Implementation Timeline for the EU AI Act: Current Requirements and Changes Under the Digital Omnibus


Regulatory Intelligence

A Practical Analysis of Regulation (EU) 2024/1689, Its Phased Obligations, and the Deferrals Approved by the Council on June 29, 2026.

Published: July 2026
Legal source: EUR-Lex · PE-CONS 30/26
Update: Digital Omnibus Act passed on June 29, 2026
Regulatory Analysis EU AI Act

Key Findings

  • The AI Act has been in effect since August 2024, but its implementation is phased: not all provisions take effect at the same time.
  • August 2, 2026, is the general effective date of the Regulation for provisions that do not have a specific timeline, including Article 50 (transparency and labeling of synthetic content).
  • The Digital Omnibus has postponed the high-risk obligations under Annex III until December 2, 2027, providing an additional 16 months compared to the original timeline.
  • The ban on non-consensual intimate/sexual content and AI-generated CSAM takes effect on December 2, 2026, a new date introduced by the Omnibus bill.
  • Companies that are already using AI have work to do before August 2, 2026: inventory, risk classification, documentation, and human oversight policies.

A regulation that is in effect but is implemented in phases

Regulation (EU) 2024/1689, known as the AI Act or the Artificial Intelligence Regulation, was published in the Official Journal of the European Union on July 12, 2024, and entered into force on August 1, 2024. However, “entering into force” does not mean “being fully enforced from that moment on.”

Unlike an ordinary regulation, which takes effect the day after its publication, the AI Act establishes a deliberately phased transitional regime. The European legislature recognized that organizations would need time to adapt, harmonized technical standards would need to be developed, and the institutional oversight infrastructure would need to be built. The result is an implementation timeline that spans from February 2025 through 2031.

This phased approach has a direct implication for companies: there is no single “compliant or non-compliant” moment. Each type of AI use has its own timeline, its own obligations, and its own oversight framework. Understanding this landscape is the first task for any legal, technical, or executive leader who wants to manage regulatory risk in an informed manner.

Note on Sources

This analysis is based on the consolidated text of Regulation (EU) 2024/1689 (EUR-Lex, CELEX 02024R1689-20240712) and on the amendments adopted by the Council of the EU in the Digital Omnibus on AI (PE-CONS 30/26), which was finally adopted on June 29, 2026. For formal legal purposes, the consolidated version on EUR-Lex as of the date of use should be consulted.

Key Dates for the AI Act: From Its Origins to 2031

The following table lists the key dates and milestones of Regulation (EU) 2024/1689 in its original version, prior to the amendments introduced by the Digital Omnibus. It outlines the legal basis and practical implications for organizations that deploy or use AI.

Date Legal Basis Obligation / Milestone Practical Reading
June 13, 2024 Regulation (EU) 2024/1689 Date of the legislative act of the European Parliament and of the Council. Base text of the AI Act. Reference for any legal interpretation.
July 12, 2024 OJEU L 2024/1689 Official publication in the Official Journal of the European Union. Start of the countdown to entry into force (20 days later).
Aug. 1, 2024 Art. 113 Effective Date of the Regulation. The regulation is in place and its phased implementation is beginning.
Since Aug. 2024, annually Art. 112.1 Commission: Annual assessment of the need to amend Annex III and the list of prohibited practices. Relevant to institutional oversight and potential regulatory expansions.
Feb. 2025 Art. 113.a; Arts. 1–5 Application of Chapters I and II: General Provisions, Definitions, AI Literacy, and Prohibited Practices. Key date: staff training (Art. 4) and prohibition of prohibited practices (Art. 5). Already in effect.
May 2, 2025 Art. 56.9 Best practice guidelines for general-purpose AI models: expected completion date. Support for GPAI model providers and voluntary compliance.
Aug. 2, 2025 Art. 113.b; Arts. 70.2 and 70.6 Application of Chapter III, Section 4; Chapters V, VII, VIII, XII, Article 78. Notification by competent national authorities. GPAI models, institutional governance, confidentiality. It allows for the identification of supervisors and the control structure.
Feb. 2, 2026 Articles 6.5 and 72.3 Commission: Guidelines on the Classification of High-Risk Systems and a Model for a Postmarket Surveillance Plan. Interpretive guidelines. Article 72.3 was affected by the Omnibus Act.
Aug. 2, 2026 ★ Art. 113, General Rule General effective date of the Regulation for provisions not subject to a specific timeline. Includes Article 50 (transparency and labeling of summary content). The transparency requirements under Article 50 take effect today. The high-risk category (Annex III) has been postponed by the Omnibus Act until December 2, 2027.
Aug. 2, 2027 Original Art. 113.c; Art. 111.3 Application of Article 6.1 and obligations for high-risk systems introduced before Aug. 2, 2025. (Amended by the Omnibus Act: Annex III → Dec. 2, 2027.) Date rescheduled. See Table 2 for details on postponements.
Aug. 2, 2028 Art. 112.2; Arts. 112.5–7 The Commission's initial assessments of GPAI, transparency, governance, the AI Office, and energy efficiency. Institutional review milestone; may result in changes.
Aug. 2, 2029 Art. 112.3 First General Report on the Evaluation and Review of the Regulations. Monitoring of implementation and possible proposal for modification.
Aug. 2, 2030 Art. 111.2 High-risk AI systems intended for use by public authorities: mandatory compliance measures. Specific transitional provisions for pre-existing public uses.
Dec. 31, 2030 Art. 111.1 AI systems that are components of large-scale computer systems listed in Annex X, placed on the market before Aug. 2, 2025. Deadline for large regulated computer systems.
Aug. 2, 2031 Art. 112.13 Evaluation of the Regulation's Implementation Following Its First Few Years of Application. Possible initiation of a structural review of the implementation model.

★ Reference date for this analysis. The general date includes Article 50 but excludes the high-risk provisions of Annex III, which were deferred by the Digital Omnibus.

Changes in the Digital Omnibus: What Has Changed and Why It Matters

On June 29, 2026, the Council of the EU adopted the Digital Omnibus on AI (PE-CONS 30/26), a package of amendments to the AI Act that adjusts deadlines, introduces new prohibitions, and simplifies certain requirements. It enters into force three days after its publication in the Official Journal of the European Union.

The most significant change for most companies is the postponement of the high-risk obligations under Annex III from August 2, 2026, to December 2, 2027. This gives an additional 16 months to suppliers and system implementers operating in categories such as biometrics, critical infrastructure, employment, education, essential services, immigration, and the administration of justice.

Please note: The postponement of Annex III is not universal.

The postponement to December 2, 2027, applies to Annex III as a whole, but does not affect Article 50 (transparency and labeling of synthetic content), which retains its general effective date of August 2, 2026. Nor is the ban on manipulation practices or the literacy requirements (Art. 4) already in effect postponed.

Subject Planned Start Date New date / change Legal Basis Practical Scope
High risk (Annex III) Aug. 2, 2026 Dec. 2, 2027 Art. 113.c, as amended; PE-CONS 30/26 Biometrics, critical infrastructure, employment, education, essential services, migration, justice, democratic processes.
High risk associated with Annex I products Aug. 2, 2027 Aug. 2, 2028 Art. 113.c, as amended; PE-CONS 30/26 AI Systems in Security Products (Existing Sector-Specific Directives).
New Prohibited Practices: Non-Consensual Intimate/Sexual Content and CSAM Not included in the original text Dec. 2, 2026 Amended Art. 5; PE-CONS 30/26; PE 06/16/2026 New specific ban on the creation or manipulation of non-consensual intimate or sexual content and child sexual abuse material.
Labeling of synthetic content for systems already on the market Aug. 2, 2026 Dec. 2, 2026 New Art. 111.4; Art. 50.2; PE-CONS 30/26 System providers, including GPAI, that generate synthetic audio, images, video, or text and were already on the market before Aug. 2, 2026, have an additional four months.
National AI Regulatory Sandbox Aug. 2, 2026 Aug. 2, 2027 Art. 57.1, as amended; Council, June 29, 2026 Each Member State must have at least one controlled testing site; the deadline has been extended by one year.
Post-Marketing Surveillance Plan Required by Feb. 2, 2026 Voluntary Guide by September 2, 2027 Art. 72.3, as amended; PE-CONS 30/26 The mandatory model is being replaced by a Commission guideline, which is more flexible for high-risk providers.
Machinery and Regulatory Overlap Regulations Under Annex I of the AI Act Delegated acts applicable before Aug. 2, 2028 PE-CONS 30/26; Regulation (EU) 2023/1230 The relationship between the AI Act and the Machinery Regulation is being reorganized to avoid a double regulatory burden.
“There is no general postponement of the AI literacy requirement: it remains in effect as of February 2, 2025. Nor is the block on general-purpose AI models, applicable as of August 2, 2025, being postponed, without prejudice to specific transitional arrangements.” — Table 2 of the Actiaris report, AI Governance · July 2026

What Organizations Should Monitor, and When

The value of the calendar lies not in memorizing dates, but in organizing compliance in layers. An organization that deploys AI has three distinct tasks: identifying which AI uses exist and who is using them; determining whether each use falls into a regulated category; and retaining sufficient evidence to demonstrate that it operates with human oversight, appropriate controls, and traceable documentation.

Starting in February 2025 — already mandatory
AI Literacy and the Prohibition of Manipulative Practices
Article 4 requires providers, implementers, and operators to ensure that their staff have an adequate level of AI competence. Article 5 prohibits public authorities from using techniques to manipulate human behavior, exploit vulnerabilities, or employ social scoring systems.
Starting in Aug. 2025 — already mandatory
General-Purpose AI (GPAI) Models: Governance and Documentation
GPAI providers must comply with transparency, technical documentation, and copyright obligations. Models with systemic impact (threshold of 10²⁵ FLOP) have additional requirements regarding risk assessment and incident reporting.
August 2, 2026 — General Application
Article 50: Transparency and Labeling of Synthetic Content
AI systems that interact with individuals must clearly disclose that fact. Systems that generate synthetic content (images, audio, video, text) must label that content in a machine-readable format. This requirement takes effect today for systems placed on the market on or after this date; systems already on the market have until December 2, 2026, to comply.
December 2, 2026
New Ban: Non-Consensual Intimate/Sexual Content and CSAM
The Digital Omnibus Act is introduced. Any AI system used to generate or manipulate material of this type is expressly prohibited as of this date.
December 2, 2027 — postponed by Omnibus
High risk under Annex III: full obligations
Technical documentation (Annex IV), risk management, data quality, activity logs, human oversight, accuracy, and cybersecurity; conformity assessment and post-market surveillance. Applies to biometrics, employment, education, essential services, the administration of justice, migration, and critical infrastructure.

The four structural obligations that cannot be deferred

Beyond the specific dates, the Regulation sets out four categories of obligations that, to varying degrees, are already in effect or will take effect without extension as of August 2026:

Art. 4 · Effective as of Feb. 2025

AI Literacy

Operators and implementers must ensure that personnel working with AI systems have the appropriate skills. No formal degree is required, but evidence of education and training is required.

Now mandatory
Art. 50 · Effective as of Aug. 2026

Transparency and Labeling of Synthetic Content

Requirement to inform users when they interact with an AI and to label any artificially generated content (images, video, audio, text) in a technically detectable manner.

Since Aug. 2, 2026
Art. 14 · High Risk · Dec. 2027

Effective human supervision

High-risk systems must be designed to allow for supervision by human operators. Human intervention must be able to interrupt, modify, or reject the system's outputs in real time.

Postponed to Dec. 2027
Articles 9–17 · High Risk · Dec. 2027

Technical Documentation and Risk Management

Risk management system, data quality, Annex IV technical documentation, automated activity logs, transparency, accuracy, robustness, and cybersecurity.

Postponed to Dec. 2027

What Organizations Can't Afford to Ignore Before the End of 2026

Postponing Annex III does not eliminate the risk; it merely shifts it. Companies that wait until December 2027 to begin establishing traceability, documentation, and human oversight will be too late. The experience with the GDPR showed that organizations that began adapting two or three years in advance were the ones that were able to demonstrate actual compliance; those that waited until the last month opted for superficial solutions that did not hold up under an audit.

There are three actions that any organization should have completed or underway by January 2027:

1 · Inventory of AI Applications

Identify all AI systems that are deployed or in use: vendor, function, data processed, whether they make or assist in decision-making, and whether they affect individuals. Without an inventory, classification is not possible.

2 · Regulatory Risk Classification

For each inventory system: Is it for general use (GPAI)? Does it fall into any category in Annex III? Does it generate synthetic content? Does it make decisions about people? The classification determines which regime applies and on what date.

3 · Documentation of human oversight and traceability

For high-impact use cases, begin documenting: who oversees the AI’s output, how human interventions are recorded, and what evidence exists to show that the process is effectively controlled. This documentation is valuable for a regulatory audit as well as for a contractual dispute or litigation.

These three actions are not formal requirements under the AI Act for all systems, but they constitute the minimum basis for responding to any supervisory authority or counterpart that requires proof of the governance of the AI system being used.

V-PROOF · Reference

Cryptographic evidence as a response to the obligations under Article 50

The transparency requirement in Article 50—the technically detectable labeling of AI-generated content—demands something that traditional document management systems do not provide: verifiable, independent evidence that content has a specific origin, that it was reviewed by a human, and that this evidence has not been altered.

V-PROOF operates as a layer of cryptographic evidence on top of AI outputs: it generates an hash of the document or content, anchors it via IPFS, and records it on Base L2, creating an on-chain seal on-chain by any third party without the need for credentials or reliance on the provider. The evidence never expires. Regulators do not need to trust the company’s system; they can verify it independently.

In addition to Article 50, V-PROOF the evidentiary aspects of Article 14 (human oversight: immutable record of critical interventions and authorizations) and Article 16 (data traceability and integrity in high-risk systems).

For more information, visit vproofprotocol.com →
V-PROOF · Coverage Analysis

What does V-PROOF cover V-PROOF the EU AI Act?

Strengths, limitations, regulatory opportunities, and adoption risks

F Strengths · What It Covers
  • Immutable cryptographic evidence of AI outputs — hash + IPFS + L2 layer, verifiable by any third party without credentials or reliance on a provider. Art. 50 · Labeling of AI-generated content
  • An immutable record of interventions and authorizations for human oversight of AI systems. Art. 14 · Human Oversight
  • Seal of integrity and traceability for data processed by high-risk systems, with timestamp on-chain timestamp . Art. 16 · Obligations of High-Risk Providers
  • Verifiable technical documentation and an audit trail of critical system event logs. Art. 12 · Log Recording · Art. 13 · Transparency
  • No additional infrastructure. No complex onboarding. Integration with existing outputs. All applicable items · Cross-functional implementation
O Opportunities · Where the market is active
  • Article 50 has been in effect since Aug. 2, 2026: any organization that generates synthetic content must include detectable technical markup. Article 50 · Effective immediately
  • Digital Omnibus: An additional 16 months to prepare high-risk evidence. A window for implementation without pressure. Amended Art. 113 · PE-CONS 30/26
  • Regulated sectors—healthcare, finance, human resources, education—covered by Annex III, with requirements for demonstrable traceability to regulators. Annex III · High-risk systems
  • B2B Contracts with AI Audit Trail Clauses: Implementers Require Evidence from Their Model Providers. Art. 25 · Responsibilities in the Value Chain
D Weaknesses · Out of scope
  • It does not replace the conformity assessment by a notified body for high-risk systems. Art. 43 · Conformity Assessment
  • It does not cover the audit of the model’s technical architecture or the validation of training data. Art. 10 · Data Governance
  • Does not apply to systems that do not generate documentable outputs or that operate without recordable intermediate outputs. Embedded systems or systems without structured output
  • It does not perform the initial inventory of the organization's AI systems—this is the starting point prior to V-PROOF. Art. 4 · Literacy · Step Zero of Compliance
A Threats · Market Risks
  • Organizations that are postponing compliance until 2027 due to the postponement of Annex III, without considering that Article 50 is already mandatory. Article 50 vs. Amended Article 113 · Risk of confusion
  • Confusion between “conformity assessment” and “evidence”: Companies believe that a one-time audit is sufficient to satisfy the regulator. Art. 43 vs. Arts. 12, 14, and 16 · Structural misunderstanding
  • GRC and document management platforms that offer “AI compliance” without cryptographic guarantees, creating a false sense of coverage. Market · Unequal Competition
  • Uncertainty regarding the publication date of the Digital Omnibus in the Official Journal of the European Union (OJEU) could lead to a standstill in compliance-related investment decisions. PE-CONS 30/26 · Pending publication in the OJEU
V-PROOF · Next Step

Does your organization know where it stands with regard to the AI Act?

We identify your regulatory exposure, classify your AI systems, and generate the cryptographic evidence required by the Regulation. No prior inventory required, no additional infrastructure needed.

Let's talk →

Official sources and references

  1. Consolidated text of Regulation (EU) 2024/1689 — EUR-Lex · CELEX 02024R1689-20240712
  2. Official Publication of the AI Act in the OJEU — EUR-Lex · ELI / OJ
  3. Article 113 and Base Timeline — AI Act Service Desk · European Commission
  4. Official AI Act Implementation Page — European Commission · Shaping Europe's Digital Future
  5. Adopted Text of the Digital Omnibus on AI — Council of the EU · PE-CONS 30/26
  6. Final Approval by the Council, June 29, 2026 — Council of the EU · Official Statement


Previous
Previous

Why Your Organization Needs V-PROOF Than a Platform Based Outside the European Union

Next
Next

IPFS and Quantum Computing: Why the evidence you seal today with V-PROOF be valid in 2035