TL;DR
The AI Act’s enforcement clock has two main milestones in 2026 and 2027. On 2 August 2026, national supervisory authorities became operational and the penalty regime in Article 99 became applicable. On 2 August 2027, the high-risk regime in Annex III takes full effect, including conformity assessment for most high-risk AI systems. Article 4 has been live since 2 February 2025; the difference 2026 makes is that there is now a regulator who can ask for evidence and impose penalties when the answer is missing.
Phased application of the regulation
Article 113 of Regulation (EU) 2024/1689 sets out a staggered application schedule. The European Commission AI Act service desk and the Digital Strategy framework page summarise the dates:
- 1 August 2024 - regulation in force (no obligations yet binding).
- 2 February 2025 - Chapter I (general provisions, including Article 4 AI literacy) and Chapter II (prohibited practices, Article 5) apply.
- 2 August 2025 - obligations on providers of general-purpose AI models apply; governance structures established.
- 2 August 2026 - the bulk of the regulation, including the penalty regime under Article 99, applies. National competent authorities are designated under Article 70 and start supervising.
- 2 August 2027 - high-risk AI systems listed in Annex III, including those embedded in products subject to existing EU product legislation, become fully subject to the regulation including conformity assessment.
What “enforcement” means in operational terms
From 2 August 2026, member-state regulators are designated, staffed, and have the legal basis to investigate. They can request documentation, perform inspections in line with national procedural law, and impose penalties.
Article 99 sets the upper limits: up to EUR 35 million or 7% of total worldwide annual turnover for prohibited-practice violations, up to EUR 15 million or 3% for most other obligation violations, and up to EUR 7.5 million or 1% for incorrect information supplied to authorities. SMEs face proportionate caps. Article 4 violations sit in the middle band.
The Government of Portugal’s digital portal and the Portuguese Government Digital Strategy describe how Portugal’s national supervisory authority is being stood up and which existing regulators (CNPD on data protection, AMA on digital administration) are co-ordinating. Other member states follow similar patterns: an existing regulator picks up the AI brief, sometimes with a new dedicated unit.
What 2027 changes
The 2 August 2027 milestone is decisive for any organisation that builds or deploys high-risk AI systems. From that date, Annex III high-risk systems must be subject to conformity assessment, must come with technical documentation under Article 11, and must operate under post-market monitoring under Article 72. Existing literacy and governance work is the substrate the conformity work sits on top of.
Research outputs from Instituto Superior Técnico and Nova IMS have argued consistently that organisations that wait for 2027 to begin the literacy work will miss the August 2027 high-risk deadline.
How to plan against the timeline
Three checkpoints:
- Now to 31 July 2026. Land the Article 4 programme and produce the documentation pack. Treat this as table stakes, not a project.
- August 2026 onward. Build a roster of who would respond to a regulator’s request for evidence. Run a tabletop exercise. Document the response flow.
- Before August 2027. If you build or deploy any system in Annex III categories, complete the conformity assessment scoping work. The literacy work feeds directly into Article 11 documentation.
How AISO Learn helps
We run Article 4 readiness as an eight-week engagement and we keep the documentation maintainable so you are not redoing it before each regulator interaction. See our team-engagement programme.
Plan your enforcement-timeline readiness