EU AI Act Regulation 2024/1689 entered into force on 1 August 2024. But it does not apply all at once. A phased implementation schedule means that different obligations have become -- and will become -- enforceable at different dates. As of April 2026, the most consequential enforcement deadline is four months away.
The Full Timeline
| Date | What becomes applicable |
|---|---|
| 1 August 2024 | Regulation enters into force |
| 2 February 2025 | Chapter I (general provisions) and Chapter II (prohibited AI practices, Article 5) apply. AI systems that manipulate, exploit vulnerabilities, or perform social scoring are prohibited from this date. |
| 2 August 2025 | Chapter V (GPAI models) and Chapter XII (penalties) apply. GPAI providers must comply with transparency, documentation, and copyright obligations. Systemic risk providers face additional obligations. |
| 2 August 2026 | High-risk AI systems under Annex III apply. This is the deadline most AI teams are working toward. All provider obligations (Articles 8-17) and deployer obligations (Articles 26-29) for Annex III systems become enforceable. Penalties up to €35M or 7% of global annual turnover apply. |
| 2 August 2027 | High-risk AI systems covered by Annex I (safety components of regulated products such as medical devices and machinery) apply. These were given the longer transition to align with existing product safety regulation update cycles. |
What Is Already Enforceable Today
As of April 2026, the following are already live obligations:
- Prohibited AI practices (Article 5): Systems that use subliminal techniques, exploit vulnerabilities of specific groups, perform social scoring, or conduct real-time remote biometric identification in public spaces are prohibited and enforceable since February 2025.
- GPAI obligations (Chapter V): Since August 2025, GPAI providers must maintain technical documentation, publish a policy regarding compliance with EU copyright law, and make summaries of training data publicly available. Systemic risk providers face model evaluation and incident reporting obligations.
- Penalties: The enforcement and penalty regime (Chapter XII) has applied since August 2025. Fines for prohibited AI practices can reach €35M or 7% of global annual turnover.
What August 2026 Means in Practice
The 2 August 2026 deadline is the most significant for the majority of AI teams. From this date:
- Every provider of a high-risk AI system listed in Annex III must have a conformity assessment completed (Article 43)
- Technical documentation (Annex IV) must be complete and current
- Risk management systems (Article 9) must be operational and evidenced
- Automatic logging (Article 12) must be in place
- Human oversight mechanisms (Article 14) must be implemented and documented
- EU database registration (Article 49) must be complete for providers
- Deployers must have implemented human oversight assignments (Article 26)
The Four-Month Gap
With four months remaining to August 2026, the realistic compliance trajectory for most organisations depends on where they start:
| Starting position | August 2026 reachability |
|---|---|
| No compliance work started, no risk assessment done | Extremely difficult. A full provider compliance programme takes 6-12 months minimum. Prioritise classification, risk management, and logging first -- they are most likely to be inspected. |
| Risk assessment done, no technical controls | Difficult but possible for core obligations. Focus on Articles 9, 12, and 14 first. Logging and human oversight are the most defensible quick wins. |
| Technical controls partially in place, no documentation | Achievable. Prioritise Annex IV documentation and conformity assessment process. Use existing engineering artefacts as evidence. |
| Documentation done, no ongoing evidence collection | Achievable. Wire post-market monitoring and continuous evidence collection before the deadline. |
Enforcement Reality
Market surveillance authorities in most EU Member States are in the process of building their AI enforcement capabilities. Initial enforcement is expected to focus on sectors where AI is already regulated -- financial services, medical devices, and employment -- and on organisations that have made public representations about their AI compliance. Organisations with documented, good-faith compliance efforts are in a materially better position than those with no programme at all, even if the programme is incomplete.
The question is not whether you will be ready on 2 August 2026. The question is how much evidence of compliance effort you can generate before then. Start with classifying your AI system -- it takes six questions and is free.
Frequently Asked Questions
Are EU AI Act penalties already applicable?
Yes. The penalty regime (Chapter XII) has applied since 2 August 2025. Fines for prohibited AI practices can reach EUR 35 million or 7% of global annual turnover, whichever is higher. Fines for non-compliance with high-risk AI obligations can reach EUR 15 million or 3% of global annual turnover.
Is there a grace period for organisations that are not yet compliant by August 2026?
The regulation does not provide a formal grace period beyond the phase-in schedule. However, enforcement approach and prioritisation is at the discretion of national market surveillance authorities. Organisations that can demonstrate a documented, good-faith compliance programme are in a substantially better position than those with no programme, even if the programme is incomplete by August 2026.