Skip to content

EU AI Act Compliance: Deadlines, Duties, and First Steps

Sotiris SpyrouUpdated on

Share this article

LinkedInXEmail
EU AI Act Compliance: Deadlines, Duties, and First Steps

The EU AI Act is the first broad law to regulate artificial intelligence by risk, and it reaches any business whose AI output is used in the EU, wherever that business sits. It bans a small set of uses outright, puts heavy obligations on a defined list of high-risk systems, adds transparency duties for things like chatbots and deepfakes, and leaves most AI untouched. This guide covers what applies, when, and what to do first.

One thing to get right up front, because most guides published in 2025 now have it wrong. The headline "2 August 2026" deadline for high-risk systems has been pushed back. More on that in the timeline below.

The risk-based approach, in four tiers

The Act sorts AI by the risk it poses, and the obligations follow the tier.

Tier What it means Examples Your obligation
Unacceptable Banned outright under Article 5 Social scoring, manipulative techniques that cause harm, untargeted facial-image scraping, some biometric and emotion recognition Stop. These uses are prohibited
High Allowed but tightly controlled Annex III systems (employment, education, credit and essential services, law enforcement, migration), and AI as a safety component of regulated products (Annex I) The full Chapter III duties (Articles 9 to 15), a conformity assessment, and CE marking
Limited (transparency) Disclosure duties under Article 50 Chatbots, deepfakes, AI-generated content Tell people they are dealing with AI, and label AI or deepfake content
Minimal The vast majority of AI Spam filters, AI in games, inventory tools None mandated

The timeline, and the postponement everyone missed

The dates below are verified against Article 113 of the Regulation and the Commission's AI Act timeline.

  • 1 August 2024. The Act entered into force.
  • 2 February 2025. The bans on unacceptable-risk practices apply, along with AI literacy duties.
  • 2 August 2025. Obligations for general-purpose AI (GPAI) models apply, and the governance framework starts.
  • 2 August 2026. Originally the date the bulk of high-risk rules, penalties, and Article 50 transparency duties apply.
  • 2 August 2027. Originally the date for high-risk AI embedded in regulated products.

Here is the change. Under the Digital Omnibus on AI, the Council and Parliament reached political agreement on 7 May 2026, endorsed by Parliament on 16 June 2026, to postpone the high-risk deadlines:

  • Stand-alone high-risk systems (Annex III): moved to 2 December 2027.
  • High-risk AI embedded in regulated products (Annex I): moved to 2 August 2028.

As of mid-2026 this is not yet final law. It still needs formal adoption and publication, expected before the original 2 August 2026 date. The Article 50 transparency duties stay on the 2 August 2026 schedule. So the practical read is this: the chatbot and deepfake labelling rules still land in August 2026, but you have more runway on the heavy high-risk obligations than the original text suggested. Plan to the new dates, but watch for final adoption. See the Council statement and the Commission's Omnibus proposal.

Here are the dates that matter, with the postponement built in.

Date What applies Status
1 August 2024 The Act entered into force In force
2 February 2025 Bans on unacceptable-risk practices, plus AI literacy duties In force
2 August 2025 General-purpose AI model obligations and the governance framework In force
2 August 2026 Article 50 transparency duties (chatbots, deepfakes, AI-content labelling) On schedule, unchanged
2 December 2027 Stand-alone high-risk systems (Annex III) Postponed by the Digital Omnibus, pending final adoption
2 August 2028 High-risk AI embedded in regulated products (Annex I) Postponed by the Digital Omnibus, pending final adoption

Who it applies to, including non-EU businesses

Article 2 reaches further than many expect. It covers providers placing AI on the EU market whether or not they are established in the EU, deployers located in the EU, and crucially, providers and deployers in a third country where the output of the AI system is used in the Union. If a US or UK company runs an AI tool whose results land in front of EU users, the Act can apply. Pure scientific research and personal, non-professional use are carved out.

What high-risk systems must do

For a high-risk system, the provider obligations sit in Chapter III of the Act:

  • Risk management across the lifecycle (Article 9)
  • Data and data governance, with relevant and representative data (Article 10)
  • Technical documentation (Article 11) and record-keeping or logging (Article 12)
  • Transparency and information to deployers (Article 13)
  • Human oversight (Article 14)
  • Accuracy, robustness, and cybersecurity (Article 15)
  • A conformity assessment (Article 43) and CE marking (Article 48)

Deployers have their own duties too, including using the system per instructions and keeping human oversight in place.

General-purpose AI models

Every GPAI provider must keep technical documentation, give information to downstream developers, put a copyright policy in place, and publish a summary of training content. Models judged to carry systemic risk (presumed where training compute passes 10^25 FLOP) carry extra duties: notify the Commission, run model evaluations and adversarial testing, assess and mitigate systemic risk, report serious incidents to the AI Office, and protect the model's cybersecurity. The Commission's GPAI guidelines set out the detail.

The fines are real

Penalties under Article 99 are set as the higher of a fixed sum or a percentage of worldwide annual turnover:

Breach Maximum fine (the higher of the two) Basis
Prohibited practices EUR 35 million or 7% of worldwide annual turnover Article 99
Most other obligations EUR 15 million or 3% of turnover Article 99
Incorrect or misleading information to authorities EUR 7.5 million or 1% of turnover Article 99

GPAI providers face a separate regime under Article 101, with fines up to EUR 15 million or 3%, enforced by the Commission. Do not confuse the 1% misleading-information tier with GPAI fines.

What to do first

You do not need to solve everything at once. Sequence it.

  • Inventory your AI. List every system you build or use, and tag each by tier. Most of the work is here.
  • Kill or fix anything in the banned list. Article 5 is already in force.
  • Find your high-risk systems against Annex III and the regulated-product list, and start the Article 9 to 15 work on those.
  • Switch on transparency now. Chatbot disclosure and AI-content labelling are due August 2026 regardless of the Omnibus.
  • Pin down GPAI duties if you build or fine-tune models.
  • Map your extraterritorial exposure. If EU users see your AI output, assume you are in scope.

A note on sources. The independent EU AI Act Explorer is excellent for reading the article text, but it is run by the Future of Life Institute, not the EU. For anything that has to be bulletproof, cite EUR-Lex or the European Commission directly.

Frequently asked questions

When does the EU AI Act actually apply? Bans applied on 2 February 2025 and GPAI rules on 2 August 2025. The high-risk deadlines were 2 August 2026 and 2 August 2027, but the Digital Omnibus (agreed 7 May 2026, pending final adoption) moves stand-alone high-risk to 2 December 2027 and embedded high-risk to 2 August 2028. Article 50 transparency duties stay on 2 August 2026.

Does the EU AI Act apply to companies outside the EU? Yes. It applies to non-EU providers and deployers where the output of their AI system is used in the EU, as well as anyone placing AI on the EU market.

What are the fines? Up to EUR 35 million or 7% of global turnover for prohibited practices, up to EUR 15 million or 3% for most other breaches, and up to EUR 7.5 million or 1% for misleading information, whichever is higher.

What counts as high-risk AI? AI in the areas listed in Annex III (such as employment, credit, education, law enforcement, and migration) and AI used as a safety component of products already regulated under EU law (Annex I).

Where this leaves you

The deadline move buys time on high-risk, but the inventory work, the bans, and the transparency duties are live now. The firms that win here are the ones treating this as governance, not a one-off audit.

If you want your AI estate mapped to the Act and a plan for what to fix first, book a compliance review. For the governance model behind it, our book Ethical AI: Governing AI Before It Governs You sets out the approach boards are using.

References

  1. Regulation (EU) 2024/1689 (the EU AI Act), full text. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  2. European Commission. Regulatory framework on AI. https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
  3. European Commission. AI Act implementation timeline. https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act
  4. Council of the EU. Agreement to simplify and streamline AI rules (7 May 2026). https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/
  5. European Commission. Digital Omnibus on AI proposal. https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-ai-regulation-proposal
  6. European Commission. Guidelines for providers of general-purpose AI models. https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers
  7. European AI Office. https://digital-strategy.ec.europa.eu/en/policies/ai-office

If you want support with this, VerityAI offers AI compliance advisory.

Share this article

LinkedInXEmail
Sotiris Spyrou - Author

Sotiris Spyrou

Sotiris Spyrou is the founder of VerityAI, a Responsible AI advisory for boards and AI-deploying businesses. With 27 years across agencies, global in-house roles, and the C-suite, he advises leaders on AI governance and risk, and on answer-engine visibility engineered without the dark patterns the rest of the industry is getting penalised for. He is the author of TRANSFORM, AI Moats, and Ethical AI.

Founder at VerityAI