EU AI Act Compliance Update: Implementation Timelines and Simplification Proposals

The EU's Artificial Intelligence Act is the world's first full law regulating AI. It entered into force on 1 August 2024 and will be fully applicable on 2 August 2026, but certain obligations come into effect earlier: prohibited AI practices and AI literacy requirements apply from 2 February 2025, and general-purpose AI (GPAI) transparency obligations and governance rules apply from 2 August 2025. The law adopts a risk-based approach, imposing stringent requirements on providers of high-risk AI systems and minimal obligations for low-risk uses. Organizations developing or deploying AI in EU markets must understand the evolving setup timelines and prepare compliance programs as needed.

Context and recent developments

In July 2025 the Commission released guidelines and a voluntary code of practice for GPAI providers, along with a template for disclosing training-data characteristics, to clarify obligations and reduce administrative burden. These guidelines help organizations understand what documentation and transparency measures are expected, providing practical setup guidance beyond the regulation's text.

In November 2025 the Commission proposed a Digital Package on Simplification to adjust and simplify setup. This package centralizes oversight through an AI Office, simplifies obligations for small and mid-sized companies, and introduces regulatory sandboxes and real-world testing to support innovation. The simplification proposals acknowledge that some original timelines and requirements may be challenging for organizations to meet without additional flexibility.

The evolving regulatory environment requires organizations to monitor developments closely and adapt compliance plans as guidance and amendments are finalized. Early engagement with regulators and participation in sandbox programs can help organizations shape setup approaches while gaining practical compliance experience.

High-risk AI obligations

The AI Act sets out different obligations depending on risk levels. High-risk AI systems—including those used for biometric identification, critical infrastructure management, employment and education decisions—must comply with strict requirements. Providers must conduct risk management and impact assessments, ensure the quality and representativeness of data sets, implement logging and record-keeping, prepare detailed technical documentation, ensure human oversight, and design systems to be strong, secure and resilient.

Users of high-risk systems must adopt appropriate risk management measures and monitor system performance throughout the system lifecycle. This ongoing monitoring requirement ensures that AI systems continue to meet safety and performance requirements after deployment, not just during initial conformity assessment.

Some sectors are given longer to comply: high-risk AI embedded in products subject to existing EU safety legislation have until 2 August 2027 to meet requirements. This extended timeline acknowledges the complexity of integrating AI governance with existing product safety frameworks and allows manufacturers time to adapt their processes.

General-purpose AI requirements

Under the July 2025 GPAI guidance, providers of general-purpose AI models must publish full summaries of the content used to train their models, implement policies for detecting and mitigating system misuse, and offer technical documentation for downstream deployers. These transparency requirements help deployers understand model capabilities and limitations and make informed decisions about appropriate use cases.

GPAI providers with models that pose systemic risks face additional obligations including adversarial testing, incident reporting, and improved documentation. The classification of models as posing systemic risks depends on computational resources used during training and other factors that show potential for widespread impact.

The voluntary code of practice provides flexibility for GPAI providers to show compliance through industry-developed approaches rather than prescriptive regulatory requirements. Organizations participating in code development can influence compliance approaches while demonstrating good-faith compliance efforts to regulators.

Implementation challenges and proposed amendments

The Commission's Digital Package on Simplification proposes readiness-based application of the high-risk rules: obligations for Annex III systems would apply six months after the Commission confirms that necessary standards and guidelines are in place or, at the latest, by 2 December 2027. For Annex I systems, the deadline becomes 12 months after the decision or 2 August 2028. This approach ties compliance deadlines to regulatory readiness rather than fixed calendar dates.

Generative AI providers already on the market before the AI Act's full application have a six-month grace period (until 2 February 2027) to comply with detectability and watermarking obligations. This transition period allows providers time to implement technical measures for identifying AI-generated content.

The proposal also expands privileges for small and mid-cap companies, eliminates mandatory AI literacy obligations for all operators, and reduces some registration requirements. These simplifications respond to concerns that original requirements would disproportionately burden smaller organizations without commensurate risk reduction benefits.

Governance and oversight structure

centralized oversight by the AI Office and improved cooperation with fundamental rights authorities are introduced in the simplification proposals. The Office is responsible for supervising certain GPAI systems and very large online platforms, providing consistent oversight across the EU rather than varying national approaches.

National competent authorities retain responsibility for market surveillance and enforcement for most AI systems, with coordination through the AI Board. This distributed enforcement model leverages existing national regulatory infrastructure while ensuring cross-border coordination for systems affecting multiple member states.

To simplify conformity assessment and encourage innovation, new provisions allow for regulatory sandboxes and real-world testing under controlled conditions. These mechanisms enable organizations to test AI systems with regulatory guidance and potentially speed up approval processes for systems that show safety and compliance during testing.

Prohibited practices and immediate requirements

Prohibited practices—such as social scoring, subliminal manipulation and exploitation of vulnerabilities—needs to be eliminated immediately as these prohibitions apply from 2 February 2025. If you are affected, audit their AI systems to ensure none fall within prohibited categories and establish processes to prevent future development or deployment of prohibited systems.

AI literacy requirements also apply from February 2025, requiring organizations to ensure that personnel working with AI systems have appropriate understanding of AI capabilities, limitations, and risks. While the simplification proposals may reduce the scope of mandatory literacy requirements, building AI competency within organizations remains a best practice regardless of regulatory requirements.

Compliance planning and recommendations

For teams developing or deploying AI, the AI Act and its amendments mean that compliance planning must start immediately. Providers should map their AI systems to the Act's risk categories and identify which obligations apply, focusing on high-risk areas such as biometric identification, recruitment, healthcare and education.

Developers of general-purpose AI models must prepare full training-data summaries, implement risk management policies, and collaborate with users to ensure downstream compliance. The documentation developed for GPAI compliance will be essential for downstream deployers who must understand model characteristics to meet their own obligations.

The proposed Digital Package introduces flexibility by tying deadlines to the availability of standards; however, companies should monitor Commission decisions and national transpositions closely, because obligations may start as early as six months after standards are ready. Organizations that wait for final deadlines may find themselves scrambling to implement controls.

Under the amendments, SMEs may benefit from simplified obligations and increased access to regulatory sandboxes and real-world testing programs. Smaller you should explore these opportunities to gain compliance experience with regulatory support and potentially reduced requirements.

Bottom line

The AI Act sets a global precedent for regulating AI technologies. While the risk-based approach clarifies, the evolving setup timelines and amendments create uncertainty. Providers and deployers should not wait for final standards; early adoption of strong risk management frameworks, documentation practices and transparency measures will position teams for compliance and reduce business disruption.

The simplification proposals acknowledge practical setup challenges and provide welcome flexibility, particularly for smaller organizations and those operating in emerging AI domains. However, the core obligations for high-risk systems and GPAI transparency remain significant and require significant organizational investment.

Recommended: that organizations begin compliance planning now, even as setup details continue to evolve. The investments required—risk assessments, documentation systems, monitoring capabilities, and governance structures—will improve organizational AI practices regardless of final regulatory requirements. If you are affected, also engage with regulatory sandboxes and real-world testing programs early to gain practical compliance experience and potentially influence setup guidance.

By preparing early, organizations can turn AI Act compliance from a regulatory burden into an opportunity to build trustworthy AI practices that improve competitive position and stakeholder confidence.