EU AI Act Timeline — Key Dates for US Organizations
Every compliance date US organizations need on their calendar — updated after the Digital Omnibus provisional agreement of 7 May 2026, which proposes to delay the high-risk obligations.
Important: legal status as of 8 May 2026
The EU AI Act as currently in force still sets 2 August 2026 as the high-risk obligations deadline. On 7 May 2026, Council and Parliament negotiators reached a provisional political agreement on the Digital Omnibus on AI proposing new application dates: 2 December 2027 for Annex III stand-alone systems and 2 August 2028 for Annex I embedded systems. The agreement still requires formal adoption by both institutions and publication in the Official Journal before it becomes binding. Until publication, the original timeline applies as written.
This page presents both the current legal regime and the proposed new dates, with the operational guidance professional prudence requires while the file is pending.
The phased implementation schedule
The EU AI Act entered into force on 1 August 2024, with obligations applying on a staggered timeline. The Digital Omnibus on AI, provisionally agreed on 7 May 2026, proposes to extend the most operationally significant deadline (Annex III high-risk systems) by approximately 16 months. Other deadlines remain unchanged.
Already in force
2 February 2025 — Prohibited practices and AI literacy. Article 5 prohibitions are enforceable: social scoring, manipulative AI, emotion recognition in workplaces and schools, real-time biometric identification in public spaces (with narrow law enforcement exceptions), and untargeted scraping of facial images from the internet or CCTV. Article 4 AI literacy obligations are active for all providers and deployers. Penalties for violations of the prohibited practices are up to €35M or 7% of global turnover.
2 August 2025 — GPAI and governance. Chapter V obligations for general-purpose AI models: technical documentation, copyright compliance, training data summaries. Governance structures (Chapter VII), confidentiality rules, and sanctions provisions became applicable. National competent authorities were designated by this date.
Upcoming deadlines (as currently in force)
2 August 2026 — Full enforcement powers and penalty regime. The AI Office and national market surveillance authorities obtain full enforcement powers, including the ability to request information, mandate mitigations, and impose administrative fines across all applicable provisions. The penalty regime under Article 99 becomes fully operational. Member States must have at least one operational AI regulatory sandbox by this date. This date is not affected by the Omnibus and remains binding.
2 August 2026 — High-risk systems under Annex III (current regime). Under the AI Act as currently in force, high-risk AI systems used in employment, finance, education, healthcare, law enforcement, and other Annex III sectors must achieve full compliance by this date: conformity assessments completed, technical documentation finalized, risk management systems operational, human oversight mechanisms in place, EU database registration filed. The Digital Omnibus provisional agreement of 7 May 2026 proposes to defer this deadline to 2 December 2027. Until the Omnibus is formally adopted and published in the Official Journal, organizations should plan against the 2 August 2026 deadline as legally binding.
Proposed new dates under the Digital Omnibus (provisional agreement, 7 May 2026)
2 December 2026 — Article 50 transparency and new Article 5 prohibition. Article 50 transparency obligations for synthetic content (watermarking of AI-generated images, audio, video, and text) take effect. The Digital Omnibus introduces a new Article 5 prohibition on AI systems designed to generate child sexual abuse material and on nudifier applications, with the same date of application. This is the nearest live obligation under the new regime and applies regardless of risk classification.
2 December 2027 — Annex III high-risk systems (proposed new date). If the Omnibus is formally adopted, the compliance deadline for high-risk AI systems listed in Annex III moves from 2 August 2026 to 2 December 2027. This covers systems used in employment, education, finance, law enforcement, migration, justice, and access to essential services.
2 August 2028 — Annex I product safety (proposed new date). AI systems embedded in regulated products under Annex I (medical devices, machinery, vehicles, toys, radio equipment) move from 2 August 2027 to 2 August 2028. GPAI models placed on the market before 2 August 2025 also have until this date to achieve full compliance.
31 December 2030 — Large-scale IT systems. AI components of large-scale IT systems listed in Annex X must be brought into compliance. This date is unchanged by the Omnibus.
Enforcement timeline
National market surveillance authorities have been actively supervising GPAI and prohibited practices since 2 August 2025. Full enforcement powers across all provisions begin on 2 August 2026 regardless of whether the Omnibus is adopted. The European Commission will evaluate the AI Office's functioning by August 2028 and review the Act's impact every four years starting August 2029.
What this means for US organizations
Three operational conclusions follow from the current state of the file. First, the 2 December 2026 date is the nearest binding obligation under the proposed new regime — if your AI generates synthetic content (text, image, audio, video), Article 50 transparency obligations apply to you, and the new Article 5 prohibition on nudifiers and AI-generated CSAM is enforceable from this date.
Second, until the Omnibus is formally adopted and published, the 2 August 2026 deadline for Annex III high-risk systems remains legally binding. Building a compliance program around the proposed 2 December 2027 date is a planning bet, not a legal certainty. Professional prudence requires preparing for the original deadline and treating the deferral, if it materializes, as a supervening benefit.
Third, even under the new dates, the time horizon is shorter than it appears. A typical high-risk compliance program requires 4 to 6 months from initiation to completion. Organizations starting now have sufficient runway under either timeline. Those waiting until late 2026 or 2027 will face compressed timelines under the new regime as well.
Last updated 8 May 2026 to reflect the Digital Omnibus provisional agreement reached on 7 May 2026. Lexara Advisory LLC — AI governance consulting. Not legal advice under U.S. law.