key questions about EU AI Act deadlines, scope, penalties, and compliance obligations — answered directly.
When did the EU AI Act enter into force?
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024, exactly 20 days after it was published in the Official Journal of the EU on 12 July 2024. Entry into force means the regulation is legally valid — most obligations apply on later staggered dates.
When did the EU AI Act prohibited practices ban come into effect?
The Article 5 prohibited AI practices ban became enforceable on 2 February 2025 — six months after entry into force. These bans are already active. Any organisation currently deploying a prohibited AI system is in violation and subject to fines up to €35 million or 7% of global annual turnover.
When do GPAI model obligations apply under the EU AI Act?
General Purpose AI (GPAI) model obligations under Chapter V apply from 2 August 2025 — 12 months after the Act entered into force. This covers all GPAI providers placing models on the EU market, with additional systemic-risk requirements for models trained on more than 10²⁵ FLOPs.
When do high-risk AI obligations apply?
High-risk AI system obligations under Annex III apply from 2 August 2026. AI embedded in products already regulated under EU product safety legislation (Annex IV) has until 2 August 2027. These are the core compliance deadlines for most enterprise AI providers and deployers.
What counts as a 'high-risk' AI system under the EU AI Act?
High-risk AI systems are those listed in Annex III of Regulation (EU) 2024/1689. The eight categories include: biometric identification, critical infrastructure AI, educational assessment, employment and HR AI, financial services risk scoring, law enforcement tools, migration and border control AI, and administration of justice AI. A safety self-assessment exemption applies to some systems that pose genuinely minimal risk despite falling within a listed category.
What are the maximum fines under the EU AI Act?
The EU AI Act has three fine tiers under Article 99. Prohibited practice violations: up to €35 million or 7% of global annual turnover. Other obligation violations: up to €15 million or 3%. Providing incorrect information to authorities: up to €7.5 million or 1.5%. The higher amount applies in each case.
Does the EU AI Act apply to companies outside the EU?
Yes. The EU AI Act applies to any provider placing AI systems on the EU market or putting them into service in the EU, regardless of where the provider is established. It also applies to AI deployers established in the EU, and to providers and deployers outside the EU where the output of their AI system is used in the EU. This extraterritorial scope mirrors the GDPR model.
What is the EU AI Office and when was it established?
The EU AI Office is a body within the European Commission responsible for overseeing the implementation of the EU AI Act, with specific supervisory authority over GPAI model providers. It was established following the Act's entry into force on 1 August 2024 and became fully operational during the 12-month Phase 3 window leading up to August 2025.
About the Authors & Reviewers

Co-Founder, Alice Labs
Co-Founder at Alice Labs. Builds AI automation, agent workflows and integration systems that hold up in real business operations.
- AI automation & agent systems lead
- Workflow design across 100+ deployments
- Specialist in RAG, integrations & APIs

Co-Founder, Alice Labs
Co-Founder at Alice Labs. Author of 7 research reports on AI adoption, governance and labor markets cited across EU, OECD and US benchmarks.
- 8+ years in AI strategy & implementation
- Top-5 AI Speaker, Sweden (Mindley 2025)
- 100+ enterprise AI engagements
Frequently Asked Questions
When did the EU AI Act enter into force?
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024, 20 days after publication in the Official Journal of the EU on 12 July 2024.
When did the EU AI Act prohibited practices ban come into effect?
The Article 5 prohibited AI practices ban became enforceable on 2 February 2025, six months after entry into force. These bans are currently active.
When do GPAI model obligations apply under the EU AI Act?
General Purpose AI (GPAI) model obligations under Chapter V apply from 2 August 2025, 12 months after entry into force.
When do high-risk AI obligations apply?
High-risk AI system obligations under Annex III apply from 2 August 2026. AI in regulated products (Annex IV) has until 2 August 2027.
What are the maximum fines under the EU AI Act?
Prohibited practice violations: up to €35M or 7% of global turnover. Other violations: up to €15M or 3%. Incorrect information: up to €7.5M or 1.5%.
Does the EU AI Act apply to companies outside the EU?
Yes. The Act applies to any provider placing AI on the EU market regardless of establishment location, mirroring the GDPR extraterritorial model.
What is the EU AI Office?
The EU AI Office is a European Commission body overseeing AI Act implementation and supervising GPAI model providers. It was established after the Act entered into force on 1 August 2024.
What counts as a high-risk AI system under the EU AI Act?
High-risk AI systems are listed in Annex III and include: biometric ID, critical infrastructure AI, educational assessment, HR/recruitment AI, credit scoring, law enforcement tools, border control AI, and judicial AI.
EU AI Act for Financial Services: What Banks & Insurers Must Do
Next in AI Governance & ComplianceEU AI Act Risk Categories: Unacceptable, High & Limited Risk
Further reading
- Regulation (EU) 2024/1689· eur-lex.europa.eu
- European Commission AI Act Service Desk timeline· ai-act-service-desk.ec.europa.eu
- EPRS AI Act implementation brief (2025)· europarl.europa.eu
- IAPP EU AI Act implementation guide· iapp.org
- ComplyOne EU AI Act timeline· complyone.io
Related services
Related reading
EU AI Act Compliance Checklist 2026: 10-Step Guide
Learn more about eu ai act compliance checklist 2026: 10-step guide.
howtoEU AI Act Compliance Guide: Step-by-Step for Enterprises
Learn more about eu ai act compliance guide: step-by-step for enterprises.
glossaryWhat Is AI Governance? Frameworks & Compliance (2026)
Learn more about what is ai governance? frameworks & compliance (2026).
howtoEnterprise AI Strategy: 6-Step Framework for 2026
Learn more about enterprise ai strategy: 6-step framework for 2026.
howtoAI Implementation Roadmap: From Pilot to Production
Learn more about ai implementation roadmap: from pilot to production.
Sources
- Official Journal of the EU — Regulation (EU) 2024/1689
- European Commission AI Act Service Desk — Implementation Timeline
- European Parliament EPRS — AI Act Implementation Timeline Brief (EPRS_ATA(2025)772906)
- IAPP — EU AI Act: Next Steps for Implementation
- ComplyOne — EU AI Act Implementation Timeline
Next scheduled review: