KLA Digital
Interactive timeline

EU AI Act implementation timeline

Choose your role and risk level. Get a practical plan by phase — with the exact artifacts you need to produce and the evidence you must be able to export.

Last updated: Dec 16, 2025 · Version v1.0 · Orientation only. Not legal advice.

Context

What this is (and when you need it)

A phased plan for producing the deliverables and evidence auditors expect.

This page is not a legal summary. It’s an implementation timeline keyed to real deliverables: technical documentation, human oversight procedures, monitoring plans, log retention policy, and evidence export drills.

Use the interactive toggles to produce a checklist by role and risk confidence. If you’re uncertain, treat it as potential high-risk until you can defend the classification.

You need it when

  • You’re planning budgets and sequencing work across teams.
  • You need to produce artifacts fast — and keep them linked to evidence.
  • You want to prove audit readiness via export drills, not promises.

Common failure mode

Teams start documentation too late and can’t export evidence on demand — no version trail, no review records, no integrity proof, no drill reports.

Checklist

What good looks like

Timeline success criteria: controls + evidence, not slide decks.

  • You have an owned system inventory and a defensible classification memo.
  • High-risk actions are controlled by policy gates and/or approval queues.
  • Monitoring plan includes thresholds, sampling policy, owners, and incident workflow.
  • Audit logs are integrity-protected and exportable with a manifest + checksums.
  • You run export drills and retain drill reports + corrective actions as evidence.

Milestones

Key dates (orientation)

Use these milestones to sanity-check your internal timeline.

12 Jul 2024

Published in the Official Journal

Start of the countdown. Use this date to sanity-check phased applicability timelines.

1 Aug 2024

Entered into force

The regulation is in force, with many obligations phasing in later.

2 Feb 2025

Prohibited practices apply (Article 5)

High-risk or not, banned use cases should be removed or redesigned.

2 Aug 2025

General-purpose AI (GPAI) obligations begin

Provider-side duties start phasing in for GPAI models and systemic-risk models.

2 Aug 2026

Most obligations apply

High-level operational programs should be live, not “in planning”.

2 Aug 2027

Some high-risk rules fully apply

Later-stage requirements and category-specific obligations phase in.

Planner

Interactive implementation plan

A suggested order of operations, tailored to your role and risk confidence.

Phase 1 — Inventory and classification

You can’t comply with what you haven’t identified. Start by making risk classification defensible.

Owners

  • Compliance
  • Product
  • Engineering

What you produce

  • System inventory
  • Classification memo (assumptions + rationale)
  • Owner map

Checklist

  • Inventory AI systems, owners, deployment regions, and affected user groups.
  • Write intended purpose and boundaries (“do not use for”).
  • Classify risk tier; if uncertain, treat as potential high-risk until clarified.
  • Identify and remove prohibited patterns; record remediation decisions.

Phase 2 — Governance and change control

Audits fail when versioning and approvals are missing. Make “what changed when” provable early.

Owners

  • Compliance
  • Security
  • Engineering

What you produce

  • Change control policy
  • Material change definition
  • Approval workflow + evidence fields

Checklist

  • Define “material change” (model/prompt/policy/workflow/data/tool changes).
  • Implement approvals for risky changes and capture rationale + identity.
  • Define retention and export expectations for audit logs.

Phase 3 — Controls: gates, oversight, and logging

Move from documentation to enforceable runtime controls (fail-closed where needed).

Owners

  • Engineering
  • Compliance
  • Ops

What you produce

  • Policy-as-code checkpoints
  • Human oversight SOP
  • Audit log taxonomy

Checklist

  • Define policy checkpoints (block / require-review / allow) for high-risk actions.
  • Stand up an approval queue with escalation and override procedure.
  • Log decisions, approvals/overrides, tool calls, and versions in effect.
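
A sketch of the Phase 3 checkpoint as policy-as-code, added here as an example and not KLA's or any regulator's code: a gate returns block / require-review / allow, fails closed on unknown actions or evaluation errors, and logs each decision and approval with the versions in effect. The rule table, action names, version labels and function names are constructed assumptions; escalation and override handling are left out.

```python
from datetime import datetime, timezone

POLICY_VERSION = "policy-2025-12-01"  # constructed version label
OUTCOMES = {"allow", "require-review", "block"}
RULES = {  # constructed rule table: action -> checkpoint outcome
    "summarize_document": "allow",
    "send_customer_email": "require-review",
    "delete_customer_record": "block",
}

def evaluate(action, rules):
    """Return (decision, reason); anything unexpected fails closed to block."""
    try:
        outcome = rules[action]
        if outcome not in OUTCOMES:
            return "block", "rule has invalid outcome"
    except KeyError:
        return "block", "no rule for action"
    except Exception as exc:  # e.g. the rule table failed to load
        return "block", f"policy evaluation error: {type(exc).__name__}"
    return outcome, "matched rule"

def stamp(event, **fields):
    """Build one audit record carrying a timestamp and the policy version."""
    now = datetime.now(timezone.utc).isoformat()
    return {"ts": now, "event": event, "policy_version": POLICY_VERSION, **fields}

def checkpoint(action, actor, model_version, audit_log, queue, rules=RULES):
    """Gate one action and log the decision with the versions in effect."""
    decision, reason = evaluate(action, rules)
    record = stamp("policy_decision", action=action, actor=actor,
                   decision=decision, reason=reason, model_version=model_version)
    audit_log.append(record)
    if decision == "require-review":
        queue.append(record)  # held until a human reviewer decides
    return decision

def review(queue, audit_log, reviewer, approved, rationale):
    """Resolve the oldest queued action; identity and rationale are logged."""
    pending = queue.pop(0)
    audit_log.append(stamp("approval" if approved else "rejection",
                           action=pending["action"], reviewer=reviewer,
                           rationale=rationale))
    return approved
```

The caller runs the action only when `checkpoint` returns "allow", or after `review` returns True for the queued record.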

Phase 4 — Documentation package and evidence pointers

Reviewers want an artifact that links every claim to exportable proof.

Owners

  • Compliance
  • Engineering
  • Risk

What you produce

  • Annex IV-aligned technical documentation draft
  • Evidence pointers per section

Checklist

  • Draft Annex IV sections and attach evidence pointers (artifact → source → integrity proof).
  • Produce a one-page summary for stakeholders (forwardable).
  • Prepare deployer instructions and required operational controls.

Phase 5 — Post-market monitoring and incident response

You must prove ongoing control effectiveness: sampling, thresholds, incidents, corrective actions.

Owners

  • Ops
  • Compliance
  • Engineering

What you produce

  • Post-market monitoring plan
  • Sampling policy
  • Incident runbook

Checklist

  • Define monitored signals and thresholds (quality, policy compliance, tool correctness, operational health).
  • Implement risk-tiered sampling (baseline + burst rules).
  • Define incident severity levels, SLAs, rollback/kill-switch procedure, and reporting responsibilities.

Phase 6 — Audit readiness drills

Evidence exists only if you can export it on demand — with verification steps.

Owners

  • Compliance
  • Engineering
  • Security

What you produce

  • Evidence export drill report
  • Corrective action log

Checklist

  • Run a time-boxed evidence export drill (simulate an auditor request).
  • Verify integrity independently (manifest + checksums + hash chain validation).
  • Record gaps and corrective actions; repeat on cadence (monthly/quarterly).
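
What "verify integrity independently" can look like in a drill, as an added example that is not KLA's export format or code: the verifier recomputes every checksum listed in the manifest, flags files the manifest does not list, replays the audit log's hash chain, and compares the final hash with the chain head recorded in the manifest. The bundle layout, field names (`files`, `log`, `chain_head`, `prev`, `hash`) and sample events are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the chain

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def entry_hash(prev_hash, event):
    # Canonical JSON so producer and verifier hash identical bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return sha256_hex((prev_hash + body).encode())

def build_log(events):
    """Producer side: each entry commits to the hash of the previous one."""
    prev, lines = GENESIS, []
    for ev in events:
        digest = entry_hash(prev, ev)
        lines.append(json.dumps({"prev": prev, "event": ev, "hash": digest}))
        prev = digest
    return "\n".join(lines).encode()

def verify_bundle(files, manifest):
    """Auditor side: return findings; an empty list means the bundle verifies."""
    findings = []
    for name, expected in manifest["files"].items():
        if name not in files or sha256_hex(files[name]) != expected:
            findings.append(f"missing or altered file: {name}")
    findings += [f"unlisted file: {n}" for n in files if n not in manifest["files"]]
    prev = GENESIS
    log = files.get(manifest["log"], b"").decode()
    for i, line in enumerate(log.splitlines()):
        rec = json.loads(line)
        if rec["prev"] != prev or rec["hash"] != entry_hash(prev, rec["event"]):
            findings.append(f"hash chain broken at entry {i}")
            break
        prev = rec["hash"]
    if prev != manifest["chain_head"]:
        findings.append("chain head does not match manifest")
    return findings

def sample_bundle():
    # Constructed bundle for illustration: a three-entry log plus one document.
    events = [{"seq": 0, "decision": "require-review"},
              {"seq": 1, "approval": "alice"},
              {"seq": 2, "tool_call": "crm.lookup"}]
    files = {"audit.jsonl": build_log(events), "annex_iv.md": b"draft text"}
    head = json.loads(files["audit.jsonl"].splitlines()[-1])["hash"]
    checksums = {name: sha256_hex(data) for name, data in files.items()}
    return files, {"log": "audit.jsonl", "chain_head": head, "files": checksums}
```

The checks only carry weight if the verifier obtains the manifest and chain head through a channel the log's operator cannot rewrite, for example a signed manifest or a head value recorded outside the bundle.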

Preview

Checklist preview

A small excerpt of the downloadable artifact (indexable HTML).

TIMELINE_CHECKLIST :: EXCERPT
## Phase 2 — Gap assessment (artifacts you must be able to produce)
- Annex IV technical documentation draft (if high-risk)
- Human oversight SOP + intervention evidence path
- Logging taxonomy + retention policy + export mechanism
- Post-market monitoring plan + sampling policy + incident workflow

## Phase 6 — Audit readiness drills
- Run a full evidence export drill (time-boxed)
- Verify integrity independently (manifest + checksums)
- Fix gaps and record corrective actions

KLA Mapping

How KLA helps (Govern / Measure / Prove)

Turn the timeline into a control plane with exportable evidence.

Govern

  • Policy-as-code checkpoints that block or require review for risky actions.
  • Versioned approvals for model/prompt/policy/workflow changes.

Measure

  • Risk-tiered sampling reviews (baseline + burst rules).
  • Near-miss tracking (blocked / nearly blocked steps) as a control effectiveness signal.

Prove

  • Tamper-proof, append-only audit trail with 7+ year retention language where required.
  • Evidence Room export bundles (manifest + checksums) for independent verification.

Changelog

Update log

Freshness signal without pretending to be the regulator.

2025-12-16

Initial interactive timeline

Added role/risk toggles + phased checklist + downloadable checklist artifact.

Download

Download the timeline checklist

Editable Markdown checklist for planning and audit-readiness drills.
