The EU AI Act does not have a single compliance date. Obligations came into force in stages across 2025, 2026, and 2027. For most companies deploying AI tools, 2 August 2026 is the deadline that matters most. Here is what that means in practice.
The full timeline
| Date | What happened |
|---|---|
| 1 August 2024 | Act entered into force |
| 2 February 2025 | Article 4 (AI literacy) became enforceable |
| 2 August 2025 | Prohibited AI systems banned (Article 5) |
| 2 August 2026 | General-purpose AI model obligations; most Annex III high-risk deployer requirements |
| 2 August 2027 | High-risk AI systems covered by Annex I (regulated products) |
What was already due: February 2025
Article 4 required companies to have an AI literacy policy in place from 2 February 2025. That deadline has passed.
An AI literacy policy documents how your organisation ensures staff who work with AI systems have sufficient understanding of those systems. It covers which roles are in scope, what training or awareness measures apply to each role, who is responsible for maintaining the programme, and when it gets reviewed.
If your company does not have this document, it is already out of compliance. The good news is it is one of the faster documents to produce.
What was already due: August 2025
From 2 August 2025, the Act’s prohibited AI practices became illegal across the EU. These include:
- Subliminal manipulation techniques that bypass a person’s free will
- Exploitation of vulnerabilities based on age, disability, or social situation
- Social scoring by public authorities
- Real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions)
- Emotion recognition in workplace and education settings
- Biometric categorisation based on sensitive attributes
If your company uses any of these, the obligation is not to document a policy. It is to stop.
What August 2026 requires
This is the deadline that affects the most companies. From 2 August 2026:
For all deployers
Risk classification memo. Every company using AI systems should have a documented assessment of where each system sits in the Act’s risk hierarchy. This does not need to be a complex document, but it needs to exist, cover your actual AI systems, and record the reasoning behind each classification.
General-purpose AI (GPAI) model obligations become active. If your products or services incorporate a GPAI model (such as GPT-4 or similar foundation models), additional transparency requirements apply regarding how those models are used.
For high-risk AI deployers
If any of your AI systems fall under Annex III (employment tools, credit scoring, biometrics, education systems, and others), you also need:
Usage policy. A document defining permitted uses of the high-risk system, who can use it and under what conditions, the human oversight mechanism, and the procedure for reporting incidents or malfunctions.
Logging. Evidence that the system’s operation is logged and those logs are retained. Most commercial AI tools generate logs automatically; the obligation is to know where they are and how long they are kept.
Human oversight. A named person or function responsible for monitoring the system’s performance and reviewing outputs before they affect individuals.
Notification obligations. Affected persons must be informed that AI was used in a decision that affects them, and must have a way to challenge that decision.
What August 2027 requires
From 2 August 2027, high-risk AI systems listed in Annex I, covering safety components of regulated products (medical devices, machinery, vehicles, aviation systems), must also comply with the full high-risk framework.
Most software companies are not affected by the Annex I deadline unless they supply components to regulated hardware product manufacturers.
How to prepare for August 2026
Step 1: inventory. List every AI tool your company uses. Include tools that have AI features embedded in them, not just dedicated AI products. ATS platforms, analytics tools, productivity software with AI assistants — all of it.
Step 2: classify. For each tool, assess whether it falls into the high-risk categories under Annex III. The Annex III classification guide covers the eight categories in detail. If in doubt, classify as high-risk and document why.
Step 3: document. Produce the required documents for each classification outcome. At minimum, every company needs an AI literacy policy (already overdue) and a risk classification memo (due August 2026). High-risk deployers also need a usage policy and transparency notice.
Step 4: review contracts. If you use AI tools from vendors, check whether those vendors have provided a CE mark and EU declaration of conformity for any high-risk systems. Your usage policy should reference the provider’s documentation.
Get your August 2026 documents ready now
Generate your Risk Classification Memo, Usage Policy, and AI Literacy Policy in 30 minutes. Prefilled with your company details, ready to adopt.
Start my compliance →A word on enforcement timing
EU member states are still building out their national AI authorities. Enforcement capacity in 2026 will vary significantly by country. Germany, France, and the Netherlands are moving faster than most.
That said, the August 2026 deadline is written into the Regulation. Documents dated after the deadline are evidence of non-compliance, not compliance. Starting now, rather than in July 2026, also gives time for internal review, legal sign-off, and board approval, which most compliance documents require before they are formally adopted.