EU AI Act Compliance: 2026 Timeline & Obligations

Standarity Editorial Team, AI Governance & ISO 42001 Practitioners
7 min read

EU AI Act compliance means meeting the obligations set out in Regulation (EU) 2024/1689, the world's first comprehensive law governing artificial intelligence. The Act takes a risk-based approach, placing the strictest duties on prohibited and high-risk uses while leaving most low-risk systems largely untouched. It applies to providers and deployers both inside and outside the EU whenever an AI system is placed on the EU market or its output is used within the Union.

What is the EU AI Act?

The EU AI Act is a horizontal regulation that governs how artificial intelligence is developed, placed on the market, and used across the European Union. Rather than banning technology outright, it classifies AI systems by the risk they pose to health, safety, and fundamental rights, then attaches proportionate obligations to each tier. Because it is a regulation rather than a directive, it applies directly in all member states without the need for national transposition, which makes consistent, EU-wide enforcement far more likely than under a patchwork of local laws.

The EU AI Act entered into force on 1 August 2024, with prohibited-practice bans applying from 2 February 2025 and general-purpose AI (GPAI) model obligations from 2 August 2025 (European Commission, 2025).

Who must comply, and the four risk tiers

The Act reaches almost any organisation that touches AI in a professional context. Providers, the organisations that develop an AI system and place it on the market under their own name, carry the heaviest burden. Deployers, the businesses and public bodies that use an AI system professionally, have lighter but still meaningful duties. Crucially, the rules are extraterritorial: a company based outside the EU is caught whenever the output of its system is used inside the Union. Every system is then sorted into one of four risk tiers.

  • Prohibited (unacceptable risk): practices such as social scoring, untargeted facial-image scraping, manipulative subliminal techniques, and workplace or classroom emotion recognition are banned outright.
  • High-risk: systems used in areas like biometrics, critical infrastructure, education, employment, credit scoring, law enforcement, and border control, or acting as a safety component in a regulated product.
  • Limited risk: systems such as chatbots and generative tools that carry transparency obligations, for example telling users they are interacting with AI or labelling synthetic content.
  • Minimal risk: the vast majority of applications, such as spam filters and AI in video games, which face no new obligations beyond voluntary codes.

The EU AI Act compliance timeline

The Act applies in phases rather than all at once, giving organisations time to prepare for the heavier obligations. In our experience, mapping your systems against these dates early is the single most useful planning step, because the classification you land on determines how much work is actually required.

  • 1 August 2024: the EU AI Act enters into force.
  • 2 February 2025: bans on prohibited AI practices and AI literacy obligations begin to apply.
  • 2 August 2025: obligations for general-purpose AI (GPAI) models apply, along with governance and penalty provisions.
  • 2 August 2026: the bulk of the regulation applies, including transparency duties and, originally, high-risk obligations for systems listed in Annex III.
  • 2 August 2027: obligations apply for high-risk AI embedded in regulated products covered by existing EU product-safety law (Annex I).

One important caveat for 2026: on 7 May 2026 the Council and European Parliament reached a political agreement on the Digital Omnibus, which proposes deferring the stand-alone high-risk (Annex III) obligations from 2 August 2026 to 2 December 2027, and the Annex I product-embedded obligations to 2 August 2028 (Council of the EU, 2026). The agreement still needs formal adoption before it takes legal effect, and it leaves the prohibited-practice bans, GPAI rules, and Article 50 transparency duties in place. Treat 2 August 2026 as the working deadline unless and until the deferral is confirmed in the Official Journal.

Obligations for high-risk AI systems

High-risk systems attract the most demanding requirements, and most of them must be satisfied before the system reaches the market. Providers bear the primary responsibility, but deployers must also use the system as intended, maintain human oversight, and monitor its operation. The core obligations for providers are as follows.

  • Establish a risk management system that runs across the entire lifecycle of the AI system.
  • Apply data governance measures so training, validation, and testing data are relevant, representative, and appropriately checked for bias.
  • Produce detailed technical documentation and keep it up to date.
  • Design automatic logging so events can be traced and serious incidents monitored.
  • Build in effective human oversight and demonstrate accuracy, robustness, and cybersecurity.
  • Complete a conformity assessment, register the system in the EU database, and maintain a quality management system before placing it on the market.

Penalties for non-compliance

The Act uses a tiered penalty structure, and the ceilings are deliberately higher than those under the GDPR. In each case the fine is the higher of a fixed amount or a percentage of worldwide annual turnover, though a proportionality mechanism means smaller organisations face the lower of the two figures. Breaching the ban on prohibited practices sits at the top of the scale.

Breaching the ban on prohibited AI practices can trigger fines of up to EUR 35 million or 7% of total worldwide annual turnover, whichever is higher; most other high-risk breaches carry up to EUR 15 million or 3%, and supplying misleading information to authorities up to EUR 7.5 million or 1% (Article 99, EU AI Act).

A practical EU AI Act readiness checklist

Compliance is far more manageable when broken into discrete, sequenced steps. The following checklist reflects the order we recommend organisations work through as they prepare.

  • 1. Build an inventory of every AI system you develop, buy, or deploy, and note whether you are the provider or the deployer.
  • 2. Classify each system against the four risk tiers, flagging anything that may be prohibited or high-risk.
  • 3. Confirm any GPAI models in use and check that their providers meet documentation and transparency duties.
  • 4. Run a gap assessment for high-risk systems against the risk management, data governance, documentation, logging, and oversight requirements.
  • 5. Assign clear ownership and establish AI governance roles, policies, and an approval workflow.
  • 6. Deliver AI literacy training so staff who build or use these systems understand their obligations.
  • 7. Prepare conformity assessment and EU database registration evidence ahead of the applicable deadline.
  • 8. Set up ongoing post-market monitoring and serious-incident reporting.

How the EU AI Act fits with global AI governance

The EU AI Act does not sit in isolation. Voluntary frameworks give you the operational scaffolding to meet its legal demands, and much of the work overlaps. Our guide to the NIST AI Risk Management Framework walks through a practical, controls-based approach to identifying and treating AI risk that maps neatly onto the Act's risk management obligations. For a certifiable management system, our ISO 42001 implementation roadmap explains how to stand up an AI management system that provides the governance, documentation, and continual-improvement structures regulators expect. If you are weighing the two, our comparison of ISO 42001 and the NIST AI RMF sets out where each adds the most value.

For teams starting from scratch, understanding what an AI management system actually is provides the foundation for everything above, and our set of governance questions every board should ask helps leadership steer the programme with the right level of oversight. Used together, these frameworks turn EU AI Act compliance from a one-off scramble before a deadline into a repeatable, auditable capability, which is exactly what a risk-based regulation of this scale demands.

Frequently Asked Questions

When does the EU AI Act take effect?

The EU AI Act entered into force on 1 August 2024 and applies in phases. Bans on prohibited practices applied from 2 February 2025, GPAI model obligations from 2 August 2025, and the bulk of the rules from 2 August 2026, with product-embedded high-risk obligations following in August 2027.

Who has to comply with the EU AI Act?

Any organisation that provides or deploys AI systems connected to the EU market must comply. Providers who develop and place systems on the market carry the heaviest duties, while deployers who use them professionally have lighter obligations. The rules are extraterritorial, so non-EU companies are caught whenever their system output is used inside the Union.

What are the four risk categories under the EU AI Act?

The Act sorts AI into four tiers: prohibited (unacceptable-risk practices that are banned), high-risk (systems in sensitive areas such as employment, credit, biometrics, and critical infrastructure), limited risk (systems with transparency duties, such as chatbots), and minimal risk (most everyday applications, which face no new obligations).

What are the penalties for breaching the EU AI Act?

Fines reach up to EUR 35 million or 7% of worldwide annual turnover for prohibited practices, up to EUR 15 million or 3% for most other high-risk breaches, and up to EUR 7.5 million or 1% for supplying misleading information. The higher of the fixed amount or the turnover percentage generally applies.

Does the EU AI Act apply to companies outside the EU?

Yes. The Act has extraterritorial reach. Providers and deployers based outside the EU fall within scope whenever they place an AI system on the EU market or the output of their system is used within the Union, regardless of where the organisation is established.

Have the high-risk AI deadlines been delayed?

A political agreement on the Digital Omnibus reached on 7 May 2026 proposes deferring stand-alone high-risk (Annex III) obligations from 2 August 2026 to 2 December 2027, and product-embedded obligations to 2 August 2028. The change is not yet formally adopted, so organisations should keep preparing for the original deadlines until it is confirmed.
