The EU AI Act (Regulation 2024/1689) is the world's first comprehensive AI law. It applies in tiers: prohibited practices from February 2025, GPAI rules from August 2025, and high-risk AI obligations from December 2027 (Annex III) and August 2028 (Annex I) after the 2026 omnibus amendments.

What is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive horizontal legal framework for artificial intelligence. It entered into force on 1 August 2024 and applies progressively across four risk tiers.

The Act uses a risk-based approach: the higher the potential harm, the stricter the obligations. It does not govern all software — only systems that qualify as AI under the definition in Art. 3(1) and Annex I, which covers machine learning, logic- and knowledge-based approaches, and statistical models.

Who must comply?

The AI Act applies to four categories of actors:

Geographic reach: the Act applies whenever the AI system's output is used in the EU, regardless of the provider's location. A US-based provider whose AI is used by European companies is in scope.

The four risk tiers

| Risk tier | Scope | Key rule |
| --- | --- | --- |
| Unacceptable risk | Manipulative AI, social scoring, real-time biometric ID, emotion recognition at work | Prohibited — Art. 5 |
| High risk | Annex III (standalone) and Annex I (embedded in regulated products) | Conformity assessment, QMS, CE marking, registration |
| Limited risk | Chatbots, deepfakes, AI-generated content | Transparency obligations — users must know |
| Minimal risk | Spam filters, AI in video games, recommendation systems | No mandatory obligations |

Application timeline

| Obligation | Applies from |
| --- | --- |
| Prohibited practices (Art. 5) | 2 February 2025 |
| GPAI rules — Chapter 5 | 2 August 2025 |
| Codes of practice for GPAI | 2 August 2025 |
| High-risk AI — Annex III standalone | 2 December 2027 (extended by 2026 omnibus) |
| High-risk AI — Annex I embedded | 2 August 2028 (extended by 2026 omnibus) |

The 2026 Digital Omnibus on AI extended the two high-risk AI deadlines by 16 and 24 months respectively, without changing the obligations themselves.

High-risk AI systems: what triggers full obligations?

An AI system is high-risk under Annex III if it falls into one of these eight areas:

  1. Biometric identification and categorisation
  2. Critical infrastructure management (energy, water, transport)
  3. Education and vocational training (access decisions, grading)
  4. Employment — recruitment, performance assessment, promotion decisions
  5. Essential private and public services (credit scoring, insurance, emergency services)
  6. Law enforcement (risk assessment, evidence evaluation)
  7. Migration, asylum, border control
  8. Administration of justice and democratic processes

An additional filter applies (Art. 6(3)): Annex III systems must pose a significant risk of harm to health, safety, or fundamental rights. Low-risk AI tools in these sectors may be exempt.

Key compliance obligations for high-risk AI providers

  1. Risk management system (Art. 9) — continuous process throughout the lifecycle
  2. Data governance (Art. 10) — training, validation, and testing datasets must be appropriate
  3. Technical documentation (Art. 11 + Annex IV) — before placing on market
  4. Transparency and logging (Art. 12–13) — automatic logging, user instructions
  5. Human oversight (Art. 14) — measures enabling humans to monitor and intervene
  6. Accuracy, robustness, cybersecurity (Art. 15)
  7. Quality management system (Art. 17)
  8. Conformity assessment (Art. 43) — third-party for some categories
  9. EU database registration (Art. 71)
  10. CE marking (Art. 48) before placing on market

Convergence with DORA and NIS2

Financial institutions face overlapping obligations across AI Act, DORA, and NIS2. The AI Act's risk management system (Art. 9) maps closely to DORA's ICT risk management framework (Art. 5–16). Dual-mapping documentation reduces compliance burden.

Official AI Act Compliance Deadline Calendar

Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.

| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
| --- | --- | --- | --- | --- | --- | --- |
| Prohibited Practices (Art. 5) | All providers and deployers | | | active | | AI Act Art. 5 |
| GPAI Rules (Chapter 5) | GPAI model providers | | | active | | AI Act Art. 51-56 |
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | | | deferred | | AI Omnibus 2026 Art. 6(2) |
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | | | deferred | | AI Omnibus 2026 Art. 6(1) |
| AI-Generated Content Marking | Providers of generative GPAI systems | | | active | | AI Act Art. 50(2) |
| Regulatory Sandboxes | National competent authorities | | | active | | AI Act Art. 57 |

Download JSON · CC BY 4.0

Frequently Asked Questions

The AI Act applies in tiers. Prohibited practices (Art. 5): 2 February 2025. GPAI rules: 2 August 2025. High-risk AI standalone systems (Annex III): 2 December 2027 (extended by the 2026 omnibus). High-risk AI embedded in regulated products (Annex I): 2 August 2028.

The AI Act applies to providers (who develop or place AI on the EU market), deployers (who use AI in professional contexts), importers, and distributors. It applies whenever the AI system's output is used in the EU, regardless of where the provider is established.

Fines vary by violation: up to €35 million or 7% of global annual turnover for prohibited practice violations; up to €15 million or 3% for most other violations; up to €7.5 million or 1.5% for providing incorrect information.

The AI Act and GDPR are separate regulations that interact. GDPR governs personal data processing; the AI Act governs AI systems regardless of whether they process personal data. Many high-risk AI systems processing personal data must comply with both.
