Is your organisation ready for the most comprehensive AI regulation the world has ever seen? The EU AI Act is not a distant proposal or a draft under review. It is an active, enforceable law with deadlines already in effect and penalties that can reach up to 7% of global annual turnover.
Whether you build AI systems, deploy them in your operations, or simply use AI-generated outputs within the European Union, this regulation applies to you. Much like the GDPR reshaped data protection globally, the EU AI Act is set to redefine how artificial intelligence is developed, marketed, and monitored across every industry.
This blog breaks down every critical aspect of the EU AI Act. From its risk-based classification framework to enforcement timelines, penalty structures, and the recent Digital Omnibus deadline extension, you will find accurate, officially sourced information to help your organisation plan its compliance roadmap.
The EU AI Act is the first standalone legal framework dedicated entirely to regulating artificial intelligence systems.
The European Commission first proposed the AI Act in April 2021. After extensive negotiations between the European Parliament and the Council of the EU, the final text was formally adopted in March 2024. The regulation was published in the Official Journal of the European Union on 12 July 2024 and entered into force on 1 August 2024.
Unlike sector-specific guidelines, the EU AI Act creates a horizontal regulatory framework. It applies across all industries and sectors where AI systems are developed, placed on the market, or put into service within the EU.
The EU AI Act follows a risk-based approach. This means the level of regulatory obligation placed on an AI system depends directly on the potential harm it could cause. Low-risk systems face minimal or no requirements. High-risk systems must meet strict compliance standards before they can operate in the EU market.
This proportional model ensures innovation is not stifled unnecessarily while maintaining strong protections for fundamental rights, safety, and democratic values.
The regulation applies to providers who develop or place AI systems on the EU market, deployers who use AI systems within the EU, and importers or distributors who bring AI products into the European market. Crucially, it also applies to organisations outside the EU if their AI system outputs are used within EU territory.
The EU AI Act classifies all AI systems into four distinct risk tiers, each carrying different compliance obligations.
AI systems that pose a direct threat to fundamental rights and safety are banned outright. These prohibitions have been enforceable since 2 February 2025. The banned practices include:
High-risk AI systems are those embedded in regulated products or operating in sensitive domains listed under Annex III of the regulation. These include AI used in biometric identification, critical infrastructure management, education and vocational training, employment and worker management, access to essential private and public services (including credit scoring), law enforcement and border control, and migration and asylum processes.
Providers of high-risk systems must conduct conformity assessments, maintain detailed technical documentation, register systems in an EU database, implement risk management processes, ensure data governance standards, and provide human oversight mechanisms.
Limited-risk AI systems carry specific transparency duties. Users must be informed when they are interacting with an AI system such as a chatbot. AI-generated content, including deepfakes, must be clearly labelled. Text produced by AI and published to inform the public on matters of public interest must be identified as artificially generated.
These obligations ensure people can make informed decisions about the AI-generated content they encounter.
AI systems that present negligible risk, such as spam filters, AI-enabled video games, and basic recommendation engines, face no mandatory compliance obligations under the Act. Providers are encouraged to follow voluntary codes of conduct, but there are no enforceable rules at this tier.
The EU AI Act follows a phased implementation schedule, giving organisations time to prepare for each set of obligations.
The regulation officially entered into force on this date. From this point, the clock started on all subsequent compliance deadlines. Organisations were expected to begin assessing their AI systems and planning their compliance strategies.
Two obligations became enforceable on this date. First, all prohibited AI practices under Article 5 were banned. Any organisation still operating a prohibited system after this date faces the highest tier of penalties.
Second, the AI literacy obligation under Article 4 took effect. This requires all providers and deployers to ensure their staff and any persons dealing with AI systems on their behalf have a sufficient level of AI literacy. This applies to every organisation using AI, not just those with high-risk systems. Organisations must document their GDPR staff training and AI training measures to demonstrate compliance.
Obligations for providers of general-purpose AI (GPAI) models became applicable. Providers must maintain detailed technical documentation covering model architecture, training data, computational resources used, and intended use cases. They must publish summaries of training data, comply with EU copyright law, and share relevant information with downstream providers.
GPAI models with systemic risk (trained using more than 10 to the power of 25 floating-point operations) face additional requirements, including rigorous risk assessments, cybersecurity measures, and serious incident reporting. The European AI Office published the final Code of Practice for GPAI providers on 10 July 2025 to support voluntary compliance.
Transparency rules under the AI Act come into full effect. Chatbot operators, deepfake creators, and AI-generated text publishers must meet their disclosure obligations. Additional governance and reporting requirements also apply from this date.
This is the updated deadline following the Digital Omnibus agreement. On 7 May 2026, the Council of the EU and the European Parliament reached a provisional agreement to defer the application date for stand-alone high-risk AI systems from 2 August 2026 to 2 December 2027. The European Parliament formally approved this on 16 June 2026.
The delay was prompted by the fact that CEN-CENELEC, the European standards body responsible for developing harmonised standards for high-risk AI conformity assessment, indicated those standards would not be available until Q4 2026 at the earliest. Without published standards, organisations could not meaningfully complete conformity assessments.
Providers of GPAI models that were placed on the market before 2 August 2025 must achieve full compliance by this date. New models released after August 2025 were required to comply immediately upon release.
High-risk AI systems embedded in products already covered by existing EU product safety legislation (such as medical devices, machinery, and toys) must comply by this date. This extended timeline reflects the complexity of aligning AI-specific requirements with existing sectoral regulations.
GPAI models receive dedicated treatment under the EU AI Act because of their wide-ranging capabilities and downstream applications.
A GPAI model is any AI model trained on broad data at scale that can serve a variety of purposes, both directly and when integrated into other systems. Models capable of generating text, audio, images, or video from text prompts fall under this category. Large language models and multimodal foundation models are primary examples.
All GPAI providers must maintain and make available technical documentation describing the model’s architecture, input and output modalities, model size, training process, and data used. They must provide information to downstream providers so those providers can understand the model’s capabilities and limitations. Compliance with EU copyright law, including the text and data mining provisions, is mandatory.
Models trained using computational power exceeding 10 to the power of 25 floating-point operations are presumed to carry systemic risk. These models face enhanced obligations, including conducting adversarial testing and red-teaming, implementing cybersecurity protections, tracking and reporting serious incidents to the European AI Office, and ensuring adequate energy efficiency documentation.
The EU AI Act deliberately mirrors the extraterritorial approach of the GDPR, but with an even lower threshold for applicability.
Article 2 of the regulation captures three categories of non-EU entities. First, providers who place AI systems or GPAI models on the EU market, regardless of where they are established. Second, deployers located outside the EU whose AI systems produce outputs used within EU territory. Third, any provider or deployer whose system’s output ends up being used in the EU, even without direct targeting of EU customers.
This means a company with no EU offices, no EU staff, and no EU-based servers can still fall within scope if its AI system output is used in the Union.
Non-EU providers of high-risk AI systems must appoint an authorised representative established in the EU. This representative accepts a written mandate to carry out obligations on the provider’s behalf, including registration, documentation, and communication with national authorities.
While GDPR applies when companies actively target EU individuals, the EU AI Act triggers when an AI system’s output is merely used in the EU. The word ‘used’ sets a lower bar than ‘targeting,’ making the Act’s reach potentially broader. The penalty ceiling is also higher, with fines up to 7% of global turnover compared to GDPR’s 4%.
The EU AI Act establishes a three-tier penalty structure under Article 99, with fines scaled to the severity of the violation.
Operating a banned AI system after 2 February 2025 attracts the highest penalties. Fines can reach up to 35 million euros or 7% of total worldwide annual turnover for the preceding financial year, whichever is higher. This tier covers all violations of Article 5 prohibited practices.
Non-compliance with high-risk system requirements, GPAI obligations, and other substantive provisions can result in fines up to 15 million euros or 3% of global annual turnover. This covers failures in conformity assessment, documentation, human oversight, and risk management obligations.
Supplying inaccurate, incomplete, or misleading information to national authorities or notified bodies carries fines of up to 7.5 million euros or 1% of global annual turnover. This tier also applies to failures in cooperation with regulatory investigations.
For SMEs and startups, fines are capped at the lower of the two amounts (fixed sum versus percentage), providing some proportional relief. However, the penalties remain significant enough to make non-compliance a serious financial risk for any organisation.
The EU AI Act creates a multi-layered governance framework with responsibilities split between EU-level and national bodies.
Established within the European Commission, the European AI Office serves as the central body for GPAI model oversight. It has the authority to conduct evaluations of GPAI models, request information from providers, and impose sanctions. The AI Office also coordinates cross-border enforcement and supports the development of harmonised standards and codes of practice.
Each EU Member State must designate at least one notifying authority and one market surveillance authority. Notifying authorities oversee the designation of conformity assessment bodies for high-risk AI systems. Market surveillance authorities supervise and enforce compliance at the national level, with powers to investigate, issue corrective actions, and impose penalties.
Three advisory bodies support governance. The European Artificial Intelligence Board brings together Member State representatives to coordinate enforcement. The Scientific Panel consists of 60 independent experts focused on frontier AI, technical auditing, and systemic risk. The Advisory Forum represents a diverse range of stakeholders, including industry, civil society, and academia.
Article 4 introduced one of the broadest obligations in the entire regulation, applicable to every organisation that builds or uses AI.
Providers and deployers must take measures to ensure a sufficient level of AI literacy among their staff and any persons dealing with AI systems on their behalf. The obligation considers the individual’s technical knowledge, experience, education, training, and the specific context in which AI systems are used.
There is no prescribed curriculum, no mandatory certification, and no official examination. The regulation gives organisations flexibility in how they achieve compliance, but requires documented measures that can be presented to regulators upon request.
This obligation has been enforceable since 2 February 2025. Organisations that have not yet implemented AI literacy programmes are already at risk of non-compliance. A practical starting point is to audit existing training resources, identify gaps, and document all measures taken. Since August 2025, if an untrained employee causes harm using an AI system, the organisation faces direct liability.
Failure to meet Article 4 requirements falls under the general penalty tier of Article 99, with fines up to 15 million euros or 3% of worldwide annual turnover. There is no formal requirement to appoint a dedicated AI officer, but organisations should have a clear internal structure for managing AI literacy efforts.
The Digital Omnibus represents the most significant amendment to the EU AI Act since its adoption, and understanding its impact is essential for compliance planning.
On 7 May 2026, the Council of the EU and the European Parliament reached a provisional agreement on targeted amendments to the EU AI Act as part of the European Commission’s broader Digital Omnibus initiative. This package was designed to simplify and streamline specific rules without altering the fundamental structure of the regulation.
The most impactful change is the deferral of high-risk AI system compliance deadlines. Stand-alone high-risk AI systems under Annex III now have until 2 December 2027 instead of 2 August 2026. High-risk AI systems embedded in regulated products have until 2 August 2028. The European Parliament gave final approval to this package on 16 June 2026.
The rationale is technical rather than political. CEN-CENELEC, the European standards body tasked with developing the harmonised standards that underpin high-risk AI conformity assessment, reported that these standards would not be ready until Q4 2026 at the earliest. Without published standards, conformity assessments could not be carried out meaningfully. The extension gives both standards bodies and organisations the time needed for proper implementation.
With multiple deadlines already passed and others approaching, proactive preparation is the only viable strategy.
Start by mapping every AI system your organisation develops, deploys, or uses. Classify each system according to the EU AI Act’s risk categories. Identify which systems fall under prohibited practices, high-risk obligations, limited-risk transparency rules, or minimal-risk categories. This inventory forms the foundation of your compliance roadmap.
Build internal governance structures for AI oversight. Assign clear responsibilities for compliance monitoring, risk assessment, and incident reporting. Create and maintain technical documentation for all high-risk and GPAI systems. Ensure your user consent mechanisms align with transparency requirements, particularly for chatbots and AI-generated content.
Since the AI literacy obligation is already enforceable, organisations must ensure all relevant staff have received appropriate training. Document every training initiative, workshop, or resource provided. Tailor training to the specific roles and contexts in which employees interact with AI systems.
If your organisation operates high-risk AI systems, begin preparing for conformity assessment well before the December 2027 deadline. This includes establishing risk management processes, data governance protocols, logging mechanisms, and human oversight controls. Monitor the development of harmonised standards by CEN-CENELEC to align your preparations accordingly.
The EU AI Act intersects with existing regulations, including the GDPR, the Product Safety Regulation, and sector-specific legislation. Your legal and compliance teams should map these intersections and identify any overlapping obligations. Non-EU organisations should assess whether they need to appoint an authorised representative within the EU.
The EU AI Act is not a future concern. It is an active regulation with obligations already in force and substantial penalties for non-compliance. From prohibited practices to GPAI transparency rules and the recently extended high-risk deadlines, every organisation using AI within or connected to the EU market needs a clear compliance plan. Start your AI inventory, train your teams, and build governance structures now, because regulatory enforcement will not wait.
Preparing for the EU AI Act goes beyond AI systems; it starts with responsible data practices and transparent consent management. Seers helps organisations build a strong compliance foundation that supports both privacy and AI governance goals.
START FREE TODAYThe EU AI Act establishes a legal framework to regulate artificial intelligence systems based on the level of risk they pose to individuals and society. It aims to protect fundamental rights, ensure safety, and promote trustworthy AI development. The regulation creates clear rules for providers, deployers, and importers of AI systems operating within the European Union market.
The regulation has extraterritorial reach similar to the GDPR but with a lower threshold. Any organisation that places AI systems on the EU market or whose AI outputs are used within the EU falls within scope. This applies regardless of where the company is headquartered, whether or not it has offices or staff in any EU Member State.
The regulation prohibits AI systems that use subliminal manipulation, exploit vulnerable groups, enable social scoring by public authorities, or perform untargeted facial image scraping. Emotion recognition in workplaces and educational settings is also banned. Real-time biometric identification in public spaces for law enforcement is restricted to narrowly defined exceptions.
The Digital Omnibus deferred the compliance deadline for stand-alone high-risk AI systems from 2 August 2026 to 2 December 2027. High-risk systems in regulated products now have until 2 August 2028. This extension was granted because the harmonised standards needed for conformity assessments were not yet available from the European standards bodies.
The highest fines apply to prohibited practice violations and reach up to 35 million euros or 7% of total worldwide annual turnover, whichever is greater. Other violations can attract fines of up to 15 million euros or 3% of turnover. Supplying incorrect information to authorities carries fines up to 7.5 million euros or 1% of turnover.
Article 4 requires all AI providers and deployers to ensure their staff have sufficient understanding of the AI systems they work with. There is no mandated curriculum or certification programme. Organisations must document the training measures they implement and tailor them to each employee’s role, technical knowledge, and the specific AI systems they interact with.
An AI system is classified as high-risk if it serves as a safety component in a product covered by existing EU safety legislation or falls within Annex III application areas. These areas include biometric identification, critical infrastructure, education, employment, credit scoring, law enforcement, and border management. High-risk systems require conformity assessments and EU database registration.
Providers of general-purpose AI models must maintain detailed technical documentation, publish training data summaries, comply with EU copyright rules, and share model information with downstream providers. Models classified as systemic risk face additional duties, including adversarial testing, cybersecurity protections, and incident reporting to the European AI Office.
The first set of obligations became enforceable on 2 February 2025. This included the ban on all prohibited AI practices listed under Article 5 and the AI literacy requirement under Article 4. Organisations operating prohibited systems after this date face fines up to 35 million euros or 7% of global turnover.
While both regulations have extraterritorial reach, the EU AI Act applies whenever AI output is used in the EU, which is a lower threshold than GDPR’s requirement of actively targeting EU individuals. The AI Act’s maximum fine of 7% of global turnover also exceeds GDPR’s 4% cap. Both regulations can apply simultaneously to the same organisation.
The regulation provides proportional treatment for smaller organisations. Fines for SMEs and startups are capped at the lower of the fixed amount or the percentage-based calculation. Regulatory sandboxes are also mandated to allow smaller companies to test innovative AI systems under supervised conditions before full market deployment.
The European AI Office sits within the European Commission and serves as the central authority for GPAI model oversight. It can evaluate models, request information from providers, and apply sanctions. The Office also coordinates cross-border enforcement activities, supports the development of harmonised standards, and works alongside national market surveillance authorities.
Rimsha ZafarRimsha is a Senior Content Writer at Seers AI with over 5 years of experience in advanced technologies and AI-driven tools. Her expertise as a research analyst shapes clear, thoughtful insights into responsible data use, trust, and future-facing technologies.
Take our Free Cookie Audit and find out
Join 50,000+ websites using Seers.Ai to turn compliance into trust, insights, & measurable business growth.
United Kingdom
24 Holborn Viaduct
London, EC1A 2BN
Get our monthly newsletter with insightful blogs and industry news
By clicking “Subcribe” I agree Terms and Conditions
Seers Group © 2026 All Rights Reserved
Terms of use | Privacy policy | Cookie Policy | Sitemap | Do Not Sell or Share My Personal Information.