The EU AI Act enters its enforcement phase: what you need to know

Gerónimo
Gerónimo
Fractional CTO
7 min read

We’ve been hearing about the EU AI Act for years as something that would “eventually arrive”. Well, it’s here: August 2, 2026 was marked from the start as the day of full application of the regulation, and although the timeline has shifted over the past few months (we’ll get to that in the timeline below), it remains a turning point for any company using AI in Europe, or offering its services to European users.

I’ve talked to quite a few companies over the past months and I keep running into two extremes: those who believe this doesn’t apply to them because “we don’t do AI”, and those who are freezing initiatives out of fear of the regulation. I think both positions stem from not fully understanding the regulation, so this post is meant as an introduction to the key ideas, without going into legal detail.

Before anything else, two details that are often overlooked. The AI Act (Regulation (EU) 2024/1689) is a regulation, not a directive: it applies directly across all Member States without waiting for national laws. And it has extraterritorial scope: if your company is based outside the EU but your AI systems are used within European territory, it applies to you too. It’s the same Brussels effect we already saw with the GDPR.

How it rolls out: the updated timeline

The regulation doesn’t take effect all at once, it rolls out in phases. And here’s where most of the confusion comes from: in May 2026, the political agreement on the “Digital Omnibus” postponed the high-risk obligations. A lot of content published before that date says “all high-risk obligations” take effect in August 2026, and that’s no longer correct. This is the updated timeline:

August 1, 2024
Entry into force
The regulation enters into force and the phased rollout schedule begins.
February 2, 2025
Prohibitions and literacy
Unacceptable-risk practices become banned and AI literacy training for staff becomes mandatory (Article 4).
August 2, 2025
General-purpose models
Obligations for providers of GPAI models (large language models) take effect, and European governance kicks off (AI Office).
August 2, 2026 Estás aquí
Transparency
The transparency obligations under Article 50 take effect: disclosing when AI is involved and labelling synthetic content.
December 2, 2027
High risk (Annex III)
Postponed by the Omnibus: obligations for high-risk systems in employment, education, credit, biometrics, migration, etc.
August 2, 2028
High risk in products (Annex I)
Also postponed: AI embedded as a safety component in regulated products (medical devices, machinery, toys...).

The four risk levels

This is the first thing to internalize: the AI Act doesn’t regulate “AI” in the abstract, it regulates the uses we put it to. The same model can carry no obligations at all, or plenty, depending on what you use it for.

The table follows the European Commission’s official classification (note that the Commission calls the third tier “transparency risk”, not “limited risk”):

CategoríaUnacceptable riskHigh riskTransparency riskMinimal or no risk
StatusProhibitedStrict obligationsDisclosure obligationsNo obligations
What it isA clear threat to people's safety, livelihoods, or rightsUses that can pose serious risks to health, safety, or fundamental rightsUses where people must know an AI is involved, to preserve trustThe vast majority of AI systems in use today across the EU
Examples
The regulation bans 8 practices:
  • Harmful manipulation and deception
  • Exploitation of vulnerabilities
  • Social scoring
  • Predicting individual crimes
  • Mass scraping for facial recognition databases
  • Emotion recognition at work and in education
  • Biometric categorisation of protected characteristics
  • Real-time remote biometric identification in public spaces for law enforcement
  • Safety components of critical infrastructure
  • Access to education (e.g. exam scoring)
  • Employment and worker management (e.g. CV screening)
  • Access to essential services (e.g. credit scoring)
  • Biometrics
  • Law enforcement
  • Migration and border control
  • Justice
  • Chatbots
  • Generative AI
  • Deepfakes and AI-generated texts published to inform the public on matters of public interest
  • AI-powered video games
  • Spam filters
  • Basic recommenders
  • Most internal tooling
ObligationsNone: they are directly banned
  • Risk assessment and mitigation
  • Dataset quality
  • Activity logging and traceability
  • Technical documentation
  • Information for the deployer
  • Human oversight
  • Robustness, cybersecurity and accuracy
  • Disclosing that you are interacting with an AI
  • Making generated content identifiable
  • Visibly labelling deepfakes and content of public interest
None. Voluntary codes of conduct
Applies fromFebruary 2025December 2027 (Annex III) and August 2028 (AI embedded in products)August 2026

Based on the European Commission’s official classification: digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai

On top of this there’s a separate regime for general-purpose models (GPAI). If you’re a company that only uses these models via an API, those obligations aren’t yours, they belong to the provider. Yours depend on how you use them.

What takes effect on August 2, 2026

What takes effect now, and hasn’t been postponed, are the transparency obligations under Article 50:

  • AI interaction: if your system interacts with people (a chatbot, for example), they must know they’re talking to an AI, unless it’s obvious from the context.
  • Synthetic content: if you generate or manipulate images, video, or audio with AI that could appear authentic (deepfakes), you must label them as such.
  • Public-interest texts: AI-generated texts published to inform the public about matters of public interest must be identified, unless there is human editorial review and responsibility.
  • Technical marking: providers of generative AI must technically mark their outputs as artificially generated, in a machine-readable format.

This affects far more companies than it seems. You don’t need to train models or do credit scoring: having a customer-support chatbot or publishing AI-generated content is enough.

Penalties

The penalty regime is one of the toughest in European digital law. Fines are calculated on the fixed amount or the percentage of global annual turnover, whichever is higher:

€35M / 7%
Prohibited AI practices
€15M / 3%
Breaching high-risk, transparency, or GPAI obligations
€7.5M / 1%
Providing incorrect information to the authorities
Proportionality criteria are foreseen for SMEs, but the obligation to comply is the same.

FAQ

Does the AI Act apply to me if I only use third-party AI?
Very likely yes. The regulation covers both providers and deployers of AI systems used in the EU, including companies that only integrate third-party models. Your obligations depend on the risk level of the use you make of them.
What exactly changes on August 2, 2026?
The transparency obligations under Article 50 take effect: disclosing when someone is interacting with an AI and labelling synthetic content. The prohibitions and GPAI rules were already in force before.
Wasn't everything postponed by the Digital Omnibus?
Not everything. The Omnibus (political agreement from May 2026) postponed high-risk obligations under Annex III to December 2027 and those under Annex I to August 2028. The Article 50 transparency obligations were not postponed and take effect from August 2026.
What happens if I use a customer-support chatbot?
It's a typical case of transparency risk: you must inform users that they're talking to an AI, unless it's obvious from the context. It's one of the obligations that takes effect now.
Is it forbidden to use models hosted outside the EU?
No, the AI Act doesn't ban using AI models or providers hosted outside the EU. What generally does restrict that is the GDPR: transferring personal data to countries outside the European Economic Area (EEA) without a valid transfer mechanism in place (such as an adequacy decision or Standard Contractual Clauses). It's a data protection matter, not an AI Act one.

The AI Act is about to enter its enforcement phase, so it’s not advisable to keep delaying work on making sure you comply with the regulation.

For most companies, the first step is simple and doesn’t require lawyers: take stock of the AI systems in use (your own and third-party), classify them by risk level, and from there work out which obligations apply and when.

This post is an informational introduction, not legal advice. To classify your systems and understand your specific obligations, consult specialized legal counsel.

AI AI regulation EU AI Act compliance european union