The EU AI Act Timeline 2026-2027, Untangled — Are You in Scope Even Outside Europe?

· 4 min read · SOVALYX Technologies

SHARE

The EU AI Act applies in full on 2 August 2026. But the Digital Omnibus, agreed provisionally on 7 May 2026, pushes the obligations for Annex III high-risk systems back to 2 December 2027. With penalties of up to €35M or 7% of worldwide turnover, it pays to know exactly what applies, when — and to whom, including outside Europe.

The real timeline, date by date

The AI Act entered into force in August 2024, with staged application. The bans on unacceptable-risk practices have applied since 2 February 2025, and the obligations for general-purpose AI models (GPAI) since 2 August 2025. The structural deadline remains 2 August 2026: full application of the regulation, as detailed in Leto's compliance guide and the briefing by the French Direction générale des Entreprises.

Here comes the 2026 nuance: the Digital Omnibus, subject of a provisional agreement on 7 May 2026, delays the obligations for high-risk systems under Annex III to 2 December 2027, as reported by donneespersonnelles.fr. Beware the hasty reading: the delay covers those systems only. Everything else keeps its original schedule, penalty regime included — up to €35M or 7% of worldwide annual turnover.

In scope even outside Europe? Yes, in three cases

Like the GDPR before it, the AI Act reaches beyond EU borders. A company established outside the Union — in Mauritius, for instance — falls within its scope as soon as:

In other words: if your customers are in Europe, the timeline above is yours too, whether your server sits in Paris, Ébène or Port Louis.

High risk, limited risk: where does your use case sit?

The regulation is built as a risk pyramid. At the top, prohibited practices (already in force). Next, high-risk systems — including those under Annex III, which covers uses such as recruitment, access to essential services or education: this is the category that benefits from the December 2027 delay. Below that, transparency obligations for systems that interact with people, such as chatbots. Finally, the vast majority of minimal-risk uses, with no new obligations.

The qualification work — which system, which category, which role (provider or deployer) — is the first concrete task, and the most urgent: it determines whether your deadline has passed, is imminent or has been postponed.

Private, documented AI: a compliance shortcut

The AI Act's obligations converge on one common baseline: an inventory of systems, technical documentation, traceability of training data and decisions, logging, human oversight. That baseline is structurally easier to build when the model and the data stay in-house. A private LLM hosted on your own infrastructure delivers by construction what a public API can only promise: knowing exactly which data goes in, what the model logs, and where all of it resides. It is the approach SOVALYX applies to its private AI deployments: compliance documentation becomes a by-product of the architecture, not a separate project. The same reasoning now extends beyond AI: Europe is applying the same logic to cloud with the Cloud and AI Development Act.

The timeline in one table — and three actions

DeadlineWhat applies
2 February 2025Ban on unacceptable-risk practices
2 August 2025Obligations for general-purpose AI models (GPAI)
2 August 2026Full application of the regulation; fines up to €35M or 7% of worldwide turnover
2 December 2027Obligations for Annex III high-risk systems (Digital Omnibus delay, provisional agreement of 7 May 2026)

Before the end of the quarter:

How SOVALYX can help

If your clients are in Europe, SOVALYX can help you turn this timeline into an action plan: an infrastructure and AI assessment inventories your AI systems and qualifies their exposure to the AI Act. Our in-house private LLMs, hosted on a private cloud in Mauritius, provide the expected traceability by design — you know what data goes in, what is logged and where everything resides, and no content ever leaves for a public AI service. 24/7 monitoring under SLA and an automated, tested disaster recovery plan complete the evidence your regulated clients will ask for.

Talk private AI with an engineer

🧰 The companion tool: Are you ready for the AI Act? — free · 2 minutes.

Reviewed and optimised by AI.