Regulation · June 16, 2026

The EU AI Act is live: what the deadlines actually require

Prohibited-use bans and GPAI rules are already in force, with fines up to 7% of global turnover. Here’s the timeline every team shipping AI should know.

The EU AI Act isn't a future event — key parts are already enforceable, and the penalties are serious. If you build or ship AI that touches EU users, the implementation timeline matters now.

Two things make this Act worth understanding even if you're not based in the EU. First, like GDPR before it, it applies based on who you affect, not where you sit — if EU users touch your system, you're in scope. Second, it's risk-tiered: the obligations scale with how much harm a system could do. Most of the panic about the Act comes from people imagining the strictest tier applies to everything. It doesn't. The first real task is figuring out which tier you're actually in.

The risk tiers, briefly

The Act sorts AI systems into bands. Prohibited practices — things like social scoring or certain manipulative or biometric uses — are simply banned. High-risk systems — those used in areas like hiring, credit, education, critical infrastructure or medical devices — carry the heaviest obligations. Limited-risk systems mainly carry transparency duties (telling people they're interacting with AI). And a large amount of ordinary software falls into minimal-risk, where the Act asks little. Knowing your band tells you almost everything about your workload.

The dates that are already live

  • Feb 2, 2025 — bans on prohibited AI practices and AI-literacy obligations took effect.
  • Aug 2, 2025 — rules for general-purpose AI (GPAI) models and the penalty regime kicked in: fines up to €35M or 7% of global turnover for prohibited practices, €15M / 3% for other breaches.

A fine of 7% of global turnover is not a parking ticket — for a large company it can exceed the GDPR ceiling. The penalty regime being live now is what turns this from a compliance project you can defer into one with a real clock on it.

What's coming

  • Aug 2, 2026 — full application for high-risk systems: conformity assessments, technical documentation, CE marking, EU database registration.
  • Aug 2, 2027 — pre-2025 GPAI models must be compliant; extended transition (to 2028) for AI embedded in regulated products.

The Act is risk-tiered, not blanket. The first job isn't compliance — it's classification: which of your systems are prohibited, high-risk, or limited-risk?

A worked example

Imagine a recruitment platform that uses AI to rank candidates. Hiring is explicitly a high-risk domain, so this isn't a "transparency notice and move on" situation — by August 2026 it needs a conformity assessment, technical documentation describing how the system works and what data it uses, demonstrable human oversight of its decisions, and registration in the EU database. Now contrast that with the same company's internal AI tool that drafts job-ad copy: that's minimal-risk and carries almost no obligation. Two AI features, same company, wildly different workloads — and the only way to know which is which is to classify them deliberately rather than treating "we use AI" as a single compliance bucket. Getting the classification wrong in either direction is costly: under-classify and you risk the fines; over-classify and you bury a harmless tool in needless paperwork.

What this means for your team

For most teams the practical work is the same set of disciplines that make AI trustworthy regardless of jurisdiction — which is why doing it well is rarely wasted effort:

  • Inventory and classify first. List every AI system that touches EU users and assign each a risk tier. You can't plan compliance work you haven't scoped.
  • Get your documentation in order. High-risk systems need technical documentation, conformity assessments and registration. Start the paper trail now, not in mid-2026.
  • Build in human oversight. The Act expects a person to be able to understand, supervise and override high-risk systems — the same human-in-the-loop pattern that already underpins regulated AI in healthcare and finance.
  • Govern your data and be transparent. Know what data trains and feeds your systems, and tell users when they're dealing with AI.

The reassuring part is that none of this is exotic. Data governance, oversight, transparency and documentation are the foundations of any AI system you'd actually want to depend on. The Act mostly makes mandatory what good engineering already recommends. If you need help classifying your systems or building the documentation a conformity assessment expects, our team can take that on.

Why this is worth doing even outside the EU

It's tempting for non-EU teams to file this under "someone else's problem." That's usually a mistake for two reasons. First, the reach is extraterritorial — as with GDPR, what matters is whether EU users are affected, not where your servers live, and most products of any scale eventually touch EU users. Second, the EU AI Act is shaping up to be the template other jurisdictions borrow from, the same way GDPR became the de facto blueprint for privacy law worldwide. Building the documentation, oversight and classification discipline now is less a compliance tax and more an investment in being ready for whatever your own regulator ships next. And even setting regulation aside entirely, a system whose risks you've classified, whose decisions a human can supervise, and whose behaviour you can document is simply a better-engineered system — one you can trust, debug and defend. The Act, read generously, is a forcing function for habits you'd want anyway.
