EU AI Act timeline 2025–2028: all deadlines after the omnibus agreement
The EU AI Act phases in between 2025 and 2028: the Art. 5 prohibitions and Art. 4 AI literacy applied from 2 February 2025, the Art. 50 transparency obligations from 2 August 2026, and the full high-risk obligations for Annex III systems from 2 December 2027 following the Omnibus amendments.
Updated: June 2026, reflects AI Omnibus agreement of May 2026
Introduction: the omnibus changes everything
The EU AI Act entered into force on 1 August 2024 with a graduated implementation timeline. The May 2026 AI Omnibus agreement, a legislative amendment to the original regulation, significantly revised the deadlines for high-risk AI obligations, providing additional time for both providers and deployers to achieve compliance.
This article presents the definitive post-Omnibus timeline for all EU AI Act obligations, with practical implications for Dutch organizations at each stage.
The complete timeline
2 February 2025 ✅, now in force
Prohibited AI practices (Art. 5): All eight prohibitions are in full force. Organizations using AI systems that fall within the prohibited categories must have decommissioned or modified those systems. Enforcement actions have begun in multiple EU member states.
AI Literacy (Art. 4): The obligation to ensure sufficient AI literacy among staff dealing with AI systems is in force. Training programs should be operational.
2 August 2025 ✅, now in force
GPAI obligations (Art. 52–55): Obligations for providers of general-purpose AI models, including transparency requirements, copyright policy, technical documentation, and (for systemic risk models) adversarial testing, are in force.
2 August 2026 ⚠️, approaching (2 months away)
Transparency obligations (Art. 50): AI-generated content labelling, chatbot disclosure obligations, and deepfake labelling requirements come into force.
Full applicability: the regulation's general provisions and the national governance structures apply from this date. Note: there is no separate, earlier high-risk deadline for the public sector. Standalone Annex III high-risk obligations (Art. 26, FRIA under Art. 27, registration) apply from 2 December 2027 for all sectors, public and private alike (see below).
Codes of practice: GPAI providers must comply with the EU AI Office's approved codes of practice.
2 December 2027 🔜, NEW omnibus deadline
Stand-alone high-risk AI (Annex III): The original deadline was 2 August 2026. The Omnibus agreement extended this to 2 December 2027 for all sectors, public and private alike; there is no separate, earlier date for public authorities. This is the deadline for standalone Annex III high-risk systems, covering AI in HR, credit, healthcare, and similar contexts. The Omnibus is a provisional political agreement (May 2026); formal adoption and publication are expected in July 2026, and 2 December 2027 is the planning anchor pending that final adoption.
What this means for deployers: you have until December 2027 to achieve full Art. 26 compliance for Annex III systems. However, the preparatory work (inventory, classification, FRIA, DPIA, supplier documentation, governance setup) should begin now. 18 months sounds long. It is not, for organizations with complex AI estates.
2 August 2028 🔜, NEW omnibus deadline
High-risk AI in regulated products (Annex I): AI systems embedded in machinery, medical devices, vehicles, and other regulated products face this extended deadline (original: 2 August 2027).
What has NOT changed
The Omnibus changes affected timing, not substance. The full compliance obligations remain. Notably:
- Art. 5 prohibitions: unchanged, in force since February 2025
- Art. 4 literacy: unchanged, in force since February 2025
- The risk classification framework: unchanged
- The Art. 26 deployer obligation set: unchanged in content, extended in deadline
Enforcement outlook
The Autoriteit Persoonsgegevens (AP) has been designated as the Netherlands' primary market surveillance authority for the EU AI Act. The AP has indicated that it will prioritize enforcement in areas where harm potential is highest: HR AI, credit AI, and AI used by public authorities. The Omnibus deadline extensions do not affect the AP's supervisory powers over Art. 5 violations and AI literacy requirements.
Compliance checklist
- Are you compliant with Art. 5 (prohibited practices)? This is non-negotiable: it has been in force since February 2025.
- Is your Art. 4 AI literacy program operational?
- If you use GPAI models: are you monitoring your providers' Art. 52–55 compliance?
- For Art. 50 (August 2026): are AI-generated content labelling and chatbot disclosures in place?
- For Annex III high-risk AI: is your compliance roadmap targeting December 2027?
- Is your AI governance framework in place to manage the transition through all deadlines?