The EU AI Act (Regulation (EU) 2024/1689) was published in the Official Journal of the European Union on 12 July 2024 and entered into force on 1 August 2024. Unlike many EU regulations that apply from the date of entry into force, the AI Act uses a phased implementation schedule spread across three years. Missing a phase deadline is not a minor administrative slip—it can expose your organisation to fines of up to €35 million or 7% of global annual turnover for the most serious violations.
This guide maps every deadline to concrete product and engineering decisions, so your team knows what needs to be done now, what can be planned for later, and what was supposed to be done already.
The Four-Phase Implementation Structure
The EU AI Act's transitional periods are defined relative to the date of entry into force (1 August 2024). The four key dates are:
| Date | Phase | What Applies |
|---|---|---|
| 2 Feb 2025 | Phase 1 — +6 months | Prohibited AI practices (Article 5) and AI literacy obligations (Article 4) |
| 2 Aug 2025 | Phase 2 — +12 months | GPAI model obligations (Chapter V), governance and enforcement bodies |
| 2 Aug 2026 | Phase 3 — +24 months | High-risk AI systems (Chapters III and IV), most obligations for providers and deployers |
| 2 Aug 2027 | Phase 4 — +36 months | High-risk AI systems that are safety components of regulated products (Annex I products: medical devices, machinery, etc.) |
Phase 1: February 2025 — Prohibited Practices and AI Literacy
As of 2 February 2025, Article 5 prohibitions are in force. These are absolute bans—there is no risk-tiered compliance path, no transition period for existing systems, and no proportionality exception. If your product does any of the following, it is illegal in the EU from this date.
Prohibited AI Practices Under Article 5
- Subliminal manipulation: AI systems that deploy subliminal techniques beyond a person's consciousness to materially distort their behaviour in a way that causes or is likely to cause harm.
- Exploitation of vulnerabilities: Systems that exploit specific vulnerabilities of persons due to their age, disability, or socio-economic situation in a way that distorts their behaviour.
- Social scoring by public authorities: General-purpose social scoring of natural persons by public authorities, leading to detrimental treatment in unrelated contexts.
- Real-time remote biometric identification in public spaces for law enforcement (with narrow exceptions for targeted searches related to terrorism or serious crime, subject to judicial authorisation).
- Emotion inference in the workplace and education: AI systems that infer emotions of natural persons in workplace and educational settings, with exceptions for medical or safety reasons.
- Biometric categorisation to deduce sensitive attributes: Systems that categorise persons based on biometric data to deduce or infer race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation.
- Predictive policing based solely on profiling: AI systems used to make risk assessments of natural persons for the purpose of preventing crime, based solely on profiling or assessing personality traits.
- Facial recognition databases scraped from the internet or CCTV: Building or expanding databases of facial recognition using untargeted scraping of facial images.
Article 4 also requires providers and deployers to take measures to ensure sufficient AI literacy of their staff working with AI systems. This is not just training for compliance officers—it includes engineers, product managers, and anyone deploying or operating AI systems.
What Product Teams Should Have Done by Now
- Audited your AI systems for any of the eight prohibited categories above.
- If you offer workplace monitoring, emotion detection, or HR analytics tools: legal review of whether they infer emotions or use biometric categorisation.
- Established a minimum AI literacy baseline (documented training completion) for staff operating AI systems.
Phase 2: August 2025 — GPAI Model Obligations
From 2 August 2025, Chapter V obligations apply to providers of general-purpose AI (GPAI) models. A GPAI model is a model trained on broad data at scale, capable of performing a wide range of tasks, that can be integrated into downstream systems or applications. This captures foundation models, large language models, and multimodal models.
GPAI Model Obligations (Articles 51–55)
All GPAI model providers (regardless of whether the model poses systemic risk) must:
- Draw up and maintain technical documentation (model architecture, training data, compute used, evaluation results).
- Provide information and documentation to downstream providers who integrate the model into their AI systems.
- Publish and maintain a publicly available summary of the content used for training (a copyright compliance summary).
- Put in place a policy to comply with EU copyright law, including the text and data mining exception under Directive 2019/790.
Systemic Risk Models: Additional Obligations
GPAI models with systemic risk are those trained on more than 10^25 floating point operations (FLOPs). The EU AI Office can also designate models as systemic risk based on other criteria. For these models, additional obligations apply:
- Perform model evaluations, including adversarial testing, before placing on the market and after significant model updates.
- Assess and mitigate possible systemic risks at the Union level.
- Report serious incidents and corrective measures to the EU AI Office.
- Ensure an adequate level of cybersecurity protection.
What This Means in Practice
If your company provides an API-accessible foundation model or LLM that third parties build on, you are a GPAI model provider. You need technical documentation that covers training data sourcing, model architecture, and evaluation benchmarks—in enough detail that downstream integrators can understand the model's capabilities and limitations. The copyright summary must be publicly accessible, not behind a login.
Phase 3: August 2026 — High-Risk System Requirements
The most operationally complex deadline is 2 August 2026, when the obligations for providers and deployers of high-risk AI systems under Chapters III and IV take full effect. If you have a high-risk system (see our classification guide), this is the date by which you must have the following in place:
Provider Obligations for High-Risk Systems
- Risk management system (Article 9): An iterative process identifying, analysing, estimating, evaluating, and mitigating foreseeable risks throughout the lifecycle.
- Data governance (Article 10): Documented data governance and management practices for training, validation, and testing datasets—including bias analysis.
- Technical documentation (Article 11 + Annex IV): A technical file covering the system's description, design specifications, training methodology, performance metrics, and testing results.
- Automatic logging (Article 12): Logging capabilities to enable post-market monitoring and investigation of incidents.
- Transparency for deployers (Article 13): Instructions for use that enable deployers to interpret and use the system's output.
- Human oversight (Article 14): Design measures enabling human oversight, including the ability to pause, override, or disregard system outputs.
- Accuracy, robustness, and cybersecurity (Article 15): Documented performance metrics and resilience against adversarial inputs.
- Conformity assessment (Article 43): Either a self-assessment conformity procedure or a third-party notified body assessment (required for biometrics and law enforcement in certain categories).
- EU declaration of conformity (Article 47) and CE marking: Required before placing the system on the EU market.
- EU database registration (Article 49): High-risk systems must be registered in the EU database maintained by the EU AI Office.
- Post-market monitoring (Article 72): Active collection and review of data from deployed systems; serious incident reporting within 15 days.
Deployer Obligations for High-Risk Systems
- Use systems in accordance with their instructions for use.
- Assign human oversight to appropriately competent persons.
- Monitor operation and report serious incidents to the provider and market surveillance authority.
- Conduct a Data Protection Impact Assessment (DPIA) where the system processes personal data.
- Inform workers and their representatives when AI is used in workplace monitoring or evaluation contexts.
Phase 4: August 2027 — Safety-Component AI in Regulated Products
AI systems that are safety components of products covered by EU harmonisation legislation listed in Annex I of the AI Act (machinery, medical devices, in vitro diagnostic medical devices, civil aviation, marine equipment, rail, automotive, agricultural vehicles, recreational craft, lifts, and pressure equipment) get a longer transition of 36 months from entry into force, until 2 August 2027. This extended period reflects the complexity of conformity assessment under the sectoral regulation that already governs these products.
The Regulatory Sandbox Provision
Article 57 of the EU AI Act requires member states to establish at least one AI regulatory sandbox before 2 August 2026. Sandboxes allow providers to develop, train, test, and validate innovative AI systems under a controlled environment with direct support and supervision from national competent authorities—before the system is placed on the market.
Sandbox participation can provide a practical compliance pathway for novel AI applications where the risk classification is unclear, or where a provider needs to test a high-risk system's conformity before full market deployment. The sandbox does not suspend legal obligations—it provides a supervised environment for testing and regulatory engagement.
2025 Compliance Checklist
- ☐ Confirm no product functions fall under Article 5 prohibited practices.
- ☐ Document AI literacy programme for all staff operating AI systems.
- ☐ If you are a GPAI provider: publish copyright training summary, draft technical documentation, and put copyright policy in place.
- ☐ Conduct initial AI system inventory across all products and internal tools.
- ☐ Run Annex III classification assessment for each AI system.
- ☐ For any system provisionally classified as high-risk: begin gap assessment against Chapter III requirements.
- ☐ Assign a data protection and compliance owner for the AI Act programme.
2026 Compliance Checklist (for high-risk systems)
- ☐ Risk management system documented and operational.
- ☐ Data governance documentation complete for all training and validation datasets.
- ☐ Technical file (Annex IV) drafted and signed off by technical owner.
- ☐ Automatic logging capability deployed and tested.
- ☐ Instructions for use (Article 13 documentation) written and version-controlled.
- ☐ Human oversight mechanisms designed and operational.
- ☐ Conformity assessment completed (self-assessment or notified body).
- ☐ EU declaration of conformity signed.
- ☐ System registered in EU AI Act database.
- ☐ Post-market monitoring programme established with incident reporting SLA.