EU AI Act Compliance Guide: Deadlines, Risk Tiers, and What You Must Do Now
Published: February 10, 2026 | Regulatory Analysis
Critical Compliance Dates
Aug 1, 2024 — EU AI Act entered into force
Feb 2, 2025 — Prohibited AI practices banned (PASSED)
Aug 2, 2025 — GPAI model obligations effective (PASSED)
Aug 2, 2026 — Full high-risk AI enforcement (6 MONTHS AWAY)
€35M / 7% — Maximum fine for prohibited practices (whichever is higher)
Sources: European Commission, EU AI Act Official Text, GDPR Local
The EU AI Act is no longer theoretical. It's the world's first comprehensive AI regulation, and with full enforcement for high-risk systems arriving August 2, 2026, organizations have exactly six months to achieve compliance or face penalties that could reach billions for the largest companies. This isn't about checking boxes—it's about fundamentally rethinking how AI systems are built, deployed, and governed.
The Enforcement Timeline: Where We Are Now
Aug 1, 2024EU AI Act enters into force
Feb 2, 2025Prohibited AI practices banned — social scoring, manipulative AI, emotion recognition in workplaces
Aug 2, 2025General-Purpose AI (GPAI) model obligations effective — transparency, documentation, copyright compliance
Aug 2, 2026High-risk AI system requirements enforced — conformity assessments, CE marking mandatory
Aug 2, 2027Extended deadline for AI embedded in regulated products (medical devices, vehicles)
The August 2026 deadline is particularly significant: if your high-risk AI system doesn't have a CE mark by August 2, 2026, you cannot legally sell it in the EU market. Not "shouldn't." Not "might face penalties." Cannot.
While the European Commission has discussed potential delays due to implementation challenges, the deadlines remain unchanged. Organizations that wait for clarity will find themselves scrambling.
The Four Risk Tiers: Understanding Your Obligations
The EU AI Act uses a risk-based approach, categorizing AI systems into four tiers with escalating requirements:
Risk Level
Requirements
Examples
Penalties
Unacceptable
Banned outright
Social scoring, manipulative AI, real-time biometric ID in public spaces, emotion recognition at work/school
€35M or 7% turnover
High Risk
Conformity assessments, risk management, data governance, technical documentation, CE marking
Credit scoring, hiring/recruiting tools, medical diagnostics, law enforcement, critical infrastructure
€15M or 3% turnover
Limited Risk
Transparency and disclosure obligations
Chatbots, deepfakes, generative AI systems
€7.5M or 1% turnover
Minimal Risk
No specific obligations (voluntary codes of conduct encouraged)
Spam filters, video games, inventory management
—
The Prohibited Practices (Already in Force)
Since February 2, 2025, these AI practices are banned in the EU:
Social scoring by public authorities that leads to detrimental treatment
Manipulative AI using subliminal techniques to distort behavior and cause harm
Exploitation AI targeting vulnerabilities related to age, disability, or socioeconomic circumstances
Predictive policing based solely on profiling or personality traits
Untargeted facial recognition scraping from the internet or CCTV to build databases
Emotion recognition in workplace and educational settings
Biometric categorization inferring protected characteristics (race, political views, sexual orientation)
Real-time remote biometric identification in public spaces (with narrow law enforcement exceptions)
If any of your AI systems fall into these categories, they must have been shut down by February 2025. The grace period is over.
High-Risk AI: The August 2026 Compliance Challenge
High-risk AI systems face the most demanding requirements. These include AI used in:
Law enforcement (evidence assessment, crime prediction)
Migration and border control
Justice and democratic processes
Mandatory Requirements for High-Risk Systems
Before placing a high-risk AI system on the EU market, providers must:
Risk Management System: Establish and maintain a documented risk management process throughout the AI system's lifecycle
Data Governance: Ensure training data meets quality standards, is representative, and minimizes bias
Technical Documentation: Prepare comprehensive documentation for regulatory verification
Logging and Traceability: Design systems that generate logs enabling audit and oversight
Human Oversight: Build systems that enable meaningful human oversight and intervention
Accuracy and Robustness: Achieve required levels of accuracy, security, and resilience
Conformity Assessment: Complete either self-assessment or notified body assessment
EU Database Registration: Register the system in the European AI database
CE Marking: Affix the CE conformity mark before market placement
"Think of the EU AI Act like GDPR, but for algorithms. If GDPR was about data rights, the AI Act is about decision rights—ensuring humans remain in control of automated decisions that affect their lives."
General-Purpose AI Model Obligations
Since August 2025, providers of general-purpose AI models (like large language models) face specific horizontal obligations:
Standard GPAI Requirements:
Provide technical documentation to the European AI Office
Prepare summaries of training data content
Maintain policies respecting EU copyright law
Share relevant information with downstream deployers
Systemic Risk GPAI (Additional Requirements):
GPAI models with systemic risk (e.g., models trained with significant compute) face additional obligations including model evaluations, adversarial testing, incident tracking, and cybersecurity requirements.
The European AI Office is developing a General Purpose AI Code of Practice to provide detailed compliance guidance. GPAI models already on the market have until August 2027 for full compliance.
The Penalty Structure: Why This Matters
Violation Type
Maximum Fine
% of Global Turnover
Prohibited AI practices
€35 million
7%
Non-compliance with provider/deployer duties
€15 million
3%
GPAI model violations
€15 million
3%
Misleading or inaccurate information to authorities
€7.5 million
1%
The turnover percentage clause is critical: for the largest global technology companies, 7% of global turnover could mean fines in the tens of billions of euros. This isn't theoretical—it's the same structure that made GDPR enforcement genuinely impactful.
Compliance Checklist: What to Do Now
Inventory all AI systems — Catalog every AI system your organization develops, deploys, or distributes that affects the EU market
Classify by risk tier — Determine which of the four categories each system falls into, and document your reasoning
Verify prohibited practice compliance — Confirm no systems fall under the eight banned categories (deadline already passed)
Begin high-risk documentation — Start technical documentation, risk assessments, and conformity assessment planning now (6 months to deadline)
Establish AI governance — Assign clear responsibility for AI compliance, create approval processes, and ensure AI literacy training
Implement human oversight mechanisms — Build the technical and organizational capability for meaningful human control
Assess GDPR overlap — Ensure AI systems comply with data protection requirements alongside AI Act obligations
Monitor guidance updates — Track European Commission and European AI Office guidance as implementation clarifies
The Strategic Perspective: Beyond Compliance
The EU AI Act represents a fundamental shift in how societies govern artificial intelligence. But viewing it purely as a compliance burden misses the larger picture.
Organizations that build robust AI governance frameworks now will have a competitive advantage. As AI becomes more powerful and more integrated into critical decisions, the organizations that can demonstrate trustworthy, explainable, and accountable AI systems will win customer trust and regulatory favor.
The EU's approach is already influencing global standards. Similar frameworks are emerging in other jurisdictions, and multinational companies will increasingly need to meet AI governance requirements regardless of where they're headquartered.
The clock is ticking. August 2026 is six months away. The organizations that treat this as a strategic priority—not a last-minute scramble—will be the ones that thrive in the regulated AI future.