EU AI Act Implementation Tracker 2026-2027: Deadlines, Obligations and the State of Implementation
The EU AI Act Implementation Tracker consolidates the binding implementation deadlines of the AI Regulation (EU 2024/1689) for 2026 and 2027. Key points: Art. 50 transparency obligations from 2 August 2026, technical labelling of generative content by 2 December 2026, Annex III high-risk from 2 December 2027, Annex I product safety AI from 2 August 2028. As of 2026, many dates are provisional.
Key Takeaways
- ✓Art. 50 (transparency for chatbots, voice agents, deepfakes, synthetic content) applies from 2 August 2026; the technical labelling and watermarking must be operational by 2 December 2026 (grace period shortened from six to three months by the Digital Omnibus).
- ✓The Digital Omnibus (political agreement on 7 May 2026) has postponed Annex III high-risk to 2 December 2027 and Annex I product safety AI to 2 August 2028 - but in legal terms this only applies once formally adopted before 2 August 2026.
- ✓Already in force and NOT postponed: Art. 5 (prohibitions) and Art. 4 (AI literacy) since 2 February 2025, GPAI obligations (Art. 51-55) since 2 August 2025; GPAI fines (Art. 101) from 2 August 2026.
- ✓Fines range from EUR 7.5 million / 1.5 per cent (including Art. 4) through EUR 15 million / 3 per cent (Art. 26, Art. 50) up to EUR 35 million / 7 per cent of global annual turnover (Art. 5).
- ✓Living document: All 2027 dates and national implementing laws (KI-MIG in Germany, AT implementing act) are provisional as of 2026 and should be verified each quarter before any decision.
The EU AI Act Implementation Tracker summarises the binding implementation milestones of the AI Regulation (Regulation (EU) 2024/1689) for the years 2026 and 2027. The central anchors: The transparency obligations under Article 50 apply from 2 August 2026, the technical labelling of generative content must be in place by 2 December 2026, and the Annex III high-risk obligations take effect - following the Digital Omnibus - only from 2 December 2027. All information is as of 2026; many dates are provisional.
This article is set up as a living document: As of 2026, the AI Regulation is in the middle of its implementation phase, the so-called Digital Omnibus has postponed several deadlines, and national implementing laws in Germany and Austria are not yet final. We therefore consistently flag what already applies and what is provisional.
Three quick answers for decision-makers
- What is immediately relevant? Art. 50 transparency from 2 August 2026, technical labelling/watermarking by 2 December 2026. Anyone deploying chatbots, voice agents or generative AI in customer-facing settings is affected - regardless of high-risk status.
- What was postponed? Through the Digital Omnibus (political agreement on 7 May 2026), Annex III high-risk slips to 2 December 2027 and Annex I product safety AI to 2 August 2028. This only becomes legally effective once formally adopted before 2 August 2026.
- What remains unaffected? Prohibitions (Art. 5) and AI literacy (Art. 4) since 2 February 2025, GPAI obligations since 2 August 2025, the entire fines regime. The postponement is no licence to defer AI governance.
The Implementation Tracker: date, obligation, status
The following table maps the central milestones of AI Regulation implementation for the 2026-2028 period. The status reflects the position in 2026 following the political agreement on the Digital Omnibus. Provisional dates are explicitly marked.
Date | Obligation / milestone | Status (as of 2026) |
|---|---|---|
2 Feb 2025 | Art. 5 prohibitions + Art. 4 AI literacy | In force |
2 Aug 2025 | GPAI obligations (Art. 51-55), governance chapter (AI Office, AI Board), majority of the penalty provisions | In force |
2 Feb 2026 | Commission guidelines on high-risk classification (Art. 6(5)) due | Overdue / still outstanding |
2 Aug 2026 | Art. 50 transparency, Art. 26 deployer obligations, Art. 27 FRIA, Art. 73 reporting obligation, full fines regime, GPAI fines (Art. 101) | Date of application; partially overlaid by the Omnibus |
2 Dec 2026 | Art. 50 technical labelling / watermarking (grace period shortened to 3 months); market withdrawal of NCII/CSAM tools (9th prohibition) | Provisional (Omnibus-dependent) |
2 Aug 2027 | Compliance deadline for GPAI models placed on the market before 2 Aug 2025 (Art. 111(3)); AI regulatory sandboxes to be established | Provisional |
2 Dec 2027 | Annex III high-risk obligations (postponed from 2 Aug 2026) | Provisional (Omnibus-dependent) |
2 Aug 2028 | Annex I product safety AI (postponed from 2 Aug 2027) | Provisional (Omnibus-dependent) |
A note on interpretation: As long as the Digital Omnibus has not been formally adopted (the European Parliament and the Council have committed to adoption before 2 August 2026), the original dates - in particular 2 August 2026 for Annex III - remain the statutory default. For any compliance roadmap, this is a critical safeguard.
What the Digital Omnibus changes - and what it does not
The political agreement of 7 May 2026 is the most important implementation event of the year. It postpones the majority of the substantive high-risk obligations:
- Annex III (stand-alone high-risk systems) - for example AI in HR (CV screening, performance evaluation), creditworthiness assessment, insurance pricing, education, critical infrastructure - from 2 August 2026 to 2 December 2027.
- Annex I (AI as a safety component of regulated products) - medical devices, machinery, lifts - from 2 August 2027 to 2 August 2028. In addition, the Omnibus narrows the definition of "safety component".
- AI regulatory sandboxes: national authorities must establish these by 2 August 2027 (postponed from 2 August 2026).
Equally important is what the Omnibus expressly does not touch: Art. 4 (AI literacy), Art. 5 (prohibitions), the GPAI rules (Art. 51-55), the Art. 50 transparency (only the technical grace period was shortened to three months, ending 2 December 2026) as well as the fines regime. Leading law firms consistently warn against reading the postponement as an invitation to pause AI governance. Newly added is a 9th prohibition: AI systems for generating non-consensual intimate content and AI-generated child sexual abuse material ("nudification apps") must be removed from the EU market by 2 December 2026.
Art. 50: the transparency obligations in detail
For most DACH companies - and in particular for marketing agencies - Art. 50 is the operationally most relevant deadline in 2026, because it takes effect regardless of high-risk status. The Regulation sets out four obligations:
Article | Trigger | Addressee | Obligation |
|---|---|---|---|
50(1) | AI system interacts directly with humans | Provider | Disclosure that AI is being interacted with (unless obvious) |
50(2) | Generation of synthetic audio, image, video or text content | Provider | Machine-readable labelling as artificially generated |
50(3) | Emotion recognition or biometric categorisation | Deployer | Information to the affected persons |
50(4) | Deepfakes or AI-generated text on matters of public interest | Deployer | Disclosure of AI generation (exception where editorial control applies) |
In practical terms this means: Anyone operating a chatbot or voice agent must ensure AI disclosure (the "obvious from the context" exception is interpreted narrowly - a human-sounding voice must disclose itself). Anyone serving generative content needs machine-readable labelling. For deepfake-style product or influencer videos, the deployer disclosure applies in full.
GPAI obligations: already live
The obligations for general-purpose AI models (Art. 51-55) apply since 2 August 2025 and concern the model layer underneath practically every agent stack. Key dates: The GPAI fines (Art. 101, up to EUR 15 million or 3 per cent) become enforceable from 2 August 2026 - this date was expressly confirmed unchanged by the Omnibus. Legacy models placed on the market before 2 August 2025 (such as GPT-4 class) have until 2 August 2027 to become fully compliant (Art. 111(3)).
The distinction between GPAI and GPAI-with-systemic-risk is based on compute: from 10 to the power of 25 FLOP of cumulative training effort, systemic risk is presumed (Art. 51(2)). Signing the GPAI Code of Practice (10 July 2025) creates a presumption of compliance - and, under Art. 99(7), is a direct mitigating factor in fine proceedings.
A concrete practical example: voice agent in customer service
A DACH mid-sized company is planning a voice agent for its inbound service hotline for October 2026. Which deadlines are binding?
- Art. 50(1) from 2 August 2026: The agent must identify itself as AI at the start of the conversation. Disclosure is already mandatory at go-live in October 2026.
- Art. 4 since 2 February 2025: The staff entrusted with the system need a documented AI literacy programme. Breach risk: up to EUR 7.5 million or 1.5 per cent.
- Art. 26(7) - co-determination: Before deployment, the works council (Germany, including under Section 87(1) no. 6 BetrVG) or the staff representation (Austria) must be informed and consulted. This typically adds 3-6 months to the rollout timeline.
- High-risk assessment: As long as the agent performs pure triage/routing and makes no decisions about access to essential services, it remains outside Annex III. If it accesses HR or credit data, it can tip into Annex III(4) or III(5) - in which case the full high-risk regime would apply from 2 December 2027.
In calculation terms, the most critical deadline is therefore not 2027 but 2 August 2026 for transparency, plus the parallel co-determination process, which - for an October go-live - must be initiated by spring 2026 at the latest.
National implementation in DACH (as of 2026, provisional)
- Germany: The AI Market Surveillance and Innovation Promotion Act (KI-MIG) is available as a cabinet draft dated 11 February 2026; the parliamentary procedure is ongoing. The Federal Network Agency (BNetzA) is envisaged as the central market surveillance authority and SPoC, with DAkkS as the notifying body. Enactment is expected for H2 2026.
- Austria: The AI Service Centre (KI-Servicestelle) at RTR/KommAustria has so far been advisory/coordinating; a dedicated implementing act is in preparation, and the authority designation under Art. 70 was still incomplete in early 2026. The FMA provides sectoral support for the financial sector.
- Switzerland: No direct AI Act fine; FINMA (Guidance 08/2024) and Swissmedic remain sectorally competent, with the NCSC responsible for cyber incident reporting. An implementing law for the Council of Europe AI Convention is due to go into consultation by the end of 2026. Under Art. 2(1)(c), Swiss companies whose AI outputs are used in the EU are covered.
Note: This editorial assessment does not replace legal advice. In particular, all 2027 dates, the Digital Omnibus and the national implementing laws are provisional as of 2026 and should be verified each quarter before any decision.
For agencies and B2B: operationalise compliance now
For marketing agencies, the most immediate obligation moves forward: Anyone building chatbots, voice agents or generative campaign assets for clients shares the transparency responsibility from 2 August 2026 and the labelling responsibility from 2 December 2026 - and in the white-label model, the "rebranding" trap of Art. 25 can trigger the full provider role. For B2B decision-makers, the rule is: the postponed high-risk deadlines are no reason to sound the all-clear, but a planning window. At Blck Alpaca, we support DACH companies in inventorying their agent estate, mapping deadlines per system, and setting up transparency, labelling and co-determination processes in good time. Talk to us for a structured compliance check before the 2026 deadlines become binding.
FAQ
From when do the transparency obligations under Article 50 apply?
Were the high-risk deadlines postponed by the Digital Omnibus?
Which obligations already apply and were not postponed?
How high are the fines for breaches?
Who is the competent authority in Germany and Austria?
Does this tracker replace legal advice?
Want to go deeper?
Get new analyses straight to your inbox – or see how we put this knowledge to work for companies.