EU AI Act compliance means meeting the obligations set out in Regulation (EU) 2024/1689, the world's first comprehensive law governing artificial intelligence. The Act takes a risk-based approach, placing the strictest duties on prohibited and high-risk uses while leaving most low-risk systems largely untouched. It applies to providers and deployers both inside and outside the EU whenever an AI system is placed on the EU market or its output is used within the Union.
What is the EU AI Act?
The EU AI Act is a horizontal regulation that governs how artificial intelligence is developed, placed on the market, and used across the European Union. Rather than banning technology outright, it classifies AI systems by the risk they pose to health, safety, and fundamental rights, then attaches proportionate obligations to each tier. Because it is a regulation rather than a directive, it applies directly in all member states without the need for national transposition, which makes consistent, EU-wide enforcement far more likely than under a patchwork of local laws.
The EU AI Act entered into force on 1 August 2024, with prohibited-practice bans applying from 2 February 2025 and general-purpose AI (GPAI) model obligations from 2 August 2025 (European Commission, 2025).
Who must comply, and the four risk tiers
The Act reaches almost any organisation that touches AI in a professional context. Providers, the organisations that develop an AI system and place it on the market or put it into service under their own name or trademark, carry the heaviest burden. Deployers, the businesses and public bodies that use an AI system under their own authority in a professional context, have lighter but still meaningful duties, and importers, distributors and authorised representatives carry their own narrower set. Crucially, the rules are extraterritorial: a company based outside the EU is caught when it places a system on the EU market and, under Article 2(1)(c), whenever the output of its system is used inside the Union. Every system is then sorted into one of four risk tiers.
- Prohibited (unacceptable risk): practices listed in Article 5, such as social scoring, untargeted scraping of facial images from the internet or CCTV to build recognition databases, manipulative subliminal techniques, and emotion recognition in the workplace or in education (with a narrow exception for medical or safety reasons), are banned outright.
- High-risk: systems used in areas like biometrics, critical infrastructure, education, employment, credit scoring, law enforcement, and border control, or acting as a safety component in a regulated product.
- Limited risk: systems that carry only the transparency obligations of Article 50, for example chatbots that must tell users they are interacting with AI, and generative tools whose synthetic audio, image, video or text output must be marked as such in a machine-readable way.
- Minimal risk: the vast majority of applications, such as spam filters and AI in video games, which face no new obligations beyond voluntary codes.
The EU AI Act compliance timeline
The Act applies in phases rather than all at once, giving organisations time to prepare for the heavier obligations. In our experience, mapping your systems against these dates early is the single most useful planning step, because the classification you land on determines how much work is actually required.
- 1 August 2024: the EU AI Act enters into force.
- 2 February 2025: bans on prohibited AI practices and AI literacy obligations begin to apply.
- 2 August 2025: obligations for general-purpose AI (GPAI) models apply, along with governance and penalty provisions.
- 2 August 2026: the bulk of the regulation applies, including transparency duties and, originally, high-risk obligations for systems listed in Annex III.
- 2 August 2027: obligations apply for high-risk AI embedded in regulated products covered by existing EU product-safety law (Annex I). GPAI models already on the market before 2 August 2025 also have until this date to comply (Article 111(3)).
One important caveat for 2026: on 7 May 2026 the Council and European Parliament reached a political agreement on the Digital Omnibus, which proposes deferring the stand-alone high-risk (Annex III) obligations from 2 August 2026 to 2 December 2027, and the Annex I product-embedded obligations to 2 August 2028 (Council of the EU, 2026). The agreement still needs formal adoption before it takes legal effect, and it leaves the prohibited-practice bans, GPAI rules, and Article 50 transparency duties in place. Treat 2 August 2026 as the working deadline unless and until the deferral is confirmed in the Official Journal.
Obligations for high-risk AI systems
High-risk systems attract the most demanding requirements, and most of them must be satisfied before the system reaches the market. Providers bear the primary responsibility, but deployers (Article 26) must also use the system in line with its instructions, assign human oversight to people with the competence and authority to exercise it, monitor its operation, and keep the logs the system generates under their control for at least six months unless other EU or national law sets a longer period. The core obligations for providers are as follows.
- Establish a risk management system that runs across the entire lifecycle of the AI system.
- Apply data governance measures so training, validation, and testing data are relevant, representative, and appropriately checked for bias.
- Produce detailed technical documentation and keep it up to date.
- Design automatic logging (Article 12) so events across the system's lifetime can be traced, risks identified after deployment, and serious incidents investigated; a deployer cannot retain logs the provider never designed the system to produce.
- Build in effective human oversight (Article 14) and demonstrate accuracy, robustness, and cybersecurity (Article 15). The cybersecurity duty is explicitly AI-specific: Article 15(5) requires resilience against unauthorised attempts to alter the system's use, outputs or performance, and names data poisoning, model poisoning, adversarial examples or model evasion, and confidentiality attacks as threats the controls must address.
- Complete a conformity assessment, draw up the EU declaration of conformity, affix the CE marking, register the system in the EU database, and maintain a quality management system before placing it on the market.
Penalties for non-compliance
The Act uses a tiered penalty structure, and the ceilings are deliberately higher than those under the GDPR (EUR 20 million or 4%). In each tier the fine is the higher of a fixed amount or a percentage of total worldwide annual turnover for the preceding financial year, except that for SMEs, including start-ups, the cap is the lower of the two figures (Article 99(6)). Breaching the ban on prohibited practices sits at the top of the scale.
Breaching the ban on prohibited AI practices can trigger fines of up to EUR 35 million or 7% of total worldwide annual turnover, whichever is higher. Breaches of most other obligations, including those on providers and deployers of high-risk systems and the Article 50 transparency duties, carry up to EUR 15 million or 3%, and supplying incorrect, incomplete or misleading information to notified bodies or national authorities up to EUR 7.5 million or 1% (Article 99, EU AI Act).
A practical EU AI Act readiness checklist
Compliance is far more manageable when broken into discrete, sequenced steps. The following checklist reflects the order we recommend organisations work through as they prepare.
- 1. Build an inventory of every AI system you develop, buy, or deploy, and note whether you are the provider or the deployer.
- 2. Classify each system against the four risk tiers, flagging anything that may be prohibited or high-risk.
- 3. Confirm any GPAI models in use and check that their providers meet the Article 53 duties: technical documentation, information for downstream providers, a copyright-compliance policy, and a published summary of training content.
- 4. Run a gap assessment for high-risk systems against the risk management, data governance, documentation, logging, and oversight requirements.
- 5. Assign clear ownership and establish AI governance roles, policies, and an approval workflow.
- 6. Deliver AI literacy training so staff who build or use these systems understand their obligations.
- 7. Prepare conformity assessment and EU database registration evidence ahead of the applicable deadline.
- 8. Set up ongoing post-market monitoring (Article 72) and a serious-incident reporting process (Article 73), including the evidence trail needed to meet the reporting deadlines once a serious incident is identified.
How the EU AI Act fits with global AI governance
The EU AI Act does not sit in isolation. Voluntary frameworks give you the operational scaffolding to meet its legal demands, and much of the work overlaps. Our guide to the NIST AI Risk Management Framework walks through a practical, controls-based approach to identifying and treating AI risk that maps neatly onto the Act's risk management obligations. For a certifiable management system, our ISO 42001 implementation roadmap explains how to stand up an AI management system that provides the governance, documentation, and continual-improvement structures regulators expect. If you are weighing the two, our comparison of ISO 42001 and the NIST AI RMF sets out where each adds the most value.
For teams starting from scratch, understanding what an AI management system actually is provides the foundation for everything above, and our set of governance questions every board should ask helps leadership steer the programme with the right level of oversight. Used together, these frameworks turn EU AI Act compliance from a one-off scramble before a deadline into a repeatable, auditable capability, which is exactly what a risk-based regulation of this scale demands.