Policy & Regulation | Mar 15, 2026 | 3 min read

EU AI Act Enforcement Begins: What Companies Must Do Now

The first enforcement deadlines under the EU AI Act are now active — prohibited practices are banned and compliance obligations are escalating.

By Jeff Brook

AI Researcher — Founder, AI Daily News

The EU AI Act is no longer theoretical. As of February 2, 2025, the prohibited practices provisions became enforceable, and the compliance timeline is accelerating through 2026. Companies building or deploying AI systems in the European market need to act now — the penalty framework is among the most severe in technology regulation.

What is already enforceable?

The first tier of obligations — the outright bans — took effect in February 2025. These prohibit:

  • Social scoring by public authorities that leads to detrimental treatment of individuals
  • Real-time remote biometric identification in public spaces for law enforcement, with narrow exceptions
  • Subliminal manipulation techniques that cause harm
  • Exploitation of vulnerabilities of specific groups based on age, disability, or social situation
  • Untargeted facial image scraping from the internet or CCTV for database building
  • Emotion recognition in workplaces and educational institutions

Violations of these prohibitions carry fines of up to 35 million euros or 7% of global annual turnover, whichever is higher. According to the European Commission's implementation guidance, these are the steepest penalties in the regulation.

What deadlines are approaching?

The compliance timeline has several critical milestones through 2026 and into 2027:

  • August 2, 2025: General-purpose AI model providers must comply with transparency obligations — model cards, training data summaries, and copyright compliance documentation.
  • August 2, 2026: The bulk of the Act becomes applicable. High-risk AI systems must meet conformity assessment requirements, quality management systems, and human oversight provisions.
  • August 2, 2027: Extended deadline for high-risk systems that are safety components of products already regulated under existing EU legislation.

The August 2025 deadline for GPAI providers is the most immediately pressing for AI companies. According to Stanford HAI's analysis, fewer than 30% of foundation model providers have published the required technical documentation as of early 2026.

How does the risk classification work?

The Act classifies AI systems into four tiers:

  1. Unacceptable risk — banned outright (already enforced)
  2. High risk — permitted with extensive compliance requirements including conformity assessments, data governance, transparency, and human oversight
  3. Limited risk — transparency obligations only (users must be informed they are interacting with AI)
  4. Minimal risk — no additional obligations beyond existing law

High-risk classification is triggered by deployment context, not capability. The same model powering a chatbot (minimal risk) becomes high-risk when used for CV screening (employment decisions) or credit scoring (access to essential services). The Annex III list specifies eight domains where AI systems are presumed high-risk.

What should companies do right now?

Five concrete steps for compliance readiness:

  1. Classify your AI systems. Map every AI deployment against the risk tiers. Pay particular attention to systems that touch employment, education, credit, law enforcement, or critical infrastructure — these are likely high-risk.

  2. Audit your foundation model documentation. If you provide or fine-tune general-purpose models, the August 2025 deadline requires technical documentation including training methodology, data governance, compute usage, and evaluation results. Start now — this documentation takes months to prepare properly.

  3. Implement human oversight mechanisms. High-risk systems must include meaningful human oversight — not rubber-stamp approval, but genuine ability to understand, intervene, and override AI decisions. Design these into your systems architecture, not as post-hoc additions.

  4. Establish a quality management system. The Act requires documented processes for data management, model monitoring, post-market surveillance, and incident reporting. If you do not already have an AI-specific QMS, build one.

  5. Monitor the regulatory guidance. The European AI Office is publishing implementation guidelines, codes of practice, and technical standards on a rolling basis. These will define the practical interpretation of the Act's requirements.

The UK, while no longer bound by EU regulation, is watching closely. The UK AI Safety Institute is developing its own evaluation frameworks that share conceptual foundations with the EU approach. Companies operating across both markets should design for the stricter standard.

The enforcement apparatus is being built in parallel with the compliance deadlines. National authorities are establishing AI regulatory sandboxes, and the European AI Office is staffing up. The question is not whether enforcement will happen, but how aggressively the early cases will be pursued.
