EU AI Act timeline 2025–2028: all deadlines after the omnibus agreement

Updated: June 2026, reflects AI Omnibus agreement of May 2026

Introduction: the omnibus changes everything

The EU AI Act entered into force on 1 August 2024 with a graduated implementation timeline. The May 2026 AI Omnibus agreement, a legislative amendment to the original regulation, significantly revised the deadlines for high-risk AI obligations, providing additional time for both providers and deployers to achieve compliance.

This article presents the definitive post-Omnibus timeline for all EU AI Act obligations, with practical implications for Dutch organisations at each stage.

The complete timeline

2 February 2025 ✅, now in force

Prohibited AI practices (Art. 5): All eight prohibitions are in full force. Organisations using AI systems that fall within the prohibited categories must have decommissioned or modified those systems. Enforcement actions have begun in multiple EU member states.

AI LiteracyAI literacySufficient understanding of AI's workings, capabilities and risks for one's role — an explicit expectation for provider and deployer staff under the EU AI Act.Open full entry → (Art. 4): The obligation to ensure sufficient AI literacy among staff dealing with AI systems is in force. Training programmes should be operational.

2 August 2025 ✅, now in force

GPAI obligations (Art. 52–55): Obligations for providers of general-purpose AI models, including transparencytransparencyOpenness about the fact that AI is used and how it operates in general: disclosures, documentation, notices. Pairs with explainability, which addresses individual outcomes.Open full entry → requirements, copyright policy, technical documentation, and (for systemic risksystemic riskEU AI Act category for the most capable general-purpose models (presumed above a training-compute threshold), triggering extra duties: evaluations, adversarial testing, incident reporting, cybersecurity.Open full entry → models) adversarial testing, are in force.

2 August 2026 ⚠️, approaching (2 months away)

Transparency obligations (Art. 50): AI-generated content labelling, chatbot disclosure obligations, and deepfakedeepfakeAI-generated or manipulated audio, image or video that convincingly depicts real people or events that did not occur; subject to labelling duties under the EU AI Act's transparency tier.Open full entry → labelling requirements come into force.

Public sector high-risk AI: For public authorities, the full Art. 26 compliance obligations (including FRIAFRIAFundamental Rights Impact Assessment — required of public bodies and certain private deployers before using some high-risk AI systems under the EU AI Act.Open full entry → under Art. 27) are required for high-risk AI systems already in use.

Codes of practice: GPAI providers must comply with the EU AI Office's approved codes of practice.

2 December 2027 🔜, NEW omnibus deadline

Stand-alone high-risk AI (Annex IIIAnnex IIIThe EU AI Act's list of high-risk use-case areas — biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice.Open full entry →): The original deadline was 2 August 2026. The Omnibus agreement extended this by 16 months. This is the deadline that applies to most private-sector deployers operating AI in HR, credit, healthcare, and similar contexts.

What this means for deployers: you have until December 2027 to achieve full Art. 26 compliance for Annex III systems. However, the preparatory work, inventory, classification, FRIA, DPIADPIAData Protection Impact Assessment — required before likely-high-risk processing (systematic profiling with significant effects, large-scale special categories, public monitoring); AI development triggers it constantly.Open full entry →, supplier documentation, governance setup, should begin now. 18 months sounds long. It is not, for organisations with complex AI estates.

2 August 2028 🔜, NEW omnibus deadline

High-risk AI in regulated products (Annex I): AI systems embedded in machinery, medical devices, vehicles, and other regulated products face this extended deadline (original: 2 August 2027).

What has NOT changed

The Omnibus changes affected timing, not substance. The full compliance obligations remain. Notably:

• Art. 5 prohibitions: unchanged, in force since February 2025
• Art. 4 literacy: unchanged, in force since February 2025
• The risk classification framework: unchanged
• The Art. 26 deployerdeployerAn organization using an AI system under its own authority in its activities — carrying operator duties: use per instructions, oversight, input relevance, monitoring, notices.Open full entry → obligation set: unchanged in content, extended in deadline

Enforcement outlook

The Autoriteit Persoonsgegevens (AP) has been designated as the Netherlands' primary market surveillance authority for the EU AI Act. The AP has indicated that it will prioritise enforcement in areas where harm potential is highest: HR AI, credit AI, and AI used by public authorities. The Omnibus deadline extensions do not affect the AP's supervisory powers over Art. 5 violations and AI literacy requirements.

Compliance checklist

1. Are you compliant with Art. 5 (prohibited practices)? This is non-negotiable, it has been in force since February 2025.
2. Is your Art. 4 AI literacy programme operational?
3. If you use GPAI models: are you monitoring your providers' Art. 52–55 compliance?
4. For Art. 50 (August 2026): are AI-generated content labelling and chatbot disclosures in place?
5. For Annex III high-risk AI: is your compliance roadmap targeting December 2027?
6. Is your AI governance framework in place to manage the transition through all deadlines?