
EU AI Act: Timeline and Deadlines 2024–2027 (as of 2026)

Blck Alpaca
Definition

The EU AI Act timeline phases in the application of Regulation (EU) 2024/1689 over several years: entry into force on 1 August 2024, prohibitions and AI literacy since 2 February 2025, GPAI obligations since 2 August 2025, general application from 2 August 2026, and high-risk obligations staggered through to 2028.

Key Takeaways

  • Regulation (EU) 2024/1689 entered into force on 1 August 2024; its obligations apply in phases, staggered across transition periods through to 2028.
  • Legally binding and already in full force: prohibitions (Art. 5) and AI literacy (Art. 4) since 2 February 2025, GPAI obligations (Art. 51–55) since 2 August 2025.
  • The Digital Omnibus (political agreement of 7 May 2026) postpones most high-risk obligations: Annex III to 2 December 2027, Annex I to 2 August 2028 — provisional, conditional on formal adoption before 2 August 2026.
  • Until the Digital Omnibus is formally published in the Official Journal, the original 2 August 2026 remains the legally binding default date for Art. 26, Art. 27 (FRIA) and Art. 50.
  • Art. 4, Art. 5, the GPAI rules, the penalty regime and the Art. 50 labelling requirements (technical solutions by 2 December 2026) are NOT postponed by the Omnibus.
  • Penalties reach up to EUR 35 million or 7% of worldwide annual turnover (Art. 5); AI literacy breaches up to EUR 7.5 million or 1.5%.

The EU AI Act timeline phases in the application of Regulation (EU) 2024/1689 over several years: entry into force on 1 August 2024, prohibited practices and AI literacy since 2 February 2025, GPAI obligations since 2 August 2025, general application from 2 August 2026, and high-risk obligations staggered through to 2028. For AI-agent projects, the crucial point is to separate binding dates from provisional ones.

  • Already in full force: prohibitions (Art. 5) and AI literacy (Art. 4) since 2 February 2025; GPAI obligations (Art. 51–55) since 2 August 2025 — legally binding, not postponed.
  • Next hard deadline: 2 August 2026 — deployer obligations (Art. 26), fundamental rights impact assessment (Art. 27), transparency (Art. 50) and the full penalty regime.
  • Postponed, but provisional: high-risk obligations under Annex III to 2 December 2027, under Annex I to 2 August 2028 — as of 2026, subject to change through the Digital Omnibus.

Legal basis and entry into force

The EU AI Act is Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence. It was published in the Official Journal on 12 July 2024 and entered into force on 1 August 2024. As a directly applicable regulation, it applies in all EU Member States without national transposition. Entry into force merely started the clock — no immediate obligations arose at that point.

The actual mechanism lies in Art. 113: the AI Act activates its obligations in several waves. It is precisely these staggered AI Act deadlines that make the timeline relevant for decision-makers, because depending on the role (provider, deployer, GPAI provider) and risk class, a different date applies.

The milestone table: AI Act timeline at a glance

The following overview shows each application date under Art. 113, including the adjustments made by the political agreement on the Digital Omnibus of 7 May 2026. Provisional dates are clearly marked.

| Date | What applies | Who it affects |
| --- | --- | --- |
| 1 Aug 2024 | Entry into force of the AI Act | Everyone — clock starts, no obligation yet |
| 2 Feb 2025 | Chapter I (general) + Art. 4 AI literacy + Art. 5 prohibitions | In force — every deployer, regardless of risk class |
| 2 Aug 2025 | Chapter V GPAI (Art. 51–55), governance (AI Office, AI Board), majority of penalty provisions (except Art. 101 GPAI fines) | In force — all agent stacks built on third-party models |
| 2 Feb 2026 | Commission guidelines on high-risk classification (Art. 6(5)) due | Originally due, still outstanding as of May 2026 |
| 2 Aug 2026 | Art. 26 deployer obligations, Art. 27 FRIA, Art. 50 transparency, Art. 73 reporting obligation, full penalty regime (Art. 99/101) | Original date — partly superseded by the Omnibus |
| 2 Dec 2026 | Deadline for technical labelling/watermarking under Art. 50 | Providers of generative content; watermarks must function |
| 2 Aug 2027 | Deadline for GPAI models placed on the market before 2 Aug 2025 (Art. 111(3)) | Legacy GPAI models (grandfathering) |
| 2 Dec 2027 | Annex III high-risk obligations (postponed by Digital Omnibus) | HR screening, credit scoring, biometrics agents — provisional |
| 2 Aug 2028 | Annex I product safety AI (postponed by Digital Omnibus) | Medical device AI, machinery AI — provisional |

Phase 1 (since Feb 2025): prohibitions and AI literacy

Since 2 February 2025, two blocks have applied that affect every deployer — regardless of whether a system qualifies as high-risk at all.

First, the prohibited practices (Art. 5): eight categories that are entirely banned in the EU. Particularly relevant for DACH companies is Art. 5(1)(f) — emotion recognition in the workplace and in educational institutions (with narrow exceptions for medical and safety purposes). An HR analytics agent that infers employees' mood, concentration or stress from video, audio or biometrics is prohibited in the workplace. On 7 May 2026, the Digital Omnibus added a ninth prohibition for AI systems that generate non-consensual intimate content or AI-generated abuse material, with a deadline for market removal by 2 December 2026.

Second, AI literacy (Art. 4): providers and deployers must ensure a sufficient level of AI literacy among their staff. This obligation applies across all risk levels, and therefore also to minimal-risk internal agents. No certificate is required, but documentation of the training programme is expected — it is the basis on which a supervisory authority will assess compliance.

Phase 2 (since Aug 2025): GPAI obligations

Since 2 August 2025, the obligations for providers of general-purpose AI models (Art. 51–55) have applied. They concern the model layer on which practically every modern agent is built. A model qualifies as a GPAI model if it has an indicative training compute of around 10^23 FLOP or more plus language generation capability; it qualifies as GPAI with systemic risk if cumulative training compute exceeds 10^25 FLOP (Art. 51(2)). Fines for GPAI providers (Art. 101) became enforceable on 2 August 2026; legacy models placed on the market before 2 August 2025 have until 2 August 2027 to adapt (Art. 111(3)).

Phase 3 (from Aug 2026): general application and transparency

Under the original timeline, 2 August 2026 is the central cut-off date for deployers. This is when Art. 26 (twelve operational deployer obligations), Art. 27 (fundamental rights impact assessment, FRIA), Art. 50 (transparency) and the full penalty regime take effect. For Art. 50 labelling, a technical transition period applies: watermarks and machine-readable markings must be operational by 2 December 2026 — this deadline was shortened from six to three months by the Omnibus.

Phase 4 (from 2027/2028): high-risk systems — provisional

This is where the distinction between binding and provisional becomes business-critical. Originally, the substantive high-risk obligations were due to take effect on 2 August 2026. The political agreement on the Digital Omnibus of 7 May 2026 postpones them:

  • Annex III (stand-alone high-risk categories such as HR, credit, insurance, critical infrastructure): to 2 December 2027.
  • Annex I (AI as a safety component in regulated products, such as medical devices and machinery): to 2 August 2028.

Importantly, both dates are, as of 2026, subject to change. They apply only if the Omnibus is formally adopted before 2 August 2026. Until formal adoption, the original 2 August 2026 remains the legally binding default date. Equally important: the postponement affects only the substantive high-risk obligations. What is not postponed: Art. 4 (literacy), Art. 5 (prohibitions), the GPAI rules, the Art. 50 labelling requirements (technical solutions by December 2026) and the penalty regime.

Transition periods and sanctions: a worked example

The AI Act transition periods only take full effect through the penalty regime. The three tiers under Art. 99:

| Tier | Maximum penalty | Trigger |
| --- | --- | --- |
| Tier 1 | EUR 35 million or 7% of worldwide annual turnover | Breach of Art. 5 (prohibited practices) |
| Tier 2 | EUR 15 million or 3% | Breach of Art. 16 (providers), Art. 25, Art. 26 (deployers), Art. 49 (registration), Art. 50 (transparency), among others |
| Tier 3 | EUR 7.5 million or 1.5% | General breaches incl. Art. 4 (AI literacy) and supplying incorrect information to authorities |

In each case, the higher amount applies. Concrete numerical example: a DACH mid-sized company with EUR 40 million annual turnover and 180 employees (an SME in the EU sense) has, since February 2025, deployed an AI agent without a documented literacy programme. An Art. 4 breach falls into Tier 3 — the percentage value would yield 1.5% of EUR 40 million = EUR 600,000, the absolute value EUR 7.5 million. For companies in general, the higher amount would be decisive, i.e. up to EUR 7.5 million. For SMEs and start-ups, however, the special rule of Art. 99(6) applies: here the lower of the two values applies, i.e. EUR 600,000 in this example. The Digital Omnibus extends this protection (as of 2026, subject to adoption) to small mid-cap companies (SMCs). Since Art. 4 has been binding since February 2025 and is easily verifiable in any routine inspection, this is the most likely real sanction risk for mid-sized companies.

For agencies and B2B decision-makers

The message for the roadmap is clear: do not wait for the Digital Omnibus. The postponement concerns only the substantive high-risk obligations and only takes effect after formal adoption. As long as this is outstanding, 2 August 2026 remains binding. Practitioners unanimously advise against reading the postponement as an invitation to pause. Marketing agencies and B2B teams should implement two things now: a documented AI literacy programme (Art. 4, due since February 2025) and an inventory of all customer-facing AI interaction points for Art. 50 transparency. Blck Alpaca supports DACH companies in securing agent stacks against the binding part of the timeline and cleanly separating provisional deadlines from obligations with a fixed cut-off date.

Note: This article is provided for general information purposes and does not constitute legal advice. For a binding assessment of your specific AI use case, please seek qualified legal counsel.

FAQ

Since when does the EU AI Act apply?
Regulation (EU) 2024/1689 was published in the Official Journal on 12 July 2024 and entered into force on 1 August 2024. The first substantive obligations have applied since 2 February 2025 (prohibitions under Art. 5 and AI literacy under Art. 4). The obligations are activated in phases across several transition periods.

Which AI Act deadlines are already legally binding and in force?
Binding and in force are: the prohibited practices (Art. 5) and AI literacy (Art. 4) since 2 February 2025, as well as the GPAI obligations (Art. 51–55), the governance chapter and the majority of the penalty provisions (except Art. 101 GPAI fines) since 2 August 2025. These deadlines are not affected by the Digital Omnibus.

Does the Digital Omnibus postpone the AI Act timeline?
The Digital Omnibus (political agreement of 7 May 2026) postpones only the substantive high-risk obligations: Annex III to 2 December 2027 and Annex I to 2 August 2028. These dates are provisional (as of 2026, subject to change) and only apply once the Omnibus is formally adopted before 2 August 2026. Until then, 2 August 2026 remains binding.

From when do the obligations for high-risk AI systems apply?
Under the original timeline, Annex III obligations applied from 2 August 2026. The Digital Omnibus postpones them to 2 December 2027 (Annex III, stand-alone categories) and 2 August 2028 (Annex I, product safety) respectively. Both dates are provisional as of 2026 and tied to formal adoption of the Omnibus.

How high are the penalties for breaches of the EU AI Act?
The AI Act provides for three tiers (Art. 99): up to EUR 35 million or 7% of worldwide annual turnover for prohibited practices (Art. 5), up to EUR 15 million or 3% for, among others, breaches of deployer and transparency obligations (Art. 26, Art. 50), and up to EUR 7.5 million or 1.5% for general breaches including a lack of AI literacy (Art. 4). In each case, the higher amount applies.

Should companies wait because of the Digital Omnibus before preparing for the AI Act?
No. Practitioners unanimously advise against this. The postponement concerns only the substantive high-risk obligations and only takes effect after formal adoption. AI literacy, prohibitions, GPAI rules, Art. 50 labelling and the penalty regime apply unchanged. Until adoption, 2 August 2026 remains the legally binding date.
