Complete EU AI Act compliance timeline updated for the 2026 Digital Omnibus amendments. Prohibited practices: 2 February 2025. GPAI: 2 August 2025. Annex III standalone: 2 December 2027. Annex I embedded: 2 August 2028.
AI Act compliance timeline: what applies when
The EU AI Act entered into force on 1 August 2024. Application is phased: the prohibited practice bans came first, then GPAI rules, with high-risk AI obligations last. The 2026 Digital Omnibus extended the high-risk deadlines but left everything else unchanged.
Reading the table: "Original date" = what was in the 2024 Act. "New date" = post-omnibus. Where they are the same, no extension was granted.
Already in force — act now
These obligations are not deferred and enforcement is live:
Prohibited practices (Art. 5) — since 2 February 2025. Any AI system that manipulates users subliminally, exploits vulnerabilities, performs social scoring for public authorities, conducts real-time biometric identification in public spaces (with narrow law enforcement exceptions), or generates NCII/CSAM is banned. Fines: up to €35 million or 7% of global annual turnover.
GPAI model rules (Chapter 5) — since 2 August 2025. All providers of general-purpose AI models (including open-source models above the threshold) must maintain technical documentation, provide summaries of training data, and comply with copyright law. Models with systemic risk (>10²⁵ FLOPs training compute) face additional adversarial testing and incident reporting obligations.
Transparency for AI-generated content — since 2 August 2025. Providers of GPAI systems that generate synthetic audio, video, image, or text content must mark that content as AI-generated. This applies to chatbots (must disclose AI nature), deepfake generators, and synthetic media tools.
Upcoming deadlines: prepare now
2 December 2027 — High-risk AI, Annex III standalone systems. Providers must have completed conformity assessments, implemented a QMS, compiled technical documentation, registered in the EU AI database, and affixed CE marking. Deployers must have implemented human oversight and (for public bodies) completed fundamental rights impact assessments.
2 August 2028 — High-risk AI, Annex I embedded. AI safety components embedded in products under existing EU product safety legislation (medical devices, machinery, aviation, toys) must comply via the existing conformity assessment pathway for that product.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
If your organisation uses AI systems covered by Annex III (standalone high-risk AI such as recruitment AI, credit scoring, or biometric categorisation), the deadline is 2 December 2027. However, prohibited practices under Art. 5 have applied since 2 February 2025 — non-compliance is already actionable.
No. The 2026 Digital Omnibus only extended two deadlines: Annex III standalone systems (to 2 December 2027) and Annex I embedded systems (to 2 August 2028). All other deadlines — prohibited practices, GPAI rules, transparency obligations — remain on their original dates.
Now. The conformity assessment, quality management system, technical documentation, and EU database registration for high-risk AI systems require 12–24 months of preparation. Organisations targeting the December 2027 deadline should begin scoping and gap assessment in 2026.