
The EU AI Act: What Businesses Need to Do Before August 2026

Last updated: May 18, 2026

The EU AI Act became law on 1 August 2024. The first wave of prohibitions took effect on 2 February 2025. By 2 August 2026, most organizations deploying or selling AI in Europe will need to comply, or otherwise face fines of up to €35 million.

This guide covers every layer of the regulation: 

  • who it applies to, 
  • what it bans, 
  • what it requires from high-risk systems, 
  • what it means for general-purpose AI models like GPT-4 or Gemini, 
  • and how the enforcement works.

All facts below are sourced directly from the official regulation text and verified against the European Commission’s published guidance.

Table of Contents:

  1. What Is the EU AI Act?
  2. Key Dates You Must Know
  3. The Four Risk Tiers
  4. What’s Outright Banned
  5. High-Risk AI: The Compliance Workload
  6. General-Purpose AI Models (GPAI)
  7. Who Does the Act Apply To?
  8. Fines and Enforcement
  9. The AI Literacy Obligation
  10. What Organizations Should Do Now: A Checklist
  11. Sources and Further Reading
  12. The Short Version
  13. FAQ

What Is the EU AI Act?

The EU AI Act – officially Regulation (EU) 2024/1689 – is the world’s first binding legal framework for artificial intelligence. It was adopted by the European Parliament on 13 March 2024, entered into force on 1 August 2024, and applies across all 27 EU member states without needing separate national implementation.

The regulation defines an AI system as “a machine-based system designed to operate with varying levels of autonomy” that generates outputs such as predictions, recommendations, decisions, or content that influence real or virtual environments. 

The definition is deliberately broad – it covers systems ranging from a CV-screening algorithm to a large language model (LLM).

The Act is built on a risk-tiered structure. It does not treat all AI the same way: a spam filter and a system that decides whether someone gets a bank loan face completely different obligations. The higher the potential harm, the stricter the rules.

Key Dates You Must Know

The regulation rolls out in phases, not all at once. Here is the schedule:

Infographic: EU AI Law Key Dates
  • 1 August 2024: Regulation entered into force
  • 2 February 2025: Prohibited AI practices banned (Chapter II). The six-month grace period from entry into force expired.
  • 2 August 2025: Rules for general-purpose AI (GPAI) models apply. Governance structure (AI Office, AI Board) becomes operational.
  • 2 August 2026: Main body of the Act applies to all other AI systems, including most high-risk systems. This is the headline compliance deadline.
  • 2 August 2027: Deadline for AI systems embedded in regulated products (e.g. medical devices, machinery) that were already on the market before August 2026.

Source: Regulation (EU) 2024/1689, Articles 113–114  

Important Update as of May 2026:

EU Parliament and Council reached a provisional deal on May 7, 2026 to push the August 2026 deadline to December 2, 2027 for stand-alone high-risk systems, and to August 2, 2028 for AI used as safety components in regulated products. 

Author’s Note. As formal adoption is pending, I did not update the dates in the visual or text.

The Four Risk Tiers

The Act sorts AI systems into four categories. Compliance obligations depend entirely on which tier your system falls into.

| Risk Tier | Examples | What’s Required |
|---|---|---|
| Unacceptable (Banned) | Social scoring by governments; real-time remote biometric ID in public spaces; manipulative subliminal techniques | Fully prohibited from 2 Feb 2025 |
| High Risk | CV-screening tools, credit scoring, critical infrastructure AI, medical devices, border control | Conformity assessment, EU database registration, human oversight, bias testing |
| Limited Risk | Chatbots, deepfakes, emotion-recognition systems | Transparency obligations – users must be told they are interacting with AI |
| Minimal Risk | AI-powered spam filters, video-game AI, basic recommendation engines | No mandatory requirements – voluntary codes of conduct encouraged |

Source: Regulation (EU) 2024/1689, Articles 5, 6, 50 and Annex III

What’s Outright Banned 

Article 5 prohibits eight categories of AI practices. These have been illegal across the EU since 2 February 2025, with no exception or transition period.

The Six Core Prohibitions

  • Subliminal manipulation: AI that influences people’s behavior without their awareness in ways that cause or could cause harm.
  • Exploiting vulnerabilities: Systems targeting people based on age, disability, or social or economic circumstances to materially distort their behavior.
  • Social scoring by public authorities: Governments or public bodies using AI to score citizens based on their social behavior or personal characteristics.
  • Real-time remote biometric identification (RLBID) in public spaces: With limited exceptions, law enforcement cannot use live facial recognition in public. 
  • Predictive policing based on profiling: AI that predicts criminal behavior based solely on profiling rather than objective factual evidence.
  • Facial recognition databases scraped from the internet or CCTV: Building or expanding recognition databases by untargeted scraping.
  • Emotion recognition in workplaces and schools: AI inferring emotional states of employees or students, with narrow exceptions for medical or safety purposes.
  • Biometric categorisation to infer sensitive attributes: Using biometric data to infer political opinions, religious beliefs, sexual orientation, or race.

The real-time biometric ID rule does have narrow law-enforcement exceptions, for example searching for missing children, preventing imminent terrorist threats, or identifying suspects in serious crimes. But these require prior judicial authorization in most cases, and each member state can choose to permit or further restrict these uses.

Source: European Commission’s Article 5 guidance page

High-Risk AI: The Compliance Workload

The high-risk AI system list covers eight domains:

  • Biometric identification and categorization of natural persons;
  • Management and operation of critical infrastructure;
  • Education and vocational training (including exam assessment);
  • Employment, worker management, and access to self-employment (CV screening, performance monitoring);
  • Access to essential private and public services – credit scoring, insurance, benefits;
  • Law enforcement systems;
  • Migration, asylum, and border control;
  • Administration of justice and democratic processes.

If your AI system falls into one of these categories, you face a substantial compliance checklist before it can be deployed.

What High-Risk Providers Must Do

  • Risk management system: A documented, continuous process identifying and mitigating risks throughout the system’s lifecycle.
  • Data governance: Training, validation, and test data must be relevant, representative, and free from discriminatory patterns, to the extent reasonably possible.
  • Technical documentation: Detailed records describing the system’s design, development, and intended purpose, kept for 10 years after the system is placed on the market.
  • Automatic logging: Systems must generate logs of their operation automatically so incidents can be traced.
  • Transparency to deployers: Providers must give deployers instructions for use, including known limitations and risks.
  • Human oversight: Systems must allow human intervention during operation, including the ability to override or stop the system.
  • Accuracy, robustness, cybersecurity: Systems must meet performance thresholds and be protected against adversarial attacks.
  • EU database registration: Operators must register high-risk systems in a public EU-wide database (the EUAI Database) before deployment.
  • Conformity assessment: Depending on the system type, this may be self-assessment or a third-party audit by a notified body.

Source: Regulation (EU) 2024/1689, Articles 8–25 and Annex III

General-Purpose AI Models (GPAI)

Chapter V, which applies from 2 August 2025, introduces a separate tier for general-purpose AI models – the large foundation models that power most modern AI products.

The key threshold is 10²⁵ FLOPs (floating-point operations used during training). Models trained above this threshold are classified as GPAI models with systemic risk and face a stricter set of requirements.

Author’s Note. A reference point for FLOPs: GPT-3 (2020): ~3 × 10²³ FLOPs – below the threshold; GPT-4 (2023-2024): ~3.8 × 10²⁵ FLOPs – at or above the threshold. Because so many models now exceed 10²⁵ FLOPs, critics argue the EU AI Act’s threshold is already aging. The EU AI Office’s own guidelines acknowledge it may need updating over time.

All GPAI Providers Must:

  • Prepare and maintain technical documentation;
  • Comply with EU copyright law for training data;
  • Publish a detailed summary of training data;
  • Cooperate with the AI Office on information requests.

GPAI Models With Systemic Risk Must Also:

  • Perform model evaluations, including adversarial testing (“red-teaming”);
  • Report serious incidents to the AI Office within defined timeframes;
  • Implement cybersecurity protections;
  • Maintain an up-to-date inventory of the model’s capabilities and known limitations.

The European Commission can also designate a model as having systemic risk even if it falls below the 10²⁵ FLOPs threshold, based on factors like the number of users, cross-sector integration, or potential for irreversible societal harm.

As of May 2026, models widely considered to meet the systemic risk threshold include GPT-4 class models and similar. The AI Office is responsible for oversight and can require independent audits.

Source: Regulation (EU) 2024/1689, Articles 51–55 and Recital 110

Who Does the Act Apply To?

The territorial scope of the EU AI Act is deliberately wide. Article 2 makes clear it applies to:

  • Providers placing AI systems on the EU market, regardless of whether they are based in the EU;
  • Deployers using AI systems in the EU;
  • Non-EU providers and deployers whose AI system outputs are used in the EU.

This means a US-based company selling an AI hiring tool used by European employers must comply, even if it has no EU offices. The same logic applies to any company whose AI system produces effects felt inside the EU.

There are narrow exemptions: military and national security AI, AI used purely for scientific research, AI components in open-source software (with conditions), and personal non-professional use.

Roles and Who Carries the Burden

Providers (those who develop or place AI systems on the market) carry the heaviest obligations, particularly for high-risk systems. They own the conformity assessment, the technical documentation, and the post-market monitoring.

Deployers (organizations using a ready-made AI system for a specific purpose) have lighter but still meaningful obligations. They must use the system according to the provider’s instructions, conduct fundamental rights impact assessments in specific cases, and implement human oversight.

Source: EU AI Act Service Desk, Article 2: Scope

Fines and Enforcement

The penalties for non-compliance are structured in three bands. In each band, the maximum fine is the higher of a fixed euro amount or a percentage of global annual turnover:

| Violation Type | Max Fine | Or (Turnover) |
|---|---|---|
| Prohibited practices (e.g. social scoring) | €35,000,000 | 7% of global annual turnover |
| High-risk system non-compliance | €15,000,000 | 3% of global annual turnover |
| Providing false information to authorities | €7,500,000 | 1.5% of global annual turnover |
| SMEs / start-ups – any violation | Lower of the two figures above applies | |

SMEs (Small and Medium Sized Enterprises) and start-ups pay whichever figure is lower (the fixed cap or the turnover percentage).

Enforcement falls to national market surveillance authorities in each member state, coordinated at EU level by the AI Office. The AI Office has direct supervisory power over GPAI providers. For cross-border cases, a lead authority mechanism mirrors the GDPR’s consistency procedure.

The AI Office can also impose fines directly on GPAI providers, up to €15 million or 3% of global annual turnover, for failures like not cooperating with investigations. 

Source + Full Regulations: Regulation (EU) 2024/1689, Articles 99–101

The AI Literacy Obligation

Article 4 of the regulation introduces an obligation that often gets overlooked: AI literacy.

Both providers and deployers must “take measures to ensure, to their best extent, a sufficient level of AI literacy” among their staff who operate AI systems, taking into account their technical knowledge, experience, education, and training.

The regulation does not prescribe a specific training program. But it does draw a line: anyone using a high-risk AI system needs enough understanding to exercise meaningful oversight. If a human reviewer is simply approving decisions made by an algorithm without understanding how it reached them, that does not meet the standard.

Practically, this means documenting your AI literacy program, especially for deployments of high-risk systems. If an authority investigates an incident, they will ask whether your staff were adequately trained.

What Organizations Should Do Now: A Checklist

With the August 2026 deadline for most high-risk obligations approaching, here is a practical starting point:

1. Build Your AI Inventory

Map every AI system your organization develops or deploys. Categorize each one against the risk tiers. You cannot comply with rules you do not know apply to you.

2. Identify Your Role

For each system, determine whether your organization is a provider, deployer, or both. The obligations differ significantly.

3. Prioritize High-Risk Systems

If you have anything that falls into Annex III – CV screening, credit scoring, access management for public services – that is where compliance work should start. Conformity assessments take time.

4. Check for Prohibited Practices Now

The February 2025 prohibitions are already in effect. If you are running social scoring tools, real-time biometric ID in public spaces, or emotion-recognition in your workplace or schools, those are illegal today.

5. Review GPAI Supply Chain

If you are building products on top of foundation models, check whether your API provider has published their technical documentation, training data summaries, and incident-reporting processes. As a deployer, you may have inherited obligations.

6. Start the Literacy Program

Document what training your teams receive on the AI systems they use. It doesn’t need to be elaborate, but it needs to exist.

7. Watch for Delegated Acts

The Commission is still finalizing delegated acts covering topics like high-risk system classification thresholds and conformity assessment procedures. Sign up for updates from the AI Office or your national authority.

Sources and Further Reading

Official regulation text (EUR-Lex)

European Commission AI Office

European Parliament adoption (13 March 2024)

AI Act implementation timeline: European Commission 

GPAI Code of Practice (AI Office)

The Short Version

The EU AI Act is not a distant compliance deadline. The most consequential prohibitions, including bans on social scoring, real-time biometric surveillance, and emotion recognition in schools and workplaces, have been in force since February 2025.

For most organizations, the urgent work is an AI inventory and a risk classification exercise. Most AI tools in everyday business use – recommendation engines, spam filters, basic automation – fall into minimal risk and carry no mandatory requirements.

But if you have anything touching employment decisions, credit assessment, or public services, keep in mind that the August 2026 deadline is close and the conformity assessment process takes longer than most teams expect.

Start with the inventory. Everything else will follow from knowing what you have.

FAQ

What is the EU AI Act? 

It is the world’s first binding, comprehensive legal framework for artificial intelligence, applying across all 27 EU member states without separate national implementation.

Does the EU AI Act apply to companies outside the EU? 

Yes. If your AI system is placed on the EU market or its outputs are used within the EU, the Act applies regardless of where your company is headquartered. A US firm selling an AI hiring tool to European employers is included.

What AI practices are already illegal?

Eight categories have been banned since 2 February 2025 under Article 5, including social scoring by public authorities, real-time biometric identification in public spaces, emotion recognition in workplaces and schools, facial recognition database scraping, and predictive policing based on profiling.

What counts as a high-risk AI system? 

Systems listed in Annex III – covering employment decisions, credit scoring, biometric identification, critical infrastructure, education, law enforcement, migration, and justice administration. Classification depends on the domain and the decisions influenced, not the technical sophistication of the model.

When do high-risk compliance obligations apply? 

Following the provisional Digital Omnibus agreement reached on 7 May 2026, the deadline for stand-alone Annex III high-risk systems moved to 2 December 2027. AI embedded in regulated products (Annex I) moves to 2 August 2028. Note that both dates are pending formal adoption.

What are the maximum fines? 

Up to €35 million or 7% of global annual turnover for prohibited practice violations. Up to €15 million or 3% for high-risk non-compliance. SMEs pay whichever figure is lower – the fixed one or the turnover percentage.

What is the AI literacy obligation? 

Article 4 requires both providers and deployers to ensure their staff have sufficient understanding of the AI systems they use. It does not prescribe a specific training program, but passively approving algorithmic decisions without understanding them does not meet the standard.

What should organizations do right now? 

Build an AI inventory, classify each system against the risk tiers, check for any prohibited practices already in use, and review your GPAI supply chain. The high-risk deadline has shifted to late 2027, but governance, documentation, and oversight frameworks take time to build. Starting now is still the right move.
