The EU AI Act Is Now Live. Here’s What Actually Kicks In and When

The EU AI Act entered into force on 1 August 2024, but its rules do not apply all at once. The regulation uses a phased timeline that stretches into 2027, meaning most companies building or deploying AI systems in Europe face a moving set of deadlines rather than a single compliance cliff.

The law is structured around risk tiers. Systems deemed to pose an unacceptable risk are banned outright. High-risk systems, such as those used in hiring, credit scoring, or critical infrastructure, carry the heaviest documentation and oversight requirements. Lower-risk systems face lighter transparency obligations, and most everyday AI tools fall outside the strict regime entirely.

What has already taken effect

The first set of obligations became applicable on 2 February 2025, roughly six months after the law entered into force. These cover the prohibited-practice provisions and a requirement that organizations ensure a baseline level of AI literacy among staff working with these systems.

The banned categories include AI used for social scoring by public authorities, certain forms of biometric categorization, and systems designed to manipulate behavior in ways likely to cause harm. Real-time remote biometric identification in public spaces by law enforcement is restricted, with narrow exceptions.

Rules for general-purpose AI

Obligations for providers of general-purpose AI models, the category that includes large language models, began applying in August 2025. These cover technical documentation, transparency about training data summaries, and compliance with EU copyright rules. Models judged to carry systemic risk face additional requirements around risk assessment and incident reporting.

To help providers meet these obligations, the European Commission has worked with industry and civil society on a code of practice for general-purpose AI. Adherence to the code is voluntary but offers a presumption of compliance, a structure that has drawn both interest and criticism from major model developers over how prescriptive the final text should be.

The high-risk deadlines still ahead

The bulk of the high-risk system requirements phase in later. Many of these obligations are set to apply from August 2026, with a further set of rules for high-risk systems embedded in regulated products extending to August 2027. This longer runway reflects the complexity of the conformity assessments, registration steps, and post-market monitoring that high-risk providers will need to put in place.

Enforcement sits with a combination of national authorities in each member state and the European AI Office, which coordinates oversight of general-purpose models at the EU level. Penalties scale with the severity of the violation. The most serious breaches, such as deploying a prohibited system, can draw fines of up to 35 million euros or 7 percent of global annual turnover, whichever is higher.

Why the timeline matters beyond Europe

The staggered structure means companies cannot treat the Act as a finished obligation. A firm shipping a general-purpose model today faces a different compliance picture than one preparing a high-risk hiring tool for the 2026 deadlines.

The extraterritorial reach is the part that travels furthest. The Act applies to providers placing AI systems on the EU market regardless of where they are based, and to deployers using outputs inside the bloc. For developers in Asia building models or applications with European users, that creates an incentive to align documentation and risk practices with EU expectations even when domestic rules are lighter or still taking shape.

Whether the Act becomes a de facto global standard, as the EU's data-protection regime did, depends on how consistently national regulators enforce it and how the general-purpose AI provisions hold up against fast-moving model capabilities. For now, the practical task for most companies is mapping their systems against the risk tiers and tracking which deadline applies to which product.