A status tracker is only useful if it is honest about uncertainty. Several entries below have moved more than once in the past year: the Colorado AI Act has been postponed twice, and the EU AI Act's high-risk timing is the subject of an active legislative proposal. We label each entry with its current status and the date we last checked it against an official source. Confirm any single deadline against the cited source before you rely on it for a compliance or insurance decision.
Key takeaways
- EU AI Act, live: general-purpose AI (GPAI) obligations took effect on 2 August 2025; the Commission's enforcement powers over GPAI providers begin 2 August 2026. Most remaining rules also apply from 2 August 2026, while the Article 6(1) high-risk product classification rule applies 2 August 2027.
- EU Digital Omnibus, proposed change: published 19 November 2025, it would tie the high-risk rules to the availability of harmonised standards or Commission guidelines, potentially moving the 2 August 2026 high-risk date. It is in active trilogue and not yet adopted.
- US states diverge: Texas TRAIGA and California SB 53 are both in force from 1 January 2026, while the Colorado AI Act (SB 24-205) was postponed to 1 January 2027 and rewritten by SB 189 (signed 14 May 2026) into a narrower disclosure model.
- Council of Europe Framework Convention, signed, not yet in force: opened for signature 5 September 2024; the EU ratified on 15 May 2026; entry into force awaits five ratifications including at least three Council of Europe member states.
- Voluntary frameworks carry no deadline but govern insurability: ISO/IEC 42001:2023, the NIST AI RMF 1.0, and the AIUC-1 agent standard are the controls underwriters such as Munich Re (aiSure), Armilla, and AIUC reference when pricing AI liability cover.
How to read this tracker
Each entry uses one of five status labels.
- In force: the obligation is currently applicable.
- Applies later: the instrument is adopted but a specific provision has a future application date.
- Proposed change: a draft measure could alter a date or obligation but has not been adopted.
- Signed, not in force: a treaty or law has been signed or ratified by some parties but is not yet binding.
- Voluntary: there is no statutory deadline or penalty, but the framework carries weight through procurement and insurance.
EU AI Act: the master timeline
The EU AI Act (Regulation 2024/1689) applies in phases. The two phases that matter most for operators in 2026 are the general-purpose AI rules and the high-risk rules.[1]
| Milestone | Date | Status (verified 13 Jun 2026) |
|---|---|---|
| Prohibited practices (Article 5) apply | 2 February 2025 | In force |
| GPAI model obligations apply (new models) | 2 August 2025 | In force |
| Most remaining rules apply; GPAI enforcement powers begin | 2 August 2026 | Applies later (subject to Digital Omnibus) |
| GPAI models placed before 2 Aug 2025 must comply | 2 August 2027 | Applies later |
| Article 6(1) high-risk product classification rule applies | 2 August 2027 | Applies later (subject to Digital Omnibus) |
The GPAI obligations took effect on 2 August 2025. The Commission's enforcement actions against GPAI providers, including requests for information, model access, and recalls, begin a year later on 2 August 2026. The voluntary General-Purpose AI Code of Practice, whose final version the AI Office published on 10 July 2025, gives providers a practical route to demonstrate compliance across its three chapters on transparency, copyright, and safety and security.[1]
The Digital Omnibus: the live variable
The single biggest source of uncertainty in the European timeline is the Digital Omnibus on AI, a Commission proposal published on 19 November 2025. It responds to a delay in the harmonised standards needed to support the high-risk requirements and to the slow set-up of competent authorities in member states, both of which put the smooth entry into application on 2 August 2026 at risk.[2]
The proposal would link the application date of the high-risk rules to the availability of support measures such as harmonised standards, common specifications, or Commission guidelines, rather than a fixed calendar date, with a reported backstop that would push the Annex III high-risk obligations from 2 August 2026 to 2 December 2027. For high-risk AI systems regulated as products under Annex I (such as radio equipment, lifts, and medical devices), reporting indicates the relevant obligations would be postponed from 2 August 2027 to 2 August 2028. The Omnibus is under consideration by the European Parliament and the Council and is not yet adopted, so its dates are proposed, not law.[2]
| Element | Current position | Proposed under Digital Omnibus |
|---|---|---|
| High-risk rules trigger (Annex III) | Fixed date (2 August 2026 for most) | Tied to standards availability, backstop 2 December 2027 (reported) |
| Annex I product high-risk obligations | 2 August 2027 | Postponed to 2 August 2028 (reported) |
| Legislative status | AI Act in force as adopted | In trilogue, not yet adopted |
For a deeper treatment of the Omnibus mechanics and the trilogue, see the master brief on the European edition: the Digital Omnibus explained.
United States: a moving state patchwork
There is no comprehensive federal AI statute. The binding obligations in 2026 sit at state level, and they are diverging in both substance and timing.[3]
| Law | Effective date | Status (verified 13 Jun 2026) |
|---|---|---|
| Texas Responsible AI Governance Act (TRAIGA) | 1 January 2026 | In force |
| California Transparency in Frontier AI Act (SB 53) | 1 January 2026 | In force |
| Colorado AI Act (SB 24-205, as amended by SB 189) | 1 January 2027 | Applies later (rewritten 14 May 2026) |
TRAIGA, enacted 22 June 2025, took effect on 1 January 2026. It prohibits developing or deploying AI for certain unlawful purposes, including intentional unlawful discrimination and the generation of illegal or explicit material, and requires government entities to disclose AI interactions to the public before or at the time of the interaction.[4]
California's SB 53, signed 29 September 2025, also took effect on 1 January 2026. It targets large frontier developers, those with annual gross revenue above USD 500 million, requiring them to publish a frontier AI framework describing how they manage and mitigate catastrophic risk, publish transparency reports about their frontier models, and report critical safety incidents to California regulators.[5]
The Colorado AI Act is the clearest example of why a tracker beats a static guide. Originally due on 1 February 2026, it was postponed to 30 June 2026 by SB 25B-004 (signed 28 August 2025), then postponed again to 1 January 2027 by SB 189 (signed 14 May 2026). SB 189 also rewrote the substance: it removed the deployer duties to maintain risk management programmes and conduct impact assessments, and the duty of care to prevent algorithmic discrimination, replacing the original comprehensive risk-based regime with a narrower disclosure-and-transparency model. Developers must give deployers specified information about automated decision-making technologies, and deployers must notify consumers when a high-risk system makes a consequential decision and inform them of a right to appeal.[6]
International and treaty layer
Above national law sits a treaty and a cluster of intergovernmental principles. None of these creates a direct operator deadline today, but they shape how national regimes converge.
| Instrument | Key date | Status (verified 13 Jun 2026) |
|---|---|---|
| Council of Europe Framework Convention on AI | Opened for signature 5 Sep 2024; EU ratified 15 May 2026 | Signed, not yet in force |
| OECD AI Principles (revised 2024) | Original 2019, updated May 2024 | In force as soft-law principles |
The Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law was opened for signature on 5 September 2024. Japan signed on 11 February 2025, and the European Union ratified on 15 May 2026. The treaty enters into force on the first day of the month following a three-month period after five signatories, including at least three Council of Europe member states, have ratified it. As of 13 June 2026 that ratification threshold had not yet been publicly confirmed as met, so the Convention remains signed and partly ratified but not yet in force.[7]
Voluntary frameworks and the insurance layer
The frameworks below carry no statutory deadline, but for an operator that wants to be insurable they are the operative reference. Underwriters use them as evidence of reasonable care when pricing and binding AI liability cover.
| Framework or product | Identifier and date | Status (verified 13 Jun 2026) |
|---|---|---|
| AI management system standard | ISO/IEC 42001:2023 (published Dec 2023) | Voluntary, certification accelerating |
| AI risk management framework | NIST AI RMF 1.0 (AI 100-1, Jan 2023) | Voluntary |
| Generative AI profile | NIST AI 600-1 (July 2024) | Voluntary |
| AI agent security standard | AIUC-1 (first agent standard) | Voluntary, first policy Feb 2026 |
ISO/IEC 42001:2023, the AI management system standard published in December 2023, is the closest analogue to ISO 27001 for AI governance. Certification is voluntary, but adoption is accelerating in 2026 as certification bodies have operationalised their audits and major vendors such as Pegasystems have certified. The NIST AI RMF 1.0 (NIST AI 100-1, January 2023) and its Generative AI Profile (NIST AI 600-1, July 2024) provide the GOVERN, MAP, MEASURE, and MANAGE functions that map cleanly onto both ISO/IEC 42001 controls and the EU AI Act's risk-management expectations.[8]
AIUC-1 is presented as the first security and reliability standard built specifically for AI agents, created by the Artificial Intelligence Underwriting Company (AIUC) with input from Orrick, Stanford, the Cloud Security Alliance, MIT, and MITRE. It verifies agents across data protection, operational boundaries, attack resistance, and error prevention. AIUC was founded in 2024 and backed by investors including Nat Friedman and Anthropic's Ben Mann; the first AIUC-1-backed insurance policy was reported for ElevenLabs in February 2026, and vendors such as UiPath have achieved certification.[9]
On the carrier side, Munich Re's aiSure programme and Armilla, a Canadian managing general agent operating as a Lloyd's coverholder with coverage reported up to USD 25 million, both write AI liability cover that explicitly contemplates AI errors including hallucinations. For how parametric AI cover is structured, see the aiSure analysis on agentinsured.eu, and for the certification-to-underwriting bridge see agentcertified.eu.[10]
What operators should do with this tracker
First, treat the EU AI Act 2 August 2026 milestone as live but watch the Digital Omnibus, because the high-risk timing is the most likely thing to move this year. Second, if you operate in the United States, map your footprint against Texas and California now (both in force) and diarise Colorado for 1 January 2027 against the narrower SB 189 obligations rather than the original text. Third, do not wait for treaties: the Council of Europe Convention sets direction, not an operator deadline. Fourth, build to the voluntary frameworks anyway, because ISO/IEC 42001, the NIST AI RMF, and AIUC-1 are what determine whether you can buy AI liability cover and at what price. For the underlying liability theory that ties these together, see the NIST AI RMF reasonable-care guide and the US-EU-UK liability comparison.
Frequently asked questions
What is the next live EU AI Act deadline for operators in 2026?
Two dates dominate the second half of 2026. On 2 August 2026 most remaining EU AI Act rules become applicable and the Commission's enforcement powers over GPAI providers begin, one year after the GPAI obligations took effect on 2 August 2025. The Article 6(1) high-risk product classification rule applies later, on 2 August 2027. The Digital Omnibus proposal of 19 November 2025 would link the high-risk rules to the availability of standards or guidelines, which could move the 2 August 2026 high-risk timing. It is in trilogue, so treat that date as live but subject to change.
Has the Colorado AI Act been delayed or changed?
Both. Originally due 1 February 2026, SB 24-205 was postponed to 30 June 2026 by SB 25B-004 (signed 28 August 2025), then to 1 January 2027 by SB 189 (signed 14 May 2026). SB 189 also rewrote the law, removing the deployer duties to maintain risk management programmes and conduct impact assessments and the duty of care against algorithmic discrimination, shifting to a narrower disclosure model: developers supply specified information about automated decision-making technologies, and deployers notify consumers when a high-risk system makes a consequential decision and inform them of a right to appeal.
Which US state AI laws are already in force in 2026?
Texas TRAIGA, enacted 22 June 2025, took effect 1 January 2026; it prohibits AI developed or deployed for certain harmful purposes and requires government entities to disclose AI interactions. California SB 53, the Transparency in Frontier AI Act signed 29 September 2025, also took effect 1 January 2026; it requires large frontier developers (over USD 500 million revenue) to publish a frontier AI framework, file transparency reports, and report critical safety incidents. Colorado's law is now deferred to 1 January 2027.
Is the Council of Europe AI Framework Convention in force yet?
Not yet as of 13 June 2026. It opened for signature on 5 September 2024; the EU ratified on 15 May 2026 and signatories include Japan (11 February 2025). It enters into force on the first day of the month following a three-month period after five signatories, including at least three Council of Europe member states, have ratified. Until that threshold is confirmed met, it is signed and partly ratified but not yet in force.
What is the AIUC-1 standard and is it being used by AI insurers?
AIUC-1 is described as the first security and reliability standard built specifically for AI agents, from the Artificial Intelligence Underwriting Company with input from Orrick, Stanford, the Cloud Security Alliance, MIT, and MITRE. It verifies agents across data protection, operational boundaries, attack resistance, and error prevention. AIUC was founded in 2024, backed by investors including Nat Friedman and Anthropic's Ben Mann; the first AIUC-1-backed policy was reported for ElevenLabs in February 2026, and vendors such as UiPath have certified. It sits alongside ISO/IEC 42001 and the NIST AI RMF as a voluntary benchmark underwriters reference.
Do voluntary frameworks like ISO/IEC 42001 and the NIST AI RMF have deadlines?
No. ISO/IEC 42001:2023 (published December 2023) and the NIST AI RMF 1.0 (January 2023) with its Generative AI Profile (July 2024) are voluntary, with no statutory effective date or penalties. Their force comes from procurement and insurance: customers increasingly require ISO/IEC 42001 certification, and underwriters use these frameworks plus AIUC-1 as evidence of reasonable care when pricing AI liability cover. Adoption is accelerating in 2026 as audits have been operationalised and major vendors have certified.
How often is this AI regulation status tracker verified?
It is verified against official sources and updated when a status materially changes. Every entry carries a status label and a last-verified date; this version was verified on 13 June 2026. Because the EU Digital Omnibus is in active trilogue and several US state laws have shifted dates more than once, treat the dates as accurate at the verification date and confirm against the cited official source before relying on any single deadline for a decision.
References
1. EU Regulation 2024/1689 (the EU AI Act). Phased application: Article 5 prohibitions from 2 February 2025; GPAI model obligations from 2 August 2025 with Commission enforcement powers over GPAI providers from 2 August 2026; most remaining rules from 2 August 2026; Article 6(1) high-risk product classification rule from 2 August 2027. General-Purpose AI Code of Practice final version published by the AI Office on 10 July 2025 (transparency, copyright, safety and security chapters). Implementation timeline at artificialintelligenceact.eu/implementation-timeline and digital-strategy.ec.europa.eu.
2. European Commission, Digital Omnibus on AI proposal, published 19 November 2025. Proposes linking application of the high-risk rules to the availability of harmonised standards, common specifications, or Commission guidelines, with a reported backstop moving the Annex III high-risk obligations from 2 August 2026 to 2 December 2027; reported postponement of Annex I product high-risk obligations from 2 August 2027 to 2 August 2028. Under consideration by the European Parliament and the Council. Coverage at insideprivacy.com and globalpolicywatch.com (Covington), May 2026.
3. Overview of the US state AI law patchwork, 2026: no comprehensive federal AI statute; binding obligations at state level. See Akin AI Law and Regulation Tracker, akingump.com.
4. Texas Responsible Artificial Intelligence Governance Act (TRAIGA), enacted 22 June 2025, effective 1 January 2026. Prohibits AI developed or deployed for certain unlawful purposes; requires government entities to disclose AI interactions. Analysis at nortonrosefulbright.com and lw.com (Latham & Watkins).
5. California Transparency in Frontier Artificial Intelligence Act (SB 53), signed 29 September 2025, effective 1 January 2026. Requires large frontier developers (annual gross revenue above USD 500 million) to publish a frontier AI framework, file transparency reports, and report critical safety incidents to California regulators. Official text at leginfo.legislature.ca.gov; analysis at whitecase.com and nelsonmullins.com.
6. Colorado AI Act (SB 24-205). Original effective date 1 February 2026; postponed to 30 June 2026 by SB 25B-004 (signed 28 August 2025); postponed to 1 January 2027 and amended by SB 189 (signed 14 May 2026), which removed deployer risk-management-programme, impact-assessment, and duty-of-care obligations in favour of a disclosure model. Analysis at hunton.com, troutmanprivacy.com, and akingump.com; bill at leg.colorado.gov/bills/sb24-205.
7. Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (CETS No. 225). Opened for signature 5 September 2024; Japan signed 11 February 2025; European Union ratified 15 May 2026. Entry into force on the first day of the month following a three-month period after five signatories, including at least three Council of Europe member states, ratify. coe.int/en/web/artificial-intelligence.
8. ISO/IEC 42001:2023, AI management system standard, published December 2023; voluntary certification. NIST AI Risk Management Framework 1.0 (NIST AI 100-1), January 2023, and NIST AI 600-1 Generative AI Profile, July 2024. iso.org and nist.gov/artificial-intelligence.
9. AIUC-1, AI agent security and reliability standard from the Artificial Intelligence Underwriting Company (AIUC), developed with Orrick, Stanford, the Cloud Security Alliance, MIT, and MITRE; AIUC founded 2024, backed by investors including Nat Friedman and Anthropic's Ben Mann; first AIUC-1-backed policy reported for ElevenLabs February 2026; UiPath AIUC-1 certification. aiuc-1.com and uipath.com newsroom.
10. Munich Re aiSure AI performance insurance; Armilla, a Canadian managing general agent and Lloyd's coverholder with coverage reported up to USD 25 million; both contemplate AI errors including hallucinations. See agentinsured.eu/articles/munich-re-aisure-parametric-ai-insurance-europe.