The EU AI Act entered into force on 1 August 2024. Its obligations do not all take effect at once. Instead, the Act phases in over roughly three years, with different categories of obligation binding at different dates. For companies that use, deploy or build AI systems, the practical question is: which obligations are binding on us, when, and what should we be doing now?

This piece works through that question with the dates that matter, the obligations attached to each, and a six-month action list for companies that are not yet in formal compliance preparation.

Why the phase-in matters

The Act's structure groups AI systems into risk tiers (prohibited, high-risk, limited-risk, minimal) and applies different obligations to each tier. The phase-in dates correspond roughly to risk tier:

Most companies will not be building or providing AI systems themselves. Most will be deployers, companies that use AI systems built by others. Deployer obligations are lighter than provider obligations, but they are not zero, and they bind on the same calendar.

The calendar

2 Feb 2025
Prohibited AI practices binding. Practices listed in Article 5 (e.g. social scoring, emotion recognition in workplaces and schools, untargeted scraping of facial images) are prohibited from this date. AI literacy obligation under Article 4 also binds: deployers must ensure relevant staff have sufficient AI literacy to use AI responsibly.
2 Aug 2025
GPAI rules + governance + penalties binding. General-purpose AI model rules (Chapter V) take effect. Member State governance structures (notifying authorities, market surveillance) come into force. The penalty regime (fines up to EUR 35M or 7% of global turnover for the most serious breaches) becomes applicable.
2 Aug 2026
Most high-risk system obligations binding. The bulk of the Act applies. High-risk AI systems (Annex III categories) must meet their full obligations: risk management system, data governance, technical documentation per Annex IV, record-keeping, transparency to users, human oversight, accuracy/robustness/cybersecurity, conformity assessment, registration in the EU database. Transparency obligations for limited-risk AI (chatbots, deepfakes, emotion recognition) also bind.
2 Aug 2027
Final high-risk categories binding. AI systems regulated as safety components under sectoral product legislation (Annex I) reach full applicability. This is the latest deadline and concerns specific regulated product categories.

What this means for a typical company

The bulk of obligations bind in August 2026. For most companies, this is the date that matters. Working backwards from August 2026, a company that has not started yet has roughly three months of preparation runway as of this article's publication date.

The obligations break into three buckets depending on the company's relationship with AI:

Bucket 1: companies using third-party AI tools (deployers)

This is most companies. The company subscribes to AI tools (ChatGPT, Claude, Microsoft Copilot, sectoral SaaS with AI features). The company is a deployer, not a provider. Key obligations:

Bucket 2: companies developing AI features in their own product

Companies in this bucket are providers when they place AI systems on the market under their own name. Provider obligations are substantially heavier than deployer obligations. Key obligations:

Bucket 3: companies using AI as a critical operational system

Companies whose business depends on internal AI workflows (compliance automation, internal underwriting, automated KYC, automated content moderation) sit between the deployer and provider categories depending on architecture and intent. Many will fall into deployer status, but the practical compliance burden is heavier than for casual users. Recommended approach: treat the company as if it were a high-risk deployer and build the operational compliance early.

The next six months: a practical action list

For companies that have not started formal AI Act preparation, the next six months are the working window before the August 2026 deadline.

Month 1, Inventory. List every AI system in use: third-party tools, internal builds, embedded AI in vertical software. Note who in the company uses each, for what purpose, and what data flows through it. Most companies are surprised by what surfaces.
Month 2, Risk classification. For each inventoried system, determine: is it prohibited? Is it high-risk under Annex III? Is it a limited-risk system requiring transparency? Is it general-purpose? Most systems in a typical company classify as minimal or limited risk; the high-risk ones are usually the ones to focus on.
Month 3, Gap analysis. For each system above minimal risk, list the obligations that will bind by August 2026 and the current state. The output is a written gap analysis: what is in place, what is missing, what is at risk of late delivery.
Month 4, Governance framework. Set up the AI governance basics: a named owner, an AI register, a policy on AI use, an incident response process. Most companies do not need elaborate governance; they need basic governance that exists.
Month 5, Documentation and process work. Build the operational documentation: AI literacy training records, transparency notices for limited-risk systems, oversight processes for high-risk systems, monitoring logs, technical documentation per Annex IV where applicable.
Month 6, Verification. Run a mock compliance review against the gap analysis. Identify residual gaps. Close them or document the remediation plan with timeline.

Common misreadings to avoid

"We do not build AI so the Act does not apply to us"

This is the most common misreading. Deployers (companies using AI built by others) have obligations from February 2025 onwards, including the AI literacy requirement that already binds. The Act applies to virtually every company using AI tools in the EU, even if obligations are lighter than provider obligations.

"We will deal with it after August 2026"

The risk classification, governance setup and documentation work typically takes three to six months for a company. Starting after the deadline means operating non-compliant during the catch-up period. The penalty regime (binding from August 2025) covers all infringements from that date onwards.

"Our existing GDPR compliance covers it"

GDPR and the AI Act overlap on data governance but address different concerns. AI Act obligations on risk management, transparency, technical documentation and human oversight do not have GDPR equivalents. Existing GDPR programmes are useful infrastructure but do not substitute for AI Act compliance.

"Our software vendor handles it"

Vendors handle their provider obligations. The deployer obligations sit with the company using the system. Vendor compliance does not transfer.

Where this fits in the calendar

For most companies, the practical AI Act work is a four-to-six-month engagement, scoped against the August 2026 binding date for the bulk of obligations. The work is well-suited to fixed-scope rather than open-ended retainer billing, and it pairs cleanly with adjacent compliance work (GDPR, sectoral regimes) where overlap exists.

The AI Act is not a special compliance regime that sits outside the rest of the company. It is a regulatory framework for the AI tools the company already uses, and the obligations attach where the company already sits in its operational reality.

The most useful posture is to treat AI Act compliance as part of the company's normal compliance and governance work, not a separate AI-specific project that runs parallel to it. Companies that do this find the work proportionate. Companies that treat it as a special parallel project tend to overbuild.

For companies that want help structuring their AI Act work, FounderAIO provides AI Act diagnostics and implementation engagements. Get in touch with the scope you have in mind.

FounderAIO · Published May 2026 · This piece is general information, not legal advice.