
The EU AI Act timeline and what to prepare first

The EU AI Act applies in phases. Different provisions take effect on different dates, and the obligations for high-risk systems differ from those for GPAI. This piece maps the timeline and the preparation steps that deliver the most value first.

Drel Research, 10 min read

The EU AI Act does not apply all at once. Different provisions apply from different dates, and the most substantive obligations — those affecting high-risk AI systems — have deadlines that give organisations meaningful preparation time. Understanding the phased structure is the foundation for a realistic compliance programme: you cannot prioritise correctly without knowing which obligations are already enforceable, which are imminent, and which give you more time.

This piece maps the timeline, explains what each phase means operationally, and describes the preparation sequence that delivers the most value in order of the effective dates.

The phased application structure

Regulation (EU) 2024/1689 entered into force on 1 August 2024, twenty days after publication in the Official Journal. But entry into force is not the same as application. The Act is structured with transition periods that allow organisations, notified bodies, and regulators time to prepare before each set of obligations becomes enforceable.

The phases broadly reflect the urgency of the risks addressed:

  • Prohibited practices — the highest-urgency provisions — applied first, with a six-month transition.
  • GPAI obligations applied twelve months after entry into force.
  • High-risk AI obligations under Annex III apply twenty-four months after entry into force.
  • High-risk AI obligations for Annex I safety-component systems apply thirty-six months after entry into force.

There are also sector-specific and embedded system provisions with longer timelines — see the final entry in the timeline for the 2030 deadline for systems already on the market.

EU AI Act — phased application dates

August 2024
Act entered into force (Passed)

Regulation (EU) 2024/1689 published in the Official Journal. 20-day entry into force period.

February 2025
Prohibited AI provisions apply (Passed)

Article 5 prohibited AI practices are enforceable. Biometric mass identification, social scoring, subliminal manipulation, and related systems must not be placed on the market or used.

August 2025
GPAI model obligations apply (Now)

Chapter V obligations for general-purpose AI model providers apply. Technical documentation, downstream provider information, and copyright compliance obligations are enforceable. Codes of practice expected.

August 2026
High-risk AI obligations apply (Annex III) (2026)

Full provider obligations (Articles 9–15, Annex IV) apply to Annex III high-risk AI systems. Notified bodies for conformity assessment are designated. Deployer obligations under Article 26 also apply.

August 2026
General transparency obligations apply (2026)

Article 50 transparency obligations for chatbots, synthetic content, and emotion recognition systems. Limited-risk tier obligations are enforceable.

August 2027
High-risk obligations apply (Annex I) (Future)

High-risk obligations for AI systems that are safety components of Annex I products (medical devices, machinery, vehicles, aviation). Extended timeline reflects alignment with existing sector-specific conformity assessment processes.

August 2030
Embedded system obligations apply (Future)

High-risk AI systems in products already on the market before August 2026 — embedded in existing product lines — must satisfy the Act's requirements by this date.

Based on the transition provisions in Article 113 of Regulation (EU) 2024/1689 and the dates in Articles 85, 86, and 112. Dates are from the Act's entry into force in August 2024. Some sector-specific timelines may differ.

Prohibited AI provisions

Article 5 — the prohibited AI practices — applied from February 2025, six months after the Act's entry into force. These are the hardest provisions in the Act: systems in scope cannot be placed on the market or put into service. There are no risk management or documentation alternatives.

The prohibited categories most likely to catch organisations by surprise are the restrictions on emotion recognition (in workplaces and educational institutions), the restrictions on biometric categorisation that infers political opinions, religious beliefs, sexual orientation, or race, and the restrictions on predictive policing. These are areas where commercial AI products may have features that touch the prohibited categories without being obviously within them.

GPAI model provisions

Chapter V obligations for GPAI model providers applied from August 2025. This matters for enterprise organisations in two ways:

First, if your organisation provides a GPAI model — an open-weight model or a model made available to third parties — Chapter V obligations apply now. Technical documentation, downstream provider information, and copyright compliance are all required.

Second, if your organisation uses GPAI models from external providers, the providers are now obligated to publish the downstream provider information and technical documentation that Chapter V requires. This creates an opportunity to use that disclosure to populate the data governance section of your Annex IV documentation for high-risk systems built on GPAI models.

The European AI Office has been developing codes of practice for GPAI providers to facilitate compliance. The codes are voluntary guidance, not hard law, but they represent the practical framework within which major foundation model providers are operating.

High-risk AI obligations

The full provider obligations for Annex III high-risk AI systems — Articles 9–15 and Annex IV technical documentation — apply from August 2026. This is the central compliance deadline for most enterprise organisations.

August 2026 is the point at which high-risk AI systems must not be placed on the market or put into service without satisfying the conformity obligations. For systems already in production before that date, the obligations apply from that date — “already deployed” is not an exemption.

Conformity assessment for high-risk AI systems involves either a notified body assessment (for certain Annex III categories) or a self-assessment with technical documentation. The categories that require notified body involvement are those covered by existing harmonisation legislation with third-party conformity assessment requirements. For the majority of enterprise Annex III systems — employment, credit, essential services — self-assessment with internal technical documentation is the likely route.

The August 2026 deadline is not a point at which you start preparing. It is the point at which preparation must be complete. For high-risk systems with complex documentation requirements, 18–24 months of lead time is realistic.

Transparency obligations

Article 50 transparency obligations for limited-risk systems — chatbots, AI-generated content, emotion recognition — also apply from August 2026. These are operationally simpler than the high-risk obligations: they primarily require disclosure to users and labelling of AI-generated content, rather than pre-market documentation.

The practical implementation for most organisations involves updating user interfaces and terms of service to disclose AI interaction, adding labels to AI-generated content in public communications, and reviewing customer-facing chatbots and virtual assistants for compliance with the disclosure requirement.

Practical preparation sequence

The preparation sequence that delivers the most value in order of deadline urgency starts with inventory and prohibited AI review, proceeds through GPAI documentation and gap analysis for high-risk systems, and concludes with conformity assessment completion before August 2026.

Practical preparation sequence — what to do and when

Now — immediate
  • Review assessed systems for any that may fall within Article 5 (prohibited AI) — these must not be deployed
  • If you use GPAI models from external providers: review the provider's Chapter V documentation and compliance summaries
  • Begin building the AI system inventory if not already started — this is the prerequisite for all downstream work

Article 5 is already enforceable. GPAI obligations apply from August 2025. Inventory is the prerequisite for everything else.

6–12 months out
  • Complete the AI system inventory with tier classification for each discovered system
  • For Annex III high-risk systems: identify documentation gaps against Articles 9–15 and Annex IV
  • For systems approaching substantial modification or new high-risk deployments: begin Article 9 risk management process

August 2026 is the main compliance gate for Annex III high-risk systems. Gap analysis now allows time to address the largest gaps before the deadline.

12–18 months out
  • Complete Annex IV technical documentation for high-risk systems
  • Implement human oversight measures (Article 14) and document them
  • Conduct conformity assessment — notified body assessment or self-assessment depending on system category

Conformity assessment for some high-risk categories requires third-party notified body involvement. Lead time for notified body engagement is significant — do not leave this late.

Ongoing
  • Maintain the AI system inventory as systems change and new systems are deployed
  • Monitor for Annex III category updates — the European Commission can expand the list by delegated act
  • Embed AI Act classification review into procurement and change management processes

The AI Act's obligations are ongoing. The inventory and risk management records must be kept current throughout the system lifecycle.

What to prioritise first

If your organisation has not yet begun EU AI Act preparation, the two tasks with the highest return on effort right now are:

1. Build the AI system inventory. Everything else depends on knowing which systems you have and which tier each falls into. The inventory is the prerequisite for prohibited AI review, GPAI documentation, and high-risk obligation assessment. Without it, any other preparation work is being done blind. See the system inventory guide for the structured discovery process.

2. Classify each system and identify the high-risk ones. Once you have the inventory, tier classification tells you which systems face the August 2026 obligations. For those systems, a gap analysis against Articles 9–15 and Annex IV identifies the documentation work required. The gap analysis is what turns the inventory from an administrative exercise into a compliance programme.

For a structured approach to mapping existing review evidence to EU AI Act obligations and identifying remaining gaps, see the evidence mapping guide.


Start your EU AI Act preparation with the right foundation

Drel's AI security review process produces the system inventory documentation, classification rationale, and obligation evidence that the EU AI Act requires — designed to be completed before the August 2026 deadline.

A note on scope: Drel reviews assessed systems against documented architecture, configuration and intent. It does not ingest live telemetry from production environments. Dispositions reflect the assessed system at the time of review and the re-assessment triggers that govern when the disposition must be revisited.