Author: Rimsha Zafar
July 7, 2026

EU AI Act: What It Means, Key Deadlines, and How to Prepare for Compliance

Is your organisation ready for the most comprehensive AI regulation the world has ever seen? The EU AI Act is not a distant proposal or a draft under review. It is an active, enforceable law with deadlines already in effect and penalties that can reach up to 7% of global annual turnover.

 

Whether you build AI systems, deploy them in your operations, or simply use AI-generated outputs within the European Union, this regulation applies to you. Much like the GDPR reshaped data protection globally, the EU AI Act is set to redefine how artificial intelligence is developed, marketed, and monitored across every industry.

 

This blog breaks down every critical aspect of the EU AI Act. From its risk-based classification framework to enforcement timelines, penalty structures, and the recent Digital Omnibus deadline extension, you will find accurate, officially sourced information to help your organisation plan its compliance roadmap.

What Is the EU AI Act

The EU AI Act is the first standalone legal framework dedicated entirely to regulating artificial intelligence systems.

Origins and Legislative Journey

The European Commission first proposed the AI Act in April 2021. After extensive negotiations between the European Parliament and the Council of the EU, the final text was formally adopted in March 2024. The regulation was published in the Official Journal of the European Union on 12 July 2024 and entered into force on 1 August 2024.

 

Unlike sector-specific guidelines, the EU AI Act creates a horizontal regulatory framework. It applies across all industries and sectors where AI systems are developed, placed on the market, or put into service within the EU.

Core Regulatory Approach

The EU AI Act follows a risk-based approach. This means the level of regulatory obligation placed on an AI system depends directly on the potential harm it could cause. Low-risk systems face minimal or no requirements. High-risk systems must meet strict compliance standards before they can operate in the EU market.

 

This proportional model ensures innovation is not stifled unnecessarily while maintaining strong protections for fundamental rights, safety, and democratic values.

Scope and Applicability

The regulation applies to providers who develop or place AI systems on the EU market, deployers who use AI systems within the EU, and importers or distributors who bring AI products into the European market. Crucially, it also applies to organisations outside the EU if their AI system outputs are used within EU territory.

The Four Risk Categories Under the EU AI Act

The EU AI Act classifies all AI systems into four distinct risk tiers, each carrying different compliance obligations.

Unacceptable Risk: Prohibited AI Practices

AI systems that pose a direct threat to fundamental rights and safety are banned outright. These prohibitions have been enforceable since 2 February 2025. The banned practices include:

 

  • AI systems that deploy subliminal, manipulative, or deceptive techniques to distort behaviour and cause significant harm
  • Systems that exploit vulnerabilities related to age, disability, or socioeconomic circumstances
  • Social scoring by public authorities that leads to the detrimental treatment of individuals
  • Real-time remote biometric identification in publicly accessible spaces for law enforcement, except in narrowly defined circumstances
  • Untargeted scraping of facial images from the internet or CCTV to build facial recognition databases
  • Emotion recognition systems used in workplaces and educational institutions
  • Biometric categorisation systems that infer sensitive personal information such as race, political opinions, or sexual orientation

High-Risk AI Systems

High-risk AI systems are those embedded in regulated products or operating in sensitive domains listed under Annex III of the regulation. These include AI used in biometric identification, critical infrastructure management, education and vocational training, employment and worker management, access to essential private and public services (including credit scoring), law enforcement and border control, and migration and asylum processes.

 

Providers of high-risk systems must conduct conformity assessments, maintain detailed technical documentation, register systems in an EU database, implement risk management processes, ensure data governance standards, and provide human oversight mechanisms.

Limited Risk: Transparency Obligations

Limited-risk AI systems carry specific transparency duties. Users must be informed when they are interacting with an AI system such as a chatbot. AI-generated content, including deepfakes, must be clearly labelled. Text produced by AI and published to inform the public on matters of public interest must be identified as artificially generated.

 

These obligations ensure people can make informed decisions about the AI-generated content they encounter.

Minimal Risk: No Mandatory Requirements

AI systems that present negligible risk, such as spam filters, AI-enabled video games, and basic recommendation engines, face no mandatory compliance obligations under the Act. Providers are encouraged to follow voluntary codes of conduct, but there are no enforceable rules at this tier.

Official Implementation Timeline and Key Deadlines

The EU AI Act follows a phased implementation schedule, giving organisations time to prepare for each set of obligations.

1st August 2024: Entry into Force

The regulation officially entered into force on this date. From this point, the clock started on all subsequent compliance deadlines. Organisations were expected to begin assessing their AI systems and planning their compliance strategies.

2nd February 2025: Prohibited Practices and AI Literacy

Two obligations became enforceable on this date. First, all prohibited AI practices under Article 5 were banned. Any organisation still operating a prohibited system after this date faces the highest tier of penalties.

 

Second, the AI literacy obligation under Article 4 took effect. This requires all providers and deployers to ensure their staff and any persons dealing with AI systems on their behalf have a sufficient level of AI literacy. This applies to every organisation using AI, not just those with high-risk systems. Organisations must document their GDPR staff training and AI training measures to demonstrate compliance.

2nd August 2025: GPAI Model Obligations

Obligations for providers of general-purpose AI (GPAI) models became applicable. Providers must maintain detailed technical documentation covering model architecture, training data, computational resources used, and intended use cases. They must publish summaries of training data, comply with EU copyright law, and share relevant information with downstream providers.

 

GPAI models with systemic risk (trained using more than 10 to the power of 25 floating-point operations) face additional requirements, including rigorous risk assessments, cybersecurity measures, and serious incident reporting. The European AI Office published the final Code of Practice for GPAI providers on 10 July 2025 to support voluntary compliance.

2nd August 2026: Transparency and Other Obligations

Transparency rules under the AI Act come into full effect. Chatbot operators, deepfake creators, and AI-generated text publishers must meet their disclosure obligations. Additional governance and reporting requirements also apply from this date.

2nd December 2027: High-Risk AI Systems (Annex III) - Updated Deadline

This is the updated deadline following the Digital Omnibus agreement. On 7 May 2026, the Council of the EU and the European Parliament reached a provisional agreement to defer the application date for stand-alone high-risk AI systems from 2 August 2026 to 2 December 2027. The European Parliament formally approved this on 16 June 2026.

 

The delay was prompted by the fact that CEN-CENELEC, the European standards body responsible for developing harmonised standards for high-risk AI conformity assessment, indicated those standards would not be available until Q4 2026 at the earliest. Without published standards, organisations could not meaningfully complete conformity assessments.

2nd August 2027: Legacy GPAI Model Compliance

Providers of GPAI models that were placed on the market before 2 August 2025 must achieve full compliance by this date. New models released after August 2025 were required to comply immediately upon release.

2nd August 2028: High-Risk AI in Regulated Products

High-risk AI systems embedded in products already covered by existing EU product safety legislation (such as medical devices, machinery, and toys) must comply by this date. This extended timeline reflects the complexity of aligning AI-specific requirements with existing sectoral regulations.

General-Purpose AI (GPAI) Model Obligations

GPAI models receive dedicated treatment under the EU AI Act because of their wide-ranging capabilities and downstream applications.

What Qualifies as a GPAI Model

A GPAI model is any AI model trained on broad data at scale that can serve a variety of purposes, both directly and when integrated into other systems. Models capable of generating text, audio, images, or video from text prompts fall under this category. Large language models and multimodal foundation models are primary examples.

Standard GPAI Obligations

All GPAI providers must maintain and make available technical documentation describing the model’s architecture, input and output modalities, model size, training process, and data used. They must provide information to downstream providers so those providers can understand the model’s capabilities and limitations. Compliance with EU copyright law, including the text and data mining provisions, is mandatory.

Systemic Risk Classification

Models trained using computational power exceeding 10 to the power of 25 floating-point operations are presumed to carry systemic risk. These models face enhanced obligations, including conducting adversarial testing and red-teaming, implementing cybersecurity protections, tracking and reporting serious incidents to the European AI Office, and ensuring adequate energy efficiency documentation.

Extraterritorial Scope: How the EU AI Act Reaches Beyond Europe

The EU AI Act deliberately mirrors the extraterritorial approach of the GDPR, but with an even lower threshold for applicability.

Who Is Covered Outside the EU

Article 2 of the regulation captures three categories of non-EU entities. First, providers who place AI systems or GPAI models on the EU market, regardless of where they are established. Second, deployers located outside the EU whose AI systems produce outputs used within EU territory. Third, any provider or deployer whose system’s output ends up being used in the EU, even without direct targeting of EU customers.

 

This means a company with no EU offices, no EU staff, and no EU-based servers can still fall within scope if its AI system output is used in the Union.

Authorised Representatives

Non-EU providers of high-risk AI systems must appoint an authorised representative established in the EU. This representative accepts a written mandate to carry out obligations on the provider’s behalf, including registration, documentation, and communication with national authorities.

Comparison with GDPR Scope

While GDPR applies when companies actively target EU individuals, the EU AI Act triggers when an AI system’s output is merely used in the EU. The word ‘used’ sets a lower bar than ‘targeting,’ making the Act’s reach potentially broader. The penalty ceiling is also higher, with fines up to 7% of global turnover compared to GDPR’s 4%.

Penalties and Fines Under the EU AI Act

The EU AI Act establishes a three-tier penalty structure under Article 99, with fines scaled to the severity of the violation.

Tier One: Prohibited Practice Violations

Operating a banned AI system after 2 February 2025 attracts the highest penalties. Fines can reach up to 35 million euros or 7% of total worldwide annual turnover for the preceding financial year, whichever is higher. This tier covers all violations of Article 5 prohibited practices.

Tier Two: High-Risk and Other Obligation Breaches

Non-compliance with high-risk system requirements, GPAI obligations, and other substantive provisions can result in fines up to 15 million euros or 3% of global annual turnover. This covers failures in conformity assessment, documentation, human oversight, and risk management obligations.

Tier Three: Incorrect or Misleading Information

Supplying inaccurate, incomplete, or misleading information to national authorities or notified bodies carries fines of up to 7.5 million euros or 1% of global annual turnover. This tier also applies to failures in cooperation with regulatory investigations.

 

For SMEs and startups, fines are capped at the lower of the two amounts (fixed sum versus percentage), providing some proportional relief. However, the penalties remain significant enough to make non-compliance a serious financial risk for any organisation.

Enforcement and Governance Structure

The EU AI Act creates a multi-layered governance framework with responsibilities split between EU-level and national bodies.

The European AI Office

Established within the European Commission, the European AI Office serves as the central body for GPAI model oversight. It has the authority to conduct evaluations of GPAI models, request information from providers, and impose sanctions. The AI Office also coordinates cross-border enforcement and supports the development of harmonised standards and codes of practice.

National Market Surveillance Authorities

Each EU Member State must designate at least one notifying authority and one market surveillance authority. Notifying authorities oversee the designation of conformity assessment bodies for high-risk AI systems. Market surveillance authorities supervise and enforce compliance at the national level, with powers to investigate, issue corrective actions, and impose penalties.

Advisory Bodies

Three advisory bodies support governance. The European Artificial Intelligence Board brings together Member State representatives to coordinate enforcement. The Scientific Panel consists of 60 independent experts focused on frontier AI, technical auditing, and systemic risk. The Advisory Forum represents a diverse range of stakeholders, including industry, civil society, and academia.

AI Literacy Obligation: Article 4

Article 4 introduced one of the broadest obligations in the entire regulation, applicable to every organisation that builds or uses AI.

What the Obligation Requires

Providers and deployers must take measures to ensure a sufficient level of AI literacy among their staff and any persons dealing with AI systems on their behalf. The obligation considers the individual’s technical knowledge, experience, education, training, and the specific context in which AI systems are used.

 

There is no prescribed curriculum, no mandatory certification, and no official examination. The regulation gives organisations flexibility in how they achieve compliance, but requires documented measures that can be presented to regulators upon request.

Compliance Since February 2025

This obligation has been enforceable since 2 February 2025. Organisations that have not yet implemented AI literacy programmes are already at risk of non-compliance. A practical starting point is to audit existing training resources, identify gaps, and document all measures taken. Since August 2025, if an untrained employee causes harm using an AI system, the organisation faces direct liability.

Penalties for Non-Compliance

Failure to meet Article 4 requirements falls under the general penalty tier of Article 99, with fines up to 15 million euros or 3% of worldwide annual turnover. There is no formal requirement to appoint a dedicated AI officer, but organisations should have a clear internal structure for managing AI literacy efforts.

The Digital Omnibus: What Changed in May 2026

The Digital Omnibus represents the most significant amendment to the EU AI Act since its adoption, and understanding its impact is essential for compliance planning.

What the Digital Omnibus Covers

On 7 May 2026, the Council of the EU and the European Parliament reached a provisional agreement on targeted amendments to the EU AI Act as part of the European Commission’s broader Digital Omnibus initiative. This package was designed to simplify and streamline specific rules without altering the fundamental structure of the regulation.

Key Timeline Changes

The most impactful change is the deferral of high-risk AI system compliance deadlines. Stand-alone high-risk AI systems under Annex III now have until 2 December 2027 instead of 2 August 2026. High-risk AI systems embedded in regulated products have until 2 August 2028. The European Parliament gave final approval to this package on 16 June 2026.

Reasoning Behind the Extension

The rationale is technical rather than political. CEN-CENELEC, the European standards body tasked with developing the harmonised standards that underpin high-risk AI conformity assessment, reported that these standards would not be ready until Q4 2026 at the earliest. Without published standards, conformity assessments could not be carried out meaningfully. The extension gives both standards bodies and organisations the time needed for proper implementation.

How Organisations Should Prepare for EU AI Act Compliance

With multiple deadlines already passed and others approaching, proactive preparation is the only viable strategy.

Conduct an AI Systems Inventory

Start by mapping every AI system your organisation develops, deploys, or uses. Classify each system according to the EU AI Act’s risk categories. Identify which systems fall under prohibited practices, high-risk obligations, limited-risk transparency rules, or minimal-risk categories. This inventory forms the foundation of your compliance roadmap.

Establish Governance and Documentation

Build internal governance structures for AI oversight. Assign clear responsibilities for compliance monitoring, risk assessment, and incident reporting. Create and maintain technical documentation for all high-risk and GPAI systems. Ensure your user consent mechanisms align with transparency requirements, particularly for chatbots and AI-generated content.

Implement AI Literacy Programmes

Since the AI literacy obligation is already enforceable, organisations must ensure all relevant staff have received appropriate training. Document every training initiative, workshop, or resource provided. Tailor training to the specific roles and contexts in which employees interact with AI systems.

Plan for Conformity Assessment

If your organisation operates high-risk AI systems, begin preparing for conformity assessment well before the December 2027 deadline. This includes establishing risk management processes, data governance protocols, logging mechanisms, and human oversight controls. Monitor the development of harmonised standards by CEN-CENELEC to align your preparations accordingly.

Engage Legal and Compliance Teams

The EU AI Act intersects with existing regulations, including the GDPR, the Product Safety Regulation, and sector-specific legislation. Your legal and compliance teams should map these intersections and identify any overlapping obligations. Non-EU organisations should assess whether they need to appoint an authorised representative within the EU.

Final Thoughts

The EU AI Act is not a future concern. It is an active regulation with obligations already in force and substantial penalties for non-compliance. From prohibited practices to GPAI transparency rules and the recently extended high-risk deadlines, every organisation using AI within or connected to the EU market needs a clear compliance plan. Start your AI inventory, train your teams, and build governance structures now, because regulatory enforcement will not wait.

Simplify EU AI Act Compliance with Seers Ai

Preparing for the EU AI Act goes beyond AI systems; it starts with responsible data practices and transparent consent management. Seers helps organisations build a strong compliance foundation that supports both privacy and AI governance goals.

START FREE TODAY

Frequently Asked Questions (FAQs)

What is the main purpose of the EU AI Act?

The EU AI Act establishes a legal framework to regulate artificial intelligence systems based on the level of risk they pose to individuals and society. It aims to protect fundamental rights, ensure safety, and promote trustworthy AI development. The regulation creates clear rules for providers, deployers, and importers of AI systems operating within the European Union market.

Does the EU AI Act apply to companies outside of Europe?

The regulation has extraterritorial reach similar to the GDPR but with a lower threshold. Any organisation that places AI systems on the EU market or whose AI outputs are used within the EU falls within scope. This applies regardless of where the company is headquartered, whether or not it has offices or staff in any EU Member State.

Which AI systems are completely banned under the EU AI Act?

The regulation prohibits AI systems that use subliminal manipulation, exploit vulnerable groups, enable social scoring by public authorities, or perform untargeted facial image scraping. Emotion recognition in workplaces and educational settings is also banned. Real-time biometric identification in public spaces for law enforcement is restricted to narrowly defined exceptions.

What changed with the Digital Omnibus agreement in May 2026?

The Digital Omnibus deferred the compliance deadline for stand-alone high-risk AI systems from 2 August 2026 to 2 December 2027. High-risk systems in regulated products now have until 2 August 2028. This extension was granted because the harmonised standards needed for conformity assessments were not yet available from the European standards bodies.

What are the maximum fines under the EU AI Act?

The highest fines apply to prohibited practice violations and reach up to 35 million euros or 7% of total worldwide annual turnover, whichever is greater. Other violations can attract fines of up to 15 million euros or 3% of turnover. Supplying incorrect information to authorities carries fines up to 7.5 million euros or 1% of turnover.

What does the AI literacy obligation under Article 4 require?

Article 4 requires all AI providers and deployers to ensure their staff have sufficient understanding of the AI systems they work with. There is no mandated curriculum or certification programme. Organisations must document the training measures they implement and tailor them to each employee’s role, technical knowledge, and the specific AI systems they interact with.

How is a high-risk AI system defined under the regulation?

An AI system is classified as high-risk if it serves as a safety component in a product covered by existing EU safety legislation or falls within Annex III application areas. These areas include biometric identification, critical infrastructure, education, employment, credit scoring, law enforcement, and border management. High-risk systems require conformity assessments and EU database registration.

What obligations do GPAI model providers have under the EU AI Act?

Providers of general-purpose AI models must maintain detailed technical documentation, publish training data summaries, comply with EU copyright rules, and share model information with downstream providers. Models classified as systemic risk face additional duties, including adversarial testing, cybersecurity protections, and incident reporting to the European AI Office.

When did the first EU AI Act obligations become enforceable?

The first set of obligations became enforceable on 2 February 2025. This included the ban on all prohibited AI practices listed under Article 5 and the AI literacy requirement under Article 4. Organisations operating prohibited systems after this date face fines up to 35 million euros or 7% of global turnover.

How does the EU AI Act differ from the GDPR in terms of scope and penalties?

While both regulations have extraterritorial reach, the EU AI Act applies whenever AI output is used in the EU, which is a lower threshold than GDPR’s requirement of actively targeting EU individuals. The AI Act’s maximum fine of 7% of global turnover also exceeds GDPR’s 4% cap. Both regulations can apply simultaneously to the same organisation.

Do SMEs and startups receive any concessions under the EU AI Act?

The regulation provides proportional treatment for smaller organisations. Fines for SMEs and startups are capped at the lower of the fixed amount or the percentage-based calculation. Regulatory sandboxes are also mandated to allow smaller companies to test innovative AI systems under supervised conditions before full market deployment.

What role does the European AI Office play in enforcement?

The European AI Office sits within the European Commission and serves as the central authority for GPAI model oversight. It can evaluate models, request information from providers, and apply sanctions. The Office also coordinates cross-border enforcement activities, supports the development of harmonised standards, and works alongside national market surveillance authorities.

 

Rimsha Zafar

Rimsha is a Senior Content Writer at Seers AI with over 5 years of experience in advanced technologies and AI-driven tools. Her expertise as a research analyst shapes clear, thoughtful insights into responsible data use, trust, and future-facing technologies.

ORCIDResearchGateGoogle ScholarLinkedIn 

Unlock Accurate Insights with Google Consent Mode v2

Is Your Website at Risk of Losing Conversions?


Take our Free Cookie Audit and find out

Ready to Build Trust and Drive Business Growth?

Join 50,000+ websites using Seers.Ai to turn compliance into trust, insights, & measurable business growth.