The AI Act in 2026: timeline, obligations and when enforcement really begins

2 August 2026 marks the decisive milestone of the European AI Regulation. From that date, the majority of AI Act obligations move from "preparation" to "effective enforcement." If you haven't yet done an inventory of your organization's AI systems, this is the last reasonable quarter to start.

What exactly changes on 2 August 2026

The AI Act entered into force on 1 August 2024, but its application has been phased. Some blocks have been in force since 2025 (prohibitions, AI literacy, general-purpose AI model obligations). What changes on 2 August 2026 is the heart of the Regulation: the full regime for high-risk systems under Annex III, the transparency obligations of Article 50, and the activation of national enforcement powers.

The European Commission and the AI Act Service Desk make it clear: 2026 is the year the Regulation moves from phased preparation to broad and enforceable application. The official phrase is that "August 2026 is the date on which most rules become enforceable, and enforcement begins at national and EU level on the same day."

Definitive AI Act timeline

These are the key dates you need to know and communicate internally:

DateWhat comes into force
2 Feb 2025 Prohibitions under Art. 5 (unacceptable risk AI systems) + AI literacy obligations under Art. 4.
2 Aug 2025 Obligations for GPAI model providers (Chapter V), institutional governance (AI Office operational), and enforcement regime at Member State level.
2 Aug 2026 General application: Annex III high-risk (Arts. 8–15), Art. 50 transparency, regulatory sandboxes and full enforcement powers.
2 Aug 2027 Application to high-risk systems embedded in products regulated by EU harmonised legislation (Annex I) and to GPAI models placed on the market before 2 August 2025.

The four risk categories, in one phrase each

The Regulation organises AI systems into four risk levels, and everything else hangs off them:

  • Unacceptable risk: directly prohibited. Subliminal manipulation, government social scoring, real-time biometric identification in public spaces (with limited exceptions), among others. Applicable since February 2025.
  • High risk: systems that may affect fundamental rights or safety. Education, employment, essential services, justice, border control, critical infrastructure. This is where the bulk of compliance sits: Arts. 8 to 15 and the full system lifecycle (risk management, data governance, technical documentation, automatic logging, transparency, human oversight, robustness and accuracy).
  • Limited risk: transparency obligations under Art. 50. Chatbots and deepfakes must inform users that they are interacting with AI or that content has been generated/manipulated.
  • Minimal risk: no specific obligations, though voluntary adoption of codes of conduct is encouraged.

GPAI: the special case

General-purpose AI models (GPAI) have their own calendar. Their obligations (Chapter V) came into force in August 2025, but the Commission's enforcement powers over GPAI providers do not activate until 2 August 2026. That is: during this first year, providers of models like GPT, Claude, Gemini or Llama have been obligated, but the Commission could not fine them; from August, it can.

For GPAI models placed on the market before 2 August 2025, the deadline extends to 2 August 2027. This is the clause giving leeway to adapt pre-existing models.

Fines are deterrent: up to €35 million or 7% of global annual turnover (whichever is higher) for serious breaches of the prohibitions regime. For breaches of provider or deployer obligations, up to €15 million or 3% of global annual turnover.

Who enforces the Regulation in Spain

Enforcement is two-tiered. At European level, the Commission acts through the AI Office, fully operational since August 2025, with exclusive competences over GPAI. At national level, each Member State designates one or more market authorities. Spain was a pioneer: in 2024 it created the Spanish Agency for the Supervision of Artificial Intelligence (AESIA), based in A Coruña.

The AEPD retains its role as data protection authority and, by extension, over any AI system that processes personal data. In July 2025 it published guidance clarifying that it can already act against prohibited AI systems that process personal data, even before full AI Act application. In practice, for many cases in Spain you will not have one authority but two, and both must be coordinated in your compliance plan.

What to do now if you haven't prepared yet

Three months until August 2026. It's not time to design a compliance programme from scratch, but it is enough to start the four tasks any auditor will want to see on day one:

1. Complete inventory of AI systems

Exhaustive list of all systems with an AI component that your organisation develops, deploys or uses. Include not just in-house models: also count SaaS platforms with embedded AI (CRM, HR, marketing, customer service). A typical company discovers twice as many systems as it thought when doing this inventory.

2. Risk classification

Each system in the inventory is mapped against the four categories. Annex III of the Regulation is the reference: eight areas that automatically classify a system as high-risk (biometrics, critical infrastructure, education, employment, essential private/public services, law enforcement, borders, justice and democratic processes).

3. AI literacy programme

Mandatory since February 2025 (Art. 4). If you have employees or third parties using AI systems, you must ensure they have a "sufficient" level of AI literacy. There is no defined measure of "sufficient", but the AEPD and the Commission consider simply sending a PDF insufficient: documented, role-adapted and registrable training is expected.

4. Internal governance

Designate clear responsibilities. In small organisations, this often falls to the DPO expanding their role or an ad hoc committee. In medium and large organisations, a reasonable approach is an AI Governance Officer or a multidisciplinary committee (legal + IT + business + security). If you are pursuing ISO 42001 certification, this governance is the foundation on which the entire AIMS is built.

What comes after August 2026

From full application, expect three market moves: (a) the first national enforcement proceedings, likely on Art. 50 transparency before high-risk —because they are easier to detect—; (b) a cascade of contractual updates in the AI supply chain (each client will demand formal compliance guarantees from their providers); and (c) the consolidation of ISO/IEC 42001 as the "ISO 27001 for AI", with audits already available under BS ISO/IEC 42006:2025.

The AI Act is not perfect and there will still be clarifications in its practical application during 2026 and 2027. But the direction is clear: in Europe, doing AI without thinking about governance is no longer an option.

Discover your AI Act exposure

Free assessment with your priority gaps, plus the risk classifier and savings calculator on the AI Governance path.

Take the free assessment → See AI Act templates → Calculate my savings →