EU AI Act deadlines firming

Europe’s AI law is no longer a distant threat. It is turning into a calendar. The EU AI Act entered into force on August 1, 2024, but its rules were always meant to arrive in stages. Now those stages are landing. Prohibited AI practices and basic AI literacy duties started applying on February 2, 2025. Rules for general-purpose AI models kicked in on August 2, 2025. The big next date is August 2, 2026, when most of the law starts to bite, including the main rules for high-risk AI systems and the Act’s transparency duties. Full rollout is due by August 2, 2027 (digital-strategy.ec.europa.eu, ai-act-service-desk.ec.europa.eu). That matters because the law is built around categories, and companies have to decide which box they are in before they can decide what to build. The Act sorts AI into unacceptable risk, high risk, and systems with narrower transparency duties. Unacceptable-risk systems are banned outright. The Commission’s February 2025 guidance spelled out what that means in practice, including bans on social scoring, untargeted scraping of facial images to build recognition databases, emotion recognition in workplaces and schools, and certain forms of real-time remote biometric identification by police in public spaces (digital-strategy.ec.europa.eu, digital-strategy.ec.europa.eu). Once a system is not banned, the next question is whether it is high risk. That is where the compliance work starts to look less like policy and more like engineering. The Commission’s own description of the coming 2026 phase points to requirements on data governance, technical documentation, human oversight, robustness, and transparency. These are not abstract principles. They imply inventories of models and use cases, internal sign-off processes, testing records, supplier documentation, and a way to prove that a system can be supervised by humans after deployment (eur-lex.europa.eu, ai-act-service-desk.ec.europa.eu). The same shift is happening for foundation models. The EU’s rules for general-purpose AI models already apply, and the Commission has stopped being vague about who is covered. Its guidance says the obligations began on August 2, 2025. Providers of new GPAI models must comply now. Providers of models already on the market before that date have until August 2, 2027. The Commission’s enforcement powers over GPAI providers start on August 2, 2026. For the most advanced models that present systemic risk, the duties go further, including notification, model evaluation, incident reporting, and cybersecurity measures (digital-strategy.ec.europa.eu, digital-strategy.ec.europa.eu). That is why the recent guidance matters so much. Brussels is not just announcing deadlines. It is building the machinery around them. The AI Office now sits at the center of enforcement for the most powerful general-purpose models, while national authorities will police high-risk systems and prohibited uses inside each member state. Those member states were supposed to designate competent authorities and adopt penalty rules by August 2, 2025. By August 2, 2026, each country should also have at least one AI regulatory sandbox up and running, which is the EU’s way of admitting that many companies will need supervised testing space before they can safely launch anything serious (digital-strategy.ec.europa.eu, ai-act-service-desk.ec.europa.eu). The practical effect is easy to miss if you only read the law at a high level. A company using AI for hiring, credit, education, insurance, or critical infrastructure may be heading toward the 2026 deadline with a system that cannot be documented well enough to pass. A company building chatbots or image tools may discover that Article 50’s transparency rules also arrive on August 2, 2026, requiring users to be told when they are interacting with AI and requiring AI-generated or AI-manipulated content, including deepfakes, to be disclosed in specific cases (ai-act-service-desk.ec.europa.eu, ai-act-service-desk.ec.europa.eu). And the cost of getting this wrong is not theoretical. The Act allows fines of up to €35 million or 7% of global annual turnover for violations involving prohibited practices, with lower but still painful tiers for other breaches. For months, many firms treated the AI Act as a future compliance problem. The EU has spent the last year turning that future into dated guidance, named authorities, draft codes, and operational deadlines. August 2, 2026 is now close enough that “wait and see” has become its own form of noncompliance (artificialintelligenceact.eu, digital-strategy.ec.europa.eu).