EU AI Act enforcement dates: the complete 2025–2027 timeline for technical teams
The EU AI Act (Regulation 2024/1689) is the world's first comprehensive legal framework for artificial intelligence. It entered into force on 1 August 2024, but — like most major regulations — it applies in stages. Understanding which obligations apply when is essential for technical teams building or deploying AI systems in the EU.
The phased rollout at a glance
The EU AI Act does not apply all at once. Obligations become enforceable over a 36-month window from the entry-into-force date. The most severe prohibitions came first; the most complex conformity assessment requirements for high-risk systems come last.
August 2024: Entry into force
The regulation entered into force on 1 August 2024 — 20 days after publication in the Official Journal of the European Union. This date does not trigger any compliance obligations for deployers or providers. It starts the clocks for the phased application dates below.
February 2025: Prohibited AI practices banned
Six months after entry into force, the prohibitions in Article 5 became enforceable. These are the "unacceptable risk" AI systems that are outright banned across the EU:
- Social scoring systems used by public authorities to evaluate individuals based on behaviour
- AI that exploits subliminal techniques or manipulates people in ways that bypass their rational agency
- AI that exploits vulnerabilities of specific groups (age, disability, social situation)
- Real-time remote biometric identification systems in publicly accessible spaces, with narrow law enforcement exceptions
- Emotion recognition in workplaces and educational institutions
- AI used to infer sensitive attributes (race, political opinion, religion) from biometric data
If your organisation has deployed, or is planning to deploy, any system falling into these categories, that system needs to be decommissioned or fundamentally redesigned. The penalties for prohibited systems are the highest in the regulation: up to €35 million or 7% of global annual turnover.
August 2025: GPAI model obligations
General Purpose AI models — foundation models like large language models — face their own obligation set under Title III of the regulation. Twelve months after entry into force, providers of GPAI models must:
- Maintain technical documentation describing training data, architecture, capabilities, and limitations
- Provide information to downstream deployers to enable their own compliance assessments
- Publish a sufficiently detailed summary of training data (the "training data summary")
- Have a copyright compliance policy in place covering training data
Models that pose "systemic risk" — defined as those trained using more than 10^25 FLOPs of compute — face additional requirements: adversarial testing (red-teaming), incident reporting to the EU AI Office, and cybersecurity protections for model weights. As of 2026, this threshold captures the frontier models from OpenAI, Google, Anthropic, and Meta, but not most open-source or fine-tuned models.
February 2026: High-risk AI in Annex III
Eighteen months after entry into force, the high-risk AI obligations apply to systems listed in Annex III. These are AI systems used in sensitive contexts where errors have significant consequences:
- Biometric identification and categorisation of natural persons
- AI used in education or vocational training (e.g. exam scoring, student assessment)
- AI used in employment decisions (CV screening, promotion decisions, performance evaluation)
- AI used in credit scoring or insurance risk assessment
- AI used in law enforcement for risk assessment of individuals
- AI used in migration, asylum, or border control decisions
- AI used in administration of justice
For Annex III high-risk systems, providers must complete a conformity assessment, register the system in the EU database, implement a quality management system, and maintain detailed technical documentation. Human oversight must be built into the system design — not added as an afterthought.
August 2026: Full application
The final major milestone is 2 August 2026 — full application of the regulation, including high-risk AI systems listed in Annex II. These are AI systems embedded in regulated products already subject to EU product safety legislation: medical devices, machinery, vehicles, toys, aviation equipment, and others. For these systems, the AI Act obligations layer on top of existing product safety conformity assessments.
What technical teams need to do now
- Inventory your AI systems. Build a register of every AI system your organisation develops, deploys, or integrates. Include the vendor, purpose, data inputs, and decision outputs.
- Classify each system by risk tier. Work through the Article 6 criteria and Annex III list. Most internal tooling and productivity AI falls into the "minimal risk" category with no mandatory obligations. Document your classification rationale.
- Start technical documentation now for high-risk systems. Conformity assessments require substantial documentation that takes months to compile. Do not start this the month before a deadline.
- Check your GPAI model providers. If you use API-based AI services, verify that your provider has published their model documentation and training data summary as required under Article 53.
- Appoint an AI governance lead. Someone needs to own this — whether that is your CISO, DPO, or a dedicated AI governance role. The regulation requires identifiable responsible parties.