The EU AI Act is in force — but many deadlines are already running

The EU AI Act entered into force on 2 August 2024. What that means in practice, however, is still unclear to many organisations — because the regulation does not become applicable all at once. It rolls out in successive waves. Not everything applied immediately. Some provisions have been in effect since February 2025. And the most consequential deadline arrives in August 2026.

This article provides a practical overview of the key dates and explains what applies when — so you can prepare in time rather than react under pressure.

The five key milestones

1. February 2025: The first prohibitions apply

Since 2 February 2025, the prohibitions on certain AI practices have been in force (Chapters I and II of the regulation). These concern AI systems that pose an unacceptable level of risk: social scoring by public authorities, manipulative AI that exploits the vulnerabilities of individuals, or real-time biometric surveillance in publicly accessible spaces.

For most private-sector organisations, these prohibitions are not directly relevant. But they establish something important: the EU AI Act is no longer a theoretical framework. Violations of these provisions can already be sanctioned today.

2. August 2025: General-Purpose AI models and governance

Since August 2025, obligations apply to providers of General-Purpose AI (GPAI) models—large language models and similar systems, such as GPT, Claude, or Gemini—offered in Europe. Providers of these models are subject to specific transparency and documentation requirements.
At the same time, the institutional governance structure became operational: national AI authorities began their work, and the European Commission’s AI Office is now active. Codes of Practice for GPAI providers were due to be finalized by May 2025.

For organizations that do not develop their own AI models but use GPAI tools, you are not yet directly addressed at this stage, but the obligations are coming.

3. August 2026: Full application — high-risk AI in focus

From 2 August 2026, the EU AI Act applies in full. This is the decisive deadline for all organisations that deploy or develop AI systems classified as high-risk under Annex III of the regulation.

What counts as high-risk? Systems in the following areas are affected:

• Employment and workforce management (AI-assisted recruiting, performance assessment)
• Access to education and vocational training
• Essential private services (credit scoring, insurance, social benefits)
• Critical infrastructure (energy, water, transport)
• Law enforcement, migration and border management
• Administration of justice and democratic processes

Organisations deploying high-risk AI must be able to demonstrate, by August 2026:

• A complete AI inventory with documented risk classification
• Technical documentation (Art. 11)
• A risk management system (Art. 9)
• Data governance practices and data quality documentation (Art. 10)
• Transparency and explainability obligations towards users (Art. 13)
• Verifiable human oversight (Art. 14)
• Accuracy, robustness and cybersecurity (Art. 15)
• A declaration of conformity and — where required — CE marking (Art. 48, 49)

What many organizations underestimate: The EU AI Act does not only apply to AI developers. Deployers — organizations that use a high-risk system, even if they simply purchased it — carry their own obligations. This applies explicitly to mid-sized companies that use AI for recruitment, credit decisions, or performance evaluations. Buying a compliant product does not make your deployment compliant.

4. August 2027: High-risk AI embedded in regulated products

For AI systems embedded in products already governed by existing EU harmonisation legislation — such as machinery, medical devices, or vehicles — a transitional period applies until 2 August 2027. This is when the classification obligation under Art. 6(1) becomes effective for these product categories.

5. End of 2030: Public authorities and large-scale systems

Public authorities and operators of large-scale governmental infrastructure systems (in areas such as law enforcement or border control) have until the end of 2030 to achieve full compliance. For private-sector organisations, this deadline is generally not relevant.

What does this mean for your organization?

The EU AI Act likely affects you more than you expect — though the scope depends on the risk profile of your AI systems. Three questions worth asking today:

1. Which AI systems are we using — and do we have a complete, documented inventory?
2. Which of these systems fall under the high-risk categories in Annex III of the EU AI Act?
3. Do we have the necessary documentation, governance structures, and human oversight demonstrably in place before August 2026?

If you cannot answer one or more of these questions clearly, now is the right time to change that. Not primarily out of concern about fines — although penalties of up to 3% of global annual turnover are significant. But because documented, auditable AI governance builds trust: with clients, investors, and employees alike. And because organizations that treat responsible AI as a principled stance rather than a compliance checklist retain a structural advantage — before and after the deadline.

For more on what responsible AI governance looks like in practice, see our articles What is Responsible AI? and ISO 42001 in plain language.

Your next step

Use our free EU AI Act Readiness Checklist to get an initial assessment of what steps you need to take. Sign up for our newsletter and stay informed about all relevant developments—practical, concise, and without scaremongering.

Or book a free 30-minute initial consultation to understand where your organisation currently stands.

Valentin José Mayr is the founder and managing director of waveImpact GmbH, a Responsible AI consultancy based in Bremen, Germany. He holds a Doctor of Business Administration (Data Science) and is an IHK-certified AI Compliance Manager.

Last updated: April 2026. This article is for general information purposes only and does not constitute legal advice.

Legal basis: Regulation (EU) 2024/1689 — EU AI Act, Art. 113 (EUR-Lex)