When does the EU AI Act actually apply?
The EU AI Act does not switch on all at once β it phases in over years, and the 2026 Digital Omnibus has provisionally pushed the heaviest obligations further out. Here is every key date in one place, with the proposed changes clearly flagged.
Dates marked Provisional (Omnibus) reflect the Digital Omnibus political agreement of 7 May 2026, which is not yet formally adopted or published in the Official Journal. Treat them as the likely direction, not settled law, until adoption (expected before 2 August 2026).
Prohibited practices + AI literacy
The Article 5 bans on unacceptable-risk AI β such as social scoring and untargeted scraping of facial images β apply, along with the Article 4 duty to ensure staff have sufficient AI literacy.
General-purpose AI + governance
Obligations for general-purpose AI (GPAI) model providers begin, alongside the governance architecture (the AI Office and national authorities) and the penalty regime β up to β¬35m or 7% of worldwide turnover for prohibited practices.
Transparency obligations
The Article 50 transparency duties begin to apply β telling people when they are interacting with AI, and marking AI-generated or manipulated content.
Content marking + a new prohibition
Under the Digital Omnibus, pre-existing systems must meet the AI-content marking rules, and a new Article 5 prohibition takes effect on AI used to generate child sexual abuse material and non-consensual intimate imagery.
High-risk obligations β Annex III
Obligations for Annex III high-risk systems β areas like employment, creditworthiness, essential services, and biometric uses β now apply. The Digital Omnibus defers this from the original 2 August 2026.
High-risk obligations β Annex I
Obligations for high-risk AI embedded in regulated products (Annex I β for example machinery, medical devices, vehicles) apply, deferred from 2 August 2027 under the Digital Omnibus.
What the Digital Omnibus changes
Defers the high-risk obligations: Annex III to 2 December 2027 and Annex I to 2 August 2028, giving standards bodies and businesses more time.
Adds a new Article 5 prohibition on AI used to generate child sexual abuse material and non-consensual intimate imagery.
Tightens content-marking timing, with pre-existing systems expected to comply by 2 December 2026.
Extends some relief to small mid-cap companies, not just SMEs, and reinforces the AI Officeβs oversight of GPAI-based systems.
Wondering which obligations fall on you? Your duties depend on whether you are a provider, deployer, importer, or distributor β work it out with our EU AI Act roles guide, or start with what the EU AI Act is.
Frequently asked questions
Is the EU AI Act delayed?
Partly. The core dates that have already passed β prohibited practices (February 2025), GPAI and governance (August 2025) β remain in force. What the Digital Omnibus defers is the most burdensome layer: the high-risk obligations. Under the provisional agreement, Annex III high-risk obligations move to 2 December 2027 and Annex I to 2 August 2028.
Is the Digital Omnibus actually law yet?
Not as of mid-2026. A provisional political agreement was reached on 7 May 2026, but the changes still require formal adoption by the European Parliament and Council and publication in the Official Journal β expected before 2 August 2026. Until then the deferred dates are likely but not certain, so plan against both the current and proposed timelines.
Does the Act apply to organisations outside the EU?
Yes, it can. The EU AI Act has extraterritorial reach: it can apply to providers and deployers outside the EU where the AI system is placed on the EU market or its output is used in the EU. Which obligations you carry depends on your role β see our guide to the EU AI Act roles.
What counts as high-risk?
Broadly, two groups: AI used in the sensitive areas listed in Annex III (such as employment, credit, education, essential services, and certain biometric and law-enforcement uses), and AI that is a safety component of, or itself, a product regulated under Annex I (such as medical devices or machinery). High-risk systems carry the heaviest obligations.
What should we be doing now?
Confirm whether the Act applies to you and in what role; inventory your AI systems and classify them by risk tier; meet the prohibitions, AI-literacy, GPAI, and transparency duties already in force; and use the deferred high-risk timeline as runway to build conformity processes rather than as a reason to wait.
Related glossary terms
A deferred deadline is runway, not a reprieve
The extra time on high-risk obligations is best spent building conformity processes now. Knowing your role and your inventory is the first step.
This page is general information, not legal advice. The EU AI Act timeline is subject to change β the Digital Omnibus was provisional at the time of writing β so always confirm the current position against the Official Journal and the European Commissionβs own publications before relying on a date.