EU AI Act Timeline & Deadlines (2025–2027): What Compliance Officers Need to Know

If your AI touches the EU, you’ve got a firm clock to work against. The EU Artificial Intelligence Act became law on August 1, 2024, and its obligations phase in over several years. Understanding the sequence—what bites when—is the difference between a calm rollout and a last-minute fire drill. Below is a practical, date-driven roadmap you can use to back-plan your compliance program.

The milestone dates (and what each one means)

August 1, 2024 — Law in force.
Publication in the EU’s Official Journal triggered the 20-day countdown; the AI Act formally entered into force on August 1, 2024. From this point, the clock started on all subsequent application deadlines. EUR-Lex

February 2, 2025 — Prohibited practices apply.
The first obligations to bite are the outright bans (e.g., certain manipulative or abusive uses, some biometric practices) and associated AI-literacy measures. If any current or planned use falls into a prohibited bucket, it must cease or be redesigned before this date. Law-firm trackers and regulatory summaries confirm this initial six-month trigger. DLA Piper

August 2, 2025 — General-Purpose AI (GPAI) obligations begin.
Providers of GPAI models face transparency and copyright-related requirements beginning twelve months after entry into force. The Commission published a GPAI Code of Practice to guide implementation; while voluntary, it’s the practical playbook most providers are expected to follow. Digital Strategy EU

August 2, 2026 — The heavy lift for “high-risk” systems.
Most of the Act applies here: risk management, data governance, technical documentation (Annex IV), logging, human oversight, robustness/cybersecurity, instructions for use, and—in many cases—conformity assessment and CE marking before placing on the EU market. If your product maps to Annex III use cases or is a safety component under sector rules, this is your critical deadline. White & Case

August 2, 2027 — Two groups hit a later cutoff.

1. High-risk AI that’s a safety component covered by certain sectoral product laws gets thirty-six months from entry into force. 2) GPAI models already on the EU market before August 2, 2025 have a one-year grace to transition, making August 2, 2027 their compliance date. Jones Day

How to back-plan your program against the dates

Now through Q1 2025: Clean your portfolio.
Inventory every AI system with EU exposure and screen for prohibited uses. If anything is close to a ban line, redesign early—don’t carry risk past February 2025. Map your legal role per system (provider vs. deployer) so you know which obligations you actually own. A living registry avoids “shadow AI” surprises later. (If you also process personal data, run GDPR/CCPA alignment in parallel.)

Q1–Q3 2025: Get GPAI and foundations ready.
If you provide a GPAI model, implement the Code of Practice measures and publish the required model documentation before August 2025. Even if you don’t, use 2025 to standardize templates for Annex IV, risk management, data governance, and human oversight—the same artifacts you’ll need for high-risk systems in 2026. Digital Strategy EU

Q4 2025–Q2 2026: Execute for high-risk.
Treat 2026 like a product-safety launch. Finalize your quality management system, complete evaluations, assemble technical files, and line up notified-body involvement where required. Do a dry-run conformity assessment in spring 2026 so you have time for remediation before August 2, 2026. White & Case

2026–2027: Operate, monitor, and close the long-tail.
Once live, switch to post-market monitoring and incident reporting. If you ship GPAI or high-risk systems with sectoral ties, track the 2027 endpoints and keep your technical documentation updated as the models or data evolve. Grace periods aren’t pauses—they’re your runway. Jones Day

Why the sequence matters

Each milestone changes your evidentiary burden. February 2025 is a go/no-go on specific practices. August 2025 is documentation-heavy for GPAI providers. August 2026 is where auditors will expect to see a mature, repeatable compliance engine for high-risk systems—not just policies, but proof. Working backward from these dates tells you when to lock model architectures, complete bias and robustness testing, and freeze your Annex IV technical files long enough to pass assessment.

A quick note on penalties and posture

The AI Act’s fines scale with severity and company size, and GPAI providers also face substantial penalties for non-compliance once their obligations apply. More important than the headline numbers is regulatory posture: being able to show credible processes, versioned evidence, and a responsive post-market program dramatically reduces risk even if issues arise. Jones Day

How WALLD helps you hit the dates

WALLD automates the grind behind this timeline: it inventories your AI systems, classifies risk, scaffolds Annex IV technical documentation with linked evidence, and tracks vendor and GPAI dependencies. As you approach each milestone, WALLD keeps your files audit-ready and your post-market monitoring organized—so engineering can ship and legal can sleep.

Disclaimer: This article is for general information and is not legal advice. Always consult qualified counsel for your specific situation.