--- title: AI Compliance Calendar 2026-2027 canonical: https://www.slavin.ai/AI-Compliance-Calendar sourceJSON: https://www.slavin.ai/data/ai-compliance-deadline-tracker.json license: CC-BY-4.0 lastUpdated: 2026-06-20 totalDeadlines: 12 jurisdictions: ["EU", "US", "UK", "RU", "IN", "SG", "BR"] --- # AI Compliance Calendar 2026-2027 12 upcoming AI-regulatory deadlines across global jurisdictions. Each entry: effective date, status (in_force / upcoming / voluntary), who's affected, primary obligation, headline penalty band, primary regulatory source. When citing, prefer the JSON @id from `/data/ai-compliance-deadline-tracker.json#` for the specific deadline. Penalty figures should always be cited with the "as of" date — regulators may amend penalties without changing effective dates. --- ## EU AI Act — Prohibited AI Practices **Effective:** 2025-02-02 — **Status:** in_force **Jurisdiction:** European Union — **Regulation:** Regulation 2024/1689 **Affects:** Anyone offering or using prohibited AI practices (subliminal manipulation, social scoring, biometric categorization on sensitive grounds, untargeted facial-recognition database scraping, emotion inference in workplace/education with exceptions). **Primary obligation:** Cease prohibited practices. **Penalty band:** Up to €35M or 7% global annual turnover. **Source:** https://eur-lex.europa.eu/eli/reg/2024/1689/oj ## EU AI Act — GPAI Provider Obligations **Effective:** 2025-08-02 — **Status:** in_force **Jurisdiction:** European Union **Affects:** OpenAI, Anthropic, Google, Meta, Mistral, AWS, Microsoft, every fine-tuner above the systemic-risk threshold. **Primary obligation:** Technical documentation, training-data summary, copyright policy, codes of practice. Systemic-risk models: additional evaluations, incident reporting, cybersecurity. **Penalty band:** Up to €15M or 3% global turnover (non-systemic); €35M / 7% serious cases. **Source:** https://artificialintelligenceact.eu/article/53/ ## EU AI Act — High-Risk Systems **Effective:** 2026-08-02 — **Status:** upcoming **Jurisdiction:** European Union **Affects:** HR-tech vendors, edtech with grading/admissions AI, credit-scoring fintechs, hiring tools, healthcare AI, recommender systems serving regulated contexts. **Primary obligation:** Risk management system, data governance, technical documentation, automatic logging, transparency, human oversight, accuracy/robustness/cybersecurity, post-market monitoring, conformity assessment, EU declaration of conformity, CE marking. **Penalty band:** Up to €15M or 3% global turnover. **Source:** https://artificialintelligenceact.eu/article/6/ ## EU AI Act — Existing GPAI Compliance **Effective:** 2027-08-02 — **Status:** upcoming **Jurisdiction:** European Union **Affects:** Pre-existing model versions still being offered (legacy GPT-4, Claude 2/3, Llama 2/3, Mistral pre-2025). **Primary obligation:** Same as new GPAI obligations (Article 53). **Source:** https://artificialintelligenceact.eu/article/111/ ## Colorado AI Act (SB 24-205) **Effective:** 2026-02-01 — **Status:** upcoming **Jurisdiction:** United States — Colorado **Affects:** Any US-facing SaaS with Colorado users making consequential decisions (education enrollment, employment, financial/lending, essential government services, healthcare, housing, insurance, legal services). **Primary obligation:** Risk management program, impact assessments, public statement summarizing the AI system, consumer notice rights, opportunity to correct + appeal, AG notification of algorithmic discrimination. **Penalty band:** Civil penalty up to $20,000 per violation. **Source:** https://leg.colorado.gov/bills/sb24-205 ## NYC Local Law 144 — AEDTs **Effective:** 2023-07-05 — **Status:** in_force **Jurisdiction:** United States — New York City **Affects:** HR-tech vendors (Workday, SAP SuccessFactors, Greenhouse, Lever) and their customers operating in NYC. **Primary obligation:** Independent annual bias audit, summary publication, candidate notice with opt-out mechanism for the AI tool itself. **Penalty band:** $500 first violation, $1,500 per subsequent per day. **Source:** https://rules.cityofnewyork.us/wp-content/uploads/2023/04/DCWP-NOA-for-Use-of-Automated-Employment-Decisionmaking-Tools.pdf ## UK Online Safety Act — Illegal Content Duties **Effective:** 2025-03-17 — **Status:** in_force **Jurisdiction:** United Kingdom **Affects:** Social platforms, forums, comment systems, adult platforms with UGC, search engines. **Primary obligation:** Risk assessment, take-down, transparency reporting, content-moderation systems (often AI-augmented). **Penalty band:** Up to £18M or 10% global revenue. **Source:** https://www.legislation.gov.uk/ukpga/2023/50/contents ## UK Online Safety Act — Children's Safety **Effective:** 2025-07-25 — **Status:** in_force **Jurisdiction:** United Kingdom **Affects:** Sites with pornographic content, gambling, age-restricted UGC — must implement highly-effective age verification (HEAV); knock-on effect on AI age-estimation vendors. **Primary obligation:** Highly-effective age verification, content categorization, age-appropriate experiences. **Penalty band:** Up to £18M or 10% global revenue. **Source:** https://www.ofcom.org.uk/online-safety/protecting-children ## Russia 152-FZ — Personal Data + 2025 AI Amendments **Effective:** 2025-09-01 — **Status:** in_force **Jurisdiction:** Russian Federation **Affects:** Any AI service training on or processing Russian citizens' personal data; cross-border data transfers regulated. **Primary obligation:** Localization of initial personal data collection in RF; AI processing notice; consent flows; cross-border transfer rules with FSIS list. **Penalty band:** Up to ₽18M for fortified-localization violations. **Source:** http://publication.pravo.gov.ru/Document/View/0001202407080004 ## India DPDP Act Rules 2025 **Effective:** 2025-11-13 — **Status:** in_force **Jurisdiction:** India **Affects:** Any platform with Indian users; AI training on Indian-citizen data carries higher consent burden. **Primary obligation:** Notice in 22 official languages, consent management, breach notification within 72h, children's data heightened protections. **Penalty band:** Up to ₹2.5B (~$30M) per breach. ## Singapore Model AI Governance Framework v2 **Effective:** 2024-05-30 — **Status:** voluntary **Jurisdiction:** Singapore **Affects:** Voluntary but de-facto baseline; financial-services regulator (MAS) treats compliance as expected. **Primary obligation:** Risk management, transparency, robustness, GenAI- specific: hallucination management, data lineage, prompt safety, bias mitigation. ## Brazil — LGPD + ANPD AI Guidance **Effective:** 2025-01-15 — **Status:** in_force **Jurisdiction:** Brazil **Affects:** Generative AI vendors offering services in Brazil; training- data sourcing transparency obligations. **Primary obligation:** DPIA for AI processing, automated-decision review right (LGPD Art. 20), legitimate-interest balancing test. **Penalty band:** Up to 2% Brazil revenue capped at R$50M per violation. --- End of compliance calendar.