EU AI Act Compliance: Track the Risk Tiers and Phased 2025-2027 Deadlines Without Missing a Change
The EU AI Act (Regulation (EU) 2024/1689) applies in phases from February 2025 through 2027 and beyond. RegSpace monitors the sources that move, scores your policies against the obligations, and shows the gaps so your counsel can act on draft intelligence, not guesswork.
What is the EU AI Act?
The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) is the European Union's horizontal law governing artificial intelligence. Adopted by the European Parliament and the Council and published in the Official Journal in 2024, it entered into force on 1 August 2024 and applies in phases, with the bulk of the regime applying from 2 August 2026. It takes a risk-based approach: AI systems are sorted into prohibited, high-risk, limited-risk (transparency) and minimal-risk categories, with separate rules for general-purpose AI (GPAI) models. Obligations and penalties scale with the risk a system poses to health, safety and fundamental rights.
Who does the EU AI Act apply to?
The Act reaches well beyond EU-based AI labs. It applies based on where an AI system or its output is used, not only where the provider sits, so many non-EU organisations are in scope.
- Providers that develop or place AI systems or general-purpose AI models on the EU market, including non-EU providers whose systems or outputs are used in the EU
- Deployers (users) of AI systems established in or located in the EU, for example HR teams using AI recruitment tools or banks using AI credit scoring
- Importers and distributors that make third-party AI systems available in the EU market
- Product manufacturers that embed high-risk AI into products already covered by EU product safety law (Annex I), such as machinery, medical devices and lifts
- Non-EU organisations whose AI system output is used inside the EU, even when the system itself runs elsewhere
- Authorised representatives appointed by non-EU providers to act on their behalf in the EU
Key EU AI Act obligations
Respect the prohibited-practice red lines (Article 5)
Certain uses are banned outright, including untargeted scraping of facial images to build recognition databases, social scoring by public authorities, manipulative or exploitative AI, and (with narrow exceptions) real-time remote biometric identification in public spaces. These prohibitions have applied since 2 February 2025.
Meet the high-risk system requirements
AI used in areas such as recruitment, credit scoring, education, critical infrastructure and law enforcement (Annex III), and AI embedded in regulated products (Annex I), must implement a risk management system, data governance, technical documentation, logging, human oversight, accuracy, robustness and cybersecurity, plus conformity assessment and registration.
Provide transparency for limited-risk systems (Article 50)
Users must be told when they are interacting with an AI system (for example a chatbot), and AI-generated or manipulated content such as deepfakes and synthetic media must be disclosed and, where applicable, machine-readable as AI-generated.
Comply with general-purpose AI (GPAI) model obligations
Providers of GPAI models must maintain technical documentation, publish a summary of training content, and have a policy to respect EU copyright law. GPAI models posing systemic risk carry additional duties including model evaluation, systemic-risk assessment and mitigation, and serious-incident reporting.
Ensure AI literacy across staff (Article 4)
Providers and deployers must take measures to ensure a sufficient level of AI literacy among staff and others operating AI systems on their behalf, taking account of their technical knowledge, experience and the context of use. This duty applies from 2 February 2025.
Maintain documentation, oversight and post-market monitoring
High-risk providers must keep technical documentation and automatically generated logs, set up a post-market monitoring system, and report serious incidents to the relevant authorities; deployers must follow instructions for use and assign competent human oversight.
Be ready for enforcement and significant penalties
The Regulation sets tiered fines: up to EUR 35 million or 7% of total worldwide annual turnover for prohibited-practice breaches, up to EUR 15 million or 3% for most other obligation breaches, and up to EUR 7.5 million or 1% for supplying incorrect information, subject to the higher or lower figure as specified.
Key dates
- 1 August 2024: Regulation (EU) 2024/1689 entered into force, starting the phased application clock.
- 2 February 2025: Prohibited AI practices (Article 5) and the AI literacy obligation (Article 4) began to apply.
- 2 August 2025: Obligations for general-purpose AI (GPAI) models, governance and notified bodies provisions, confidentiality rules and most penalty provisions began to apply. GPAI models already on the market before this date have until 2 August 2027 to comply.
- 2 August 2026: The general application date: the bulk of the Act applies, including high-risk obligations for Annex III use-case systems such as recruitment and credit scoring.
- 2 August 2027: Obligations apply to high-risk AI embedded in products already regulated under EU law (Annex I), and GPAI models placed on the market before 2 August 2025 must be brought into compliance.
- Pending (Digital Omnibus on AI): A provisional political agreement reached on 7 May 2026 would defer high-risk deadlines (Annex III towards 2 December 2027 and Annex I towards 2 August 2028) and simplify some duties. These changes take legal effect only once formally adopted and published in the Official Journal, which has not yet occurred, so the dates above remain the current law until then.
How RegSpace helps with the EU AI Act
Draft, source-linked intelligence for your team to review. Not legal advice.
Monitors, every week, the EU institutions and trackers relevant to you (for example the Official Journal, the European Commission and the AI Office) and drafts a source-linked digest of changes, so if the Digital Omnibus is adopted, guidance lands, or a delegated act moves a deadline, you see it with the citation attached. Where a change hits a policy you have published, Watcher prepares DOCX track-changes redlines for your counsel to review.
Scores your uploaded AI governance policies, acceptable-use rules and notices against the AI Act corpus and shows where each obligation is missing, partial or covered, with a gap score, so you can prioritise the high-risk and transparency requirements that need work.
Builds your compliance profile by crawling your website and classifying your published policies, giving a starting picture of where AI-related obligations may touch your business. Your counsel reviews and edits the profile so scope decisions stay with qualified people.
Gives you the registers and workflow to evidence the work: a risk register with a 5x5 matrix for AI risk assessment, a controls library mapped to obligations, DPIA and incident records, vendor and asset registers, plus a review and approval workflow and dashboards so accountability is documented.
Scores vendor and third-party risk and reconciles your privacy notice against your registers, useful where AI systems process personal data or rely on external model and data providers that need to be tracked.
EU AI Act FAQ
Who does the EU AI Act apply to?
It applies to providers, deployers, importers and distributors of AI systems, plus providers of general-purpose AI models. Crucially it reaches non-EU organisations too: if your AI system is placed on the EU market or its output is used in the EU, you are likely in scope regardless of where you are based.
When does the EU AI Act take effect?
It entered into force on 1 August 2024 and applies in phases. Prohibited practices and AI literacy applied from 2 February 2025, GPAI and governance rules from 2 August 2025, most of the Act (including Annex III high-risk obligations) from 2 August 2026, and Annex I product-embedded high-risk obligations from 2 August 2027. A pending Digital Omnibus, provisionally agreed on 7 May 2026, may defer some high-risk dates once it is formally adopted.
What are the four risk tiers in the EU AI Act?
Prohibited (banned uses under Article 5), high-risk (strict requirements and conformity assessment for Annex III use cases and Annex I product-embedded AI), limited-risk (transparency duties such as disclosing chatbots and AI-generated content), and minimal-risk (no specific obligations, covering most AI). General-purpose AI models are governed by a separate dedicated regime.
What counts as a high-risk AI system?
Two groups: AI used in listed areas such as recruitment, credit and insurance scoring, education, essential services, critical infrastructure, migration and law enforcement (Annex III), and AI used as a safety component of, or itself a product covered by, existing EU product safety law (Annex I), such as medical devices, machinery and lifts.
What are the penalties for breaching the EU AI Act?
Fines are tiered. Breaching the prohibited-practice rules can cost up to EUR 35 million or 7% of total worldwide annual turnover, whichever is higher. Most other breaches reach up to EUR 15 million or 3%, and supplying incorrect or misleading information up to EUR 7.5 million or 1%, with proportionate caps for SMEs and start-ups.
Does RegSpace make me compliant with the EU AI Act?
No. RegSpace produces draft regulatory intelligence and gap analysis for your qualified counsel to review; it is not legal advice and does not create a lawyer-client relationship. It does not file anything with a regulator, guarantee compliance, or replace your legal team. Every monitoring item is source-linked so your experts can verify it and decide what to do.
Stay ahead of EU AI Act changes, automatically.
RegSpace monitors the regulators that touch you, scores your policies against the law, and drafts the redlines. Every claim cited, every output lawyer-reviewed.