EU AI Act
Key deadlines
The EU AI Act applies in phases. Different obligations kick in on different dates between 2024 and 2027. This article maps the timeline and what mid-market companies should plan for at each milestone.
1 August 2024 — entered into force
Regulation (EU) 2024/1689 entered into force. Adoption phase. No operational obligations on companies yet, but the clock started for everyone.
What to do: nothing required. Companies that started inventories and policies early at this point have a smoother path through 2026.
2 February 2025 — prohibitions and AI literacy
Chapter I (general provisions) and Chapter II (prohibited AI practices) start applying. Article 4 (AI literacy) is in Chapter II.
What this means in practice:
- Prohibited practices (Article 5) are illegal from this date. Most mid-market companies are nowhere near these (social scoring, real-time biometric ID for law enforcement, exploitative manipulation of vulnerable groups). If you are uncertain, talk to counsel.
- Article 4 (AI literacy) technically starts applying. There is no enforcement mechanism with teeth until later, but the obligation exists. Many companies treat 2 August 2026 as the practical deadline because that is when penalties under Article 99 kick in.
What to do by this date: at minimum, an inventory of AI tools your company uses, and a written commitment to a training plan. Even an informal “we will run our first session by Q3 2025” plan with named owners is better than nothing on paper.
2 August 2025 — GPAI provider obligations
Chapter V (general-purpose AI models) starts applying for general-purpose AI providers. Notification of competent authorities, member-state-level governance bodies must be set up, codes of practice ready.
What this means for mid-market companies: if you are a deployer (most of you), nothing operational changes. If you are a provider of a general-purpose AI model — i.e., you have trained or fine-tuned a substantial model that is available for downstream use — additional obligations attach. Unusual at mid-market.
2 August 2026 — full applicability of most obligations
Chapters III (high-risk AI systems), IV (transparency), VII (governance), IX (post-market monitoring), X (codes of conduct) start applying. Article 99 penalties enforce.
This is the date everyone references. From 2 August 2026:
- High-risk AI system obligations (Annex III) apply to providers and deployers of those systems. If you are a deployer of a system listed as high-risk, you have specific obligations: appropriate technical and organisational measures, human oversight, monitoring of operation, retention of automatically generated logs.
- Transparency obligations (Article 50) apply to providers and deployers — for example, obligations to disclose AI-generated content (deep fakes, AI-generated text presented as factual).
- Penalties under Article 99 are enforceable. Fines up to €35M or 7% of worldwide turnover for the most serious violations; lower tiers for less severe.
- Article 4 (AI literacy) continues to apply. The combination of “Article 4 applies + Article 99 fines apply” is what makes 2 August 2026 the practical deadline for AI literacy training programmes.
What to do by this date:
- AI inventory complete and live.
- AI usage policy adopted.
- Article 4 training programme run at least once for in-scope staff with evidence captured.
- Role declaration done; readiness checklist worked through to a defensible state per role.
- Snapshot PDF generated and stored as point-in-time evidence.
This is the v1 deliverable shape AIRegistra is built around.
2 August 2027 — high-risk obligations for embedded systems
Article 6(1) (high-risk AI systems that are safety components of products) starts applying for products subject to existing EU product-safety legislation. Toys, machinery, medical devices, etc.
What this means for mid-market companies: unless you build hardware products subject to EU product-safety regulation, this date is unlikely to apply to you. If you do build such products and they include AI components, this is a date to plan around with your product compliance team.
2 August 2030 — public-sector legacy systems
Article 111 — high-risk AI systems already placed on the market by public-sector entities before 2 August 2026 must be brought into compliance by this date. Long tail provision; rarely relevant to mid-market private-sector companies.
Summary table
| Date | What applies | Who is affected |
|---|---|---|
| 1 Aug 2024 | Regulation enters into force | Everyone — clock starts |
| 2 Feb 2025 | Prohibitions, AI literacy (Article 4) | Providers and deployers |
| 2 Aug 2025 | GPAI provider obligations | GPAI providers |
| 2 Aug 2026 | Most obligations + penalties | Providers, deployers, importers, distributors |
| 2 Aug 2027 | High-risk safety-component obligations | Product-safety-regulated industries |
| 2 Aug 2030 | Legacy public-sector systems | Public-sector deployers |
Where to go next
- Article 4 explained — the literacy obligation in detail.
- Role declaration — figure out which role(s) you play.
- Evidence basics — what to keep on file.
This is general information, not legal advice. Application to your company depends on your specific facts; consult your own counsel. Dates summarised from Regulation (EU) 2024/1689 — refer to the official Official Journal text for canonical wording.
4 min read · Last updated