EU AI Act Timeline: What SMEs Need to Know in 2025-2027

The EU AI Act (Regulation 2024/1689) entered into force on August 1, 2024, but enforcement is phased over three years. For SMEs deploying AI, understanding these dates is critical — because some obligations are already legally binding, and missing the August 2026 deadline carries fines up to €35 million or 7% of global turnover.

This guide covers every key date, what each phase actually requires, and what SMEs should be doing right now.

What's Already in Force

February 2, 2025 — AI Literacy (Article 4)

The first enforcement milestone passed on February 2, 2025. Every organisation that provides or deploys AI systems must ensure their staff have "sufficient AI literacy." This isn't aspirational — it's a legally binding obligation under Article 4.

In practice, AI literacy means your staff should understand:

• Which AI systems your organisation uses and in which processes
• How those systems work at a high level — their inputs, outputs, and logic
• Their known limitations, failure modes, and potential for bias
• The risks specific to your deployment context
• How to escalate concerns or anomalies

You don't need to train every employee on neural network architecture. But managers who rely on AI-generated outputs for decisions affecting people — hiring recommendations, credit assessments, performance evaluations — need substantive understanding, not a checkbox completion.

The European AI Office has not issued detailed guidance on what constitutes "sufficient" literacy, but the practical standard is: could this employee identify an AI error and know what to do about it?

February 2, 2025 — Prohibited AI Practices (Article 5)

Eight categories of AI are now outright prohibited across the EU:

1. Subliminal manipulation — AI that uses techniques below conscious awareness to influence behaviour in harmful ways
2. Exploitation of vulnerabilities — AI targeting people based on age, disability, or social/economic situation to distort behaviour
3. Social scoring by public authorities — scoring natural persons based on social behaviour or personal characteristics for general social evaluation
4. Real-time remote biometric identification in public spaces by law enforcement (with narrow, time-limited exceptions for specific crimes)
5. Biometric categorisation inferring sensitive attributes (race, political opinions, religious beliefs, sexual orientation) from biometric data
6. Emotion recognition in workplaces and educational institutions
7. Untargeted facial image scraping from the internet or CCTV to build biometric databases
8. Predictive policing targeting individuals based on profiling or personality traits

For most SMEs, the key prohibition to check is emotion recognition in the workplace (rule 6). If you use any HR analytics, meeting software, or productivity tools that claim to infer employee sentiment or emotional state from video, audio, or behaviour, that use case is now prohibited.

What Applies from August 2025

August 2, 2025 — GPAI Model Obligations (Chapter V)

From August 2025, providers of general-purpose AI models must comply with transparency and documentation requirements. This applies to companies that develop and release foundation models — not to businesses that use them via API.

If you use GPT-4, Claude, Gemini, or Mistral through an API, you are a deployer, not a GPAI provider. These obligations fall on OpenAI, Anthropic, Google, and Mistral respectively. However, if you fine-tune a foundation model and release it externally, you may become a GPAI provider subject to these rules.

GPAI providers must produce technical documentation, maintain copyright policies, and publish summaries of training data. Models deemed to present "systemic risk" (those trained with more than 10^25 FLOPs) face additional requirements: adversarial testing, cybersecurity measures, and incident reporting to the European AI Office.

The Big Deadline: August 2, 2026

High-Risk AI Systems (Annex III)

This is the deadline that matters most for the majority of organisations deploying AI. From August 2, 2026, any AI system that falls under Annex III and is used to make or significantly influence decisions affecting people must meet the full set of high-risk obligations.

Annex III categories:

1. Biometric identification and categorisation
2. Critical infrastructure (energy, water, transport, digital networks)
3. Education and vocational training (access, assessment, evaluation)
4. Employment (recruitment, selection, promotion, termination, monitoring)
5. Access to essential services (credit, insurance, social benefits, emergency services)
6. Law enforcement
7. Migration and asylum
8. Administration of justice and democratic processes

Most SMEs won't be directly operating AI in law enforcement or migration. But employment and access to services are relevant for a wide range of businesses:

• AI-assisted CV screening or candidate ranking tools
• Performance monitoring software that influences employment decisions
• Credit risk or insurance underwriting tools
• Chatbots that gate access to public services or benefits

What full compliance requires for high-risk AI:

• Risk management system (Article 9): documented, ongoing process for identifying and mitigating risks throughout the lifecycle
• Data and data governance (Article 10): training, validation, and test data must be relevant, representative, and free from errors
• Technical documentation (Article 11): detailed documentation of the system's purpose, design, performance, and known limitations
• Record-keeping / logging (Article 12): automatic logging of operations, especially for law enforcement and critical infrastructure
• Transparency to deployers (Article 13): providers must supply instructions for use, including intended purpose and limitations
• Human oversight (Article 14): effective oversight measures, including the ability of humans to intervene, override, or shut down the system
• Accuracy, robustness, and cybersecurity (Article 15): defined performance metrics and cybersecurity measures throughout the lifecycle
• Conformity assessment (Article 43): third-party assessment for specific high-risk categories, or self-assessment with notified body registration

The conformity assessment alone can take three to six months. Organisations that wait until early 2026 to start will struggle to complete it in time.

August 2, 2027 — Full Enforcement

The final phase covers AI systems embedded in products already regulated under EU harmonised legislation: medical devices, in vitro diagnostics, civil aviation, marine equipment, rail, motor vehicles, agricultural machinery, and toys. These products must comply by August 2027.

This matters for manufacturers of physical products that incorporate AI — a monitoring device with ML-based diagnostics, a vehicle safety system, a smart toy. The AI Act obligations layer onto existing product safety regulations.

What SMEs Should Be Doing Now

Step 1: AI literacy (already required). Run a documented training session covering your AI tools, their limitations, and escalation procedures. Keep records — national competent authorities will ask for evidence.

Step 2: Build an AI inventory. List every AI system your organisation uses, including third-party tools with embedded AI. Document the purpose, vendor, data inputs, and who relies on the outputs.

Step 3: Classify each system by risk tier. Work through the Annex III categories for each system in your inventory. The decision tree is: does this AI operate in a listed sector? Does it make or significantly influence decisions about people? If yes to both, it's high-risk.

Step 4: Check Annex I for product-embedded AI. If you manufacture products, verify whether AI components fall under harmonised legislation affected by the 2027 deadline.

Step 5: For each high-risk system, start gap analysis. Compare your current documentation and processes against the nine requirements in Articles 9-15. Build a remediation plan. If a third-party conformity assessment is required, identify a notified body and begin engagement now — pipeline is filling up.

Frequently Asked Questions

We use AI tools from vendors — are we a "deployer" or "provider"? If you use third-party AI via API or SaaS and deploy it in your business processes, you are a deployer. Providers (the companies that built and supply the AI system) bear the primary obligations. But deployers have their own obligations under Article 26, including ensuring the system is used within its intended purpose and that human oversight is in place for high-risk systems.

What if our AI system doesn't fall under Annex III? Systems outside Annex III are not high-risk. They may still have limited transparency obligations (Article 50 — for chatbots and deep fakes) but do not require conformity assessments or the full documentation regime. You still need AI literacy compliance (Article 4) and must avoid prohibited practices (Article 5).

Is the August 2026 deadline firm? Yes. The phased application dates are embedded in Article 113 of the regulation. There is no indication of extension, and the European AI Office is actively building enforcement capacity. National competent authorities have been designated across EU member states.

What's the fine for missing the high-risk deadline? Non-compliance with high-risk obligations (Articles 9-15) carries fines of up to €15 million or 3% of global annual turnover, whichever is higher. Prohibited practices (Article 5) carry up to €35 million or 7%. Providing incorrect information to authorities carries up to €7.5 million or 1.5%.

Sources

• EUR-Lex, Regulation (EU) 2024/1689 (EU AI Act), Article 113 (application dates): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689
• European AI Office, AI Act implementation timeline and guidance: https://digital-strategy.ec.europa.eu/en/policies/european-ai-office
• ENISA, AI compliance roadmap and guidance for operators: https://www.enisa.europa.eu/topics/artificial-intelligence