EU AI Act Compliance in 2026: What You Must Do

CallMissed

The EU AI Act is no longer a draft. The phased application schedule has hit its biggest milestones in 2025-2026, the AI Office is now in enforcement mode, and the harmonized standards are landing. If you sell, deploy, or develop AI systems with any EU connection, here is what 2026 actually requires.

Where we are in the timeline

Per the official EU AI Act implementation timeline:

  • 2 February 2025 — prohibited AI practices applicable
  • 2 August 2025 — GPAI provider obligations applicable for new models
  • 2 August 2026 — most remaining rules applicable; full AI Office enforcement powers
  • 2 August 2027 — pre-existing GPAI models must comply; high-risk obligations for systems already on the market

The 2 August 2026 milestone is the most consequential for builders shipping into the EU today.

The four risk tiers

The Act sorts AI systems into four buckets:

  • Unacceptable risk — banned. Examples: social scoring, certain biometric mass surveillance, manipulative AI targeting vulnerable groups. Already in force.
  • High risk — heavy compliance. Examples: AI in employment decisions, education access, critical infrastructure, law enforcement, certain medical devices. Most obligations apply 2 August 2026.
  • Limited risk (transparency) — disclosure. Examples: chatbots (must disclose AI), AI-generated content (must label).
  • Minimal risk — voluntary codes. Most general-purpose enterprise AI falls here.

Where you land determines almost everything else. Get this wrong and you either over-spend on compliance or under-comply and risk fines.

GPAI obligations (most builders read this section)

If you provide a general-purpose AI model — including most LLMs — you have transparency obligations regardless of risk tier:

  • Technical documentation describing the model
  • Information for downstream providers integrating your model
  • Copyright compliance — including a public summary of training-data provenance
  • Cooperation with the AI Office on information requests

Models with "systemic risk" (above a compute threshold of 10^25 FLOPs at training) carry additional obligations: serious incident reporting, adversarial testing, cybersecurity protections, and energy reporting.

For most companies using GPAI models rather than providing them, the obligations flow downstream from your provider. Verify your vendor's compliance position in your contracts.

High-risk system obligations

If your system is high-risk under Annex III:

  • Risk management system across the lifecycle
  • Data governance — training, validation, test sets meet quality criteria
  • Technical documentation
  • Record-keeping (automatic logging)
  • Transparency to users
  • Human oversight measures
  • Accuracy, robustness, cybersecurity baseline
  • Quality management system
  • Conformity assessment before placing on market
  • Post-market monitoring and incident reporting

These are GDPR-grade obligations and require a real compliance program, not a checkbox. Most large enterprises that use AI in HR, lending, or healthcare are already inside this scope whether they realize it or not.

Transparency obligations (chatbots and content labeling)

Coming into broader force in 2026:

  • AI-system interactions with humans must be disclosed (e.g., chatbots reveal they are AI)
  • AI-generated text on matters of public interest must be labeled
  • Deepfakes must be labeled
  • Emotion-recognition or biometric categorization systems must inform users

Most consumer-facing AI products will need a UX update to comply.

What builders should do this quarter

If you ship AI into the EU, the 2026-pragmatic checklist:

  • Inventory your AI systems. Every model, every use case, every supplier.
  • Classify each system into a risk tier. Document the reasoning.
  • For each high-risk system, build the conformity package. Risk management, data governance, documentation, oversight, monitoring.
  • For GPAI providers, publish the documentation. Technical doc, downstream provider info, training-data summary, copyright policy.
  • Update vendor contracts. Where you rely on upstream models, flow obligations through. Get explicit positions on training data, provenance, and incident reporting.
  • Update consumer-facing UX. Disclose AI interaction; label AI-generated content; provide opt-outs where required.
  • Set up a regulator-facing channel. A named accountable person and a way for the AI Office to reach you.

Penalties — why this matters

The Act's penalty structure mirrors GDPR's bite:

  • Up to €35M or 7% of worldwide turnover for prohibited practices
  • Up to €15M or 3% for high-risk system non-compliance
  • Up to €7.5M or 1.5% for incorrect or misleading information

The AI Office gains full enforcement powers on 2 August 2026, including the ability to demand information, order recalls, mandate mitigations, and impose fines. This is the date past which "we'll deal with it later" stops being a viable position.

Common compliance mistakes

[Inference] Across early enterprise compliance work in 2026, the recurring pitfalls:

  • Treating it as a one-time project. The Act creates ongoing obligations. Build a function, not a binder.
  • Missing the GPAI flow-down. Many companies are technically deployers, not providers, but the obligations cascade through contracts.
  • Confusing it with GDPR. GDPR-compliant data handling is necessary but not sufficient — the AI Act adds risk management, documentation, oversight obligations on top.
  • Under-classifying systems. If a system makes a decision affecting employment, education, lending, or critical infrastructure, take a second look at high-risk status.
  • Ignoring transparency UX. Chatbot disclosure and AI-content labeling will surprise consumer-facing teams that left it to the legal team.

Where to start

The lowest-friction starting move: pick one production AI system, run it through the four-tier classification, and write the documentation it would need under the Act. You will discover whether you have a GPAI obligation flow-down, whether you have a high-risk classification you missed, and whether your current vendors give you what you need. That single exercise calibrates the rest of the program.

The companies treating 2 August 2026 as a deadline have time. The ones treating it as a research topic do not.

Frequently Asked Questions

Does the EU AI Act apply to non-EU companies?
Yes — if you place an AI system on the EU market or its outputs are used in the EU, the Act applies regardless of where you are headquartered. The extraterritorial scope mirrors GDPR's logic.

What is the 2 August 2026 deadline specifically about?
Most remaining rules in the Act become applicable on that date, including high-risk system obligations and full AI Office enforcement powers. Pre-existing GPAI models have an extra year (until 2 August 2027) to come into full compliance.

Are open-source AI models exempt?
Open-source GPAI models have lighter obligations under the Act (some transparency requirements still apply), but the exemption is narrower than commonly assumed and does not cover models classified as carrying systemic risk.
