EU AI Act Timeline: Key Compliance Deadlines for 2027-2028

The EU AI Act has crossed the line from theory to operating reality. Three deadlines now anchor the next two years: 2 August 2026 for transparency obligations, 2 December 2027 for most standalone high-risk systems, and 2 August 2028 for high-risk AI embedded in already-regulated products. Misjudging any of them carries fines up to €35 million or 7% of global turnover.

At a glance

This guide turns the AI Act’s dense legal text into a project plan. You’ll see which actors carry which obligations, the risk classification that determines your regulatory burden, a milestone-by-milestone timeline through 2028, and the eight core duties (Articles 9–15, 43) that every provider of a high-risk system must meet before the December 2027 cliff edge.

Risk pyramid

How the Act classifies AI systems by risk

The Act’s core principle is risk-based: the level of regulation an AI system faces is tied to the risk it poses to health, safety, and fundamental rights. Four categories sit at the foundation of every downstream obligation.

01

Unacceptable risk

Banned outright since 2 February 2025. Includes social scoring by public authorities and most real-time remote biometric identification in public spaces.

02

High-risk

The most regulated category. Covers AI in critical infrastructure, education, employment, law enforcement, and medical devices — strict pre- and post-market rules apply.

03

Limited risk

Specific transparency duties: users must know they are interacting with an AI chatbot, and AI-generated content like deepfakes must be clearly labeled.

04

Minimal risk

Spam filters, AI in video games, and most other systems. No new obligations, though voluntary codes of conduct are encouraged.

Who is on the hook

Four actors in the AI value chain

The Act distributes responsibility across the lifecycle. Knowing exactly which role your organization plays — and where the handoffs sit — is the first step in scoping the workload.

Primary obligation holder

Providers

Organizations that develop an AI system (or have one developed) and place it on the EU market under their own name or trademark. Providers carry the bulk of the burden: conformity assessment, technical documentation, post-market monitoring.

Operational responsibility

Deployers (users)

Any organization using a high-risk AI system under its authority — excluding personal, non-professional use. Responsible for following the provider’s instructions and maintaining effective human oversight in production.

Cross-border gateway

Importers

EU-based entities that place an AI system from a third country on the EU market. Must verify that the foreign provider has completed the necessary conformity assessment procedures before the system enters the single market.

Last-mile check

Distributors

Entities in the supply chain — other than the provider or importer — that make an AI system available on the EU market. Must verify the system bears the required CE marking and is accompanied by the necessary documentation.

Timeline

Three deadlines that anchor your roadmap

The Act entered into force in mid-2024, starting the countdown to full application. The dates below reflect the May 2026 “AI Act Omnibus” amendment, which extended several timelines and carved out sector-specific frameworks.

1

2 August 2026 · Transparency obligations

First major deadline affecting a broad range of AI systems. Under Article 50, limited-risk systems must disclose AI interaction (e.g., chatbots), label AI-generated content (deepfakes, synthetic media), and inform users of emotion-recognition or biometric categorization.

2

2 December 2027 · Full application for high-risk systems

The Act’s most significant deadline. Most standalone high-risk AI on the EU market must be fully compliant. This is not a checklist exercise — it demands a fundamental shift in how AI is developed, documented, and monitored. The eight core obligations sit below.

3

2 August 2028 · High-risk AI in regulated products

An extra year for AI that is a component of products already covered by EU safety laws — machinery, toys, medical devices, IVDR-regulated diagnostics. Following the May 2026 Omnibus, machinery received a complete carve-out to integrate AI Act requirements directly into existing safety frameworks.

High-risk obligations

Eight duties before the December 2027 cliff

For providers placing standalone high-risk systems on the market, Articles 9 through 15 and 43 define the baseline. Every one of them must be in place — and demonstrably so — before the December 2027 deadline.

  • Article 9 · Risk management system. Continuous, documented, lifecycle-wide. Identify foreseeable risks, evaluate them, adopt mitigation measures.
  • Article 10 · Data and data governance. Training, validation, and testing data sets must be relevant, representative, and as bias-free as possible. Governance practices must be in place.
  • Article 11 · Technical documentation. Detailed documentation per Annex IV, drawn up before the system is placed on the market and kept up to date.
  • Article 12 · Record-keeping and logs. Systems must automatically log events while in operation, enabling traceability and post-market monitoring.
  • Article 13 · Transparency and instructions for use. Systems must be transparent enough for users to interpret outputs correctly, with complete instructions for downstream deployers.
  • Article 14 · Human oversight. Effective oversight by design — people must be able to intervene, override, or stop the system.
  • Article 15 · Accuracy, robustness, cybersecurity. Consistent performance throughout the lifecycle, resilience to errors and adversarial attacks.
  • Article 43 · Conformity assessment. Demonstrate compliance, then affix the CE marking before market placement.

Deadlines at a glance

The compliance calendar

DeadlineScopeConcrete example
2 Aug 2026Transparency obligations for limited-risk systemsLabeling a customer-service chatbot or a deepfake video
2 Dec 2027Most standalone high-risk AI systemsAI for credit scoring or recruitment screening
2 Aug 2028High-risk AI as safety components of products under other EU regulationsAI-powered safety feature in a car or a diagnostic AI in a medical device

Beyond the deadlines

Compliance is a program, not a project

Hitting the AI Act deadlines is not the finish line — it is the starting gun. The European AI Office will release guidance, standards will be updated, and legal interpretations will evolve. Static compliance is a contradiction in terms.

Organizations must run post-market monitoring continuously — tracking how each high-risk system performs in production and reporting serious incidents. Manually polling the AI Office, national authorities, and standards bodies will not scale. Automated compliance monitoring turns regulatory drift into a managed signal.

  • Monitor regulatory changes. Automatically track new guidance, delegated acts, and harmonized standards tied to the AI Act.
  • Track stakeholder discourse. Understand how regulators, competitors, and civil society are interpreting the rules in real time.
  • Identify emerging risks. Get early warnings on new compliance exposures or reputational threats linked to AI systems already in production.

The enforcer

The European AI Office

Sitting inside the European Commission, the AI Office is the Act’s central implementation and enforcement body. It directly supervises providers of general-purpose AI models with systemic risks, issues guidance and codes of practice, coordinates national authorities to keep enforcement uniform across member states, and supports the development of technical standards.

ℹ️ The AI Office is the primary source of official interpretation. Monitoring its publications — delegated acts, guidance notes, codes of practice — should be a continuous workflow, not an ad-hoc check.

Action plan

Three moves before 2027

As the 2027 and 2028 deadlines approach, focus shifts from designing the framework to stress-testing it.

1

Audit your classifications

Re-evaluate the AI inventory. Have any systems changed in a way that alters their risk classification? Are new systems being developed that fall into the high-risk category?

2

Stress-test the documentation

Technical documentation and risk-management frameworks are living artifacts. Review them against the latest AI Office guidance to ensure they remain robust and complete.

3

Automate intelligence gathering

Keyword alerts no longer cut it. The challenge is signal-to-noise: a system that analyses guidance, delegated acts, and stakeholder positions, and delivers decision-ready intelligence on a cadence that matches the regulator’s.

The EU AI Act sets a global precedent for technology regulation. Navigating its timeline and ongoing requirements demands more than a legal review — it requires a strategic, technology-enabled approach to compliance and risk management.

Navigate the Evolving AI Act Landscape with Confidence

Move beyond static checklists and see how our platform transforms unstructured public information into a clear, actionable compliance advantage.

Discover our EU AI Act Compliance Monitoring solution →

Continue reading

State Election Monitoring: Fixing the National Policy Blind Spot
May 27, 2026 · Article

State Election Monitoring: Fixing the National Policy Blind Spot
May 23, 2026 · Article

How to Build an Effective Adverse Media Screening Program for Suppliers
EU-Mercosur Trade Agreement Explained (2026 Guide)
May 22, 2026 · Article

EU-Mercosur Trade Agreement Explained (2026 Guide)

More in Guide

Tell us what you need to monitor

No spam. No automatic sign-up. We will contact you directly to discuss your setup.