EU AI Act Enforcement Timeline: Every Compliance Deadline From February 2025 to August 2027

ComplianceStack

EU AI Act Enforcement Timeline: What's Already in Force and What's Coming

Last updated: 2026-04-12 — ComplianceStack Editorial Team

Regulation (EU) 2024/1689 entered into force on August 1, 2024 — but 'in force' does not mean 'enforceable.' The Act uses a phased application schedule spread across three years, with different obligations becoming binding on different dates. Companies that assume the EU AI Act is a 2026 problem are already wrong: prohibited practices have been enforceable since February 2, 2025, and GPAI model obligations have been binding since August 2, 2025. The largest tranche — high-risk AI, general deployer obligations, and the full penalty framework — activates August 2, 2026. Understanding exactly which obligations apply to your AI systems and when is the foundation of EU AI Act compliance planning. Getting the timeline wrong means either over-spending on premature compliance work or — worse — being live in a prohibited or non-compliant deployment when enforcement begins.

Regulatory Authority: Regulation (EU) 2024/1689, Article 113 (Entry into force and application dates), Article 5 and Article 113(1) (Prohibited practices — applicable February 2, 2025), Articles 51–56 and Article 113(2) (GPAI obligations — applicable August 2, 2025), Article 6 and Chapters III–VIII and Article 113(3) (General application — August 2, 2026), Annex I systems per Article 113(4) (Extended deadline — August 2, 2027), Article 74 (NCA designation deadline — August 2, 2025), Article 101 (EU AI Office enforcement procedures), Article 111 (Transitional provisions for existing AI systems)

Penalty Tier Breakdown

Phase 1: Prohibited Practices (Effective February 2, 2025)

€35,000,000 or 7% of global annual turnover

Annual max: Effective NOW — highest penalty tier, already enforceable

Article 5 prohibited practices became applicable 6 months after entry into force. Companies deploying any system falling within the eight prohibited categories have been in violation-eligible territory since February 2, 2025. National competent authorities designated during 2025 are empowered to investigate and fine immediately.

Example: A company that deployed a social scoring AI for internal use before February 2025 and did not withdraw or modify it before February 2, 2025 has been operating a prohibited AI system for over a year by August 2026 — the duration of violation is an aggravating factor in penalty calculation.

Phase 2: GPAI Obligations (Effective August 2, 2025)

€15,000,000 or 3% of global annual turnover

Annual max: Effective NOW — GPAI providers in violation if documentation not in place

Title VIII (GPAI model obligations, Articles 51–56) and Article 101 (EU AI Office enforcement) became applicable 12 months after entry into force. GPAI providers who had not established technical documentation processes, copyright compliance policies, and systemic risk assessment frameworks by August 2, 2025 have been in violation since that date.

Example: A major LLM provider who first submitted their GPAI technical documentation package to the EU AI Office in January 2026 — 5 months after the deadline — may face a penalty calculation that accounts for the full 5-month violation period when the EU AI Office determines the fine amount.

Phase 3: High-Risk AI and Full Enforcement (Effective August 2, 2026)

€15,000,000 or 3% of global annual turnover (high-risk) / €7.5M or 1% (transparency)

Annual max: Primary compliance deadline for most companies — 90%+ of Act's provisions activate

Chapters III (high-risk AI requirements), IV (transparency obligations), V (general-purpose AI — except GPAI-specific rules already applicable), VI (market surveillance), VII (governance), and VIII (sanctions) all apply from August 2, 2026. This is the date when national competent authorities gain full enforcement authority and can impose the full penalty schedule against providers and deployers of non-compliant AI systems.

Example: An HR software company that offers an automated CV screening tool (Annex III, Area 4) and has not completed conformity assessment, registered in the EU database, or implemented required human oversight mechanisms by August 1, 2026 is in violation from the first day of enforcement — August 2, 2026.

Phase 4: Annex I High-Risk AI (Effective August 2, 2027)

€15,000,000 or 3% of global annual turnover

Annual max: Extended timeline for safety-regulated products

AI systems embedded in products regulated by EU safety legislation listed in Annex I (medical devices, civil aviation, industrial machinery, toy safety, etc.) have an extended compliance deadline of August 2, 2027. This reflects the fact that these products already undergo conformity assessment under their existing regulatory frameworks, and integrating AI Act requirements takes additional time.

Example: An AI-enabled diagnostic imaging device regulated under EU MDR (Medical Devices Regulation) must complete AI Act-specific conformity assessment by August 2027 — one year later than standalone AI software products. The MDR CE mark does not substitute for AI Act compliance.

How Penalties Are Calculated

The EU AI Act enforcement timeline creates a layered compliance obligation structure. For penalty calculation purposes, national competent authorities and the EU AI Office consider the date from which the specific obligation became applicable — meaning violations that began in Phase 1 (February 2, 2025) are assessed based on the full duration of non-compliance, not just the post-August 2026 period. This matters because: (1) prohibited practice violations running from February 2025 accumulate a 12+ month violation history before the main enforcement gate opens; (2) GPAI violations running from August 2025 accumulate 12 months before the August 2026 enforcement date; and (3) NCAs can impose penalties for pre-August 2026 violations in their investigation conclusions even if proceedings formally begin after August 2026. The practical implication: companies that have been operating prohibited or non-compliant AI systems since early 2025, and who assume they have a 'grace period' until August 2026, are miscalculating their exposure. The enforcement action timeline is gated by NCA capacity — not by statute of limitations on the violation start date. Article 101(8) sets no limitation period shorter than 5 years for EU AI Office proceedings; member states' administrative law determines NCA statute of limitations periods.

Recent Enforcement Actions

2025 — EU AI Office — Formal Establishment

The EU AI Office, established within the European Commission's DG CONNECT, became operational in early 2024 and began its oversight role from entry into force. By Q1 2025, the Office had established: the GPAI Model Registry, the scientific advisory panel, the AI Safety Evaluations Center framework, and preliminary enforcement procedures. It had not yet issued formal fines as of Q1 2026 — but its investigative procedures for GPAI providers were underway.

Penalty: EU AI Office operational — zero formal fines as of Q1 2026; formal GPAI enforcement actions expected H2 2026

Source: EU AI Office Annual Report 2025; European Commission DG CONNECT AI Act Implementation Update, Q4 2025

2025 — National Competent Authority Designations

Article 74 required member states to designate their national competent authorities by August 2, 2025. As of Q1 2026, 24 of 27 EU member states had designated their primary NCA. Germany designated the Federal Network Agency (BNetzA); France designated CNIL with an AI oversight division; Spain designated AEPD; the Netherlands designated the Dutch Authority for Digital Infrastructure (RDI). Three member states (Hungary, Bulgaria, Malta) had not completed formal designation by the Q1 2026 reporting date.

Penalty: Member states who fail to designate NCAs by the August 2, 2025 deadline face infringement proceedings from the European Commission — separate from any enforcement action against AI providers

Source: European Commission AI Act Implementation Tracker, Q1 2026; Article 74 of Regulation (EU) 2024/1689

2026 — EU AI Act Database — Registration Deadline

All providers of high-risk AI systems listed in Annex III must register their systems in the EU AI Act database (operated by the European Commission under Article 71) before placing them on the EU market from August 2, 2026 onward. Systems already on the market before that date have a grace period under Article 111, but systems undergoing 'significant changes' lose this protection.

Penalty: Registration non-compliance is the most objectively verifiable violation NCAs can identify — no subjective technical judgment required. NCAs in Germany, France, Netherlands and Spain have publicly indicated database registration will be their first enforcement priority from August 2026 onward.

Source: EU AI Act Database Implementation Guide, EU AI Office Q4 2025; Article 71 and Article 111 of Regulation (EU) 2024/1689

Understand Your EU AI Act Penalty Exposure

Use ComplianceStack's free tools to identify gaps before regulators do.

Take the Quiz → Gap Analyzer →

🔔

Get enforcement alerts before they hit the news

Weekly enforcement actions, penalty updates, and regulatory changes for EU AI Act. Free, no spam, unsubscribe anytime.

Frequently Asked Questions

Which EU AI Act obligations are already in force as of April 2026?

As of April 2026, two tranches of EU AI Act obligations are already applicable and enforceable. First, since February 2, 2025: Article 5 prohibited practices — the eight categories of banned AI (subliminal manipulation, social scoring, real-time biometric identification in public spaces for law enforcement without exception, emotion recognition in workplaces, biometric categorization by sensitive attributes, untargeted facial recognition scraping, and predictive criminal profiling). Companies still operating systems that fall within these categories are in ongoing violation. Second, since August 2, 2025: Title VIII GPAI obligations — all providers of general-purpose AI models must have technical documentation, training data summaries, copyright compliance policies, and model cards in place; GPAI models with systemic risk (>10^25 FLOPs) must have adversarial testing and incident reporting procedures active. National competent authorities could formally launch investigations into violations of these already-applicable provisions at any point. The main August 2, 2026 deadline — covering high-risk AI, transparency obligations, and the full penalty framework — is still upcoming as of Q1 2026.

Do AI systems on the EU market before August 2026 need to comply immediately?

It depends on the obligation tier and whether the system has undergone changes. Article 111 of Regulation (EU) 2024/1689 provides transitional provisions: AI systems (other than GPAI models) that were already placed on the market or put into service before August 2, 2026 generally have until August 2, 2027 to comply with the Act's requirements — unless they undergo 'significant changes' in design or intended purpose after August 2, 2026. A 'significant change' triggers the full compliance obligation immediately, without the grandfathering period. GPAI models do not benefit from this transitional provision — GPAI obligations applied from August 2, 2025 regardless of when the model was first released. Prohibited practices under Article 5 have no transitional exception — systems violating Article 5 must have been withdrawn from the market by February 2, 2025.

How does EU AI Act enforcement actually work — who investigates and what happens during an investigation?

Enforcement operates through two parallel tracks. Track 1 — National competent authorities (NCAs): For most AI systems other than GPAI models, the NCA designated in each member state is the primary enforcer. Investigations are typically triggered by: market surveillance activities (NCAs proactively testing AI systems in their jurisdiction), complaint referrals from individuals, other regulators (DPAs, financial supervisors), or the European Commission, and serious incident notifications filed under Article 73. During an investigation, the NCA can: request technical documentation, require access to AI systems for testing, conduct on-site inspections, and impose interim measures (e.g., suspend market access) while the investigation proceeds. Investigations must comply with the member state's administrative law. Track 2 — EU AI Office: For GPAI models, the EU AI Office conducts its own investigations directly under Article 101. The Office can act on its own initiative or via a referral from an NCA or member state. It can impose fines on GPAI providers without going through a national court, though providers can appeal to the Court of Justice of the EU. Both tracks can run simultaneously for AI products that include both GPAI components and downstream high-risk applications.