EU AI Act Deadlines 2025-2027: SME Overview

Wito AI

EU AI Act Deadlines 2025-2027: What Applies When

The EU AI Act enters into force in stages — four deadlines, four packages of action. This overview shows SMEs what becomes mandatory and by when: prohibitions, GPAI rules, high-risk obligations and penalties.

Book an EU AI Act compliance check Start your free Wito Digital Audit (WDA)

What is the EU AI Act and how does it enter into force?

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive statutory regulation of artificial intelligence. It entered into force on 1 August 2024 and takes full effect over a staggered 36-month period — with four clearly defined deadlines running through to August 2027.

The regulation applies to every organisation that deploys, develops or markets AI systems in the EU — regardless of company size or location. In other words: even an SME with 15 employees that only uses off-the-shelf AI tools is caught as a deployer under Art. 3(4) of the EU AI Act.

Overview of the four EU AI Act deadlines

The EU AI Act structures its requirements into four staggered stages. The underlying logic is risk-based: first come the prohibitions on the most dangerous AI systems, then the transparency duties for general-purpose AI models, then the extensive high-risk obligations, and finally the exemptions for certain regulated product categories.

According to the European Commission AI Office (2025), an estimated 15,000 SMEs in Germany alone are directly affected by the high-risk requirements. At the same time, a Bitkom study (2025) found that 64% of German SMEs are still unaware that the EU AI Act applies to them.

The four deadlines can be read as successive waves of compliance, each bringing new obligations. From the 2 August 2026 deadline onward, the rules of the regulation apply in full under Art. 113 of the EU AI Act, except where expressly provided otherwise. The BMWK expressly advises businesses to prepare for each deadline gradually and early, rather than leaving everything to the last minute.

1Aug 2024

Entry into force — EU Commission

Quelle: EU Commission, 2024

2Feb 2025

Prohibitions (unacceptable risk) apply — Art. 5

Quelle: EU AI Act Art. 5, 2025

2Aug 2025

GPAI rules + authorities — Art. 51-56

Quelle: EU AI Act Art. 51-56, 2025

2Aug 2026

High-risk AI obligations — Art. 6-49

Quelle: EU AI Act Art. 6-49, 2026

2 February 2025: prohibited AI practices (Art. 5 EU AI Act)

Six months after entry into force — on 2 February 2025 — the prohibitions on AI systems with unacceptable risk took effect. These AI practices have been fully banned across the EU since that date. Any organisation still operating such systems has been acting unlawfully since then and risks fines of up to EUR 35M or 7% of worldwide annual turnover.

Under Art. 5 of the EU AI Act, the following AI systems and practices are prohibited:

Social scoring: AI systems that rate people on the basis of social behaviour or personal characteristics and derive social disadvantages from those ratings (such as a state-run points system).
Manipulative AI practices: systems that use subliminal techniques to influence human behaviour in ways that cause harm.
Exploitation of vulnerabilities: AI that exploits the specific vulnerabilities of particular groups (age, disability) in order to influence their behaviour.
Real-time biometric surveillance in public spaces by law-enforcement authorities — subject to narrow exceptions defined in law.
Emotion recognition in the workplace and in educational settings — with exceptions for medical or safety-related use.
Biometric categorisation based on sensitive characteristics (race, political opinion, trade-union membership, religious belief, sexuality).
AI-based predictive policing based on profiling without any concrete underlying facts.

Particularly relevant for SMEs in practice: anyone using AI-based sentiment or emotion analysis on employees (e.g. in HR tools, video-conferencing software or productivity monitoring) had to disable those features by 2 February 2025 at the latest, or demonstrate that they fall under the medical exception. According to the Bitkom EU AI Act guide (2024), many SMEs had unknowingly activated these features in standard software.

2 August 2025: GPAI rules, the AI Office and national authorities

Twelve months after entry into force — on 2 August 2025 — the rules for general-purpose AI models (GPAI) and the institutional structures took effect. This deadline affects SMEs mainly indirectly: the providers of the AI models that SMEs use every day must now be demonstrably compliant.

GPAI: what are general-purpose AI models?

GPAI models are large AI models that can be trained and deployed for a wide range of tasks — without being tied to a specific purpose. Prominent examples include GPT-4 and GPT-5 (OpenAI), Claude (Anthropic), Gemini (Google DeepMind) and LLaMA (Meta). Under Art. 51-56 of the EU AI Act, providers of these models have had to meet the following obligations since 2 August 2025:

Provide technical documentation and model evaluations.
Publish and comply with copyright policies (training-data policy).
Make all relevant information available to downstream providers that build on the model.
Take additional safety measures where there are systemic risks (models with particularly high capability — as of 2025, a training compute above 10^25 FLOPs).

What does this mean for SMEs as users?

For SMEs acting as deployers, the rule is: you may only use GPAI models from providers that can demonstrably meet the EU AI Act requirements. In practice this means reviewing and archiving the providers' conformity documentation (e.g. Microsoft, OpenAI, Google, Anthropic). The major providers have now made this documentation publicly available.

The AI Office and national authorities

Also from 2 August 2025, the EU AI Office is fully operational. It is the central EU authority overseeing compliance with the GPAI rules. In parallel, the EU member states are to designate their national market surveillance authorities for AI — in Germany, the Federal Network Agency (Bundesnetzagentur) is expected to take on this role, although the final decision by the BMDV (Federal Ministry for Digital and Transport) is still pending (as of Q2 2026).

According to the Heinrich-Böll-Stiftung EU AI Act analysis (2024), the institutional structure is a core element of the law: without functioning national authorities, the threatened fines are formally valid but barely enforceable in practice. That changes from August 2025 — the authorities receive extensive investigatory and enforcement powers, including unannounced audits.

2 August 2026: high-risk AI obligations and full sanctioning power

The 2 August 2026 deadline is the pivotal EU AI Act milestone for the majority of affected SMEs. From this date — 24 months after entry into force — all requirements for high-risk AI systems under Art. 6-49 of the EU AI Act apply in full. At the same time, the full force of the fines under Art. 99 of the EU AI Act takes effect from this deadline.

Which systems are high-risk?

High-risk AI systems are listed in Annex III of the regulation. Areas particularly relevant for SMEs:

HR and people management: AI for candidate pre-screening, performance evaluation, pay recommendations or dismissals. Affects any mid-sized company with AI-supported HR software.
Lending: automated creditworthiness assessment and credit scoring. Relevant for companies with AI-supported finance tools.
Education and vocational training: access decisions or the assessment of learners by AI.
Critical infrastructure: AI in water supply, energy and transport.
Safety-relevant products: AI in machinery, vehicles and medical devices.

Obligations for deployers of high-risk systems

SMEs that operate high-risk AI systems must meet the following requirements under Art. 9-15 of the EU AI Act by 2 August 2026:

Risk-management system under Art. 9: a documented system for identifying, analysing and mitigating risks across the entire lifecycle of the AI system.
Data quality assurance under Art. 10: ensuring that training and operational data meet the requirements for quality, representativeness and freedom from errors.
Technical documentation under Art. 11: comprehensive documentation of the AI system, its purposes, limitations and performance parameters.
Logging and record-keeping under Art. 12: automatic logging of events during the operation of a high-risk system.
Transparency and user information under Art. 13: clear information for deployers and users about capabilities, limitations and oversight duties.
Human oversight under Art. 14: institutionally embedded control by natural persons — technical and organisational measures must make this possible.
Conformity assessment under Art. 43: either as a self-assessment or by a third party, depending on the type of system.

Fines from 2 August 2026

The fine structure under Art. 99 of the EU AI Act is significant for SMEs: breaches of the high-risk requirements can be penalised with up to EUR 15M or 3% of worldwide annual turnover (whichever is higher). For an SME with EUR 10M in turnover, that means fines of up to EUR 300,000 — for missing compliance documentation alone. For prohibited AI practices under Art. 5, the even higher ceiling of EUR 35M or 7% of annual turnover applies.

According to ZEW Mannheim (2024), one-off compliance costs for SMEs can range between EUR 50,000 and EUR 400,000 depending on complexity, if everything is implemented in-house. With external support and a structured approach, that effort is reduced considerably — and it is far cheaper than a single fine.

This Regulation shall apply from 2 August 2026, save as otherwise provided. Title I and Title II shall apply from 2 February 2025. The provisions on general-purpose AI models in Chapter V of Title VIII, and the provisions of Chapters I, II and VI of Title VIII as well as Chapter III of Title IX, shall apply from 2 August 2025.

Europäisches Parlament und Rat der Europäischen Union, Verordnung (EU) 2024/1689 — EU Artificial Intelligence Act, Art. 113, Amtsblatt der Europäischen Union, 2024

2 August 2027: the final transition period for special categories

For certain high-risk AI systems that are embedded in existing European safety and product-conformity frameworks, an extended transition period until 2 August 2027 applies. This exemption is set out in Art. 113(2) of the EU AI Act and covers systems subject to a CE-marking procedure under other EU harmonisation legislation.

Specifically, this affects high-risk AI systems in the following regulated product categories:

Medical devices under Regulation (EU) 2017/745 (MDR): AI-supported diagnostic software, imaging AI in radiology, AI-based treatment-recommendation systems.
In-vitro diagnostics under Regulation (EU) 2017/746 (IVDR): AI in laboratory diagnostics and the interpretation of genetic tests.
Toys under Directive 2009/48/EC: AI features in interactive educational toys.
Machinery and lifts: AI in safety-critical machine controls, where these fall under the Machinery Directive.
Aviation and maritime: AI systems that are already subject to other EU safety regimes.

For SMEs in the manufacturing, medical-technology and toy sectors this means: the relevant deadline is not August 2026 but August 2027. Even so, the groundwork (AI inventory, risk classification, gap analysis) should be completed by the end of 2025, to allow enough lead time for the conformity assessment. The Bitkom EU AI Act guide (2024) advises businesses in these sectors to use their existing CE procedures as a foundation and extend them with the AI Act-specific requirements.

Action checklist: what to do, and by when

The checklist below summarises the key steps to take for each deadline. It is no substitute for legal advice, but it gives a practical overview of the most important measures for SMEs.

Right now (catching up on 2 February 2025)

Inventory the AI tools used across your organisation — in full, including AI features built into standard software (CRM, ERP, HR tools, office suites).
Check whether emotion-recognition or scoring features are active — these must be disabled or legally reviewed.
Create an AI policy (an internal AI-usage guideline) — defining permitted and prohibited AI use by employees.
Add a transparency notice to chatbots and AI assistants ("You are chatting with an AI assistant").

By 2 August 2025 (the GPAI deadline)

Request and archive the conformity documentation of the GPAI providers you use (OpenAI, Google, Microsoft, Anthropic).
Make sure you only use models that comply with the EU AI Act — and review whether you need to switch providers.
Identify your national authority contact point (currently the Federal Network Agency) and define an internal escalation process.

By 2 August 2026 (the main high-risk deadline)

Complete the risk classification of every AI system you use under Annex III of the EU AI Act.
For high-risk systems: implement technical documentation, a risk-management system and logging mechanisms.
Carry out conformity assessments for your own or significantly modified high-risk systems.
Embed human-oversight processes institutionally — name those responsible and define escalation rules.
Train the employees who operate or supervise AI systems.
Prepare an incident-reporting process with the national authority.

By 2 August 2027 (special categories only)

For medical devices, toys and other CE-regulated areas: complete the conformity assessment with the AI Act extension.
Extend existing CE documentation with AI Act-specific evidence.
Establish ongoing monitoring and an annual AI-inventory review.

Frequently asked questions about the EU AI Act deadlines

From the relevant deadline onward you are formally acting unlawfully and risk fines from the national market surveillance authority. In practice, the authorities are likely to focus first on serious breaches (prohibited practices, high-risk systems with no documentation whatsoever). That is no lasting protection, however: even a missing transparency notice on a simple chatbot is subject to fines once the relevant deadline has passed. Demonstrable compliance efforts — even if individual points are still being implemented — are your best protection in an official inspection.

Yes. Under the market-location principle, the EU AI Act applies to every organisation whose AI systems are used in the EU — regardless of where the company is based. A US SaaS company that sells a high-risk AI system to German SMEs must meet the provider obligations of the EU AI Act. As an SME deployer in Germany, you can rely on compliant providers supplying an EU declaration of conformity — so request it actively.

GPAI stands for general-purpose AI — general-purpose AI models such as GPT-4/5, Claude, Gemini or LLaMA. These models are not built for a specific use case but can be used for a wide range of tasks. From 2 August 2025, providers of these models must meet extensive transparency and safety obligations. For SMEs as users this means: check whether your AI providers can demonstrate GPAI compliance. Non-compliant GPAI models may no longer be used in the EU.

The EU AI Act does not mandate a formal "AI Officer" role in the way the GDPR requires a data protection officer. Deployers of high-risk systems must, however, embed human oversight institutionally and be able to demonstrate named responsibilities for AI compliance. In practice it is advisable to appoint an internal person or an external service provider as the AI compliance lead — in order to pass audits and meet the requirements for documented human oversight.

The conformity assessment under Art. 43 of the EU AI Act varies by type of system. For most high-risk systems, a self-assessment by the provider is possible — based on harmonised standards. Only for certain biometric and safety-critical systems is a third-party assessment mandatory. As an SME deployer, your primary task is to review the provider's declaration of conformity. If you develop or significantly modify a high-risk system yourself, you carry out the conformity assessment and draw up the EU declaration of conformity.

As a rule: each deadline brings new obligations that apply to every affected organisation. The prohibitions under Art. 5 (February 2025) apply to everyone — regardless of the risk class of the systems in use. The GPAI obligations (August 2025) affect you as a user of general-purpose models. The high-risk obligations (August 2026) only affect you if you actually deploy high-risk systems. The extended deadline until August 2027 applies exclusively to CE-regulated product categories.

Existing AI systems that were put into operation before the EU AI Act entered into force on 1 August 2024 are also subject to the requirements — but with the same staggered transition periods. There is no grandfathering rule for systems already in use. For high-risk systems already in operation before 2 August 2026, the compliance requirements must be met by that deadline. The only exception: systems in CE-regulated product categories have until August 2027.

Germany has not yet made a final decision on the national market surveillance authority for AI (as of Q2 2026). The most likely candidate is the Federal Network Agency (BNetzA), which already has competencies in digital regulation. The decision rests with the Federal Ministry for Digital and Transport (BMDV). Until the final designation, companies can direct enquiries to the BMDV or to the AI Office of the European Commission. The Federal Network Agency has already begun building capacity for AI oversight.