Skip to content
Calibrant
All insights

Calibrant· Jun 2026

The EU AI Act timeline: what applies, and when

A plain-English map of the EU AI Act's staggered obligations - which duties are already live, what lands next, and how to read the dates without panic or complacency.

The EU AI Act (Regulation (EU) 2024/1689) does not switch on all at once. Its obligations arrive in stages over several years, and the staggered dates are where most of the confusion sits. The point of this note is narrow and practical: which duties are already live, what lands next, and how to read the timeline without either panic or complacency.

The shape of the rollout

The Act entered into force on 1 August 2024, but its substantive obligations apply on a phased schedule. The sequence is deliberate - the highest-harm uses are restricted first, the rules for general-purpose models follow, and the heavier compliance load for high-risk systems comes later, giving organisations time to prepare.

Already live

  • February 2025 - prohibited practices & AI literacy. Uses deemed an unacceptable risk are banned, and organisations carry obligations to ensure staff working with AI have an adequate level of AI literacy.
  • August 2025 - general-purpose AI & governance.Obligations for general-purpose AI models begin to apply, and the Act’s governance and enforcement structures take shape.

Coming up

  • August 2026 - high-risk obligations & broad applicability. Most of the high-risk system requirements apply, and the bulk of the Act becomes generally applicable.
  • August 2027 - high-risk AI in regulated products. Obligations extend to high-risk AI embedded in products already governed by existing EU safety legislation.

How to read it

Two failure modes are common. The first is panic - treating every date as an emergency and over-investing in controls before knowing where you actually stand. The second is complacency - assuming “2026” means there is nothing to do now. Both are wrong. The literacy and prohibition duties are already in force, and the work that makes 2026 manageable - mapping where AI sits in your operations, classifying risk, and identifying gaps - takes months, not weeks.

The Act also does not stand alone. For many organisations it overlaps with NIS2 (cybersecurity and resilience obligations) and with continuity standards such as ISO 22301. The practical task is rarely “comply with one regulation” - it is building a governance posture that satisfies several at once without duplicating effort.

A sensible first step

Before committing to a remediation programme, it is worth getting an honest, scored read on where you stand: which obligations already apply to you, where the real gaps are, and what to sequence first. That diagnostic is deliberately small and fixed in scope - the goal is clarity, not a standing engagement.

This piece is general information, not legal advice. Confirm specific obligations against the current official text and guidance for your situation.

Where do you actually stand?

The AI Governance Readiness Assessment turns this timeline into a scored read on your exposure - and a board-ready plan to act on it.

Assess your readiness