The Three Timelines of the EU AI Act
Which one drives your audit risk - and why it’s not the one you think
Executive Summary
The EU AI Act now lives inside a broader, more complex regulatory universe. With the Digital Omnibus on the table and post-Omnibus commentary spreading like wildfire, leadership teams are once again recalculating when they “really” need to be compliant.
Some are locking onto the political cycle: Council conclusions, Omnibus negotiations, and Commission communications that suggest gradual simplification.
Others fixate on enforcement: stop-the-clock mechanisms, extended grace periods, and the apparent shift of high-risk penalties into late 2027.
Almost no one is looking at the only timeline that actually governs financial exposure: the date when classification and documentation obligations crystallize for every AI system they place on the EU market.
The EU AI Act is now operating across three distinct timelines:
A Political Timeline - volatile, headline-driven, and structurally incapable of telling you when your risk actually starts.
An Enforcement Timeline - flexible, dependent on national capacity and Commission acceleration choices, and frequently misread as “extra time.”
A Classification Timeline - fixed, anchored in August 2026, and tied not to enforcement but to the act of placing systems on the market and registering high-risk determinations.
Most organizations are optimizing for the first two. Their decisions are rational from a distance, but structurally misaligned with how the Act actually creates exposure.
This piece does three things:
It explains how these three timelines emerged and why they are diverging after the Digital Omnibus.
It shows why only the classification timeline is a reliable anchor for financial risk — and why it did not move.
It outlines how leadership teams should structure their 2025-2026 roadmap if they want to use Omnibus “simplification” as a competitive advantage rather than a justification for delay.
The conclusion is blunt: political and enforcement timelines can move; the classification timeline cannot. If your organization is still waiting for “clarity” before it starts classification, you are betting your balance sheet on the wrong clock.
How the EU AI Act Fractured Into Three Timelines
When the AI Act was first discussed, many organizations assumed a single, clean trajectory: adoption, a transition period, then full enforcement. That model was always optimistic; it did not survive the reality of EU law-making, sectoral legislation, and now the Digital Omnibus.
Today, the Act operates in three different temporal dimensions.
The political dimension is driven by co-legislators, institutional negotiations, and broader digital policy agendas. It explains why dates slip, why compromises appear late, and why simplification packages materialize after the main act is already in force.
The enforcement dimension is driven by capacity and prioritization. Market surveillance authorities, sectoral regulators, and (for foundation models) the AI Office do not become fully operational overnight. Staff must be hired, structures built, methodologies agreed, cooperation mechanisms tested. This creates a ramp-up curve that can be slowed or accelerated, but not skipped.
The classification dimension is different. It is not a political signal or a capacity question; it is a structural condition embedded in the text of the Act. Once the relevant provisions apply, any provider or deployer placing a system on the EU market must know what that system is under Article 6 - and must be able to show their working.
The Digital Omnibus changes some of the geometry around these timelines. It introduces simplifications, delays certain enforcement consequences and registration obligations for specific categories, and creates new interactions between central and national supervision. But it does not change the fact that classification is tied to market placement, not to the comfort level of political actors or the readiness of enforcement authorities.
Understanding this fracture is the first step towards a defensible strategy.
The Political Timeline: Where Attention Goes to Die
The political timeline is the most visible and the least actionable.
This is the timeline of:
Commission strategies and press releases.
Parliamentary debates and amendments.
Council working parties, conclusions, and last-minute changes.
Horizontal “simplification” narratives, of which the Digital Omnibus is the most recent instance.
From a distance, this timeline looks like the natural place to anchor decisions. If the Commission announces simplification, it feels rational to wait and see what that simplification actually does. If Council conclusions talk about reducing burdens for SMEs, it feels rational to pause and see whether that relief applies.
The trap is that political timelines move for reasons that have nothing to do with your organization’s risk.
A negotiation delayed by three months does not delay classification obligations by three months. A simplification narrative does not repeal Article 6. A future communication on guidelines does not extend the date when technical documentation must exist for systems entering the market.
Executives who follow only the political timeline experience a recurring pattern: relief at the announcement, ambiguity while the details are parsed, then a sudden realization that nothing fundamental moved on the classification side — but several months of preparation time have just evaporated.
Post-Omnibus, this pattern is intensifying. “Simplification” is being interpreted as “delay.” In reality, it is far closer to “conditional relief for those who classified early and correctly.”
The Enforcement Timeline: A Moving Target
The enforcement timeline is the second major source of confusion.
Here, the discussion centers on dates like August 2027 for full high-risk enforcement, phased transparency obligations, and the extent to which “stop-the-clock” mechanisms push penalties further into the future for certain categories of systems.
It is absolutely correct that enforcement will not arrive everywhere at once. Some authorities will be ready earlier; others later. Certain sectors will attract earlier and more intensive scrutiny. Foundation models will see centralized supervision dynamics that differ from national supervisory authorities’ treatment of downstream systems.
It is also correct that Omnibus-style adjustments can create real time buffers in some areas. Delayed penalties and phased obligations can mean, in practice, that an organization has more room to reach maturity on risk management, monitoring, and documentation depth — if it has already completed the prerequisite work.
What this timeline does not do is create more time to decide what your systems are.
A delayed penalty date does not retroactively legalize a missing classification.
A phased enforcement plan does not allow a system to be placed on the market without an Article 6 determination.
A national authority still retains the power to ask, at any point after obligations apply: “On what basis did you decide that this system is not high-risk?”
Enforcement timelines determine when that question is likely to be asked.
They do not change whether you were required to have a defensible answer the day you placed the system on the market.
This is the distinction that gets lost when “August 2027” is treated as the real start date. It is, at best, the point at which failure becomes visible. The obligations that create the failure start earlier.
The Classification Timeline: The Only Fixed Anchor
Against this moving background, the classification timeline is remarkably simple.
From August 2026, organizations placing AI systems on the EU market must be able to answer a series of non-negotiable questions:
How did you determine whether this system falls under Article 6(1) as a safety component of a regulated product?
How did you assess Annex III applicability under Article 6(2)?
If you relied on any derogations or exemptions, under which provision, on what basis, and subject to which conditions?
Did the system engage in profiling of individuals, and if so, how did you account for the profiling override?
Where is the technical documentation that records this assessment, in a form a market surveillance authority can understand?
The Act does not say, “You may decide this later, once guidelines are final.”
It says, in effect: You must know what you are placing on the market, and you must document that knowledge before you do so.
This is why the classification timeline is the only true risk anchor. It ties your obligations to:
the specific systems you control,
the dates on which you place them on the market or put them into service, and
the internal methodologies and documentation that exist at that moment.
The Digital Omnibus can reduce burdens for certain categories, streamline reporting, and relax some obligations for SMEs and small mid-caps. It can delay when certain penalties bite. It can rationalize interactions between different digital laws.
What it cannot do is retroactively authorize not knowing what you put on the market in August 2026.
That is the line you cannot move.
How Organizations Misread the Timelines
The misalignment between these timelines produces familiar failure modes. They differ by organizational type, but the underlying error is the same: treating political and enforcement signals as if they had the power to shift classification obligations.
Large vendors see Omnibus simplification and prospective guidelines and conclude that serious classification work can wait until interpretative texts are final. Classification becomes a “second-half-of-2026” problem. What this ignores is that many of their systems will be on the market long before then — and each one will carry a classification assumption that may never have been formally agreed, let alone documented.
Enterprises, particularly outside the tech sector, anchor on enforcement. They look at high-risk penalty dates, central supervision of foundation models, and phased transparency obligations, and they infer a slow ramp. The assumption is that authorities will “spend the first year learning” and only later move into aggressive enforcement. In this model, detailed classification is something to be developed in parallel with enforcement readiness.
SMEs and small mid-caps often take their cue from simplification narratives. Hearing that documentation burdens will be reduced and quality management expectations scaled to their size, they infer that the classification problem itself will somehow be simpler — or, worse, that it is safe to postpone decisions until simplified pathways are fully clarified.
In all three cases, the same structural fact is being missed:
Simplified treatment, delayed penalties, and phased enforcement are conditional benefits.
The condition is that you have classified correctly.
An organization that misclassifies — or fails to classify — will not be treated as an enthusiastic but overwhelmed participant in a complex regulatory transition. It will be treated as having failed at the most basic requirement: knowing whether its systems are high-risk.
When the first audits arrive, the questions will not be “Did you read the Omnibus communications?” or “Did you see the guideline footnotes?” They will be:
Show us your Article 6 determination for this system as of August 2026.
Show us who approved it.
Show us the evidence and reasoning that support your decision.
Those are classification-timeline questions, not enforcement-timeline questions.
What This Means for Your 2025–2026 Roadmap
Once you accept that classification sits on its own fixed timeline, the structure of the next 18–24 months changes.
The core of your roadmap is no longer “reach compliance by August 2027.” It becomes: “Have every relevant system correctly classified, and that classification documented, by August 2026 — with a buffer.”
That reframes the work in three ways.
First, it makes inventory and boundary work non-negotiable in 2025. You cannot classify systems you have not identified, and you cannot defend classifications if you cannot explain where one system ends and another begins. In practice, this means treating AI system inventory as a board-visible initiative, not a side activity bolted onto existing registers.
Second, it moves intended purpose from a marketing artefact to a regulatory control. The way your organization describes what a system does is no longer a vague positioning statement; it is the primary input into Article 6 analysis. The difference between “assists HR teams in screening candidates” and “automates ranking and shortlisting of candidates based on predicted performance” is not semantic. It can be the difference between falling squarely into Annex III employment high-risk territory and sitting at the edge of another category with a potential derogation.
Third, it elevates classification methodology from an internal spreadsheet to a governance artefact. Authorities will not simply ask what you decided; they will ask how you decide, system after system, and whether that method is coherent. That means establishing, ahead of August 2026, a repeatable Article 6 process that:
is understood by technical, legal, and business stakeholders,
covers both the safety-component pathway and Annex III mapping,
addresses profiling and other overrides explicitly, and
leads naturally into the technical documentation structures you will need later.
If this sounds like building a small, specialized governance system before you build your full AI management system, that is not an accident. Classification is the keystone. The rest of your compliance architecture either stands on it or collapses under scrutiny.
Where does the Digital Omnibus sit in this roadmap? As a modifier, not a driver. It can reduce the volume and granularity of documentation for certain categories of organizations and systems. It can make some conformity assessment processes more efficient. It can give you more time to reach full maturity after you have classified correctly.
It cannot do anything useful for you if, when the time comes, you still cannot explain what your systems are under Article 6.
Conclusion: Which Timeline Are You Really On?
After the Digital Omnibus, it is tempting to believe that the story of the EU AI Act is one of delay and relief. Enforcement appears to drift into 2027. Simplification promises to reduce burdens. Guidelines are on the horizon.
But beneath these moving parts, one date remains stubbornly in place.
From August 2026, every system you place on the EU market must have a defensible Article 6 classification behind it. That classification must rest on a clear intended purpose, a coherent mapping against Annex III, a considered view on exemptions and overrides, and documentation capable of withstanding regulatory scrutiny.
That is the classification timeline. It is the only one that truly determines your financial exposure, because it is the only one that directly connects what you do inside your organization with what authorities are entitled to ask when they arrive.
Political timelines move.
Enforcement timelines shift.
Classification timelines do not.
Over the coming months, leadership teams will sort themselves into two groups.
One group will continue to plan around political and enforcement milestones, waiting for “just one more” clarification before committing. They will discover, too late, that the moment they placed their systems on the market, they started a clock they never acknowledged.
The other group will treat August 2026 as the fixed anchor it is, and will use every month between now and then to build the classification capacity they need. For them, enforcement delays and Omnibus simplifications become what they were always meant to be: accelerators, not excuses.
The only real strategic question left for 2025 is deceptively simple:
Which timeline is your organization actually planning against?
P.S. If you need a structured, defensible methodology for Article 6 classification, I’ve published a full handbook that translates this regulatory logic into operational steps:
The Article 6 Classification Handbook: A Practical, Defensible Methodology for EU AI Act Compliance


