The EU AI Act did not arrive without warning. The legislative process ran for more than three years, and the enforcement timeline is staggered across four years after entry into force. Understanding the history explains why the law is structured the way it is. Understanding the enforcement dates tells you when your obligations apply and what the Digital Omnibus proposals may change.
EU AI Act: The Legislative History
2018–2020: Foundation
The European Commission began publishing AI policy documents from 2018 onward, establishing the intellectual groundwork for a binding legal framework.
| Date | Event |
|---|---|
| April 2018 | Commission publishes European AI Strategy, the first formal EU position on AI governance |
| December 2018 | Coordinated Plan on AI adopted, setting out member state cooperation objectives |
| April 2019 | High-Level Expert Group on AI publishes Ethics Guidelines for Trustworthy AI |
| February 2020 | Commission White Paper “On Artificial Intelligence: A European approach to excellence and trust” launches public consultation |
| November 2020 | Public consultation closes with over 1,200 responses across industry, civil society, and academia |
The White Paper was the turning point. It set out two regulatory options: a voluntary framework or a binding risk-based framework. The consultation responses and internal policy debate drove the Commission toward the binding approach.
2021: The Commission Proposal
On 21 April 2021, the European Commission published its formal legislative proposal for the AI Act. This was the first binding AI regulation proposed by any major jurisdiction.
| Date | Event |
|---|---|
| 21 April 2021 | Commission publishes proposed Regulation laying down harmonised rules on artificial intelligence (COM/2021/206) |
| April 2021 | Coordinated Plan on AI updated alongside the proposal |
| May 2021 | European Data Protection Board and European Data Protection Supervisor issue joint opinion |
The 2021 proposal established the architecture that survived largely intact into the final text: a risk-based classification framework with four tiers, provider and deployer role distinctions, and a list of prohibited practices. The original proposal did not include provisions for general-purpose AI models, which were added later in response to the rapid development of large language models.
2022: Parliamentary and Council Work
| Date | Event |
|---|---|
| April 2022 | European Parliament’s Internal Market Committee and Civil Liberties Committee adopt their draft reports |
| May 2022 | Council of the EU adopts its general approach on the proposal |
| September 2022 | European Parliament’s lead committees vote on their position |
| December 2022 | ChatGPT launches publicly, fundamentally shifting the political context for general-purpose AI regulation |
The December 2022 launch of ChatGPT changed the legislative debate overnight. Provisions that had been largely theoretical, concerning capable foundation models, suddenly became urgent. The Parliament and Council both began working on amendments to address general-purpose AI systems.
2023: Trilogue Negotiations
The trilogue process is the negotiation between the European Parliament, the Council of the EU, and the Commission to agree a final text. AI Act trilogues were among the most contested in recent EU legislative history.
| Date | Event |
|---|---|
| June 2023 | European Parliament adopts its full position, including significant new provisions on general-purpose AI and stricter limits on biometric surveillance |
| 8 December 2023 | Political agreement reached between Parliament and Council after marathon final trilogue session lasting over 36 hours |
The final trilogue was exceptionally contentious. The main fault lines were the treatment of general-purpose AI models (France and Germany initially pushed for lighter regulation of foundation model providers), the scope of real-time biometric surveillance exceptions, and the classification thresholds for high-risk systems. The political agreement resolved these but required substantial compromise on all sides.
2024: Adoption and Entry into Force
| Date | Event |
|---|---|
| 2 February 2024 | European Parliament’s Internal Market and Civil Liberties Committees adopt the agreed text |
| 13 March 2024 | European Parliament adopts the AI Act in plenary by 523 votes to 46 |
| 21 May 2024 | Council of the EU formally adopts the Regulation |
| 12 July 2024 | AI Act published in the Official Journal of the European Union |
| 1 August 2024 | AI Act enters into force (20 days after publication) |
The plenary vote on 13 March 2024 was one of the most significant regulatory votes in EU history. The margin, 523 to 46, reflected the broad cross-party consensus that had built through the trilogue process despite the difficulty of the negotiations.
The Enforcement Timeline
Entry into force and applicability are legally distinct. The Act entered into force on 1 August 2024 but its provisions apply on a staggered schedule. The table below sets out every key applicability date.
| Date | What becomes applicable | Who is affected |
|---|---|---|
| 1 August 2024 | Act enters into force. Governance provisions apply. AI Office established | All operators |
| 2 February 2025 | Prohibited AI practices (Article 5) banned. AI literacy obligation (Article 4) applies | All providers and deployers |
| 2 May 2025 | Commission must provide guidelines on prohibited practices | European Commission |
| 2 August 2025 | GPAI model obligations apply (Articles 51–56). Authorised Representative requirement for GPAI providers. Codes of practice for GPAI models | Providers of GPAI models |
| 2 August 2026 | High-risk AI system obligations fully apply (Chapters II and III). Authorised Representative requirement for high-risk AI providers. Notified body requirements apply | Providers and deployers of high-risk AI systems |
| 2 August 2027 | High-risk AI systems embedded in Annex I regulated products. GPAI models placed on market before 2 August 2025 | Product manufacturers, legacy GPAI providers |
What Is Already in Force
This section addresses the most common misconception about the AI Act: that it is a future compliance problem. Three sets of obligations are already enforceable.
| Obligation | In force since | Applies to |
|---|---|---|
| Prohibited AI practices | 2 February 2025 | All operators |
| AI literacy (Article 4) | 2 February 2025 | All providers and deployers |
| GPAI model technical documentation | 2 August 2025 | GPAI model providers |
| GPAI copyright transparency | 2 August 2025 | GPAI model providers |
| GPAI systemic risk assessment and testing | 2 August 2025 | Systemic risk GPAI providers |
| Authorised Representative (GPAI) | 2 August 2025 | Non-EU GPAI model providers |
| Codes of practice for GPAI | 2 August 2025 | GPAI model providers |
Prohibited EU AI Act Practices: In Force Since February 2025
The following AI practices are banned outright under Article 5. Operating any of these systems is already unlawful across the EU.
| Prohibited practice | Description |
|---|---|
| Subliminal manipulation | AI that deploys techniques beyond a person’s consciousness to impair decision-making in a harmful way |
| Exploitation of vulnerabilities | AI that exploits vulnerabilities due to age, disability, or social situation to distort behaviour harmfully |
| Social scoring by public authorities | AI used by public authorities to evaluate or classify individuals based on social behaviour or personal characteristics |
| Real-time remote biometric identification in public spaces | AI used by law enforcement for real-time biometric surveillance in publicly accessible spaces, subject to narrow exceptions |
| Biometric categorisation by sensitive characteristics | AI that categorises individuals based on biometric data to infer race, political opinions, religion, sexual orientation, or other sensitive attributes |
| Emotion recognition in workplace and education | AI used to infer emotions of individuals in workplace or educational settings, with limited exceptions |
| Untargeted scraping for facial recognition databases | AI that scrapes the internet or CCTV footage untargetedly to build facial recognition databases |
| Manipulation of criminal recidivism prediction | AI that makes risk assessments of individuals based solely on profiling for the purpose of predicting criminal behaviour |
EU AI Act Institutional Architecture
The AI Act created a new governance structure that sits alongside existing national regulators.
| Institution | Role | Legal basis |
|---|---|---|
| European AI Office | Supervises GPAI model providers. Develops guidelines. Enforces GPAI obligations | Article 64 |
| AI Board | Coordinates national authorities. Issues opinions and recommendations | Article 65 |
| National market surveillance authorities | Enforce high-risk AI system obligations at member state level | Article 70 |
| Scientific Panel of Independent Experts | Advises the AI Office on GPAI models and systemic risk | Article 68 |
| Advisory Forum | Provides stakeholder input from industry, civil society, and academia | Article 67 |
| Notified bodies | Conduct third-party conformity assessments for certain high-risk AI systems | Articles 28–39 |
The Digital Omnibus: Proposed Changes
In February 2025, the European Commission published the Digital Omnibus package, a set of proposed amendments to multiple EU digital regulations including the AI Act. The proposals reflect political pressure from industry and member states to reduce compliance burden on businesses, particularly SMEs.
The Digital Omnibus proposals are not yet law. They require agreement between the Parliament and Council through the ordinary legislative procedure. The timeline for adoption is uncertain as of May 2026.
| Proposed change | Current rule | Proposed amendment | Status |
|---|---|---|---|
| High-risk AI timeline acceleration | High-risk rules apply 2 August 2026 | Commission proposes a maximum 16-month transition to ensure standards are available before rules apply | Under negotiation |
| SME exemptions | Fines capped at lower of percentage or fixed amount | Additional proportionality measures proposed for micro and small enterprises | Under negotiation |
| Deployer FRIA simplification | All deployers of Annex III systems must complete FRIA | Proposals to simplify or standardise FRIA requirements | Under negotiation |
| General-purpose AI obligations | GPAI obligations apply from August 2025 | No substantive change proposed to GPAI timeline | No change proposed |
| Definition of AI system | Current definition based on OECD framework | Proposed narrowing to exclude certain traditional software systems | Under negotiation |
The Commission’s stated rationale for the Digital Omnibus is that companies need standards and supporting tools to be available before full enforcement begins. The harmonised standards process under the Act has moved more slowly than anticipated, leaving some providers without clear technical benchmarks against which to assess conformity.
The proposals have been criticised by civil society organisations and several members of the European Parliament as weakening enforcement before it has begun. Industry groups have broadly welcomed the proposals as necessary for practical implementation.
Key point for planning purposes: the Digital Omnibus does not affect obligations already in force. Prohibited practice rules, the AI literacy obligation, and GPAI model obligations remain unchanged under the current proposals. The debate concerns the August 2026 high-risk AI deadline and the conditions under which it applies.
Codes of Practice for GPAI Models
The AI Act required the AI Office to facilitate development of codes of practice for GPAI model providers, to serve as a practical compliance mechanism before and alongside formal enforcement. The code of practice process began in late 2024.
| Date | Development |
|---|---|
| November 2024 | First drafting plenary of GPAI Code of Practice |
| January 2025 | First draft of the Code published for consultation |
| March 2025 | Second draft published |
| May 2025 | Third and final draft published |
| 2 August 2025 | Code of Practice becomes the primary compliance reference for GPAI obligations |
Adherence to an approved code of practice creates a presumption of conformity with the corresponding GPAI obligations. Providers that do not adhere to any approved code must demonstrate compliance through alternative means and remain subject to direct AI Office supervision.
EU AI Act Harmonised Standards
The AI Act envisages that European Standards Organisations (CEN, CENELEC, and ETSI) will develop harmonised standards against which conformity with high-risk AI requirements can be assessed. Compliance with a harmonised standard creates a presumption of conformity.
The standards development process has been slower than the legislative timeline anticipated. As of May 2026, the primary AI Act standards are still in development. This is one of the principal reasons behind the Digital Omnibus proposals on the high-risk AI timeline.
| Standards body | Mandate | Status (May 2026) |
|---|---|---|
| CEN/CENELEC JTC 21 | AI Act harmonised standards for high-risk systems | In development |
| ISO/IEC JTC 1/SC 42 | International AI standards referenced by AI Act | Several published, including ISO 42001 |
| ETSI | Standards for specific AI applications in telecoms and digital infrastructure | In development |
EU AI Act Penalties
| Infringement | Maximum fine |
|---|---|
| Prohibited AI practices (Article 5) | EUR 35,000,000 or 7% of worldwide annual turnover |
| Provider, deployer, importer, distributor, Authorised Representative obligations | EUR 15,000,000 or 3% of worldwide annual turnover |
| Supplying incorrect or misleading information to authorities | EUR 7,500,000 or 1% of worldwide annual turnover |
| GPAI model provider obligations | EUR 15,000,000 or 3% of worldwide annual turnover |
| Providers of GPAI models with systemic risk | Additional fines under Article 101 |
For SMEs and start-ups, fines are capped at the lower of the applicable percentage or fixed amount.
Frequently Asked Questions
When did the EU AI Act become law?
The Act was adopted by the Council of the EU on 21 May 2024 and published in the Official Journal on 12 July 2024. It entered into force on 1 August 2024, which is the date the law became legally binding. Applicability of the substantive obligations is staggered across 2025, 2026, and 2027.
Why did the AI Act take so long to negotiate?
Three factors extended the process significantly. First, the December 2022 emergence of capable large language models required Parliament and Council to substantially revise the text to address GPAI models, which were not in the original proposal. Second, biometric surveillance provisions were among the most contested in EU legislative history, with significant disagreement between Parliament’s position and member state preferences. Third, France and Germany initially opposed strong regulation of foundation model providers, creating a fault line that took months to resolve in trilogue.
What is the Digital Omnibus and has it changed my obligations?
The Digital Omnibus is a package of proposed amendments to EU digital regulations, including the AI Act, published by the Commission in February 2025. It proposes adjustments to the high-risk AI timeline and additional SME protections. As of May 2026, the proposals are still under negotiation between Parliament and Council and have not been adopted. Obligations already in force, including prohibited practices, AI literacy, and GPAI model requirements, are unaffected by the current proposals.
Will the August 2026 deadline move?
The Commission has proposed adjusting the high-risk AI timeline to allow up to 16 months from the point at which relevant harmonised standards are available. This proposal has not been adopted. Planning on the assumption that the deadline will move is not a sound compliance strategy. The work required to meet August 2026 obligations takes months regardless of the final date.
What happened to the original 2021 proposal?
The core architecture of the 2021 proposal survived largely intact: a risk-based classification framework, provider and deployer distinctions, and prohibited practices. The most significant additions made during the legislative process were the GPAI model provisions in Chapter V, the systemic risk framework, the AI Office, and strengthened provisions on biometric surveillance. The risk classification thresholds and Annex III categories were also substantially revised during Parliamentary and Council deliberations.
What is the AI Office and who does it regulate?
The European AI Office was established within the Commission and became operational in 2024. It is the primary supervisory body for GPAI model providers across the EU. It develops guidelines, facilitates codes of practice, conducts evaluations of systemic risk models, and has enforcement powers against GPAI model providers. National market surveillance authorities remain responsible for enforcing high-risk AI system obligations at member state level.
What are harmonised standards and why do they matter?
Harmonised standards are technical specifications developed by European Standards Organisations under a Commission mandate. Compliance with a harmonised standard creates a legal presumption of conformity with the corresponding regulatory requirements. For high-risk AI system providers, harmonised standards will be the primary practical mechanism for demonstrating conformity assessment compliance. The slow development of these standards is one reason the Digital Omnibus proposes adjustments to the high-risk timeline.
What is the GPAI Code of Practice?
The GPAI Code of Practice is a practical compliance document developed through a multi-stakeholder process facilitated by the AI Office. It sets out specific measures GPAI model providers should take to meet their obligations under Articles 51 to 56 of the Act. Adherence to an approved code creates a presumption of conformity. The finalised code became the primary compliance reference for GPAI obligations from 2 August 2025.
Does the AI Act apply to AI systems developed before it entered into force?
Yes, with some transition provisions. AI systems already placed on the market or put into service before the applicable obligations entered into force benefit from transition periods, but these end by 2 August 2027 at the latest. Providers of GPAI models placed on the market before 2 August 2025 have until 2 August 2027 to comply. There is no permanent grandfather clause.
How does the AI Act interact with the GDPR?
The Acts operate in parallel. The GDPR governs the processing of personal data used in AI systems, including training data and inference. The AI Act imposes additional requirements on the AI system itself, independent of whether personal data is processed. Where both apply, the stricter requirement governs. National data protection authorities and market surveillance authorities are expected to coordinate enforcement where AI systems process personal data.
This guide reflects the text of Regulation (EU) 2024/1689 as published in the Official Journal on 12 July 2024, the Digital Omnibus proposals published in February 2025, and applicable guidance issued by the European AI Office through May 2026. It does not constitute legal advice.
