EU AI Act Deadlines by Obligation: What You Must Do, and When
EU AI Act deadlines by obligation: Art 4/5 (Feb 2025), GPAI Art 53 (Aug 2025), Art 50 (Aug 2026), high-risk Annex III (Dec 2027), Annex I (Aug 2028).
Regulation (EU) 2024/1689 entered into force on 1 August 2024, but its obligations did not all start then. They activate at different dates, tied to the type of duty — not the type of organisation. The same company may face three separate deadlines depending on what its AI systems do and which role it occupies in the supply chain.
This page organises every live and upcoming deadline by obligation, not by chronology. If you already know the timeline by date, the EU AI Act timeline is a useful companion. This page answers a different question: what specific duty must I fulfil, and when does it bind me?
Obligation 1 — AI literacy (Article 4): 2 February 2025
Article 4 applies to every organisation that develops, deploys, imports or distributes an AI system in a professional capacity — not only to providers of high-risk systems. The obligation is proportionality-anchored: you must ensure that the people involved in operating or overseeing AI systems have a sufficient level of AI literacy, taking into account technical knowledge, experience, relevant sector context, and the specific systems in use.
No certification is mandated. The Act does not prescribe a course catalogue or a minimum training duration. What it does require is that literacy measures are in place and documented — so that if a market-surveillance authority investigates an incident, you can demonstrate that your staff understood the system's capabilities and limits at the time they used it.
This obligation is already live. There is no transitional period and no exemption for small organisations. A 12-person SaaS company deploying a chatbot to screen support tickets owes the same basic Article 4 duty as a large bank — scaled to the complexity and impact of the systems in question.
What it means in practice: map which roles in your organisation interact with AI systems, identify the competence gaps, and document the steps you took to close them. A structured record of your AI inventory, role assignments, and literacy measures will satisfy the spirit of Article 4.
Obligation 2 — Stop prohibited practices (Article 5): 2 February 2025
Article 5 bans a defined list of AI practices outright. Unlike the high-risk regime, these bans are unconditional — there is no conformity assessment, no risk mitigation, no transitional period, and no Art 6(3) filter. The listed practices are prohibited regardless of who deploys them and regardless of how effective the system is at the harmful behaviour it enables.
The banned practices as of 2 February 2025:
- Real-time remote biometric identification of natural persons in publicly accessible spaces for law enforcement, outside the three narrow exceptions (Art 5(1)(h)).
- Subliminal manipulation techniques that operate below conscious perception to distort behaviour in ways that cause or are likely to cause significant harm (Art 5(1)(a)).
- Exploitation of vulnerabilities — targeting specific groups (by age, disability, or social/economic situation) to distort behaviour harmfully (Art 5(1)(b)).
- Social scoring — evaluating or classifying individuals based on social behaviour or personal characteristics, leading to detrimental or disproportionate treatment (Art 5(1)(c)).
- Predicting criminal or antisocial behaviour solely from profiling of a natural person without any objective, verifiable facts directly linked to the individual (Art 5(1)(d)).
- Untargeted facial-image scraping to build or expand facial-recognition databases (Art 5(1)(e)).
- Emotion recognition in the workplace and in education (Art 5(1)(f)) — with narrow exceptions for certain medical or safety purposes.
- Biometric categorisation inferring sensitive attributes (race, political opinion, trade-union membership, religious or philosophical beliefs, sex life, sexual orientation) (Art 5(1)(g)).
The penalty ceiling for violations: €35,000,000 or 7% of total worldwide annual turnover (whichever is higher), under Article 99(3). For companies meeting the SME definition, the fine is capped at the lower of the two figures under Article 99(6) — but the prohibition itself is not reduced.
One distinction that catches companies off guard: a system that would be high-risk under Annex III may instead be prohibited under Article 5 if it crosses one of the above lines. Emotion recognition is the sharpest example — lawful for limited medical/safety uses, but prohibited in the workplace and education. Getting this boundary wrong is expensive.
Obligation 3 — GPAI provider obligations (Article 53): 2 August 2025
Chapter V of the Regulation (Articles 51–56) applies to providers of general-purpose AI models — large-scale models trained on broad datasets that can be adapted across tasks. The obligations started on 2 August 2025. GPAI models already on the market before that date have until 2 August 2027 to comply.
Every GPAI provider, regardless of whether its model poses systemic risk, must:
- Draw up and maintain technical documentation on the model: architecture, training data, computational resources, performance benchmarks, known limitations (Art 53(1)(a)).
- Provide downstream providers with information sufficient for them to understand the model's capabilities and the obligations that may attach to systems built on it (Art 53(1)(b)).
- Establish and publish a copyright policy for the training data, including appropriate technical measures for opt-out compliance under EU law (Art 53(1)(c)).
- Publish a training-data summary — the types and sources of data used to train the model (Art 53(1)(d)).
Systemic-risk GPAI models (those trained with compute above the 10²⁵ FLOP threshold, or designated by the AI Office under Article 51) carry additional obligations under Article 55: model evaluation and adversarial testing, risk mitigation, cybersecurity measures, and mandatory serious-incident reporting to the AI Office.
The Digital Omnibus deferral that moved the high-risk Annex III deadline does not affect Chapter V. The GPAI obligations apply on their original schedule.
If you are building a product on top of a third-party GPAI model (using an API, for example), the GPAI obligations rest with the model provider, not with you. Your obligations are determined by what your system does with that output — i.e., by your use-case classification under Articles 5 and 6.
Obligation 4 — Limited-risk transparency (Article 50): 2 August 2026
Article 50 governs four specific transparency duties that apply to AI systems interacting with natural persons or generating synthetic content. These are not high-risk obligations. They apply to a much wider set of systems — chatbots, synthetic-media tools, emotion-recognition systems, deepfake generators, and AI-generated text distributed at scale.
The four transparency duties, and who each applies to:
| Art 50 paragraph | Duty | Who it applies to |
|---|---|---|
| 50(1) | Inform users they are interacting with an AI system (unless obvious from context) | Providers/deployers of AI systems that interact with natural persons |
| 50(2) | Mark AI-generated synthetic audio, video, text, or images as AI-generated | Providers/operators of AI that generates synthetic content |
| 50(3) | Inform people when emotion-recognition or biometric-categorisation systems are operating on them | Providers/deployers of emotion/biometric AI |
| 50(4) | Label deepfakes and AI-generated text on matters of public interest | Providers of systems that produce this content |
Article 50 is separate from the high-risk regime. A chatbot at a consumer-facing company is not Annex III and does not require a conformity assessment — but it does require Article 50(1) disclosure from 2 August 2026. Many compliance programmes have missed this distinction, concentrating entirely on the high-risk stack and overlooking the broader disclosure duties.
What you must have in place by 2 August 2026: clear, user-facing disclosure mechanisms; technical means to label synthetic content; and documented processes for maintaining those disclosures as your AI systems evolve.
Obligation 5 — The full high-risk stack (Articles 9–15, 16–27, 43, 47–49, 72–73)
Stand-alone Annex III systems: 2 December 2027
Under the Digital Omnibus — the Commission proposal of 19 November 2025, political agreement reached 7 May 2026, formal adoption expected before 2 August 2026 — the deadline for stand-alone high-risk AI systems was moved from the original 2 August 2026 to 2 December 2027. These are the systems listed in Annex III: recruitment and HR tools, credit-scoring and insurance-pricing systems, biometric identification, critical infrastructure, law enforcement risk assessment, visa and asylum processing, education admission and evaluation, and judicial/democratic processes.
If your system is a stand-alone Annex III high-risk system, the following must all be in place before you place it on the market or put it into service from 2 December 2027.
Provider obligations (Articles 16–25): risk management system (Article 9); data governance (Article 10); Annex IV technical documentation (Article 11); automatic logging (Article 12); transparency to deployers (Article 13); human oversight design (Article 14); accuracy, robustness, and cybersecurity (Article 15); quality management system (Article 17); conformity assessment before market entry — Annex VI internal self-assessment for most Annex III categories, Annex VII notified-body route for biometrics (Article 43); EU declaration of conformity (Article 47); CE marking (Article 48); registration in the EU database before market placement (Article 49); post-market monitoring plan (Article 72); and serious-incident reporting — within 15 days of awareness, 2 days for widespread infringement or critical-infrastructure disruption, 10 days where a person has died (Article 73(2)–(4)).
Deployer obligations (Article 26): use the system per the provider's instructions; assign human oversight to qualified, authorised persons; monitor operation and flag risks or serious incidents to the provider; retain logs for at least six months; notify worker representatives before workplace deployment.
Fundamental Rights Impact Assessment (Article 27): public bodies deploying high-risk systems, and private deployers of creditworthiness (Annex III point 5(b)) or life/health-insurance (Annex III point 5(c)) systems, must conduct a FRIA before deployment. Private employers using HR tools do not automatically owe one — Article 27 is narrower than it appears. Where a GDPR DPIA under GDPR Article 35 already exists, the FRIA under Article 27(4) may build on it.
Annex I embedded systems: 2 August 2028
High-risk AI systems that are safety components of products covered by existing EU product law (listed in Annex I — machinery, toys, medical devices, civil aviation equipment, motor vehicles, etc.) have a separate deadline: 2 August 2028. These systems follow an integrated conformity-assessment route (the AI Act requirements are folded into the existing product-safety assessment), not the stand-alone Annex III route.
Medical-imaging AI is a common point of confusion here. Diagnostic AI for radiology is typically high-risk via Article 6(1) + Annex I (as a safety component of a medical device under MDR 2017/745 or IVDR 2017/746), not via the Annex III self-assessment route. Its deadline is 2 August 2028, not 2 December 2027.
Deadline summary table
| Obligation | Key articles | Applies from |
|---|---|---|
| AI literacy | Art 4 | 2 Feb 2025 (live) |
| Prohibited practices — absolute bans | Art 5 | 2 Feb 2025 (live) |
| GPAI provider obligations — new models | Art 53–55 | 2 Aug 2025 (live) |
| GPAI provider obligations — pre-existing models | Art 53–55 | 2 Aug 2027 |
| Limited-risk transparency | Art 50 | 2 Aug 2026 |
| General application of the Act | Art 113 | 2 Aug 2026 |
| High-risk Annex III stand-alone systems — full stack | Art 9–15, 16–27, 43, 47–49, 72–73 | 2 Dec 2027 |
| High-risk Annex I embedded systems — full stack | Art 6(1) + Annex I | 2 Aug 2028 |
The Article 6(3) filter: not every Annex III system is high-risk
Before building out the full compliance stack for an Annex III system, check whether Article 6(3) applies. A system that falls within an Annex III area is not high-risk if it poses no significant risk of harm to health, safety, or fundamental rights — specifically, if it performs a narrow procedural task, improves the result of a previously completed human activity, detects decision patterns without replacing or influencing human assessment, or does only preparatory work.
The exception has limits. Any system that profiles natural persons is always high-risk, regardless of how narrow the claimed task. Providers claiming the Article 6(3) exemption must document the assessment in writing and register the system in the EU database (Article 49 — registration is still required).
How Confir helps
The deadlines above are not abstract future obligations — they are a sequenced compliance programme, and each date is a hard output gate. Confir's classification and scoping logic is rule-based and deterministic: it asks you plain-English questions about what each AI system in your organisation does, derives the risk tier under Articles 5 and 6, and maps your role (Provider under Article 16 / Deployer under Article 26 / Importer under Article 23 / Distributor under Article 24). From that result, it shows you exactly which of the obligations above apply to your system, and which deadline each carries.
For high-risk systems, Confir generates the Article 11 / Annex IV technical documentation pack, the Article 47 / Annex V EU Declaration of Conformity, and (for qualifying deployers) the Article 27 FRIA workflow. An immutable audit log captures every classification decision and its underlying rationale, which is the evidence trail any Article 73 or market-surveillance investigation will expect.
Starting at €600 per year, self-serve, no consultants. You can classify your first AI system in under two hours.
Frequently asked questions
The high-risk deadline was 2 August 2026. Is that still the date I need to meet?
No. Under the Digital Omnibus (political agreement 7 May 2026, formal adoption expected before 2 August 2026), the deadline for stand-alone Annex III high-risk systems moved to 2 December 2027. Annex I embedded systems move to 2 August 2028. The 2 August 2026 date remains valid only for the general application of the Act and for Article 50 limited-risk transparency obligations — those were not deferred. Articles 4 and 5 have been live since 2 February 2025 and were not affected by the Omnibus at all.
Does the Article 4 AI literacy obligation apply to my company even if our AI systems are minimal-risk?
Yes. Article 4 applies to any organisation that develops, deploys, imports, or distributes an AI system in a professional context — it is not limited to high-risk systems. The obligation scales to the nature of the systems and the roles involved, but it applies regardless of risk tier. It has been in force since 2 February 2025.
My company only deploys AI tools built by third parties. What obligations does that create, and when?
As a deployer under Article 26, you have obligations that vary by the system's risk tier. For high-risk systems: monitor operation, ensure human oversight, retain logs (≥6 months), follow instructions for use, notify workers before workplace deployment — all from 2 December 2027 for Annex III systems. For systems subject to Article 50: implement the relevant disclosure mechanism from 2 August 2026. For all AI: Article 4 literacy obligations since 2 February 2025. You are generally not responsible for the provider's conformity assessment, but you must verify that the provider has completed it before deploying a high-risk system.
What is the penalty for missing the Article 5 deadline, which is already past?
The prohibited practices ban under Article 5 has applied since 2 February 2025. Violations carry the highest penalty tier: up to €35,000,000 or 7% of total worldwide annual turnover (whichever is higher) under Article 99(3). For companies meeting the SME definition, the fine is capped at the lower of the fixed sum and the percentage figure (Article 99(6)). Non-compliance does not benefit from transitional relief — the bans are absolute.
My AI system is used in recruitment. Which deadline applies, and what do I need to do?
Recruitment screening AI that makes or significantly influences hiring decisions falls under Annex III point 4(a). As a provider, your conformity assessment, Article 9 risk management system, Article 11 technical documentation, Article 12 logging, Article 14 human oversight design, and Article 49 EU-database registration must all be in place before 2 December 2027. The conformity route for Annex III point 4 is the Annex VI internal self-assessment (notified-body assessment is not required for employment AI). As a deployer, your Article 26 obligations apply from the same date. Article 4 literacy obligations for your recruitment staff are already live.
Is the GPAI deadline the same as the high-risk deadline?
No — and this is a common planning error. The Digital Omnibus deferral applies to the high-risk regime only. GPAI model obligations under Chapter V (Articles 53–55) have applied since 2 August 2025 for new models. Models already on the market before that date have until 2 August 2027. Building a product on top of a GPAI model does not give you a GPAI deadline — your deadline is determined by what your system does under Articles 5 and 6.