The EU AI Act is not a single deadline — it rolled out in four enforcement phases between 2024 and 2027. Three phases are already in effect. Here's exactly what applies when, and whether your business is already behind.
Most businesses focus only on August 2, 2026 — but three deadlines have already passed.
If your company uses any AI tools, two sets of obligations have been enforceable since February 2025. If you deploy AI built on a foundation model (ChatGPT, Claude, Gemini), a third set has applied since August 2025. This guide explains what's already in effect and what the August 2026 deadline actually adds.
| Date | Status | What Applies | Who Is Affected |
|---|---|---|---|
| Aug 1, 2024 | In force | Regulation entered into force; EU AI Office created | Regulators begin implementation |
| Feb 2, 2025 | Enforceable | Prohibited practices (Article 5) + AI literacy (Article 4) | All businesses using or building any AI |
| Aug 2, 2025 | Enforceable | General-purpose AI (GPAI) model rules; governance structure | GPAI providers; deployers using foundation-model APIs |
| Aug 2, 2026 ⚡ | 51 days away | High-risk AI obligations; transparency requirements (Article 50); most of the Act | Businesses operating high-risk AI; anyone using chatbots or AI-generated media |
| Aug 2, 2027 | Future | High-risk AI embedded in regulated safety products (Annex I) | Medical devices, aviation, automotive, industrial machinery with AI |
The EU AI Act (Regulation (EU) 2024/1689) was published in the Official Journal of the European Union on July 12, 2024, and entered into force on August 1, 2024 — 20 days after publication, as required by EU legislative procedure.
This date did not trigger any compliance obligations for businesses. It was a structural milestone: the regulation became law, the EU AI Office was formally established within the European Commission, and the clock started on subsequent enforcement phases.
What this meant in practice:
This is the deadline most businesses do not know about. Six months after entry into force, two substantive sets of obligations became enforceable for all businesses — not just high-risk AI operators.
Eight categories of AI system are banned outright under Article 5. These prohibitions have applied since February 2, 2025 — they are not part of the August 2026 high-risk framework. Violations expose businesses to the highest fine tier: up to €35 million or 7% of global annual turnover.
Already banned since February 2025:
For detailed coverage of each prohibition including what IS permitted and SMB-specific implications, see our Article 5 Prohibited Practices guide.
Article 4 requires that businesses ensure their staff who deploy or operate AI systems have "sufficient AI literacy" — appropriate training and understanding of the AI tools they use. This obligation applies to every company using AI, regardless of the AI system's risk classification. It has been in force since February 2, 2025.
What "sufficient AI literacy" means in practice:
See our Article 4 AI Literacy guide for the full scope of this obligation.
One year after entry into force, the rules for general-purpose AI (GPAI) models became enforceable. These rules primarily target GPAI model providers (the companies that train and release foundation models — OpenAI, Anthropic, Google, Meta, Mistral, etc.), but they also create indirect obligations for deployers: businesses that build products or workflows on top of GPAI APIs.
Providers of GPAI models (the model itself, not just its use in a product) must now:
If your company uses ChatGPT, Claude, Gemini, Copilot, or any other GPAI API to build products or workflows, you are a deployer under the Act. Since August 2025, deployer obligations include:
For the full deployer vs provider breakdown and a step-by-step list of obligations, see our GPAI and LLMs guide.
August 2, 2026 is when the majority of the EU AI Act comes into full effect. This is the deadline that has driven most compliance activity and the one most businesses mean when they say "the EU AI Act deadline". It covers three major areas.
The most demanding obligations under the Act apply to AI systems in eight categories of high-risk application defined in Annex III:
| Category | Examples |
|---|---|
| Biometric identification | Facial recognition, emotion detection (not already banned) |
| Critical infrastructure | AI managing electricity, water, transport networks |
| Education and training | Exam scoring, student admission decisions |
| Employment and HR | CV screening, interview analysis, performance monitoring |
| Essential private services | Credit scoring, insurance underwriting |
| Law enforcement | Polygraph tools, evidence reliability assessment |
| Migration and asylum | Document verification, risk assessment |
| Administration of justice | Legal dispute research tools |
High-risk system providers (companies that develop and sell these systems) must by August 2, 2026:
High-risk system deployers (businesses that use and operate these systems, even if they did not build them) must:
See our High-Risk Systems guide for the full Annex III list with real-world examples and a provider/deployer obligation breakdown.
Article 50 imposes disclosure obligations on any business deploying AI that interacts with or generates content for end users — regardless of risk classification. Four obligations apply from August 2, 2026:
| Obligation | What it requires |
|---|---|
| Chatbot disclosure | Any AI system that communicates conversationally with users must tell them they're interacting with AI — at the point of first contact, before any conversation begins. |
| Emotion recognition / biometric categorisation | If your AI infers emotional states or categorises users by biometric characteristics, you must notify those people. |
| Deepfake and synthetic media labelling | AI-generated images, audio, or video depicting real people must be labelled as synthetic content in a machine-readable format. |
| AI-generated text disclosure | Large-scale AI-generated text intended for public communication (news, public interest content) must disclose its AI origin — though this does not apply to creative works where AI use is obvious. |
For implementation guidance on each obligation, see our Article 50 Transparency Requirements guide.
One additional year of transition applies to a specific, narrow category: AI systems that are safety components of products already covered by existing EU product safety legislation listed in Annex I of the AI Act. These include:
The extra year reflects the complex existing conformity-assessment processes for these products. These companies were already subject to EU product safety law, and aligning AI Act requirements with existing CE marking and notified-body processes takes time.
Does the August 2027 extension affect your business?
Only if your AI system is a safety-critical component in one of the Annex I product categories AND is currently subject to the conformity assessment process for that product type. For most SMBs using AI in HR, customer service, finance, or operations — the answer is no. Your deadline is August 2, 2026.
Given that three phases are already in effect, many businesses are non-compliant without knowing it. Use this checklist to check your current position:
Do you use any AI for emotion recognition at work, in education, or in customer interactions?
If yes: this is likely already prohibited (Article 5) since February 2025. Evaluate immediately.
Do you use social scoring, employee behavioural monitoring that profiles over time, or persuasive systems that exploit vulnerabilities?
If yes: likely prohibited since February 2025. Stop use and seek legal advice.
Do all staff who use AI tools have documented, appropriate training on those tools?
If no: Article 4 AI literacy has applied since February 2025. Implement training and document it.
Do you build products or workflows using a GPAI API (ChatGPT, Claude, Gemini, Copilot, etc.)?
If yes: GPAI deployer obligations have applied since August 2025. Review your usage for compliance.
Does your AI-powered chatbot or customer-service bot identify itself as AI at the start of interactions?
If no: this will be required from August 2, 2026 — 51 days away. Implement this now.
Do you use AI in employment (CV screening, performance management), credit scoring, or education (student assessment, admission)?
If yes: you are operating a high-risk system. Full obligations apply August 2, 2026. Begin compliance work immediately.
Myth: "The EU AI Act doesn't apply until August 2026."
Reality: False. Prohibited practices and AI literacy obligations have been enforceable since February 2, 2025. GPAI rules have applied since August 2, 2025. Violations of these can be penalised now.
Myth: "I'm not building AI, just using tools like ChatGPT — so the Act doesn't apply to me."
Reality: Partially false. Article 4 (AI literacy) applies to any business whose staff use AI tools. If you use ChatGPT in customer interactions, Article 50 chatbot disclosure applies from August 2026. If you use AI for HR or credit decisions, high-risk obligations apply to you as a deployer.
Myth: "The August 2, 2026 deadline only matters for AI companies."
Reality: False. Annex III includes AI used in HR, recruitment, credit, education, and customer services — sectors spanning millions of SMBs. If you use AI-assisted hiring, loan decisions, or automated customer communications, August 2026 applies to you.
Myth: "If my AI supplier is compliant, I'm covered."
Reality: Partially false. Providers (your supplier) have their own obligations, but deployers (you) have separate, direct obligations — including human oversight, staff training, incident monitoring, and in some cases your own conformity assessment. You cannot delegate your obligations entirely to your supplier.
Myth: "The fines won't actually be enforced for small businesses."
Reality: Uncertain. The EU AI Act contains proportionality provisions for SMBs (Article 99(6)), so fines are scaled to turnover, not just absolute caps. However, GDPR enforcement history shows that EU regulators do pursue SMBs for significant violations, even if large fines take years. The compliance bar for many SMB obligations is low enough that non-compliance without effort is hard to justify.
Before worrying about August 2026, confirm you are already compliant with February 2025 obligations: no prohibited AI in use, and Article 4 AI literacy documented for relevant staff. These are already enforceable.
Use our free risk classifier to determine whether any of your AI systems fall into the high-risk category. If you are a deployer using packaged AI software, classification tells you your obligations as an operator.
51 days is not much time for full high-risk compliance if you're starting from scratch. Begin with risk assessment, human oversight procedures, and reviewing your supplier's documentation. If you can't complete everything before the deadline, document your compliance programme — good-faith effort counts.
Article 50 chatbot disclosures are straightforward to implement. If any AI system in your customer-facing stack converses with users, add "I'm an AI assistant" or equivalent to your opening message. This is low-effort and non-optional.
Enforcement authorities look for evidence of a compliance programme. Even if you don't complete every requirement, documenting your assessment, your reasoning, and your action plan demonstrates good faith and reduces fine exposure under the Article 99(6) proportionality provisions.
Yes, if you place AI systems on the EU market or if your AI system's outputs are used in the EU. This mirrors the GDPR's territorial scope: the determining factor is whether your AI affects people in the EU, not where you are incorporated. Companies based in the UK, US, or anywhere else that sell or deploy AI into the EU market are in scope.
No automatic grandfathering, but the transition periods provide time to adjust. AI systems already placed on the market before August 2, 2026 had until that date to become compliant for most Annex III categories. Systems placed on the market before August 2, 2024 (entry into force) had the full 24-month transition period. The key point: systems currently in deployment must be compliant by August 2, 2026, not just newly deployed ones.
Yes, several. Article 99(6) requires national authorities to set fines proportionately for SMEs and startups, with lower caps in absolute terms. The Act also requires national authorities to provide simplified compliance documentation templates for SMBs, and EU AI regulatory sandboxes must have dedicated SME tracks. These provisions reduce burden but do not eliminate obligations — they affect proportionality and penalty scale, not whether the rules apply.
Post-August 2, 2026, businesses operating non-compliant AI systems risk investigation and fines from their national competent authority. The enforcement timeline closely mirrors GDPR: initial investigations following complaints, with proactive audits taking longer to develop. For high-risk violations, fines can reach €15M or 3% of global turnover; for prohibited practices, up to €35M or 7%. SME proportionality applies. The practical risk near the deadline is mainly around any flagged complaints, not immediate raids.
The EU AI Act and GDPR have different enforcement authorities (national AI supervisory authorities vs data protection authorities) and different scopes. They overlap in areas like DPIAs (the AI Act requires Fundamental Rights Impact Assessments for certain high-risk systems, which overlap conceptually with GDPR DPIAs), training data lawful basis, and data subject rights. See our GDPR vs AI Act guide for the full interaction analysis.
Member states had to designate national competent authorities (NCAs) by August 2025 and notify the Commission. Most larger member states (Germany, France, Italy, Netherlands) have designated authorities. NCAs must be operational and resourced by August 2, 2026. Smaller member states may be slower, but relying on enforcement unreadiness is not a sound compliance strategy — obligations exist regardless.