EU AI Act enforcement timeline
Analysts say enforcement under the EU AI Act begins in August, imposing a new governance landscape on organisations deploying agentic AI. The law will create data and documentation requirements that favour firms with centralised records of model assets, deployment decisions and audit trails, and may force a choice between regional deployment and access to frontier model updates. That regulatory pressure turns governance into first‑order architecture: region choice, update cadence and documentation practices now affect sellability. (artificialintelligence-news.com)
A lot of companies talk about “launching in Europe” like it is a switch they can flip, but the European Union’s Artificial Intelligence Act turns that into a calendar problem with hard dates. The law entered into force on August 1, 2024, banned some uses from February 2, 2025, started rules for general-purpose artificial intelligence models on August 2, 2025, and makes most remaining rules apply on August 2, 2026. (digital-strategy.ec.europa.eu)
That August 2, 2026 date is the one many software buyers are now circling because it is when the broad compliance regime arrives for most systems, especially “high-risk” uses. The European Commission says the law is fully applicable then “with some exceptions,” which means the countdown is no longer theoretical. (digital-strategy.ec.europa.eu)
The law works like airport security, not like a blanket ban. Most artificial intelligence systems face light rules or none at all, but systems used in sensitive areas such as employment, education, critical infrastructure, and some public services can fall into the “high-risk” bucket and trigger documentation, testing, monitoring, and human oversight duties. (digital-strategy.ec.europa.eu)
Another layer sits underneath many chatbots and agents: general-purpose artificial intelligence models, which are the base models that can be reused across many products. The European Commission says obligations for those model providers started applying on August 2, 2025, with extra duties for the most powerful models that create “systemic risk.” (digital-strategy.ec.europa.eu)
That split matters because one company may build the foundation model, another may wrap it in an agent, and a third may deploy it inside a bank or hospital. The Act assigns different obligations to providers and deployers, so a business cannot just say “the model vendor handles compliance” if its own use puts the system into a regulated category. (digital-strategy.ec.europa.eu)
For companies shipping agentic artificial intelligence, the practical problem is memory. If an agent can call tools, update prompts, route tasks across models, and act on user data, the company needs records showing which model version ran, what data it touched, what safeguards were active, and who approved the deployment. (eur-lex.europa.eu)
That is why governance is starting to look like product architecture. A company with one central log of model cards, evaluations, incident reports, and deployment approvals can answer a regulator or customer much faster than a company whose records are scattered across engineering tickets, cloud dashboards, and vendor emails. (digital-strategy.ec.europa.eu)
The law also pushes a regional choice that many executives hoped to avoid. If the newest model update is available in the United States first but not yet documented for European Union compliance, a firm may have to choose between giving European customers the latest capability and giving them the version with the cleaner paper trail. (digital-strategy.ec.europa.eu)
Enforcement will not come from one giant Brussels inspectorate alone. The Commission says national market surveillance authorities, notified bodies, data protection authorities in some cases, and a new European Artificial Intelligence Office all have roles, which means companies may be answering questions from several directions at once. (digital-strategy.ec.europa.eu)
The penalties are large enough to move boardrooms before any fine is issued. The Act allows fines that can reach tens of millions of euros or a share of global annual turnover, with the exact level depending on the breach and the size of the company. (eur-lex.europa.eu)
So the real deadline is earlier than August 2026 for any company that still cannot answer four simple questions: which model is running, where it is running, what it is allowed to do, and what evidence proves that. By the time the rulebook is fully live on August 2, 2026, the firms that treated documentation like an afterthought will be trying to build an audit trail after the plane has already taken off. (digital-strategy.ec.europa.eu)