EU AI Act Enforcement Timeline Finale: Complete 2026-2028 Compliance Roadmap for SaaS & AI Providers
Post #5 in the EU AI Act Enforcement Timeline 2026-2028 Series
The EU AI Act does not arrive in a single wave. It was designed as a phased regulation — with different obligations activating at different dates over a four-year period — precisely because building compliance infrastructure across 27 member states, across dozens of regulated sectors, and across thousands of AI system categories takes time. If your planning horizon for the AI Act has ended at August 2, 2026, you have mapped only the most visible deadline in a longer enforcement story.
This finale post consolidates everything covered in this series into a single navigable reference: the complete enforcement schedule from February 2025 through 2028 and beyond, what each phase actually requires from SaaS providers and AI developers, and a structured checklist you can use to assess where your compliance program stands against each phase.
The Complete EU AI Act Enforcement Timeline
Phase 0 — Entry into Force: August 1, 2024
The EU AI Act entered into force on August 1, 2024, the twentieth day after its publication in the Official Journal on July 12, 2024. Entry into force is not the same as application: the regulation's substantive obligations are staggered by the application schedule in Article 113, but the clock for every deadline starts from August 1, 2024.
What this means for developers: The AI Act is law from this date. The application dates below are when individual obligations become enforceable — but the underlying legal framework is in place, and any AI system designed or modified after August 2024 should be built with compliance in mind from the start.
Phase 1 — February 2, 2025: Prohibited AI Practices Banned
Six months after entry into force, Article 5's list of prohibited AI practices became enforceable. These are the practices the regulation treats as categorically incompatible with EU fundamental rights — no proportionality analysis, no risk-benefit balance, and no conformity assessment path.
Prohibited AI practices under Article 5 include:
- AI systems deploying subliminal techniques beyond a person's consciousness, or purposefully manipulative or deceptive techniques, that materially distort behaviour and cause or are reasonably likely to cause significant harm (Article 5(1)(a))
- Systems that exploit vulnerabilities due to age, disability, or a specific social or economic situation to materially distort behaviour in a way that causes or is reasonably likely to cause significant harm (Article 5(1)(b))
- Social scoring: evaluating or classifying people over time based on social behaviour or personal characteristics, where the score leads to detrimental treatment in unrelated contexts or treatment disproportionate to the behaviour; the final text is not limited to public authorities (Article 5(1)(c))
- Predicting the risk that a person will commit a criminal offence based solely on profiling or assessment of personality traits (Article 5(1)(d))
- Untargeted scraping of facial images from the internet or CCTV footage to build or expand facial recognition databases (Article 5(1)(e))
- Emotion inference in workplaces and educational institutions, except where the system is put in place for medical or safety reasons (Article 5(1)(f))
- Biometric categorisation that infers race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation from biometric data (Article 5(1)(g))
- Real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, subject to narrow, authorised exceptions (Article 5(1)(h))
Developer checklist for Phase 1:
- Audit all AI features that analyse user behaviour, emotion states, or physiological signals
- Confirm that no personalisation, recommendation, or content-targeting system uses subliminal or manipulative techniques as defined in Article 5(1)(a)-(b)
- If your product is used in HR, education, or access-to-services contexts, confirm no prohibited emotion inference applies
- Document the review and its outcome
Phase 2 — August 2, 2025: GPAI Model Obligations and Governance Architecture
Twelve months after entry into force, two major structural elements of the AI Act became operational.
General-purpose AI (GPAI) model obligations under Chapter V (Articles 51–56) apply to providers of GPAI models: the foundation models, large language models, and multimodal models that are placed on the EU market and used as components in downstream AI applications. From August 2025:
- All GPAI model providers must draw up and maintain technical documentation (supplied to the AI Office on request), give downstream providers the information they need to integrate the model, put in place a policy to comply with EU copyright law, and publish a sufficiently detailed summary of the content used for training. Providers of models released under a free and open-source licence are exempt from the two documentation duties unless the model presents systemic risk; the copyright policy and training summary still apply (Article 53(2))
- Providers of GPAI models with systemic risk (presumed where cumulative training compute exceeds 10^25 FLOP, or where the Commission designates the model) face additional obligations under Article 55: model evaluation including adversarial testing, assessment and mitigation of systemic risks at Union level, serious-incident reporting to the AI Office, and an adequate level of cybersecurity protection for the model and its physical infrastructure
- There is no general registration requirement for GPAI providers. Providers whose model meets the systemic-risk threshold must notify the Commission without delay, and in any event within two weeks (Article 52)
Governance infrastructure goes live: Chapter VII (governance) and Chapter XII (penalties, except the GPAI fines in Article 101, which apply from August 2, 2026) applied from the same date. Member states had to designate their national competent authorities (NCAs), and the European Artificial Intelligence Board and the AI Office within the Commission took up their roles. The AI Office is the primary supervisor for GPAI model providers; NCAs, acting as market surveillance authorities, supervise providers and deployers of high-risk AI systems at national level.
AI regulatory sandboxes under Article 57 belong to the next phase rather than this one: member states must have at least one sandbox operational at national level by August 2, 2026, although some launched earlier. Sandboxes allow providers to develop and test AI systems under regulatory supervision before market launch.
Developer checklist for Phase 2:
- Determine whether your organisation provides a GPAI model (not just uses one: the obligations attach to the provider that places the model on the EU market, including via an API)
- If yes: draw up technical documentation, establish a copyright compliance policy, prepare and publish the training content summary
- If your model meets the systemic-risk threshold: notify the Commission within two weeks, implement an adversarial testing programme, establish incident-reporting procedures to the AI Office, and implement cybersecurity measures appropriate to the identified risks
- Keep the notification and documentation current as the model is retrained or its compute footprint grows, since the systemic-risk presumption is tied to cumulative training compute
- Consider whether an AI regulatory sandbox (available in every member state from August 2026 at the latest) could reduce compliance costs or provide regulatory clarity for novel use cases
Phase 3 — August 2, 2026: Full High-Risk AI and Transparency Enforcement
Twenty-four months after entry into force, the bulk of the AI Act's obligations became enforceable. This is the phase that the majority of compliance preparation in 2025 and early 2026 has focused on. For SaaS providers building AI features into their products, this is typically the most operationally demanding phase.
High-risk AI systems covered by Annex III must meet the requirements of Chapter III, Section 2 (Articles 8–15), summarised below, together with the provider obligations of Section 3 (Articles 16–27):
| Obligation | Article | What it requires |
|---|---|---|
| Risk management system | 9 | Continuous process identifying, estimating, evaluating, and mitigating risks throughout the lifecycle |
| Data and data governance | 10 | Training, validation, and testing data must meet quality criteria; data governance practices documented |
| Technical documentation | 11 | Documentation sufficient for conformity assessment, kept up to date |
| Record-keeping | 12 | Automatic recording of events (logs) over the system's lifetime, sufficient to trace its operation; for remote biometric identification systems at least the period of each use, the reference database checked, the input data that led to a match, and the persons who verified the result |
| Transparency to deployers | 13 | Instructions for use enabling deployers to understand capabilities, limitations, and performance characteristics |
| Human oversight | 14 | Design enabling natural persons to effectively oversee and intervene during operation |
| Accuracy, robustness, cybersecurity | 15 | Appropriate levels across the lifecycle, particularly with respect to errors and adversarial attacks |
Providers must also complete conformity assessment (Article 43), draw up an EU declaration of conformity (Article 47), affix the CE marking, and register in the EU database of high-risk AI systems before placing the system on the market or putting it into service.
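The Article 12 row above says what must be logged; it does not say how to make those logs trustworthy when a regulator asks for two years of them. The following is an added example, not code from the original post or from any regulator: an append-only event log in which each record carries a keyed hash chained to its predecessor, so that editing, reordering or deleting a record is detectable. The field names (session_id, reference_db, input_sha256, duration_s) and the JSON Lines layout are assumptions for illustration; the regulation fixes the content of the logs, not their format. Inputs are stored as SHA-256 digests rather than raw bytes so the log does not become a second copy of personal data.

```python
"""Tamper-evident event log for a high-risk AI system (Article 12 style logging).

Added example, not from the original post. Field names and the HMAC-chained
record layout are assumptions; the AI Act prescribes what to log, not how.
Standard library only.
"""
import hashlib
import hmac
import json
import time

GENESIS = "0" * 64          # chain anchor for the first record


def canonical(record: dict) -> bytes:
    """Deterministic JSON so writer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_event(log: list, event: dict, key: bytes, ts: float = None) -> dict:
    """Append one event, chaining it to the previous record via HMAC-SHA256.

    The key should live with the log service, not the application, so the
    application cannot silently rewrite history. Raw inputs are replaced by
    their SHA-256 so the log references what the system saw without storing it.
    """
    prev = log[-1]["mac"] if log else GENESIS
    record = {"seq": len(log), "ts": ts if ts is not None else time.time(), "prev": prev, **event}
    if "input" in record:
        raw = record.pop("input")
        raw = raw.encode() if isinstance(raw, str) else raw
        record["input_sha256"] = hashlib.sha256(raw).hexdigest()
    record["mac"] = hmac.new(key, canonical(record), "sha256").hexdigest()
    log.append(record)
    return record


def verify_log(log: list, key: bytes):
    """Return (True, None) if the chain is intact, else (False, index_of_first_bad_record).

    Detects modified fields (MAC mismatch), deleted or reordered records
    (seq/prev mismatch) and records produced with a different key.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i
        body = {k: v for k, v in rec.items() if k != "mac"}
        expected = hmac.new(key, canonical(body), "sha256").hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            return False, i
        prev = rec["mac"]
    return True, None


if __name__ == "__main__":
    # Constructed sample session for a (hypothetical) biometric matching system.
    key = b"constructed-demo-key"
    log = []
    append_event(log, {"event": "session_start", "session_id": "s-1", "operator": "op-42"}, key)
    append_event(log, {"event": "query", "session_id": "s-1", "reference_db": "watchlist-v7",
                       "input": b"probe-image-bytes"}, key)
    append_event(log, {"event": "session_end", "session_id": "s-1", "duration_s": 37}, key)
    print(verify_log(log, key))
    log[1]["reference_db"] = "other-db"      # simulate an after-the-fact edit
    print(verify_log(log, key))
```

Ship the records as one JSON object per line to write-once storage, and have the verifier run from a host that does not hold write access to the log. A chain like this proves integrity, not completeness: if the application can stop logging, nothing here notices, so pair it with a heartbeat record at a fixed interval.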
Transparency obligations under Article 50 apply to a broader set of AI systems, not only those in Annex III:
- Providers of AI systems intended to interact directly with natural persons must design them so that users know they are dealing with an AI system, unless that is obvious to a reasonably informed person from the context (Article 50(1))
- Providers of AI systems that generate synthetic audio, image, video, or text must ensure the output is marked in a machine-readable format and detectable as artificially generated or manipulated, using techniques that are effective, interoperable, robust, and reliable as far as technically feasible (Article 50(2)): the "watermarking" obligation, which falls on the provider, not the deployer
- Deployers of emotion recognition or biometric categorisation systems must inform the natural persons exposed to them that the system is operating (Article 50(3))
- Deployers of AI systems that generate or manipulate image, audio, or video content constituting a deepfake must disclose that the content has been artificially generated or manipulated; deployers publishing AI-generated text to inform the public on matters of public interest must disclose this unless the text has undergone human review and a person holds editorial responsibility (Article 50(4))
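Article 50(2) asks for a machine-readable mark that is robust and reliable "as far as technically feasible". The added example below, which is not code from the original post and does not implement any standard named by the regulation, shows the simplest form such a mark can take for an image (a PNG text chunk carrying the disclosure), how a verifier reads it, and why it is a weak implementation on its own: re-encoding the image without its ancillary chunks removes the mark entirely. The keyword `AI-Disclosure`, the field layout and the HMAC binding to the pixel data are assumptions chosen for illustration; the binding lets a verifier reject a marker copied onto a different image, but cannot stop the marker from being deleted.

```python
"""Illustrative machine-readable 'AI-generated' marker in PNG metadata.

Added example, not from the original post. The keyword 'AI-Disclosure', the
field layout and the HMAC binding are assumptions for illustration; the AI Act
does not prescribe a format. Standard library only.
"""
import hashlib
import hmac
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KEYWORD = b"AI-Disclosure"                       # assumed keyword, not a registered one
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}  # chunks a re-encoder must keep


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int, rgb: tuple) -> bytes:
    """Build a minimal 8-bit RGB PNG filled with one colour (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row = b"\x00" + bytes(rgb) * width          # filter type 0 + pixels
    idat = zlib.compress(row * height)
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


def parse_chunks(png: bytes) -> list:
    """Return [(type, data), ...], checking the signature and every CRC."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    chunks, pos = [], 8
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {ctype!r}")
        chunks.append((ctype, data))
        pos += 12 + length
    return chunks


def _content_digest(chunks: list) -> bytes:
    """Hash only the critical chunks so the marker is bound to the pixel data."""
    h = hashlib.sha256()
    for ctype, data in chunks:
        if ctype in CRITICAL:
            h.update(ctype + data)
    return h.digest()


def mark_ai_generated(png: bytes, generator: str, key: bytes) -> bytes:
    """Insert a tEXt chunk before IEND declaring the image AI-generated.

    The HMAC (assumed design) ties the declaration to the critical chunks, so a
    marker transplanted onto another image, or an image whose pixels changed
    after marking, fails verification. 'generator' must not contain ';' or '='.
    """
    chunks = parse_chunks(png)
    fields = f"generated=true;generator={generator}"
    tag = hmac.new(key, _content_digest(chunks) + fields.encode(), "sha256").hexdigest()
    text = KEYWORD + b"\x00" + f"{fields};hmac={tag}".encode("latin-1")
    out = PNG_SIG
    for ctype, data in chunks:
        if ctype == b"IEND":
            out += png_chunk(b"tEXt", text)
        out += png_chunk(ctype, data)
    return out


def read_disclosure(png: bytes, key: bytes):
    """Return the parsed disclosure plus a 'verified' flag, or None if no marker."""
    chunks = parse_chunks(png)
    for ctype, data in chunks:
        if ctype == b"tEXt" and data.startswith(KEYWORD + b"\x00"):
            body = data.split(b"\x00", 1)[1].decode("latin-1")
            fields = dict(kv.split("=", 1) for kv in body.split(";"))
            tag = fields.pop("hmac", "")
            msg = _content_digest(chunks) + ";".join(f"{k}={v}" for k, v in fields.items()).encode()
            expected = hmac.new(key, msg, "sha256").hexdigest()
            fields["verified"] = hmac.compare_digest(tag, expected)
            return fields
    return None


def strip_ancillary(png: bytes) -> bytes:
    """Re-emit only critical chunks: what a metadata cleaner or re-encoder does."""
    return PNG_SIG + b"".join(png_chunk(t, d) for t, d in parse_chunks(png) if t in CRITICAL)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    marked = mark_ai_generated(make_png(4, 4, (10, 20, 30)), "demo-model-v1", key)
    print(read_disclosure(marked, key))                    # verified marker
    print(read_disclosure(strip_ancillary(marked), key))   # None: marker gone
```

Run it and the second line prints `None`: a single image optimiser, screenshot, or social-media upload pipeline is enough to lose a metadata-only mark. Treat metadata as the interoperable, easy-to-read layer and pair it with a marking technique that survives re-encoding (a content-level watermark or a provenance record kept on the provider's side, keyed by content hash) if you want to claim robustness under Article 50(2).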
Developer checklist for Phase 3:
- Map all AI systems in your product against Annex III categories — identify which, if any, qualify as high-risk
- For each high-risk system: complete risk management documentation, data governance records, technical documentation, and logging implementation
- Conduct or commission conformity assessment; prepare EU declaration of conformity; register in the EU database
- For AI systems interacting with users: implement disclosure that the user is interacting with an AI where not obvious from context
- For generative AI outputs (text, image, audio, video): implement machine-readable metadata marking outputs as AI-generated
- For emotion recognition or biometric categorisation: implement user notification
- Train staff who operate or supervise high-risk AI systems: Article 4 (AI literacy, applicable since February 2, 2025) requires a sufficient level of AI literacy among staff dealing with AI systems, and Article 26 requires deployers to assign human oversight to people with the competence, training, and authority to exercise it
Phase 4 — August 2, 2027: Product-Embedded AI Systems
Thirty-six months after entry into force, the final major cohort of high-risk AI systems comes into scope: AI systems that are products, or safety components of products, covered by the Union harmonisation legislation listed in Annex I, Section A, and that must undergo third-party conformity assessment under that legislation (Article 6(1)). The same date is the deadline under Article 111(3) for providers of GPAI models placed on the market before August 2, 2025 to bring those models into line with Chapter V.
This cohort covers AI embedded in products regulated by Annex I, Section A legislation, including:
- Machinery (Directive 2006/42/EC, replaced by Regulation (EU) 2023/1230 from January 2027)
- Toys (Directive 2009/48/EC)
- Recreational craft and personal watercraft (Directive 2013/53/EU)
- Lifts and safety components for lifts (Directive 2014/33/EU)
- Equipment and protective systems intended for use in potentially explosive atmospheres (Directive 2014/34/EU)
- Radio equipment (Directive 2014/53/EU)
- Pressure equipment (Directive 2014/68/EU)
- Cableway installations (Regulation (EU) 2016/424)
- Personal protective equipment (Regulation (EU) 2016/425)
- Appliances burning gaseous fuels (Regulation (EU) 2016/426)
- Medical devices (Regulation (EU) 2017/745) and in vitro diagnostic medical devices (Regulation (EU) 2017/746)
Civil aviation (Regulation (EU) 2018/1139), motor vehicles, rail, and marine equipment sit in Annex I, Section B, not Section A. For those products only Article 6(1), Articles 102 to 109 and Article 112 apply directly; the AI Act's requirements reach them through the Commission's delegated and implementing acts under the sectoral legislation (Article 2(2)).
The compliance pathway for these systems is co-regulated with the existing product legislation: the conformity assessment for the AI system is integrated with the conformity assessment for the product under its applicable sectoral regulation. This means the notified bodies already involved in product certification — and not only the NCA — have a role in AI Act compliance for this cohort.
Developer checklist for Phase 4:
- Identify whether any AI in your product is a safety component of a product covered by Annex I, Section A legislation
- If yes: coordinate AI Act compliance with the conformity assessment required under the applicable product regulation
- Engage the relevant notified body early: under Article 43(3) the notified body that assesses the product under the sectoral legislation may also assess the AI system against the AI Act's requirements, provided its compliance with the AI Act's notified-body requirements (Article 31(4), (5), (10) and (11)) was checked during its sectoral notification
- Ensure technical documentation satisfies the combined requirements of the AI Act and the sectoral product regulation
Phase 5 — 2028 and Beyond: Market Surveillance Maturity
As covered in Post #4 of this series, 2028 represents the transition from initial enforcement to systematic, mature oversight. The institutional infrastructure — NCAs, the AI Office, the AI Board, the EU AI database — is fully operational. Post-market monitoring data from the first deployment cohort (systems that went live in August 2026) is accumulating. Market surveillance authorities are moving from building inspection capacity to exercising it systematically.
Key enforcement dynamics in 2028:
- NCA inspection cycles: the first full supervisory cycle is underway or completed in leading jurisdictions. Providers can expect document requests, on-site inspections, and, where non-compliance is suspected, formal investigations
- EU AI database cross-referencing: market surveillance authorities (MSAs) can systematically identify unregistered high-risk AI systems by comparing market observations against registrations in the Article 71 database
- Post-market monitoring reviews: two years of incident logs, monitoring data, and performance records are available for regulatory review, so gaps in documentation are no longer theoretical
- GPAI oversight maturity: the AI Office holds three years of systemic-risk notifications, documentation obtained on request, and serious-incident reports, and has built the capacity to spot patterns across the model ecosystem
- Cross-border enforcement coordination: the AI Board has established coordination protocols for providers operating across multiple member states
- Regulatory review: under Article 112 the Commission must evaluate and report on the regulation by August 2, 2028 and every four years thereafter, and must assess annually whether the Annex III list and the Article 5 prohibitions need amending, so the boundary of "high-risk" is itself a moving target
Master Compliance Checklist: All Phases
Use this checklist to identify your compliance position across all enforcement phases:
Governance and organisational readiness
- AI governance policy adopted and board-approved
- AI inventory maintained — every AI system in use mapped against risk categories
- Roles and responsibilities for AI compliance defined (who owns each system)
- Staff training programme active for staff who develop, deploy, or supervise AI systems
Documentation
- For each high-risk AI system: technical documentation current and conformity assessment complete
- For each GPAI model you provide: technical documentation, copyright policy, training data summary maintained
- Post-market monitoring plan in place and data being collected
- Serious incident reporting procedures documented and tested
Transparency
- AI interaction disclosure implemented for conversational and decision-support systems
- AI-generated content marked with machine-readable metadata where Article 50 applies
- Emotion recognition and biometric categorisation disclosures in place where applicable
Compliance maintenance
- Annual review cycle for AI inventory and risk assessments
- EU database registrations kept current as systems are updated or deprecated
- Monitoring plan data reviewed at the frequency specified in the plan
- Incident response procedure tested, with escalation path to NCA incident reporting where triggered
Positioning for the Full Enforcement Period
The EU AI Act's phased schedule reflects a practical recognition that compliance at scale takes time to build. The most sophisticated compliance programs in 2028 will not be those that scrambled to meet each deadline in isolation — they will be those that built continuous, documented, auditable processes from the start and treated each phase as an addition to a living system rather than a discrete deadline event.
For SaaS providers and AI developers operating on EU-hosted infrastructure, the positioning is clearer, with one caveat: the AI Act's scope turns on placing a system on the EU market or using its output in the EU (Article 2), not on where it is hosted, so EU hosting does not by itself narrow your AI Act obligations. What it does remove is a category of data-transfer and jurisdiction risk, and GDPR-aligned data governance practices provide a strong foundation for the data and data governance requirements of Article 10. The compliance overhead of the AI Act, while real, is more tractable for organisations that already operate within the EU regulatory framework than for those retrofitting it from a non-EU baseline.
The August 2, 2026 deadline was not the finish line — it was the point at which the race began in earnest. The providers who invested in systematic compliance infrastructure before 2026 will spend 2027 and 2028 maintaining and improving systems that are already audit-ready, while those who treated the August 2026 deadline as a one-time event face the more difficult task of sustaining compliance without the organisational infrastructure to do so reliably.
This post concludes the EU AI Act Enforcement Timeline 2026-2028 series. Posts #1–4 covered the August 2026 enforcement activation, the Q4 2026 new obligations, the 2027 compliance calendar, and the 2028 market surveillance maturity phase respectively. For the next series in this space, see the sota.io EU compliance blog.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.