The EU AI Act entered into force on 1 August 2024. Its obligations do not all apply from that date. The Act applies in four distinct phases, staggered across three years, with different rules becoming enforceable at different points depending on the type of AI system and the role of the organisation responsible for it.
Article 113 of the Act sets out the application dates. The structure reflects a legislative judgement that different parts of the framework require different lead times: prohibited practices were sufficiently clear to apply immediately, while high-risk system obligations required time for standards to develop and businesses to prepare.
The phased structure does not mean the Act is a future problem. Three phases are already in force. Only one remains pending as of May 2026.
The table below gives the full picture before each phase is explained in detail.
| Phase | Date | What applies | Who is affected |
|---|---|---|---|
| Phase 1 | 1 August 2024 | Act enters into force. Governance structure established. AI Office operational | All operators. Governance bodies |
| Phase 2 | 2 February 2025 | Prohibited practices banned. AI literacy obligation applies | All providers and deployers |
| Phase 3 | 2 August 2025 | GPAI model obligations. Authorised Representative for GPAI providers. Codes of practice | GPAI model providers. Non-EU GPAI providers |
| Phase 4 | 2 August 2026 | High-risk AI system obligations. Authorised Representative for high-risk AI providers | Providers and deployers of high-risk AI. Non-EU high-risk AI providers |
| Transitional | 2 August 2027 | Annex I embedded systems. Pre-August 2025 GPAI models | Product manufacturers. Legacy GPAI providers |
EU AI Act Phase 1: Entry into Force
Date: 1 August 2024
The Act entered into force on 1 August 2024, twenty days after its publication in the Official Journal of the European Union on 12 July 2024. Entry into force is legally distinct from applicability. The Act became binding law on 1 August 2024, but most of its substantive obligations did not become enforceable on that date.
What did take effect immediately was the institutional architecture. The European AI Office was established within the European Commission as the central supervisory body for general-purpose AI models. The AI Board, the Advisory Forum, and the Scientific Panel of Independent Experts were constituted. National competent authorities began designating market surveillance authorities for high-risk AI enforcement.
Article 64 established the AI Office with authority to supervise GPAI model providers, develop guidelines, facilitate codes of practice, and enforce GPAI obligations across the EU. This body was operational from entry into force, not from any later application date.
| What applied from 1 August 2024 | Legal basis |
|---|---|
| Act legally binding across all EU member states | Article 113 |
| European AI Office established and operational | Article 64 |
| AI Board constituted | Article 65 |
| Scientific Panel of Independent Experts constituted | Article 68 |
| Advisory Forum established | Article 67 |
| National market surveillance authority designation process begins | Article 70 |
| Member states required to establish AI regulatory sandboxes | Article 57 |
EU AI Act Phase 2: Prohibited Practices and AI Literacy
Date: 2 February 2025
The most significant obligations in Phase 2 are the prohibition of eight categories of AI practice under Article 5, and the AI literacy requirement under Article 4. Both have applied since 2 February 2025.
Prohibited Practices
Article 5 bans eight categories of AI outright. These prohibitions apply to every operator in the EU, and to non-EU operators whose AI systems affect people in the EU. There is no conformity assessment process, no exemption procedure, and no transitional arrangement for systems already on the market. A system that meets the description of a prohibited practice was required to cease operating by 2 February 2025.
| Prohibited practice | Legal basis |
|---|---|
| Subliminal manipulation techniques causing harm | Article 5(1)(a) |
| Exploitation of vulnerability due to age, disability, or economic situation | Article 5(1)(b) |
| Social scoring by public authorities | Article 5(1)(c) |
| Real-time remote biometric identification in public spaces for law enforcement | Article 5(1)(d) |
| Biometric categorisation to infer sensitive attributes | Article 5(1)(e) |
| Emotion recognition in workplace and education settings | Article 5(1)(f) |
| Untargeted scraping to build facial recognition databases | Article 5(1)(g) |
| Predictive criminal profiling based solely on individual profiling | Article 5(1)(h) |
The penalty for operating a prohibited AI system is a fine of up to EUR 35,000,000 or 7% of total worldwide annual turnover under Article 99(3), whichever is higher. For SMEs, fines are capped at the lower of the applicable percentage or fixed amount.
AI Literacy and EU AI Act
Article 4 states: “Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in.”
This obligation applies to every provider and deployer, regardless of the risk tier of the AI systems they use or build. A business using only minimal-risk AI tools is still subject to Article 4. The obligation is assessed against what is reasonably achievable given the nature of the staff and the systems involved, not against an absolute technical standard.
| What AI literacy requires in practice | Who must comply |
|---|---|
| Staff understand what AI systems they are working with | All providers and deployers |
| Staff understand the risk classification of the systems they use | All providers and deployers |
| Staff understand the organisation’s obligations under the Act | All providers and deployers |
| Training is documented and updated when new systems are adopted | All providers and deployers |
Commission Guidelines on Prohibited Practices
Article 96 required the Commission to publish guidelines on prohibited AI practices by 2 May 2025. The Commission published these guidelines as required, providing legal explanations and practical examples to assist operators in determining whether their systems fall within the prohibited categories. The guidelines are not legally binding but carry significant interpretive weight in regulatory and enforcement proceedings.
EU AI Act Phase 3: General-Purpose AI Model Obligations
Date: 2 August 2025
Phase 3 brought into force the obligations applicable to providers of general-purpose AI models under Chapter V of the Act, Articles 51 to 56. These obligations apply to providers of GPAI models placed on the EU market from 2 August 2025. Providers of GPAI models placed on the market before that date have until 2 August 2027 under the transitional provisions in Article 111.
Who Is a GPAI Model Provider
Article 3(63) defines a general-purpose AI model as “an AI model, including where such an AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications.”
This definition captures large language models, multimodal foundation models, and other models capable of broad task performance. It does not capture narrowly trained models designed for a single specific task.
Standard GPAI Model Obligations
| Obligation | What is required | Legal basis |
|---|---|---|
| Technical documentation | Prepare and maintain technical documentation as specified in Annex XI | Article 53(1)(a) |
| Copyright transparency | Make available information about training data covered by copyright law | Article 53(1)(c) |
| Model card | Publish a sufficiently detailed summary of the content used for training | Article 53(1)(b) |
| Downstream provider cooperation | Provide information and documentation to downstream providers integrating the model | Article 53(1)(e) |
| Policy on copyright | Implement a policy for complying with Union copyright law | Article 53(1)(c) |
GPAI Models with Systemic Risk
Article 51(1) states: “A general-purpose AI model shall be classified as a general-purpose AI model with systemic risk if it has high-impact capabilities evaluated on the basis of appropriate technical tools and methodologies, including indicators and benchmarks.” The primary quantitative indicator is training compute exceeding 10^25 floating-point operations. The AI Office may designate models below this threshold if their capabilities warrant it.
| Additional obligation for systemic risk models | What is required | Legal basis |
|---|---|---|
| Adversarial testing | Conduct model evaluations including adversarial testing before and after market placement | Article 55(1)(a) |
| Incident reporting | Report serious incidents to the AI Office without undue delay | Article 55(1)(b) |
| Cybersecurity measures | Implement appropriate cybersecurity protections for the model and its physical infrastructure | Article 55(1)(c) |
| Energy efficiency reporting | Report energy consumption of the model to the AI Office | Article 55(1)(d) |
Authorised Representative for GPAI Providers
Non-EU providers of GPAI models placed on the EU market from 2 August 2025 must appoint an EU-established Authorised Representative before market placement. Article 54(1) states: “Prior to placing a general-purpose AI model on the Union market, providers established in third countries shall, by written mandate, appoint an authorised representative which is established in the Union.”
A UK-established entity does not qualify. The representative must be established in an EU member state.
GPAI Code of Practice
The AI Office facilitated development of a code of practice for GPAI model providers through a multi-stakeholder process running from late 2024 through to mid-2025. The code became the primary compliance reference for GPAI obligations from 2 August 2025. Adherence to an approved code creates a presumption of conformity with the corresponding obligations under Articles 53 and 55. Providers not adhering to any approved code must demonstrate compliance through alternative means and remain subject to direct AI Office supervision.
Open-Source GPAI Models
Providers of open-source GPAI models benefit from partial exemptions under Article 53(2), which states that providers of GPAI models that are released under a free and open-source licence that allows access, use, modification, and distribution of the model are exempt from the technical documentation and downstream provider cooperation obligations, provided they publish the required information. The exemption does not apply to open-source models classified as posing systemic risk.
Phase 4: High-Risk AI System Obligations
Date: December 2027
Phase 4 is the largest and most operationally demanding phase of the Act. It brings into force the obligations applicable to providers and deployers of high-risk AI systems under Chapters II and III of the Act.
High-risk AI systems are defined by two pathways under Article 6. The first covers AI systems that are safety components of Annex I regulated products or are themselves such products. The second covers AI systems used in the eight domains listed in Annex III: biometric identification, critical infrastructure, education, employment, essential services, law enforcement, migration, and justice.
High-Risk Provider Obligations
| Obligation | What is required | Legal basis |
|---|---|---|
| Risk management system | Establish, implement, document, and maintain a risk management system for the entire AI system lifecycle | Article 9 |
| Data governance | Implement data governance and management practices for training, validation, and testing data | Article 10 |
| Technical documentation | Prepare technical documentation as specified in Annex IV before market placement | Article 11 |
| Record-keeping | Enable automatic logging of events during system operation | Article 12 |
| Transparency to deployers | Provide deployers with sufficient information to implement the system correctly | Article 13 |
| Human oversight | Design systems to enable effective human oversight during operation | Article 14 |
| Accuracy and robustness | Achieve appropriate levels of accuracy, robustness, and cybersecurity | Article 15 |
| Quality management system | Implement a quality management system covering all obligations | Article 17 |
| Documentation keeping | Retain technical documentation and quality management records for 10 years | Article 18 |
| Corrective actions | Take corrective action where the system does not conform | Article 20 |
| Cooperation with authorities | Cooperate with competent authorities upon request | Article 21 |
| Conformity assessment | Carry out conformity assessment before market placement | Article 43 |
| CE marking | Affix CE marking to high-risk AI systems before market placement | Article 48 |
| Declaration of Conformity | Draw up an EU Declaration of Conformity | Article 47 |
| Registration | Register the system in the EU database before market placement | Article 49 |
| Post-market monitoring | Establish a post-market monitoring system | Article 72 |
| Serious incident reporting | Report serious incidents to national authorities without undue delay | Article 73 |
Deployer Obligations from 2 August 2026
| Obligation | What is required | Legal basis |
|---|---|---|
| Human oversight | Implement appropriate human oversight measures during operation | Article 26(1) |
| Follow provider instructions | Use the system in accordance with the provider’s instructions for use | Article 26(3) |
| Staff competence | Assign operation to sufficiently competent staff | Article 26(4) |
| Monitoring | Monitor the system for risks during operation and report issues to providers | Article 26(5) |
| Log retention | Retain automatically generated logs for at least six months | Article 26(6) |
| Individual notification | Inform individuals subject to a high-risk AI system of its use | Article 26(8) |
| Fundamental Rights Impact Assessment | Conduct a FRIA before deploying a high-risk AI system listed in Annex III | Article 27 |
| Data protection coordination | Coordinate with data protection obligations where personal data is processed | Article 26(9) |
Authorised Representative for High-Risk AI Providers
Non-EU providers of high-risk AI systems must appoint an EU-established Authorised Representative before placing their systems on the EU market. This obligation applies from 2 August 2026. Article 22(1) states: “Prior to making their high-risk AI systems available on the Union market, providers established in third countries shall, by written mandate, appoint an authorised representative which is established in the Union.”
The representative carries direct obligations under Article 22(3), including verifying technical documentation, retaining records for 10 years, cooperating with authorities, and terminating the mandate and notifying authorities if the provider acts contrary to the Act.
EU AI Act Transitional Arrangements
Date: 2 August 2027
Article 111 of the Act sets out transitional provisions for AI systems that were already placed on the market or put into service before the relevant obligations became applicable. These provisions give operators additional time to bring existing systems into compliance, but they do not create permanent exemptions.
Systems Covered by Transitional Provisions
| System category | Transitional deadline | What is required by deadline |
|---|---|---|
| High-risk AI systems placed on market before 2 August 2026 that undergo substantial modification after that date | 2 August 2026 | Substantial modification triggers full compliance obligations from the date of modification |
| High-risk AI systems already placed on market or in service before 2 August 2026 without substantial modification | 2 August 2027 | Full compliance with all provider and deployer obligations |
| GPAI models placed on market before 2 August 2025 | 2 August 2027 | Full compliance with GPAI obligations under Articles 51 to 56 |
| High-risk AI systems that are safety components of Annex I products (embedded systems) | 2 August 2027 | Full compliance with high-risk AI obligations |
What Substantial Modification Means
Article 3(23) defines substantial modification as “a change to the AI system after its placing on the market or putting into service which is not foreseen or planned by the provider in the original conformity assessment and as a result of which the compliance of the AI system with the requirements set out in Chapter III, Section 2 is affected or results in a modification to the intended purpose for which the AI system has been assessed.”
A substantial modification triggers full provider obligations from the date of the modification, regardless of when the original system was placed on the market. Operators who modify legacy systems to add new capabilities, change the intended use, or alter the system’s behaviour in a way that affects its risk classification should assess whether the modification is substantial before proceeding.
What the Transitional Provisions Do Not Cover
The transitional provisions apply only to high-risk AI system obligations under Chapters II and III, and to GPAI model obligations under Chapter V. They do not apply to:
| Obligation | Transitional provision available |
|---|---|
| Prohibited practices (Article 5) | No. Prohibition applied from 2 February 2025 with no transitional period |
| AI literacy (Article 4) | No. Obligation applied from 2 February 2025 with no transitional period |
| GPAI obligations for models placed on market from 2 August 2025 | No. Obligations apply immediately on market placement |
| High-risk AI obligations following substantial modification | No. Modification triggers immediate compliance requirement |
EU AI Act Digital Omnibus Timeline Adjustments
In February 2025, the European Commission published the Digital Omnibus package, which proposes amendments to several EU digital regulations including the AI Act. The most relevant proposal for the implementation timeline concerns the high-risk AI obligations in Phase 4.
The Commission has proposed adjusting the application of high-risk AI rules to allow a maximum of 16 months from the point at which relevant harmonised standards are available, rather than the fixed date of 2 August 2026. The stated rationale is that harmonised standards, which create presumptions of conformity for high-risk systems, have developed more slowly than the legislative timeline anticipated.
| Digital Omnibus proposal | Current rule | Proposed change | Status |
|---|---|---|---|
| High-risk AI timeline | Fixed date of 2 August 2026 | Maximum 16 months from standards availability | Under negotiation, not adopted |
| SME proportionality | Fines capped at lower of percentage or fixed amount | Additional protections for micro and small enterprises | Under negotiation, not adopted |
| AI system definition | Current OECD-based definition | Proposed narrowing to exclude certain traditional software | Under negotiation, not adopted |
| GPAI obligations | Applied from 2 August 2025 | No change proposed | No change |
| Prohibited practices | Applied from 2 February 2025 | No change proposed | No change |
Planning on the assumption that the Digital Omnibus will move the August 2026 deadline is not a sound compliance approach. Even if the proposals are adopted in a form that adjusts the timeline, the work required to meet high-risk AI obligations takes months. Providers beginning conformity assessment, technical documentation, and quality management system work in 2026 are already operating with insufficient lead time under the current rules.
Timeline Summary Table
| Obligation | Status (May 2026) | Deadline |
|---|---|---|
| Governance structure and AI Office | In force | 1 August 2024 |
| Prohibited practices (Article 5) | In force | 2 February 2025 |
| AI literacy (Article 4) | In force | 2 February 2025 |
| Commission guidelines on prohibited practices | Published | 2 May 2025 |
| GPAI technical documentation | In force | 2 August 2025 |
| GPAI copyright transparency | In force | 2 August 2025 |
| GPAI systemic risk obligations | In force | 2 August 2025 |
| GPAI Code of Practice | In force | 2 August 2025 |
| Authorised Representative for GPAI providers | In force | 2 August 2025 |
| High-risk AI provider obligations | Pending | 2 August 2026 |
| High-risk AI deployer obligations | Pending | 2 August 2026 |
| Authorised Representative for high-risk AI providers | Pending | 2 August 2026 |
| Transitional period ends for legacy high-risk systems | Pending | 2 August 2027 |
| Transitional period ends for Annex I embedded systems | Pending | 2 August 2027 |
| Transitional period ends for pre-August 2025 GPAI models | Pending | 2 August 2027 |
Frequently Asked Questions
The Act entered into force in August 2024. Does that mean all obligations applied from that date?
No. Entry into force and applicability are legally distinct concepts. The Act became binding law on 1 August 2024, but the substantive obligations apply on a staggered schedule set out in Article 113. The governance structure and institutional bodies became operational from entry into force. The prohibited practices and AI literacy obligation applied from 2 February 2025. GPAI obligations applied from 2 August 2025. High-risk AI obligations apply from 2 August 2026.
We placed our high-risk AI system on the EU market in early 2026. Do we have until August 2026 to comply?
No. Article 113 requires providers of high-risk AI systems to comply with the obligations in Chapters II and III before placing their systems on the market or putting them into service. If you placed a system on the market in early 2026, you should have been preparing for compliance from the point the Act entered into force. The August 2026 date is the universal application date, not a grace period that begins on that date.
Our legacy system was placed on the market before August 2026. Can we rely on the transitional provisions until August 2027?
Only if the system has not undergone a substantial modification after 2 August 2026. Article 111(2) states that systems already on the market before the application date must comply by 2 August 2027, but Article 3(23) provides that a substantial modification triggers full compliance obligations immediately. If you modify a legacy system after August 2026, assess whether the modification is substantial before concluding that the 2027 transitional deadline applies.
We provide a GPAI model that was placed on the market in January 2025. When do our obligations apply?
Your obligations apply from 2 August 2027 under the transitional provisions in Article 111(3). GPAI models placed on the market before 2 August 2025 benefit from the extended transitional period. However, if your model is classified as posing systemic risk, the AI Office has authority to engage with you before that date and may require cooperation under Articles 91 to 93 regardless of the transitional deadline.
Does the AI literacy obligation in Article 4 apply to us if we only use minimal-risk AI tools?
Yes. Article 4 applies to all providers and deployers of AI systems, regardless of risk tier. The scope of what AI literacy requires in practice is calibrated to the systems in use and the technical background of the staff concerned, but the obligation itself is universal. A business using only AI-powered spam filters or recommendation engines is still required to ensure that staff dealing with those systems have a sufficient level of understanding of what those systems do.
We are a non-EU business selling AI software to EU enterprise customers. Which deadlines apply to us?
If your software is a high-risk AI system under Article 6, your provider obligations apply from 2 August 2026 and you must appoint an EU-established Authorised Representative before that date. If your software is a GPAI model placed on the EU market from 2 August 2025, GPAI obligations and the Authorised Representative requirement applied from that date. If your software is minimal or limited risk, you are not subject to the high-risk or GPAI frameworks but remain subject to Article 4 (AI literacy) and Article 50 (transparency obligations) where applicable.
We modified our existing AI system significantly in March 2026. Does this affect our timeline?
Yes. If the modification meets the definition of substantial modification in Article 3(23), meaning it affects the system’s conformity with the Act’s requirements or changes its intended purpose, the modified system is treated as a new system. Full provider obligations apply from the date of the modification. You cannot rely on the August 2026 application date as the start of your compliance period for a substantially modified system.
What happens to systems that are prohibited under Article 5 if they were already on the market before February 2025?
There are no transitional provisions for prohibited practices. Article 5 prohibitions applied from 2 February 2025 with no grace period for systems already on the market. Any system meeting the description of a prohibited practice was required to cease operating by that date. The transitional provisions in Article 111 apply only to high-risk AI system and GPAI model obligations, not to prohibited practices.
When do notified body requirements apply?
Notified body requirements under Articles 28 to 39 apply in connection with the conformity assessment obligations for high-risk AI systems. Since conformity assessment must be completed before market placement, and high-risk AI system obligations apply from 2 August 2026, notified body assessments for systems requiring third-party conformity assessment must be completed before that date for new market placements. For legacy systems relying on the transitional provisions, third-party conformity assessment must be completed before 2 August 2027.
This guide reflects the text of Regulation (EU) 2024/1689 as published in the Official Journal on 12 July 2024, the Digital Omnibus proposals published in February 2025, and applicable guidance issued by the European AI Office through May 2026. It is published for general informational purposes and does not constitute legal advice.
![EU AI Act High-Risk System Requirements [UPDATED May 2026]](https://grecta.com/wp-content/themes/blankslate/assets/images/2026/03/hero-image-EU-AI-Act-compliance-automation-platform.png)