Skip to main content
compliance deadline trackerMulti-jurisdiction (EU, US federal, multiple US states)

Track These AI Compliance Deadlines in 2026

A jurisdiction-by-jurisdiction reference consolidating every active and incoming AI regulatory deadline in 2026 — covering the EU AI Act, U.S. state laws, and federal actions — with penalty ranges and practical next steps for legal professionals.

Entry details

Who it applies to
Legal professionals, compliance officers, and organizations deploying AI across EU and US jurisdictions; obligations vary by role (provider, deployer, employer, vendor)
Last reviewed
2026-07-09

One AI deployment in 2026 can land on more than one compliance calendar at once. A hiring-screening tool may trigger New York City bias-audit rules, Illinois employment obligations, California automated decision-making notices, and EU AI Act risk classification work if the same vendor or workflow touches EU users or operations. A customer analytics model may sit under consumer-protection enforcement even when no AI-specific statute has reached its first enforcement date.

This tracker is current as of July 9, 2026. It is an operational reference, not legal advice. Treat each entry as a calendar item to verify against primary law, regulator guidance, and current counsel review before relying on it for a deployment decision.

Overlapping regulatory timeline strips converging toward one AI deployment

2026 AI Compliance Deadline Tracker

Calendar items should be verified against current legal sources before use.
Jurisdiction or regimeKey dateObligation triggerPenalty or enforcement exposureImmediate next step
EU AI ActAugust 2, 2026 for high-risk provider obligations; proposed delay to December 2, 2027 for standalone high-risk systems remains unsettledProvider of a high-risk AI system, with separate analysis needed for deployer obligations and risk categoryUp to €35 million or 7% of global annual turnover for the most serious violationsClassify systems now; do not remove the August 2, 2026 date from the calendar unless the delay is finally adopted
Colorado SB 26-189January 1, 2027Use of covered AI systems under the replacement Colorado frameworkState enforcement risk under the new consumer-notice-and-human-review model; verify final enforcement details against current Colorado sourcesReplace any SB 24-205 tracker entry with SB 26-189 and schedule implementation work before year-end 2026
California CPPA ADMT regulationsEffective January 1, 2026; full compliance by January 2027Use of automated decision-making technology covered by California privacy regulationsCalifornia privacy enforcement exposure; obligations include notices, opt-out rights, and retention requirementsInventory ADMT uses, draft pre-use notices, map opt-out handling, and preserve required records
California SB 53Track through 2026 implementation planningCovered AI activities under California’s AI-specific requirementsUp to $1 million per violationAssign California AI obligations to a named owner rather than leaving them inside a general privacy workstream
California AB 2013Track through 2026 implementation planningCovered generative AI training-data transparency obligationsVerify current statutory and enforcement details before publication or vendor relianceAsk vendors for training-data transparency materials and publication schedules
NYC Local Law 144Active; annual independent bias audit required before use and then annuallyAutomated employment decision tool used for hiring or promotion in New York City$500 to $1,500 per violationConfirm whether each hiring or promotion tool is in scope; calendar the annual audit and notice review
Illinois IHRA amendmentsActive in 2026AI use in employment decisions covered by Illinois anti-discrimination rulesEmployment enforcement and discrimination-risk exposureReview employment AI notices, human review procedures, and vendor documentation
Texas TRAIGATrack during 2026 for applicability and enforcement postureCovered AI development, deployment, or use under Texas AI governance requirementsState enforcement exposure; verify current scope before deploymentScreen Texas-facing systems for coverage and preserve an uncertainty note until final guidance is reviewed
Federal executive-order and enforcement landscapeDecember 2025 Executive Order; litigation and preemption activity ongoing in 2026Federal AI litigation, consumer protection, employment, or preemption challenge affecting AI usesNo automatic suspension of state AI laws as of July 2026Do not pause state-law compliance solely because a federal challenge may develop

The table is intentionally not elegant. A useful AI compliance calendar has to keep inconsistent legal categories visible: provider, deployer, employer, covered business, vendor, consumer-facing operator. Flattening those roles into one “AI owner” column is how notice obligations and audit dates disappear.

The EU AI Act Date Should Stay on the Calendar Until the Delay Is Real

The EU AI Act’s high-risk date is the most dangerous kind of deadline: both close enough to require work and politically unsettled enough to invite wishful scheduling. Holland & Knight reported that August 2, 2026 is the binding compliance date for high-risk AI Act obligations for providers, while the European Parliament voted in April 2026 to potentially delay standalone high-risk obligations to December 2, 2027, subject to Council agreement before the original deadline.[1]

That is not the same as saying the deadline has moved. A tracker should carry both dates: August 2, 2026 as the operative date, and December 2, 2027 as a pending-delay scenario. If the business removes the August date too early, the compliance team loses the lead time needed for classification, technical documentation, vendor questions, and role analysis. If the business ignores the delay debate entirely, it may overbuild against a timeline that changes.

The first assignment is classification. Decide whether the system is prohibited, high-risk, limited-risk, or outside the main AI Act categories; then decide whether the organization is acting as a provider, deployer, importer, distributor, or another regulated actor. Readers who need a plain-language classification starting point can use the EU AI Act risk categories glossary. For deeper deployer obligations and the provider/deployer distinction, use the EU AI Act law firm compliance guide.

The penalty number belongs in the same row as the date, not buried in a risk memo. The EU AI Act allows fines up to €35 million or 7% of global annual turnover for the most serious violations.[1] That figure does not mean every late control creates maximum exposure. It does mean the calendar entry needs an accountable owner, a last-reviewed date, and an uncertainty note visible to legal, procurement, security, and the business sponsor.

Relative penalty severity bars across AI compliance jurisdictions

Colorado Is the Stale-Source Trap

Colorado needs a conspicuous correction flag in any 2026 AI compliance file. Finnegan reported that Colorado repealed SB 24-205 on May 14, 2026 and replaced it with SB 26-189, moving from the earlier duty-of-care framework to a consumer-notice-and-human-review model effective January 1, 2027.[2]

That makes otherwise respectable early-2026 summaries risky. If a vendor questionnaire, board deck, or compliance register still refers to Colorado SB 24-205 as the operative framework, the next step is not a legal debate. The next step is a document-control correction: mark the entry obsolete, add SB 26-189, record the May 14, 2026 repeal date, and set a review task for the final implementation requirements before January 1, 2027.

  • Search internal trackers, vendor assessments, and policy drafts for “SB 24-205” and “Colorado AI Act.”
  • Replace the entry with SB 26-189 and preserve a note that the prior framework was repealed on May 14, 2026.
  • Classify affected systems by consumer-notice and human-review obligations rather than by the repealed duty-of-care model.
  • Set January 1, 2027 as the effective-date anchor and add an earlier internal readiness date in Q4 2026.

Colorado is also a reminder that AI compliance is not only about detecting regulated AI uses. It is about detecting when the compliance source itself has expired.

California Needs a Cluster View, Not Three Separate Memos

California’s 2026 problem is density. SB 53, AB 2013, and the California Privacy Protection Agency’s automated decision-making technology regulations do not all ask the same thing, but they can touch the same deployment file. A business using automated decisioning, generative AI, or vendor-supplied AI should not track these as isolated alerts assigned to different teams with no shared inventory.

The CPPA ADMT regulations are the clearest calendar item: they became effective January 1, 2026, with full compliance by January 2027, and require pre-use notices, opt-out rights, and four-year data retention for covered automated decision-making technology.[3][4]

California itemWhy it belongs in the same trackerOwner to assign
CPPA ADMT regulationsThey create operational steps before and after use: notice, opt-out handling, and four-year retentionPrivacy lead with product and records-management support
SB 53The penalty figure can reach $1 million per violation, so it should not sit in an informal AI policy backlogLegal owner for California AI obligations
AB 2013Training-data transparency questions affect procurement, vendor diligence, and public-facing disclosuresVendor-risk or product counsel, depending on who controls the model

For an in-house team, the practical move is to make California a deployment checklist rather than a jurisdiction memo. Before launch, ask whether the system makes or supports decisions about consumers or employees, whether any pre-use notice is required, whether an opt-out path exists, what records must be retained, whether training-data transparency materials are needed, and whether the vendor contract supplies enough information to answer those questions.

The four-year retention requirement should be assigned deliberately. If records management assumes product will keep the evidence, and product assumes privacy has archived the notice, the organization may keep neither in a form that can be retrieved during an inquiry. A calendar entry should say who preserves the notice, who preserves the opt-out workflow evidence, and who reviews the retention rule before deletion.

Employment AI Rules Are Already Operational

NYC Local Law 144 is not a future-planning item. It requires an annual independent bias audit for any automated employment decision tool used in hiring or promotion, with penalties of $500 to $1,500 per violation.[4][3] If the recruiting team buys a screening tool in August and legal reviews it in November, the calendar has already failed.

The useful sequence is procurement-first. No employment AI tool should enter pilot, renewal, or expansion without a scope question: will this tool substantially assist or replace discretionary decision-making for hiring or promotion in New York City? If yes, the annual audit and notice obligations need dates, not just policy language.

Illinois belongs in the same employment-AI review because its Human Rights Act amendments are active in 2026 and affect AI use in employment decisions. The available sources support a narrower operational conclusion: review notices, human-review procedures, and discrimination-risk controls for Illinois-covered employment AI rather than assuming a New York audit alone answers every state employment question.

Texas and General Consumer-Protection Enforcement Should Not Be Treated as Blank Space

Texas TRAIGA should be carried as a 2026 applicability and enforcement-review item. The available materials do not support overstating a universal operational checklist here, but they do support a screening task: identify Texas-facing AI systems, determine whether the organization develops, deploys, or uses covered AI, and preserve a current-source note before launch or renewal.

More broadly, state attorneys general retain enforcement authority under general consumer-protection statutes even when specific AI laws are challenged or uncertain.[4] That matters for compliance scheduling because a missing AI-specific effective date is not the same as no enforcement risk. Marketing claims, deceptive interfaces, discriminatory outputs, unfair consumer practices, and inadequate disclosures can still create exposure under existing authority.

The Federal Executive Order Creates Uncertainty, Not a Pause Button

The Trump administration’s December 2025 Executive Order created an AI Litigation Task Force, adding federal preemption and litigation uncertainty to the 2026 compliance landscape.[4][5] As of July 2026, the materials do not identify any court ruling that has struck down state AI laws across the board. State obligations remain calendar items unless and until a court, legislature, or regulator changes them.

That distinction should be visible in the tracker. A federal-preemption column can say “monitor,” “challenged,” or “potentially affected.” It should not say “inactive” unless there is current legal authority for that status. The person maintaining the compliance calendar needs permission to keep doing unglamorous work while the constitutional arguments develop elsewhere.

How to Maintain the Calendar Without Turning It Into a Junk Drawer

The global backdrop explains why the tracker will not stay tidy. Mind Foundry reported in January 2026 that at least 69 countries had proposed more than 1,000 AI-related policy initiatives, and 72 countries had active AI frameworks.[6] That is context, not a reason to build a world-law spreadsheet no one can maintain. The calendar should start with jurisdictions tied to actual deployments, customers, employees, vendors, and data flows.

Calendar fieldWhy it matters
JurisdictionPrevents a single AI use from being reviewed only under the law that was easiest to find
RoleSeparates provider, deployer, employer, covered business, and vendor obligations
TriggerShows whether the rule applies because of hiring, consumer decisions, model provision, training-data disclosure, or another use
Effective dateKeeps active, incoming, and proposed obligations from blending together
Penalty or enforcement exposureHelps triage review without turning the tracker into scare copy
Source and last-reviewed dateMakes stale-law risk visible, especially after changes like Colorado’s repeal and replacement
Uncertainty notePreserves unsettled items such as the EU delay proposal or federal preemption challenges without pretending they are resolved
Named ownerStops the obligation from living in a shared inbox

Tooling can help once the fields are clear. If the organization is deciding whether to manage this in GRC software, contract tools, privacy platforms, or a dedicated AI governance product, the AI compliance software buying guide is the more useful next stop. If the current question is whether certification would reduce diligence friction or create false comfort, use the AI compliance certification decision framework.

The maintenance cadence should match the risk of change. EU AI Act high-risk timing needs review before August 2, 2026 and again after any Council action. Colorado needs review after SB 26-189 implementation materials develop and before January 1, 2027. California ADMT work needs evidence of full-compliance readiness before January 2027. NYC employment tools need an annual audit cycle tied to actual use, not fiscal-year convenience.

In Q3 2026, the safer posture is not to bet on one EU delay, one federal challenge, or one vendor assurance. It is to keep a unified, source-checked AI compliance calendar that shows overlapping obligations as they are: sometimes active, sometimes incoming, sometimes contested, and always capable of becoming someone else’s emergency if they are not assigned now.

References

  1. US Companies Face EU AI Act’s Possible August 2026 Compliance Deadline, Holland & Knight, April 2026.
  2. Colorado Replaces Landmark AI Act: An Overview of the New SB 26-189 Framework, Finnegan, May 2026.
  3. US AI Hiring Laws Compliance Guide 2026, ConsultILS.
  4. 2026 AI Laws Update: Key Regulations and Practical Guidance, Gunderson Dettmer, February 2026.
  5. 2026 AI Legal Forecast: From Innovation to Compliance, Baker Donelson, January 2026.
  6. AI Regulations Around the World, Mind Foundry, January 2026.

Corrections & feedback

Submit corrections, report new regulatory developments, or flag jurisdiction-specific clarifications. Comments are moderated. Nothing in comments constitutes legal or compliance advice.

Comments

Join the discussion with an anonymous comment.

Loading comments...
Blogarama - Blog Directory