The full timeline — six dates that have legal effect
| Date | Trigger | Source | Penalty if missed |
|---|---|---|---|
| 1 August 2024 | Regulation enters into force. The 24-month clock to high-risk obligations starts. | Article 113 | — |
| 2 February 2025 | Article 5 prohibited practices banned. Article 4 AI literacy obligations effective. | Article 113(a) | Up to €35M / 7% (Art 99(1)) |
| 2 August 2025 | GPAI transparency obligations effective. Member States must designate notifying authorities and market surveillance authorities. National penalty rules must be in place (Art 99(11)). | Article 113(b) | Up to €15M / 3% (Art 99(2)) |
| 2 August 2026 | High-risk obligations under Annex III effective as written; provisionally moved to 2 December 2027 by the Digital Omnibus agreement of 7 May 2026, pending formal adoption. Provider conformity assessment, deployer human oversight, post-market monitoring, incident reporting. | Article 113(c) | Up to €15M / 3% (Art 99(2)) |
| 2 August 2027 | GPAI models placed on the market before 2 August 2025 must be compliant. Annex I high-risk safety components (medical devices, machinery, automotive) effective; provisionally moved to 2 August 2028 by the Digital Omnibus, pending formal adoption. | Articles 111(1), 113(d) | Up to €15M / 3% (Art 99(2)) |
| 2 August 2030 | Public authority deployers of high-risk AI placed in service before 2 August 2026 must complete compliance. | Article 111(3) | Up to €15M / 3% (Art 99(2)) |
| 31 December 2030 | AI systems integrated into large-scale IT systems established by Annex X legal acts (SIS, VIS, Eurodac, ETIAS, EES, ECRIS-TCN) must comply. | Article 111(2) | Up to €15M / 3% (Art 99(2)) |
Source: Articles 99, 111 and 113 of Regulation (EU) 2024/1689.
What is already in force today (June 2026)
- All eight Article 5 prohibitions — subliminal manipulation, exploitation of vulnerabilities, social scoring, predictive policing on individuals, untargeted facial-image scraping, emotion inference at workplace and school, biometric categorisation by sensitive attributes, real-time remote biometric identification in public spaces by law enforcement (with the three narrow exceptions).
- Article 4 AI literacy — providers and deployers must take measures to ensure their staff and persons operating or affected by AI systems on their behalf have a sufficient level of AI literacy.
- GPAI transparency — Article 53 documentation, downstream-information packs, copyright policy and training-data summary. Article 55 systemic-risk obligations apply to models classified as systemic-risk under Article 51.
- Penalty regime for the above — every Member State should have national rules on penalties in place since 2 August 2025 (Article 99(11)).
What lands on 2 August 2026 as written, 50 days from this briefing
Article 113(c) applies the high-risk regime in full on that date as written. Under the Digital Omnibus provisional agreement of 7 May 2026, the Annex III items below move to 2 December 2027, pending formal adoption. From the applicable date forward:
- Annex III systems require completed conformity assessment under Article 43 before placing on the market.
- Providers must maintain technical documentation under Article 11 and Annex IV; deployers must keep automatically generated logs for at least six months under Article 19.
- Risk management systems under Article 9 must be operating across the lifecycle.
- Post-market monitoring under Article 72 begins at the same moment the system is on the market.
- Serious incidents must be reported under Article 73 within 15 days, or 2 days for fundamental-rights breaches affecting widespread populations, or immediately for incidents involving death.
- Article 27 fundamental rights impact assessments (FRIA) are required for public-body deployers and for deployers of Annex III 5(b) credit scoring and 5(c) insurance pricing systems before first use.
The grandfather clauses — read these carefully
Article 111 carves out staged transitions for systems already in production:
- Article 111(1) — GPAI before 2 August 2025. Models placed on the market before that date have until 2 August 2027 to comply. Critically: this is only about placing on the market. New deployments of an existing GPAI model after 2 August 2025 do not benefit from this carve-out.
- Article 111(2) — Annex X large-scale IT. AI systems integrated into the EU’s large-scale information systems (SIS, VIS, Eurodac, ETIAS, EES, ECRIS-TCN) have until 31 December 2030. This is the only date in the regulation that is not 2 August.
- Article 111(3) — public authority deployers. High-risk systems used by public bodies and put in service before 2 August 2026 have until 2 August 2030. Significantly modified systems lose the grandfather and revert to the standard date.
The phrase "significantly modified" is the trap. Article 25 of the AI Act treats a substantial modification as creating a new system with a new provider — meaning the grandfather period evaporates the moment you upgrade the model in production.
Real numbers Fontvera tracks
- 743 AI Act obligations across the structured corpus, mapped to article numbers and entity roles. The obligations attached to each date above are queryable directly.
- 20 dedicated AI Act article-level intelligence pages (Articles 5, 6, 7, 9–17, 22, 26, 27, 40–43, 50, 99) sit underneath this timeline; each one resolves to the specific obligations effective on the matching date.
- 312,758 current EU regulatory documents — including AI Office guidance, ENISA technical standards work, and national implementing acts — feed the timeline graph.
Penalty exposure mapped to date
The simplest way to think about exposure is by Article 99 tier:
- Already exposed (since 2 February 2025): any Article 5 violation. Tier 1 ceiling — €35,000,000 or 7% worldwide turnover.
- Already exposed (since 2 August 2025): GPAI breaches under Articles 53–55. Tier 2 — €15,000,000 or 3%.
- Exposed from 2 August 2026: Article 50 transparency (unchanged by the Digital Omnibus). High-risk Annex III obligations, Article 26 deployer duties and Article 73 incident reporting follow the high-risk date: 2 August 2026 as written, provisionally 2 December 2027. Tier 2 ceiling €15,000,000 or 3%.
- Exposed from 2 August 2027: Annex I high-risk safety components (medical devices, machinery, automotive); provisionally 2 August 2028 under the Digital Omnibus. Tier 2 ceiling €15,000,000 or 3%.
- Tier 3 (from each date): supplying incorrect, incomplete or misleading information to authorities — €7,500,000 or 1%.
What good looks like in the 50 days before 2 August 2026
- Classify every system against Article 5 first, regardless of vintage. The prohibition has been in force since February 2025; vintage is no defence.
- Run conformity assessment under Article 43 now for any Annex III system you plan to keep in market on 3 August 2026. Internal assessment for most categories; notified-body assessment for Annex III point 1 biometric ID.
- If you depend on Article 111 grandfather periods, document the "no significant modification" position in writing with version pinning. The grandfather only protects an unmodified system.
- If you are a public-body deployer: the 2 August 2030 grandfather is conditional. Article 27 FRIA is required for first use after 2 August 2026, regardless of when the system was deployed.
Run your free AI Act compliance diagnostic
Returns whether your system is already exposed today, or first becomes exposed on 2 August 2026, 2027, 2030 — with the specific articles attached.