EU AI Act: What the Implementation Timeline Actually Means for Your Business

The EU Artificial Intelligence Act entered into force on 1 August 2024 and is being implemented in phases through 2027. Understanding what has already taken effect, what is coming, and what it means for your organisation requires cutting through considerable confusion in the market — confusion that is partly a product of the Act's deliberately staggered timeline.

This article uses the official European Commission implementation timeline, supplemented by legal analysis from DLA Piper and Greenberg Traurig, to lay out what is actually required and when.

What Has Already Taken Effect

February 2, 2025: Prohibited AI practices became legally binding. The Act bans AI systems that use manipulative techniques exploiting psychological vulnerabilities, systems that conduct untargeted scraping of facial images for recognition databases, emotion recognition in workplace and educational settings, social scoring by public authorities, and — with narrow law enforcement exceptions — real-time remote biometric identification in publicly accessible spaces. Any AI system in these categories must have been removed from the EU market by this date.

August 2, 2025: General Purpose AI (GPAI) model obligations took effect. From this date, providers of foundation models — those trained using more than 10²³ FLOPS — must maintain technical documentation, publish training data summaries, and comply with EU copyright law. For models carrying "systemic risk" (trained above 10²⁵ FLOPS), additional obligations apply including adversarial testing, incident reporting, and cybersecurity measures.

Also from August 2025: The EU AI Office became fully operational, the penalty regime took effect for most provisions (fines up to €35 million or 7% of global annual turnover), and Member States were required to designate national competent authorities.

Key Dates (Source: European Commission official timeline)
  • Feb 2025: Prohibited AI practices banned — active enforcement
  • Aug 2025: GPAI obligations in force; EU AI Office operational; penalties active for most provisions
  • Aug 2026: High-risk AI system requirements apply (hiring, credit, healthcare AI etc.)
  • Aug 2027: Full compliance deadline for legacy systems in regulated products
  • Fines: Up to €35M or 7% of global annual turnover for prohibited practice violations

The GPAI Code of Practice

The Commission published a voluntary GPAI Code of Practice in July 2025. Within weeks, major AI providers including Amazon, Google, Microsoft, OpenAI, and Anthropic signed on as early signatories, per TTMS analysis. The Code provides a compliance pathway — but it is voluntary. Providers choosing not to follow it must independently demonstrate to regulators how their alternative measures fulfil each requirement of the Act.

What's Coming in August 2026

The most significant upcoming deadline is August 2, 2026, when obligations for high-risk AI systems take full effect. High-risk systems include AI used in: hiring and employment decisions, credit scoring, educational assessment, access to essential services, migration and border control, and administration of justice. An estimated 18% of enterprise AI systems are classified as high-risk under this framework, according to Introl's compliance analysis (December 2025).

High-risk system obligations include conformity assessments, technical documentation, human oversight mechanisms, logging and audit trails, and registration in the EU's AI database before market deployment. These are not trivial compliance exercises — they require structural changes to how systems are developed, documented, and monitored.

Practical Steps for Companies Now

Legal firms advising on EU AI Act compliance consistently recommend the same starting point: a complete AI inventory with risk classification. You cannot assess your obligations until you know what AI systems you operate and how they are classified under the Act's risk tiers.

For companies with high-risk systems, the August 2026 deadline is closer than it appears once the required documentation and governance infrastructure is properly scoped. The organisations facing the least disruption in 2026 are those that started this process in 2025, not those waiting for the final guidance texts.