The AI Act entered into force on 1 August 2024. Every scale-up I work with knows this. What they do not know — and what is already starting to hurt — is that the Act was never going to enforce itself on day one. It enforces itself on a staggered schedule, with four meaningfully different deadlines, each triggering a different set of obligations. Missing any of them produces the same outcome: a deal lost on a security review, a notified body refusing to engage, a supervisory authority opening a preliminary assessment.

The pattern I keep seeing is the same. A founder reads a headline, writes “AI Act compliance — 2026” in a board pack, and assumes there is time. By the time the first deadline bites, the controls that needed to be designed into the product architecture are impossible to retrofit in under six months. The company is now negotiating procurement with an enterprise buyer who has just added an AI-governance clause to its standard template. The buyer is willing to wait. They are not willing to wait twelve months.

The four deadlines that actually apply

The staggered schedule breaks into four stages. I will describe what triggers at each, not restate the legislative text — you can read that in the Official Journal. The operational implications are what matter.

February 2025 — Prohibited practices. Article 5 prohibitions on unacceptable-risk AI systems became enforceable. For most scale-ups this is a compliance-by-construction question: do you operate any system that could plausibly be argued to fall into a prohibited category? Social scoring, real-time biometric identification in public spaces, emotion recognition in workplaces or education, manipulative systems exploiting vulnerabilities of specific groups. The answer is usually no — but the discipline of documenting why the answer is no, before a regulator or an enterprise buyer asks, is the point. “We considered it and ruled it out” is a defence. “We never thought about it” is not.

August 2025 — GPAI obligations. Providers of general-purpose AI models became subject to transparency, documentation, and copyright-policy obligations. Systemic-risk GPAI providers took on additional duties — model evaluation, adversarial testing, incident reporting. For most scale-ups, you are not a GPAI provider. But if you fine-tune an open-source foundation model and re-distribute it, you may be. If you wrap an API and re-sell it, you may be a downstream provider with documentation obligations of your own. The analysis is architecture-dependent and the default assumption “the provider handles it” is frequently wrong.

August 2026 — High-risk systems, codes of practice, governance structures. This is the big one. High-risk AI systems — the Annex III list — become subject to the full risk-management, data-governance, transparency, human-oversight, robustness, and post-market monitoring requirements. If your product touches credit scoring, recruitment, education admissions, essential services, law enforcement, migration, or justice administration, and you have not started on Article 9 risk management and Article 10 data governance by the time you read this, you are already late. These are not paper exercises. They are engineering disciplines that have to be designed into the system, not bolted on.

August 2027 — Embedded high-risk. High-risk AI embedded in products already covered by existing Union harmonisation legislation — including medical devices under the MDR — moves into scope. For HealthTech SaMD with AI components, this is the year two regulatory regimes converge. The integration effort is substantial and cannot be delivered in the final quarter before the deadline.

Where the under-appreciated risk sits

Most scale-ups worry about the wrong deadline. The August 2026 high-risk requirements are what gets discussed. The real risk is upstream, and it comes in three forms.

The first is procurement drift. Enterprise buyers are adding AI-governance clauses to their standard contract templates in 2025 and 2026 — not because they are obliged to, but because their own legal teams are anticipating obligations and hedging. A clause that was boilerplate in 2024 now names ISO 42001, fundamental rights impact assessments, and conformity documentation. If your sales motion runs through enterprise procurement, your effective AI Act deadline is whatever your largest prospect’s legal team decides it is.

The second is fundraising diligence. Investor questionnaires from mid-2025 onward have started including AI-governance questions. “How is your AI system classified under the EU AI Act?” is now a standard item. The question is binary. You either have a classification analysis, or you do not. The investors who care the most are the ones leading rounds north of €20M, and they care more in every successive round.

The third is GPAI chain obligations. You may think your obligations end with the API you integrate. They do not. Article 25 places duties on downstream providers who substantially modify a high-risk system, and the threshold for “substantial modification” is lower than most founders assume. Fine-tuning, system prompting at scale, or building a product that materially redefines the intended purpose of an upstream model can all trigger downstream-provider obligations.

What to do now

The methodology I use — Identify, Translate, Control, Activate — front-loads the work that matters most right now: the Identify stage. The first deliverable in any AI Act engagement is a written applicability analysis. Which Articles apply, to which of your systems, with what evidence. That analysis does three things simultaneously. It eliminates the obligations that do not apply (most of the regulation, for most scale-ups). It sequences the ones that do, by commercial urgency. And it becomes the artefact you hand to enterprise buyers, investors, and — eventually — auditors.

The common mistake is to wait for ISO 42001 certification as the finish line. Certification is useful. But it is a trailing indicator. What procurement teams, investors, and regulators actually ask for is evidence of governance — risk classification, conformity documentation, incident response readiness, fundamental rights assessments where required. Those can and should be in place twelve to eighteen months before any certification body arrives.

The deadline that matters is not the one written in the Official Journal. It is the deadline your next enterprise deal imposes. That deadline is almost always earlier than you think.