The EU AI Act does not land all at once. It entered into force on 1 August 2024 and rolls out in phases through 2027. Each phase activates a different set of obligations for different categories of AI systems.

For DACH enterprises, the challenge is not understanding that deadlines exist — it is knowing which ones apply to you and what minimum viable action each requires. This article provides that mapping.

The full timeline at a glance

1 August 2024 — The AI Act enters into force. The clock starts.

2 February 2025 — Prohibitions on unacceptable-risk AI systems take effect (6 months after entry into force).

2 August 2025 — Obligations for general-purpose AI (GPAI) models take effect. Governance structure (AI Office, AI Board, advisory forum) becomes operational (12 months).

2 August 2026 — Most obligations for high-risk AI systems take effect. This includes conformity assessments, technical documentation, risk management, human oversight, and monitoring requirements (24 months).

2 August 2027 — Extended deadline for high-risk AI systems that are safety components of products already regulated under EU sectoral legislation — Annex I, Section A (medical devices, aviation, automotive, rail, etc.) (36 months).

Phase 1: Prohibitions — February 2025 (already in effect)

What happened: AI systems classified as unacceptable risk became illegal. This includes social scoring, real-time remote biometric identification in public spaces (with narrow exceptions), exploitation of vulnerable groups, emotion recognition in workplaces and schools, and untargeted facial image scraping.

Who is affected: Any organisation operating AI systems in these categories within the EU.

What you should have done:

  • Audited your AI inventory for any systems that fall under the prohibited categories
  • Decommissioned any prohibited systems
  • Documented the audit and its results

If you have not done this yet: Do it now. The prohibitions are in effect. The risk is not theoretical — it is an active enforcement exposure.

For most DACH enterprises in insurance, manufacturing, financial services, and professional services, this phase required a review but no system changes. The prohibited categories are specific and most enterprise AI does not touch them. But the audit must be documented.

Phase 2: GPAI obligations — August 2025 (already in effect)

What happened: Providers of general-purpose AI models must now comply with transparency and documentation requirements. Providers of GPAI models with systemic risk face additional obligations including adversarial testing and incident reporting.

Who is affected: Primarily providers of foundation models — OpenAI, Anthropic, Google, Mistral, and others. But deployers are affected indirectly.

What deployers should do:

  • Verify your GPAI provider's compliance. If you use models from OpenAI, Anthropic, Google, or other providers, confirm they have published their compliance documentation. This is relevant for your own risk management.
  • Review your contracts. Your agreement with the model provider should address AI Act obligations, liability, and cooperation with authorities.
  • Document your GPAI usage. Which models do you use? For what purposes? Through which APIs or platforms? This feeds into your AI system inventory and classification.

The practical impact on most DACH deployers is limited: you are downstream of the provider obligations. But documenting your usage and verifying provider compliance is part of good governance — and it will matter when high-risk obligations arrive.

Phase 3: High-risk obligations — August 2026 (the critical deadline)

What is coming: The full compliance stack for high-risk AI systems activates. This is the phase that requires the most preparation and has the highest stakes for enterprise deployers.

Who is affected: Any organisation operating high-risk AI systems — which includes AI used in employment, financial services, insurance, critical infrastructure, education, and several other domains defined in the Act's Annex III.

What high-risk obligations include:

For providers of high-risk AI systems:

  • Risk management system
  • Data governance and data quality requirements
  • Technical documentation
  • Record-keeping and automatic logging
  • Transparency and information to deployers
  • Human oversight design
  • Accuracy, robustness, and cybersecurity
  • Conformity assessment (self-assessment or third-party, depending on sector)
  • EU declaration of conformity
  • CE marking
  • Registration in the EU AI database

For deployers of high-risk AI systems:

  • Use the system in accordance with its intended purpose and instructions
  • Implement human oversight measures as specified by the provider
  • Ensure input data is relevant and representative
  • Monitor the system's operation
  • Keep logs for at least six months
  • Inform workers and their representatives when AI systems are used in the workplace
  • Conduct a fundamental rights impact assessment before deployment
  • Report serious incidents to the provider and relevant authorities

What you should be doing now (Q2/Q3 2026):

  1. Complete your AI system classification. Every AI system in your inventory must have a documented risk classification. Use the classification guide if you have not started.
  2. For high-risk systems, begin conformity preparation. Assess whether you are a provider or deployer. If provider: start your conformity assessment. If deployer: review the provider's documentation and assess your deployer-specific obligations.
  3. Implement or verify human oversight. For every high-risk system, a named person must have the authority and ability to oversee the system's operation, understand its outputs, and override decisions. This is not a policy — it is an operational requirement.
  4. Update technical documentation. High-risk systems need comprehensive documentation covering system design, training data, testing methodology, performance metrics, and known limitations. Most companies have this information — scattered across repositories and wikis. Consolidate it into audit-ready form.
  5. Implement monitoring and logging. Systems must generate logs that allow post-hoc analysis of system behaviour. If your architecture does not support this, you need an engineering sprint. See Compliance by Design for the architectural patterns.
  6. Run impact assessments. Conduct a fundamental rights impact assessment for high-risk systems and a DPIA for all AI systems processing personal data. Run a combined assessment where both apply.
  7. Brief your leadership. The board or Geschäftsführung must understand the compliance obligations and resource requirements. This is not IT's problem alone.

The timeline pressure: The remaining time sounds comfortable. It is not. Organisations with multiple high-risk AI systems need to run classification, documentation, monitoring implementation, impact assessments, and conformity preparation in parallel. Start now.

Phase 4: Sectoral products — August 2027

What is coming: High-risk AI systems that are safety components of products already regulated under existing EU harmonised legislation (medical devices, machinery, aviation, automotive, rail, marine) have an extended compliance deadline.

Who is affected: Companies in regulated product sectors that embed AI in their products. This includes DACH manufacturers of medical devices, automotive components, industrial machinery, and aviation systems.

What to do: If your products are covered by Annex I, Section A of the AI Act, you have until August 2027. But do not treat this as a reprieve. The conformity assessment for AI in regulated products is complex and interfaces with existing sector-specific certification. Start now if you have not already.

National implementation: Germany, Austria, Switzerland

The AI Act is an EU regulation — directly applicable in all member states without national transposition. However, each member state must designate national competent authorities for market surveillance and enforcement.

Germany: The Bundesnetzagentur (BNetzA) has been designated as the responsible authority for AI Act supervision. Coordination with existing Datenschutzaufsichtsbehörden (data protection authorities) is still evolving.

Austria: Designation of the national competent authority is in progress. The existing regulatory landscape (Datenschutzbehörde, FMA for financial services) will interface with AI Act enforcement.

Switzerland: As a non-EU country, Switzerland is not directly subject to the AI Act. However, the Swiss FADP (Federal Act on Data Protection) and market access considerations mean that Swiss companies selling into the EU must comply. The Swiss government is monitoring developments and may align its regulatory framework.

For DACH enterprises operating across borders, the practical implication is: comply with the AI Act regardless of where your headquarters is located, if your AI systems affect persons in the EU.

What happens if you miss a deadline

Penalties under the AI Act are structured by severity:

  • Prohibited AI practices: Up to €35 million or 7% of global annual turnover (whichever is higher)
  • High-risk non-compliance: Up to €15 million or 3% of global annual turnover
  • Incorrect information to authorities: Up to €7.5 million or 1% of global annual turnover
  • SME and startup reductions: Lower penalty ceilings apply for small and medium enterprises

Beyond fines, non-compliance carries operational risk: systems may be required to be taken off the market or out of service. For an enterprise that depends on an AI workflow for critical business operations, that is a bigger threat than the fine.

The minimum viable compliance calendar

If you are reading this in mid-2026 and have done nothing yet, here is the compressed path:

Week 1–2: AI system inventory. List every AI system — production, pilot, embedded in SaaS, shadow AI. Assign an owner for each.

Week 3–4: Classification. Apply the risk framework to each system. Document the rationale. Identify high-risk systems.

Month 2: Provider/deployer analysis. For each high-risk system, determine your role. Review provider documentation and contracts.

Month 3–4: Documentation and monitoring sprint. Consolidate technical documentation. Implement logging where missing. Set up monitoring dashboards.

Month 4–5: Impact assessments. Run DPIA and fundamental rights assessments for high-risk systems. Involve DSB and legal.

Month 5–6: Human oversight implementation. Name the oversight persons. Train them. Implement override mechanisms.

Ongoing: Quarterly review cycle. Update inventory, classifications, and documentation. Monitor regulatory guidance.

This is tight but feasible for an organisation with 3–10 AI systems. For larger portfolios, you need more time and likely external support.
