The EU AI Act Timeline 2026-2027, Untangled — Are You in Scope Even Outside Europe?

The EU AI Act applies in full on 2 August 2026. But the Digital Omnibus, agreed provisionally on 7 May 2026, pushes the obligations for Annex III high-risk systems back to 2 December 2027. With penalties of up to €35M or 7% of worldwide turnover, it pays to know exactly what applies, when — and to whom, including outside Europe.
The real timeline, date by date
The AI Act entered into force in August 2024, with staged application. The bans on unacceptable-risk practices have applied since 2 February 2025, and the obligations for general-purpose AI models (GPAI) since 2 August 2025. The structural deadline remains 2 August 2026: full application of the regulation, as detailed in Leto's compliance guide and the briefing by the French Direction générale des Entreprises.
Here comes the 2026 nuance: the Digital Omnibus, subject of a provisional agreement on 7 May 2026, delays the obligations for high-risk systems under Annex III to 2 December 2027, as reported by donneespersonnelles.fr. Beware the hasty reading: the delay covers those systems only. Everything else keeps its original schedule, penalty regime included — up to €35M or 7% of worldwide annual turnover.
In scope even outside Europe? Yes, in three cases
Like the GDPR before it, the AI Act reaches beyond EU borders. A company established outside the Union — in Mauritius, for instance — falls within its scope as soon as:
- it places an AI system on the European market (selling or making available a product or service embedding AI to EU customers);
- the output produced by its system is used within the Union — a score, a CV shortlist or an analysis generated in Mauritius for a European client is enough;
- it is a subcontractor of a regulated European player, who will pass its own obligations down the contract chain, exactly as NIS2 does — a mechanism we describe in "NIS2: why your European client will ask for your disaster recovery plan".
In other words: if your customers are in Europe, the timeline above is yours too, whether your server sits in Paris, Ébène or Port Louis.
High risk, limited risk: where does your use case sit?
The regulation is built as a risk pyramid. At the top, prohibited practices (already in force). Next, high-risk systems — including those under Annex III, which covers uses such as recruitment, access to essential services or education: this is the category that benefits from the December 2027 delay. Below that, transparency obligations for systems that interact with people, such as chatbots. Finally, the vast majority of minimal-risk uses, with no new obligations.
The qualification work — which system, which category, which role (provider or deployer) — is the first concrete task, and the most urgent: it determines whether your deadline has passed, is imminent or has been postponed.
Private, documented AI: a compliance shortcut
The AI Act's obligations converge on one common baseline: an inventory of systems, technical documentation, traceability of training data and decisions, logging, human oversight. That baseline is structurally easier to build when the model and the data stay in-house. A private LLM hosted on your own infrastructure delivers by construction what a public API can only promise: knowing exactly which data goes in, what the model logs, and where all of it resides. It is the approach SOVALYX applies to its private AI deployments: compliance documentation becomes a by-product of the architecture, not a separate project. The same reasoning now extends beyond AI: Europe is applying the same logic to cloud with the Cloud and AI Development Act.
The timeline in one table — and three actions
| Deadline | What applies |
|---|---|
| 2 February 2025 | Ban on unacceptable-risk practices |
| 2 August 2025 | Obligations for general-purpose AI models (GPAI) |
| 2 August 2026 | Full application of the regulation; fines up to €35M or 7% of worldwide turnover |
| 2 December 2027 | Obligations for Annex III high-risk systems (Digital Omnibus delay, provisional agreement of 7 May 2026) |
Before the end of the quarter:
- Inventory every AI system you use or supply, including SaaS tools with embedded AI.
- Qualify each system (risk category, your company's role, European customers or not).
- Document now the systems that will stay: data, logs, human oversight — and if you would rather validate that qualification with a third party, talk to a specialist.
How SOVALYX can help
If your clients are in Europe, SOVALYX can help you turn this timeline into an action plan: an infrastructure and AI assessment inventories your AI systems and qualifies their exposure to the AI Act. Our in-house private LLMs, hosted on a private cloud in Mauritius, provide the expected traceability by design — you know what data goes in, what is logged and where everything resides, and no content ever leaves for a public AI service. 24/7 monitoring under SLA and an automated, tested disaster recovery plan complete the evidence your regulated clients will ask for.
Talk private AI with an engineer🧰 The companion tool: Are you ready for the AI Act? — free · 2 minutes.
Reviewed and optimised by AI.