A law that switches on in phases
The European Union’s Artificial Intelligence Regulation —the AI Act, Regulation (EU) 2024/1689— did not enter into force all at once. Like most major European legislation, it switches on in phases, and each phase has a date. On 1 August 2024 the clock started. On 2 February 2025 the prohibitions activated. On 2 August 2025 the general-purpose model obligations took effect. And on 2 August 2026 —within weeks— the most demanding phase activates: the obligations for high-risk AI systems.
This tracker does not narrate the AI Act’s political debate. It measures its calendar: which obligations are live today, which are coming, and the gap between the date the law states and the date the enforcement machinery will actually be ready. That gap is the data point that matters to anyone building, deploying or procuring AI destined for the European market —which, through the Brussels effect, is almost everyone—.
The calendar, in one table
| Milestone | Date | Status as of May 2026 |
|---|---|---|
| Regulation enters into force | 1 Aug 2024 | Completed |
| Article 5 prohibitions | 2 Feb 2025 | In force and sanctionable |
| GPAI model obligations | 2 Aug 2025 | In force |
| National authority designation | 2 Aug 2025 | Deadline passed, uneven compliance |
| High-risk obligations (Annex III) | 2 Aug 2026 | Disputed (Digital Omnibus) |
| Full application (AI in regulated products) | 2 Aug 2027 | Pending |
| Legacy public-sector systems | 2 Aug 2030 | Pending |
The pattern is deliberate: Brussels activates first what it deems intolerable (prohibited practices), then the cross-cutting layer (general-purpose models), and leaves for last the most operationally complex part (high-risk systems embedded in products). The 2 August 2026 date is, according to regulatory analysts, the most operationally demanding deadline in the entire regulation.
What already bites: the fines are not symbolic
Unlike the GDPR, which had a slow start, the AI Act’s penalty regime was designed to be dissuasive from day one. The structure has three tiers, and the top figure is the one analysts say keeps chief financial officers awake.
| Type of infringement | Maximum fine | Calculation base |
|---|---|---|
| Prohibited practices (art. 5) | €35M or 7% of global turnover | The greater of the two |
| Non-compliance with obligations (data, transparency) | €15M or 3% of global turnover | The greater of the two |
| Incorrect information to authorities | €7.5M or 1.5% of global turnover | The greater of the two |
The 7% of global turnover exceeds the GDPR’s 4% ceiling. It applies to prohibited practices —social scoring, real-time biometric identification, emotion recognition at work—, which have been sanctionable since February 2025. According to public trackers, there are ongoing investigations into workplace emotion recognition and into insufficiently transparent generative-AI services, though as of this piece’s closing no final sanctions have been made public.
The twist: the Digital Omnibus could delay everything 16 months
Here appears the most interesting gap between what the law says and what will happen. On 19 November 2025, the European Commission proposed the so-called Digital Omnibus, a simplification package that —among other measures— proposes delaying the application of the Annex III high-risk obligations from August 2026 to 2 December 2027, a postponement of up to sixteen months.
The reason for the brake is revealing: the notified bodies —the entities that must certify high-risk systems— are today a bottleneck, and the technical standards are not yet ready. That is, the enforcement infrastructure does not arrive in time for the date the law itself set. The Omnibus is in trilogue between the Parliament, the Council and the Commission. If it is not adopted in time, the original August 2026 date stands.
It is worth stressing what does not move, per the proposed text: the Article 5 prohibitions and the GPAI model transparency obligations remain live and are not postponed. The discussion is exclusively about the high-risk tier.
The market signal: who signed and who did not
A leading indicator of how the industry is positioning itself is the Code of Practice for general-purpose models, published by the European AI Office in July 2025. Although it is formally voluntary, the list of signatories functions as a map of who accepts cooperating with the regulator.
| Position on the GPAI Code | Actors | Reading |
|---|---|---|
| Signatories (August 2025) | Microsoft, Google, Amazon, OpenAI, Anthropic and others (26 providers) | Cooperation with the AI Office |
| Non-signatory | Meta | Enhanced regulatory scrutiny announced |
Meta’s refusal to sign, against the adhesion of most major providers, is the kind of signal compliance teams read closely: it marks who is willing to align with the regulator’s interpretation before the sanctions arrive.
Why this is data infrastructure, not a news story
The value of tracking the AI Act as a structured dataset —and not as a succession of news items— lies in the questions it lets you answer comparably and verifiably. Which obligations are enforceable today and which are coming? Which member states have already designated their national authority and which are missing the deadline? Has high-risk been postponed or is it still in August 2026? Each answer has a cutoff date and an official source.
For a compliance team, a legaltech, a regulatory consultancy or a company deploying AI in Europe, the difference between “the AI Act enters in 2026” and “high-risk is in trilogue and may move to December 2027, but the prohibitions and GPAI are already sanctionable” is the difference between planning blind and planning with data. The European AI market this regulation governs is estimated at 524 billion euros, and its reach is extraterritorial: a San Francisco startup serving European users is subject just like one in Munich.
Methodology note
The dates and thresholds come from Regulation (EU) 2024/1689 published in the Official Journal of the EU, complemented by the Digital Omnibus proposal of November 2025 and the monitoring of specialised regulatory analysts. A distinction is drawn between an obligation in force, a sanctionable obligation, and an obligation in legislative dispute. The fine figures are the Regulation’s maximums, not imposed fines; as of this piece’s closing, no final sanctions under the AI Act are on record. The Digital Omnibus status updates as the trilogue advances. Diálogo Ciudadano does not provide legal advice; this tracker is informational infrastructure.