Skip to content

Regulatory deadlines

A working reference of the application and transition dates for the frameworks the project maps in docs/governance/compliance-map.md (BL-036). This is not legal advice; verify each date against the Official Journal of the European Union (and the Austrian Federal Law Gazette) before relying on it. Dates are ISO 8601.

The point of tracking these here is operational: a control that is "planned" in the compliance map (annotated with a BL-NNN) should close before the obligation it serves applies. The "Relevant project controls" column names where to look.

EU frameworks

Framework Milestone Date Relevant project controls
EU AI Act, Regulation (EU) 2024/1689 Entry into force 2024-08-01 compliance-map "EU AI Act" rows
EU AI Act Prohibited practices (Chapter II) apply 2025-02-02 n/a (praxis defines no prohibited-practice system)
EU AI Act GPAI model obligations apply 2025-08-02 n/a (praxis ships no GPAI model)
EU AI Act High-risk obligations (Annex III stand-alone) apply 2027-12-02 (deferred; statutory date was 2026-08-02) Art. 12 logging (execution/audit.py), Art. 14 oversight (execution/runner.py)
EU AI Act High-risk obligations (Annex I products) apply 2028-08-02 (deferred; statutory date was 2027-08-02) as above
NIS2, Directive (EU) 2022/2555 Member-State transposition deadline 2024-10-17 compliance-map "NIS2" rows
NIS2 Measures apply in transposing States 2024-10-18 SEC-8 least privilege/kill switch; SEC-2/SEC-9 audit evidence
NISG 2026 (Austria) National NIS2 transposition (in progress) 2026 as NIS2; expected 2026, tracked because Austria missed the 2024-10-17 deadline
Cyber Resilience Act, Regulation (EU) 2024/2847 Entry into force 2024-12-10 compliance-map "Cyber Resilience Act" rows
CRA Reporting obligations (Art. 14) apply 2026-09-11 SEC-2/SEC-9 audit evidence; vulnerability handling CI
CRA Main obligations apply 2027-12-11 secure-by-default posture; digest-pin/SBOM (BL-033, BL-092)
GDPR, Regulation (EU) 2016/679 Applicable 2018-05-25 SEC-9 redaction; SEC-4 classification filtering
ISO/IEC 27001 2013-to-2022 certification transition deadline 2025-10-31 compliance-map "ISO/IEC 27001:2022" rows

Notes

  • praxis is a tool an operator runs, not itself a regulated AI system, a NIS2 essential entity, or a CRA manufacturer of record. These dates are the obligations of the operator and their organisation; the project's job is to make the supporting evidence and controls available before the relevant date (see the compliance map).
  • The CRA dates follow the staggered schedule in the Regulation: reporting obligations 21 months after entry into force, the remaining obligations 36 months after.
  • The AI Act high-risk dates are the two staggered application dates (Annex III systems, then Annex I regulated products); the earlier prohibited-practice and GPAI dates are listed for completeness even though praxis triggers neither.
  • The high-risk dates above carry the deferral agreed in the Digital Omnibus on AI, a targeted amendment package to Regulation (EU) 2024/1689. The co-legislators reached a provisional agreement on 2026-05-07: Annex III stand-alone high-risk obligations move from 2026-08-02 to 2027-12-02 (16 months), and Annex I product-embedded high-risk obligations move from 2027-08-02 to 2028-08-02 (12 months). As of this writing (2026-06) the package is politically agreed but not yet formally adopted or published in the Official Journal; formal adoption is expected before the 2026-08-02 statutory date it supersedes. Treat the deferred dates as provisional and re-confirm both the dates and the in-force status against the Official Journal once it publishes (tracked as BL-113; the original statutory dates remain in force until then). The same package adds two prohibited practices under Art. 5 (AI-generated non-consensual intimate imagery and CSAM); praxis defines no such system, so its prohibited-practice disposition is unchanged.