The AI Act enters into force
Regulation (EU) 2024/1689 entered into force, starting the staged application calendar. Nothing became immediately binding on operators on this date; the obligations switch on at the milestones below.
One dated, current view of every EU AI Act milestone, the Digital Omnibus deferral, and the obligations that sit alongside them. Each entry records the obligation, who it binds, the governing article, and whether it is in force, adopted, or only proposed. Sourced from primary regulatory texts. Reviewed monthly and on legislative events.
Short answer
As of 14 June 2026, the EU AI Act applies in stages. In force now: the Article 5 prohibited-practices ban and the Article 4 AI literacy duty (both since 2 February 2025), and the general-purpose AI (GPAI) model obligations, the governance architecture, and the Article 99 penalties framework (all since 2 August 2025).
The next binding date is 2 August 2026: Article 50 transparency obligations apply, and, on the current law, high-risk standalone systems under Annex III. The Digital Omnibus on AI reached a provisional political agreement on 7 May 2026 that would move the high-risk date to 2 December 2027 (and Annex I product-embedded systems to 2 August 2028), but it is not yet adopted and not published in the Official Journal, so the original 2 August 2026 and 2 August 2027 dates remain the law. The revised Product Liability Directive applies to products placed on the market after 9 December 2026.
The moving parts since spring 2026, most recent first.
The first hard obligations took effect. The Article 5 ban on prohibited AI practices (including untargeted facial-image scraping, certain social scoring, manipulative or exploitative systems, and most real-time remote biometric identification in public spaces) applies. Separately, the Article 4 AI literacy duty requires providers and deployers to ensure a sufficient level of AI literacy among staff and others operating AI on their behalf.
Three things switched on. The general-purpose AI (GPAI) model obligations under Chapter V apply: technical documentation, training-data summaries, copyright policy, and, for models with systemic risk, model evaluation and serious-incident reporting. The governance architecture became operational, with the European AI Office coordinating GPAI and systemic-risk supervision alongside the AI Board, scientific panel, and advisory forum. The Article 99 penalties framework applies, requiring Member States to lay down penalty rules.
EIOPA published its Opinion on Artificial Intelligence governance and risk management (reference EIOPA-BoS-25-360), addressed to national insurance supervisors. It creates no new rules. It reads AI into existing sectoral law (Solvency II, the Insurance Distribution Directive, DORA, and the GDPR) on a risk-based, proportionate basis, covering data governance, fairness, explainability, and human oversight across pricing, underwriting, claims, and fraud detection. Relevant context for any insurer deploying AI agents.
Two distinct things land on this date, and they have different statuses.
Article 50 transparency (not deferred). Disclosure that a person is interacting with an AI system, labelling of AI-generated or manipulated content including deepfakes, and notice for emotion-recognition and biometric-categorisation systems. The Digital Omnibus does not move this date. It proposes only a narrow grace period to 2 December 2026 for the machine-readable marking or watermarking duty under Article 50(2), and only for systems already on the market.
High-risk standalone systems (deferral proposed, not adopted). On the current law, the full obligations for Annex III high-risk systems (risk management, data governance, technical documentation, logging, human oversight, accuracy and robustness, conformity assessment, registration) apply from this date. The Digital Omnibus would move this to 2 December 2027.
The Commission published the Digital Omnibus package on 19 November 2025 to postpone the high-risk compliance deadlines. On 7 May 2026, the Council and Parliament reached a provisional political agreement. The agreement replaced the Commission's earlier conditional stop-the-clock trigger (which would have tied the deadline to harmonised standards being available) with fixed dates:
High-risk Annex III standalone systems would move from 2 August 2026 to 2 December 2027. High-risk Annex I product-embedded systems would move from 2 August 2027 to 2 August 2028.
Directive (EU) 2024/2853, the revised Product Liability Directive, applies to products placed on the market or put into service after 9 December 2026, and Member States must have transposed it into national law by the same date. It expressly treats software and AI systems as products, introduces rebuttable presumptions of defectiveness that ease a claimant's burden of proof where a system is complex or opaque, and expands compensable damage to include data loss and medically recognised psychological harm. The old Directive 85/374/EEC continues to apply to products placed on the market before this date. Free and open-source software supplied outside a commercial activity is excluded.
A separate, narrower point: the Digital Omnibus proposes a grace period to 2 December 2026 for the Article 50(2) machine-readable marking or watermarking duty, for systems already on the market only. The core Article 50 transparency duty is unaffected and still applies from 2 August 2026.
On the current law, the high-risk obligations apply to AI systems that are safety components of, or are themselves, products already regulated under the Union harmonisation legislation listed in Annex I (for example medical devices, machinery, lifts, radio equipment, and motor vehicles). These systems get the extra year because their conformity assessment runs through existing sectoral product law. The Digital Omnibus proposes to move this date to 2 August 2028.
High-risk AI components of the large-scale EU information systems listed in Annex X (for example systems in the area of freedom, security, and justice) that were placed on the market or put into service before 2 August 2027 must be brought into compliance by 31 December 2030. This is the long-stop transitional date in the Regulation and is not affected by the Digital Omnibus deferral.
Every date is verified against primary regulatory texts (the Official Journal, the consolidated Regulation, supervisory authority publications) before it is stated. Where a date is contested, both the legally binding date and the proposed change are shown, with the status of each made explicit. The page leads with the binding date and never presents a proposed deferral as settled.
The timeline is reviewed monthly and on legislative events, including any formal adoption and Official Journal publication of the Digital Omnibus. The date in the utility bar and the last-updated stamp reflect the most recent review. No government, regulator, law firm, or operator pays for placement. Corrections may be submitted by email and are reviewed against primary sources before adoption.