Enforcement timeline tracking

When the EU AI Act enforcement clock ticks past a deadline you forgot to plan for, the penalty for "we'll get to it" can reach 7% of global turnover. Teams that track compliance against a phased timeline catch gaps months ahead of audits; teams that don't discover them when a regulator does. By the end you'll be able to model the four EU AI Act enforcement milestones, attach verifiable per-Article requirements to each, and generate a prioritized gap report that distinguishes overdue obligations from upcoming ones.

• Enforcement milestone — A specific date on which a new set of EU AI Act obligations becomes legally enforceable; missing one means you are already non-compliant, not "running late."
• GPAI (General-Purpose AI) — A class of foundation models with broad capabilities; GPAI-specific obligations (technical docs, copyright policy, training-data summary) activated on 2 August 2025 and gate every downstream deployer.
• Article reference — A pointer such as Article 5 or Article 53(1)(c) that ties each tracked requirement to the exact AI Act provision; the unit of evidence regulators ask for during an audit.
• Compliance status — A four-state classifier (compliant, non_compliant, partial, not_assessed) attached to each requirement; the not_assessed state is the silent killer because it looks like "not a problem yet."
• Gap report — The prioritized output that ranks non-compliant and partial requirements by deadline proximity so remediation effort targets the highest-exposure items first.

The four enforcement milestones — Feb 2025 (prohibitions + AI literacy), Aug 2025 (GPAI obligations), Feb 2026 (post-market monitoring), Aug 2026 (high-risk requirements) — each activate distinct requirement sets that the tracker must model independently (see Code Walkthrough).

Milestone-anchored requirements

A milestone is not a single switch; it activates a bundle of requirements, each tied to its own Article. The August 2025 GPAI milestone alone activates technical documentation (Article 53), a copyright policy (Article 53(1)(c)), and a training-data summary (Article 53(1)(d)). Collapsing the milestone into one item fuses three independent evidence trails and erases the ability to report partial readiness — which is the shape every realistic compliance posture takes.

Status that distinguishes "not done" from "not looked at"

A binary compliant / non_compliant model forces unknown requirements into one of the two buckets, usually compliant by default. The four-state model (compliant, non_compliant, partial, not_assessed) preserves the difference between "we have evidence" and "we haven't checked." Audits start with the not_assessed set; that is where regulators discover the violations you didn't know you had.

Deadline-proximity prioritization

Once each requirement carries a status, the gap report ranks remediation work by how close — or past — the enforcement date is. Requirements past their effective date are not "Priority 1"; they are active regulatory exposure and they bump every upcoming item down the queue. The schedule below visualises the four active dates the tracker reasons over.

Concretising the three concepts — milestone-anchored requirements, four-state status, and a status-report aggregation — into one model. ComplianceRequirement and ComplianceMilestone carry per-Article evidence; ComplianceChecker.get_status_report walks the milestones and produces the overall score the gap report ranks against.

Code snippetpython
1from datetime import date
2from enum import Enum
3from typing import Any, Dict, List
4from pydantic import BaseModel, Field
5
6class ComplianceStatus(str, Enum):
7    COMPLIANT = "compliant"
8    NON_COMPLIANT = "non_compliant"
9    PARTIAL = "partial"
10    NOT_ASSESSED = "not_assessed"
11
12class ComplianceRequirement(BaseModel):
13    requirement_id: str
14    description: str
15    article_reference: str  # e.g. "Article 53(1)(c)"
16    status: ComplianceStatus = ComplianceStatus.NOT_ASSESSED
17    evidence_links: List[str] = Field(default_factory=list)
18
19class ComplianceMilestone(BaseModel):
20    milestone_id: str
21    name: str
22    effective_date: date
23    is_active: bool = False
24    requirements: List[ComplianceRequirement] = Field(default_factory=list)
25
26class ComplianceChecker:
27    """Tracks EU AI Act compliance across the four enforcement milestones."""
28
29    def __init__(self) -> None:
30        self._milestones: List[ComplianceMilestone] = [
31            ComplianceMilestone(
32                milestone_id="eu-ai-act-feb-2025",
33                name="Prohibitions and AI Literacy",
34                effective_date=date(2025, 2, 2),
35                is_active=True,
36                requirements=[
37                    ComplianceRequirement(
38                        requirement_id="prohib-001",
39                        description="No prohibited AI practices",
40                        article_reference="Article 5",
41                    ),
42                    ComplianceRequirement(
43                        requirement_id="literacy-001",
44                        description="AI literacy program in place",
45                        article_reference="Article 4",
46                    ),
47                ],
48            ),
49            ComplianceMilestone(
50                milestone_id="eu-ai-act-aug-2025",
51                name="GPAI Model Obligations",
52                effective_date=date(2025, 8, 2),
53                is_active=True,
54                requirements=[
55                    ComplianceRequirement(
56                        requirement_id="gpai-001",
57                        description="Technical documentation available",
58                        article_reference="Article 53",
59                    ),
60                    ComplianceRequirement(
61                        requirement_id="gpai-002",
62                        description="Copyright policy implemented",
63                        article_reference="Article 53(1)(c)",
64                    ),
65                    ComplianceRequirement(
66                        requirement_id="gpai-003",
67                        description="Training data summary published",
68                        article_reference="Article 53(1)(d)",
69                    ),
70                ],
71            ),
72            ComplianceMilestone(
73                milestone_id="eu-ai-act-feb-2026",
74                name="Post-Market Monitoring",
75                effective_date=date(2026, 2, 2),
76                is_active=True,
77                requirements=[
78                    ComplianceRequirement(
79                        requirement_id="monitor-001",
80                        description="Post-market monitoring system",
81                        article_reference="Article 72",
82                    ),
83                    ComplianceRequirement(
84                        requirement_id="monitor-002",
85                        description="Incident reporting mechanism",
86                        article_reference="Article 73",
87                    ),
88                ],
89            ),
90            ComplianceMilestone(
91                milestone_id="eu-ai-act-aug-2026",
92                name="High-Risk AI Requirements",
93                effective_date=date(2026, 8, 2),
94                is_active=False,
95                requirements=[
96                    ComplianceRequirement(
97                        requirement_id="highrisk-001",
98                        description="Risk management system",
99                        article_reference="Article 9",
100                    ),
101                    ComplianceRequirement(
102                        requirement_id="highrisk-002",
103                        description="Human oversight mechanisms",
104                        article_reference="Article 14",
105                    ),
106                ],
107            ),
108        ]
109
110    def get_status_report(self) -> Dict[str, Any]:
111        total, compliant = 0, 0
112        report: Dict[str, Any] = {"milestones": [], "overall_score": 0.0}
113        for ms in self._milestones:
114            ms_data: Dict[str, Any] = {
115                "milestone": ms.name,
116                "effective_date": str(ms.effective_date),
117                "is_active": ms.is_active,
118                "requirements": [],
119            }
120            for req in ms.requirements:
121                ms_data["requirements"].append({
122                    "id": req.requirement_id,
123                    "article": req.article_reference,
124                    "status": req.status.value,
125                })
126                total += 1
127                if req.status == ComplianceStatus.COMPLIANT:
128                    compliant += 1
129            report["milestones"].append(ms_data)
130        if total:
131            report["overall_score"] = compliant / total
132        return report

Verify by instantiating ComplianceChecker() and printing get_status_report(): each active milestone should appear with its requirements in not_assessed status, and overall_score should be 0.0 until you start flipping requirements to COMPLIANT with evidence links attached.

Do's

1. ✓Do attach an article_reference to every requirement — auditors index by Article, not by your internal requirement IDs.
2. ✓Do treat not_assessed as the highest-investigation priority — unknown status is where regulators find their first finding.
3. ✓Do regenerate the gap report on a fixed cadence — monthly or quarterly evidence of good-faith compliance effort can mitigate penalties.

Don'ts

1. ✗Don't collapse a milestone into one boolean — a milestone activates multiple Article-anchored requirements, and partial readiness must be reportable per Article.
2. ✗Don't default the status field to COMPLIANT — it converts unknowns into false positives that hide live exposure.
3. ✗Don't wait for the deadline to start tracking — once a milestone is past, every non-compliant requirement is enforceable, not a "to-do."