This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.
The EU AI Act doesn't have one compliance date, it has several, spread across roughly four years, and which ones apply to your business depends entirely on what kind of AI system you're using. Most SMBs using ordinary AI tools, writing assistants, scheduling, general chatbots, will never hit the heaviest deadlines at all, because those deadlines only apply to specific high-risk categories.
In short: The EU AI Act phases in from February 2025 (banned practices) through August 2027 and beyond (full application for certain categories). The date that matters most for an ordinary business is 2 August 2026, when high-risk system obligations become enforceable, but this only applies if you're actually using a high-risk AI system in the first place, which most everyday business tools are not.
The plain-English answer
If your business isn't using an AI tool involved in hiring, credit decisions, insurance pricing, or a handful of other high-risk categories, the deadline that's most likely to actually affect you already passed quietly, back in February 2025, when a short list of clearly prohibited AI practices came into effect, none of which describe ordinary business AI use. The deadline most businesses should actually have on their radar, if they use a high-risk AI tool at all, is August 2026. For everything else, most everyday AI use, there isn't a specific deadline to track, because there isn't a specific heavy obligation attached to it in the first place.
Why this matters for your business
A 30-person manufacturing business hearing that "the EU AI Act is already in force" without any further detail is a recipe for a specific, common kind of anxiety, worrying about a deadline you've already missed without being able to identify what it actually required of you. That anxiety is usually disproportionate to the real exposure. The Act was deliberately designed to phase in gradually, giving businesses time to adjust, and the earliest, already-passed deadlines targeted a narrow list of clearly harmful practices, not routine business AI use.
The real risk isn't a missed early deadline for most businesses, it's not knowing which future deadline, if any, actually applies to their specific tools, and either ignoring a genuine obligation coming up or spending unnecessary time worrying about one that was never going to apply to them.
The actual timeline
The full regulation text is published as Regulation (EU) 2024/1689, with the European Commission's own AI Act policy page tracking implementation. The key dates:
2 February 2025. Prohibited practices banned. A short list of clearly harmful AI uses, manipulative techniques exploiting vulnerabilities, social scoring, most real-time public biometric identification, became illegal outright. This date has already passed and doesn't describe ordinary business AI use.
2 August 2025. General-purpose AI model obligations, governance bodies operational. Obligations for providers of general-purpose AI models, the companies behind large language models like GPT, Claude, and Gemini, began. This mostly affects the model providers themselves, not businesses using their tools through a normal subscription.
2 August 2026. High-risk AI system obligations. This is the date that matters most for an ordinary business, if it uses a high-risk AI system at all. High-risk systems, hiring and worker-management tools, credit scoring, insurance pricing, and a handful of other Annex III categories, need conformity assessment, EU database registration, risk management, and human oversight in place from this date.
2 August 2027 and beyond. Full application, including AI embedded in regulated products. Certain remaining categories, including AI systems embedded as safety components in already-regulated products like medical devices or machinery, phase in later still, into 2028 for some product categories, aligning with the existing product-safety regulatory cycles those products already follow.
What this looks like in practice
Picture the manufacturing business owner working through what actually applies to them. Their AI use is limited to an internal scheduling tool that optimises production line staffing, nothing that scores or makes decisions about a specific, identifiable person in a way that touches the high-risk categories. None of the passed deadlines applied to them, and the August 2026 high-risk deadline doesn't either, because their tool was never high-risk to begin with.
The genuinely useful outcome of working through the timeline isn't a list of dates to panic about, it's the confirmation that there's nothing urgent to do right now, and a specific date worth revisiting if the business ever adopts a new AI tool that touches hiring, credit, or another high-risk category. Writing that date down, and what would trigger revisiting it, is more useful than trying to track every deadline in the Act regardless of relevance.
What you can do about it
A short process for working out which deadlines actually apply to you:
- Confirm first whether you use any AI system in a high-risk category, hiring, credit, insurance, and a small number of others, see our guide on risk tiers if you're not sure.
- If none of your tools are high-risk, none of the heavy deadlines apply to you specifically, note this and move on rather than tracking dates that don't affect your business.
- If you do use a high-risk tool, treat 2 August 2026 as your real deadline, and start the conformity assessment and registration process well before it, not in the final weeks.
- If your business makes or embeds AI into a physical product already subject to separate safety regulation, check the later, product-specific deadline directly rather than assuming the general high-risk date applies.
- Revisit this check whenever you adopt a new AI tool, the deadline that matters is tied to what the tool does, not a single fixed date for the whole business.
For the fuller breakdown of which AI tools actually count as high-risk in the first place, see our guide on EU AI Act risk tiers explained.
Methodology (Real-World, Verified)
We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.
Related reading: our AI governance by region.
Free tools: AI Privacy Risk Scorer to score your current AI tool setup against data-privacy best practice | AI Compliance Checker to check whether your AI tools meet your compliance obligations.
Have I already missed a deadline if my business started using AI before February 2025?
Almost certainly not, unless your AI use falls into the narrow prohibited-practices category, which describes a small list of clearly harmful uses, not ordinary business AI tools. The February 2025 deadline banned specific practices going forward, it didn't retroactively penalise earlier, unrelated AI use.
Does the August 2026 deadline apply to every business using AI?
No, only to businesses using a high-risk AI system as defined in the Act's Annex III. If none of your AI tools fall into a high-risk category, hiring, credit, insurance, and similar, this specific deadline doesn't create an obligation for you.
What if I'm not sure which deadline applies to a specific AI tool I use?
Start by classifying the tool's risk tier first, the deadline follows directly from the classification. A tool that isn't high-risk generally has no specific deadline attached to it at all, beyond the lighter transparency obligations that already apply from August 2026 for chatbots and similar interactive systems.
Will more deadlines be added to the Act over time?
The Act's core timeline is set, but the European Commission continues to publish supporting guidance, codes of practice, and standards as the later deadlines approach. Checking the Commission's own AI Act policy page periodically, rather than a single one-time read, is worth doing if you're managing a high-risk system specifically.
The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.
Not sure whether any of your AI tools actually count as high-risk?
Check the risk tiers