HEDYLIUM

The AI Act: timeline and what it requires

Regulation (EU) 2024/1689, known as the “AI Act”, entered into force on 1 August 2024. Its obligations do not apply all at once: they roll out in stages, and their intensity depends on the level of risk of the system concerned.

The timeline

On 2 February 2025, two sets of provisions became applicable: the prohibition of unacceptable-risk practices, and the AI-literacy obligation (training the people who design or use these systems).

On 2 August 2025, the obligations relating to general-purpose AI (GPAI) models came into effect.

2 August 2026 is the main milestone: the majority of obligations applicable to high-risk systems in Annex III become binding.

On 2 August 2027, finally, the obligations covering high-risk AI systems embedded in products already subject to sectoral regulation apply.

The risk levels

The regulation grades obligations across four levels. Unacceptable risk is prohibited (social scoring, manipulation, certain biometric surveillance). High risk is permitted but subject to strict requirements: risk management, technical documentation, human oversight, transparency. Limited risk carries only transparency obligations, such as signalling that one is interacting with an AI or that content is generated. Minimal risk remains unrestricted.

Provider or deployer

Obligations differ according to the role held: provider (which develops and places the system on the market) or deployer (which uses it under its responsibility). Identifying this role determines everything else.

Listing the AI systems actually in use, classifying them by risk level, then deriving the applicable obligations: that is the starting point of any compliance effort.
