TLDR:

The EU AI Act (Regulation (EU) 2024/1689) is the first comprehensive horizontal AI regulation adopted anywhere. It entered into force on 1 August 2024, with obligations phasing in through 2027 and beyond. It classifies AI systems by risk (prohibited, high-risk, limited-risk, minimal-risk) and attaches obligations to each tier. Its reach is extraterritorial: it applies to providers that place AI systems on the EU market or put them into service in the EU regardless of where they are established, and to providers and deployers located outside the EU where the system's output is used in the EU.

Risk Tiers and Obligations

Prohibited practices are banned outright; examples include social scoring, manipulative or subliminal techniques that distort behaviour and cause harm, and real-time remote biometric identification in publicly accessible spaces for law enforcement, subject to narrow exceptions. High-risk systems fall into two groups: systems used in the areas listed in Annex III (biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration and border control, and the administration of justice) and systems that are safety components of, or are themselves, products already covered by EU product-safety legislation in Annex I (for example machinery and medical devices). These face the strictest obligations: a risk management system, data governance, technical documentation, logging and record-keeping, transparency to deployers, human oversight, accuracy, robustness and cybersecurity, post-market monitoring, and a conformity assessment followed by CE marking before the system is placed on the market. Limited-risk systems face transparency obligations: users must be told they are interacting with an AI system, and AI-generated or manipulated content such as deepfakes must be labelled. Minimal-risk systems carry no new obligations. General-purpose AI (GPAI) models, what earlier drafts called foundation models, have a separate set of provider obligations, with additional duties for models deemed to pose systemic risk.

Key Deadlines

The Act's obligations apply in tiers: prohibitions and AI-literacy duties from 2 February 2025; GPAI model obligations and the governance and penalty provisions from 2 August 2025; high-risk requirements for Annex III systems from 2 August 2026, and for high-risk systems embedded in Annex I regulated products from 2 August 2027. The Commission's Digital Omnibus proposal would push the high-risk dates back, to December 2027 for Annex III systems and August 2028 for Annex I systems, and delays for certain provisions have been put to a vote in the European Parliament. Until the amending text is finally adopted and published, companies should treat the original dates as binding and track the specific deadlines that apply to their own systems.

Penalties

Penalties for non-compliance are substantial: up to €35 million or 7% of total worldwide annual turnover (whichever is higher) for engaging in a prohibited practice, up to €15 million or 3% of turnover for breaching the other obligations on providers, deployers, importers, distributors and notified bodies (including the high-risk obligations), and up to €7.5 million or 1.5% of turnover for supplying incorrect, incomplete or misleading information to authorities. For SMEs and start-ups the lower of the two amounts applies. National market surveillance authorities can also require non-compliant systems to be withdrawn or recalled from the EU market. Companies should inventory their AI systems, map each one against the Act's risk tiers, stand up a governance programme covering the obligations for that tier, and document compliance, much as they built out privacy programmes after the GDPR.