EU AI Act Timeline and Enforcement
The EU AI Act entered into force on August 1, 2024, but implementation follows a phased timeline extending through 2027. Understanding key dates and penalty structures helps organizations plan their compliance journey.
Key Takeaways
| Point | Summary |
|---|---|
| Entry into force | August 1, 2024 |
| Full application | August 2, 2026 for most high-risk requirements |
| Phased approach | Different requirements apply at different times |
| Maximum penalties | Up to 35 million EUR or 7% of global turnover for prohibited practices |
| Enforcement bodies | National market surveillance authorities, coordinated by the AI Office |
Quick Answer: The EU AI Act became law in August 2024 with staggered compliance dates. Prohibitions apply from February 2025. High-risk AI requirements fully apply from August 2026. Penalties can reach 35 million EUR or 7% of global revenue for the most serious violations.
Implementation Timeline
Phase 1: Prohibition Period (February 2025)
Effective date: February 2, 2025
| Requirement | Description |
|---|---|
| Prohibited AI practices | All prohibited AI applications must cease |
| AI literacy | Organizations must ensure staff have sufficient AI literacy |
What this means: By February 2025, organizations must have removed any AI systems engaging in prohibited practices such as social scoring, subliminal manipulation, emotion recognition in workplaces (with exceptions), or real-time remote biometric identification in public spaces for law enforcement.
Phase 2: GPAI Rules (August 2025)
Effective date: August 2, 2025
| Requirement | Description |
|---|---|
| General-purpose AI models | All GPAI-specific requirements apply |
| GPAI with systemic risk | Additional obligations for high-capability models |
| Governance | National competent authorities must be designated |
What this means: Providers of general-purpose AI models (foundation models) must meet transparency requirements, maintain documentation, and comply with copyright provisions. Models with systemic risk face additional obligations including adversarial testing and incident reporting.
Phase 3: Full Application (August 2026)
Effective date: August 2, 2026
| Requirement | Description |
|---|---|
| High-risk AI systems | Full compliance required for Annex III high-risk systems |
| Conformity assessment | Required before placing high-risk systems on market |
| EU database registration | High-risk systems must be registered |
| Transparency obligations | All limited-risk transparency requirements apply |
| Codes of conduct | Voluntary codes for minimal-risk AI encouraged |
What this means: This is the primary compliance deadline for most organizations. High-risk AI systems in areas like HR, credit scoring, and education must meet all requirements: risk management, data governance, documentation, human oversight, and conformity assessment.
Phase 4: Extended High-Risk (August 2027)
Effective date: August 2, 2027
| Requirement | Description |
|---|---|
| Safety component AI | High-risk AI that is also a safety component of products |
| Product-specific rules | AI systems covered by other EU harmonization legislation |
What this means: AI systems that are safety components of products already regulated under EU product safety laws (medical devices, machinery, etc.) receive an additional year to comply. This recognizes the complexity of aligning AI requirements with existing sectoral regulations.
Penalty Structure
The EU AI Act establishes significant penalties, scaled by violation severity:
Penalty Tiers
| Violation Type | Maximum Penalty |
|---|---|
| Prohibited AI practices | 35 million EUR or 7% of worldwide annual turnover |
| High-risk AI non-compliance | 15 million EUR or 3% of worldwide annual turnover |
| Incorrect information to authorities | 7.5 million EUR or 1% of worldwide annual turnover |
For SMEs and startups: Penalties are adjusted with specific caps. The regulation requires that fines be "effective, proportionate, and dissuasive" while considering the specific circumstances of small and medium enterprises.
Factors Affecting Penalty Calculation
| Factor | Consideration |
|---|---|
| Nature and gravity | How serious is the violation? |
| Duration | How long did non-compliance continue? |
| Intentionality | Was the violation deliberate or negligent? |
| Corrective actions | What steps were taken to mitigate harm? |
| Cooperation | Did the organization cooperate with authorities? |
| Previous violations | Is this a repeat offense? |
| Financial benefit | Did the organization profit from non-compliance? |
| Organization size | Turnover and market position |
| Other penalties | Have other penalties been imposed for the same behavior? |
Beyond Financial Penalties
Market surveillance authorities have powers beyond fines:
| Power | Description |
|---|---|
| Corrective orders | Require organizations to remedy non-compliance |
| Product recalls | Order withdrawal of non-compliant AI systems |
| Market bans | Prohibit placing AI systems on the market |
| Public warnings | Issue public statements about non-compliant organizations |
| Access to systems | Require access to AI systems, code, and documentation |
| Suspend operations | Temporarily prohibit AI system operation |
Enforcement Structure
European Level: The AI Office
The AI Office within the European Commission has several roles:
| Function | Description |
|---|---|
| GPAI oversight | Direct enforcement authority for general-purpose AI models |
| Coordination | Coordinate enforcement across member states |
| Standards | Develop and maintain AI Act implementing measures |
| Guidance | Publish guidelines, recommendations, and best practices |
| International cooperation | Coordinate with non-EU regulators |
National Level: Market Surveillance Authorities
Each EU member state must designate competent authorities:
| Authority Type | Role |
|---|---|
| Market surveillance authority | Primary enforcement of AI Act provisions |
| Notifying authority | Designate and monitor conformity assessment bodies |
| Lead authority | Coordinate when AI system affects multiple member states |
Coordination with other regulators: For AI systems in specific sectors, market surveillance authorities coordinate with sector-specific regulators (e.g., financial supervisors, health authorities, data protection authorities).
European AI Board
The AI Board advises the Commission and ensures consistent application:
| Function | Description |
|---|---|
| Advisory role | Advise on AI Act implementation and application |
| Consistency | Ensure consistent enforcement across member states |
| Best practices | Share enforcement approaches and decisions |
| Emerging issues | Identify and address new challenges |
Practical Compliance Timeline
For organizations starting compliance work now, a suggested approach:
Immediate (By February 2025)
| Action | Purpose |
|---|---|
| Prohibited AI audit | Identify any AI engaging in prohibited practices |
| Remediation | Remove or modify any prohibited AI systems |
| AI literacy program | Ensure staff understand AI basics and obligations |
| Initial inventory | Begin cataloging AI systems across the organization |
Near-Term (By August 2025)
| Action | Purpose |
|---|---|
| Complete AI inventory | Full catalog of AI systems with classifications |
| GPAI assessment | If using/providing GPAI, assess compliance needs |
| Gap analysis | Identify requirements and current state gaps |
| Compliance roadmap | Plan for August 2026 readiness |
Medium-Term (By August 2026)
| Action | Purpose |
|---|---|
| Risk management | Implement risk management systems for high-risk AI |
| Technical documentation | Complete documentation for high-risk systems |
| Conformity assessment | Complete required assessments |
| EU registration | Register high-risk systems in EU database |
| Transparency measures | Implement user disclosures for limited-risk systems |
| Human oversight | Establish oversight mechanisms |
Ongoing (Post-August 2026)
| Action | Purpose |
|---|---|
| Post-market monitoring | Continuously monitor AI system performance |
| Incident management | Report and respond to serious incidents |
| Documentation maintenance | Keep technical documentation current |
| Re-assessment | Re-evaluate when AI systems change |
| Regulatory tracking | Monitor guidance and enforcement developments |
Transitional Provisions
The AI Act includes provisions for AI systems already on the market:
| Scenario | Rule |
|---|---|
| Systems placed before August 2027 | May continue operating if no significant changes |
| Significant modifications | Triggers requirement for fresh compliance |
| Public authority systems | Must comply by August 2030 if entered into use before August 2027 |
| High-risk systems already trained | May need to re-assess data governance if previously compliant |
What counts as significant modification: Changes that affect the AI system's compliance with requirements or modify its intended purpose to make it high-risk.
Common Questions
What if my AI system is already on the market?
AI systems placed on the market before applicable deadlines may continue operating without modification. However, any significant changes to the system will trigger compliance requirements. Organizations should assess whether ongoing updates constitute significant modifications.
Can enforcement begin before full application?
Prohibited practices enforcement begins February 2025. For other violations, formal enforcement starts when the relevant provisions become applicable. However, market surveillance authorities may begin preparatory activities and investigations earlier.
How will cross-border enforcement work?
When an AI system affects multiple member states, authorities coordinate through the AI Board. A "lead" market surveillance authority is designated based on where the provider is established or has an authorized representative. Other authorities can request action and share information.
Will there be enforcement discretion initially?
The regulation does not explicitly provide a "grace period" after applicable dates. However, enforcement typically considers factors like good faith compliance efforts and the complexity of requirements. Early and demonstrable compliance efforts may be viewed favorably.
How Bastion Helps
Bastion helps organizations meet EU AI Act deadlines:
- Timeline planning. We map your AI portfolio to applicable dates and create achievable compliance milestones.
- Priority assessment. We identify which systems need attention first based on risk and timeline.
- Prohibition audit. We review AI systems against prohibited practices before February 2025.
- Documentation acceleration. We help create required documentation efficiently across multiple systems.
- Ongoing tracking. We monitor enforcement developments and guidance updates, keeping you informed.
Ready to plan your EU AI Act compliance timeline? Talk to our team
Sources
- EU AI Act Final Text (EUR-Lex) - Articles 111-113 on entry into force and application dates
- AI Office - EU body responsible for coordination and GPAI oversight