What are the key EU AI Act deadlines for 2025 and 2026?

The three critical EU AI Act deadlines are: February 2, 2025 — prohibited AI practices banned (social scoring, real-time biometric surveillance in public spaces, emotion recognition in workplaces/schools); August 2, 2025 — GPAI (General-Purpose AI) model rules and governance obligations take effect; August 2, 2026 — high-risk AI system obligations fully apply, including conformity assessments, technical documentation, and registration requirements.

Which AI systems are classified as high-risk under the EU AI Act?

High-risk AI systems under the EU AI Act include those used in: critical infrastructure (energy, water, transport); educational or vocational training (student assessment, admission); employment decisions (CV screening, hiring, performance monitoring); essential private and public services (credit scoring, benefits eligibility); law enforcement and border control; administration of justice; biometric identification and categorization. Any AI system embedded in regulated products (medical devices, machinery, vehicles) is also high-risk.

EU AI Act Compliance Checklist for Enterprises (2026 Deadline)

Q: What documentation is required for EU AI Act compliance?

High-risk AI systems require: (1) Technical documentation covering system design, capabilities, limitations, and training data; (2) Risk management system documentation; (3) Data governance and management practices; (4) Transparency and user information documentation; (5) Human oversight measures; (6) Accuracy, robustness, and cybersecurity specifications; (7) Conformity assessment records; (8) EU Declaration of Conformity; (9) Registration in the EU AI database. Documentation must be maintained and updated throughout the system's lifecycle.

Q: What are the penalties for EU AI Act non-compliance?

EU AI Act penalties are tiered by violation severity: up to €35 million or 7% of global annual turnover for deploying prohibited AI systems; up to €15 million or 3% of global annual turnover for non-compliance with high-risk system obligations; up to €7.5 million or 1.5% of global annual turnover for providing incorrect information to authorities. For SMEs and startups, the lower of the two figures applies. Penalties can be applied by national market surveillance authorities in each EU member state.

← Back to all posts

EU AI Act compliance means ensuring your AI systems meet the legal requirements of Regulation 2024/1689 — classifying each system by risk tier, implementing mandatory controls, maintaining technical documentation, and registering applicable systems in the EU database. Non-compliance carries fines up to €35 million or 7% of global annual turnover.

If your enterprise uses AI — and at this point, which enterprise doesn't — the EU AI Act is not a future problem. Two of three major compliance deadlines have already passed. The third and most demanding one, covering high-risk AI systems, arrives August 2, 2026.

This guide gives you the complete picture: what the law requires, how to classify your systems, the full compliance checklist, documentation requirements, and what happens if you miss the deadline. No filler, no vague summaries — just what your legal, compliance, and AI teams need to act.

The Three EU AI Act Deadlines (And Where We Are Now)

The EU AI Act was officially published in the Official Journal on July 12, 2024, and entered into force on August 1, 2024. From that date, obligations roll out in waves:

Date	What Takes Effect	Status
February 2, 2025	Prohibitions on unacceptable-risk AI practices	Passed
August 2, 2025	GPAI model obligations, governance rules, codes of practice	Passed
August 2, 2026	High-risk AI system obligations fully apply	NOW
August 2, 2027	High-risk AI in Annex I regulated products (legacy systems)	Upcoming

The August 2026 deadline is the one that directly hits the broadest range of enterprise AI deployments. If your organization has AI systems in hiring, credit assessment, benefits decisions, critical infrastructure, or law enforcement support — you're in scope now.

"The EU AI Act is the most consequential AI regulation ever enacted. Unlike the GDPR, which applied broadly to data processing, the AI Act targets specific high-stakes uses of AI with highly specific technical and governance requirements." — European AI Office, 2025

Risk Classification: The Four Tiers

The EU AI Act uses a risk-based approach. Your compliance obligations depend entirely on which risk tier your AI systems fall into. Getting the classification right is the first — and most important — step.

Tier 1: Unacceptable Risk (Prohibited)

These AI practices are banned outright. As of February 2, 2025, deploying any of the following is illegal in the EU regardless of where your company is headquartered, if the system affects people in the EU:

Social scoring systems — AI that rates or ranks individuals based on behavior, personality, or social characteristics for purposes of denying services or opportunities
Real-time biometric surveillance in public spaces — live facial recognition by law enforcement in public areas (narrow exceptions exist for terrorism, missing children, crime prosecution)
Emotion recognition in workplaces and educational institutions — AI that infers the emotional state of workers or students
Biometric categorization by sensitive characteristics — inferring race, political opinion, religious belief, sexual orientation, or trade union membership from biometric data
Subliminal manipulation — AI that exploits subconscious vulnerabilities to alter behavior against a person's interests
Exploitation of vulnerabilities — AI targeting children, elderly, or disabled individuals through manipulation techniques
Predictive policing based solely on profiling — AI that assesses individual criminal risk without objective evidence

If you're running any of these systems, stop immediately. The risk is not just regulatory — it's reputational and potentially criminal.

Tier 2: High Risk (Heavily Regulated)

High-risk systems are permitted but face the most substantial compliance obligations. There are two categories:

Category A — AI in regulated products (medical devices, machinery, vehicles, toys, aviation equipment, etc.) — these inherit the compliance framework of the applicable product regulation plus the AI Act requirements.

Category B — Standalone high-risk AI systems defined in Annex III:

Biometric identification and categorization systems
AI managing critical infrastructure (electricity, water, gas, transport, digital infrastructure)
AI used in educational admissions, grading, student assessment, or dropout prediction
AI in recruitment, job matching, promotion, termination, performance monitoring, and task allocation
AI in credit scoring, insurance underwriting, and essential public benefits eligibility
AI assisting law enforcement in crime risk assessment, evidence evaluation, or profiling
AI in border management and migration control
AI supporting judicial decisions or alternative dispute resolution
AI used in democratic processes (voter registration, political targeting at scale)

This is where most enterprise compliance work lives. Agentic AI systems deployed in any of these domains are automatically high-risk — autonomous decision-making in regulated contexts doesn't reduce the obligation, it intensifies it.

Tier 3: Limited Risk (Transparency Obligations)

Limited-risk systems face lighter requirements focused on user transparency:

Chatbots and conversational AI — users must be told they're interacting with an AI (unless obvious from context)
AI-generated content — deepfakes, synthetic images and video must be labeled as AI-generated
Emotion recognition and biometric categorization (outside prohibited uses) — users must be informed

These obligations are already in effect. If your enterprise uses customer-facing chatbots without disclosure, you're already out of compliance.

Tier 4: Minimal Risk (No Mandatory Obligations)

AI systems like spam filters, AI-powered video games, inventory optimization tools, and basic recommendation engines fall here. No mandatory compliance obligations, though the EU encourages voluntary codes of conduct. Most AI in your enterprise stack — productivity tools, document summarization, internal search — is likely in this tier.

The Complete EU AI Act Compliance Checklist

The following checklist covers the obligations that apply to high-risk AI systems as of August 2, 2026. Work through each item with your AI governance, legal, and technical teams.

Phase 1: Inventory and Classification

1. Complete AI system inventory. List every AI system your organization deploys, purchases, or develops — including embedded AI in third-party software. Many organizations undercount because AI is embedded in SaaS tools they don't think of as "AI systems."

2. Classify each system by risk tier. Map every inventory item against the four risk tiers. Document your classification rationale. Regulatory authorities can request to see how you determined a system was not high-risk — "we assumed it wasn't" is not a defensible position.

3. Identify your role for each system. For each high-risk system, determine whether you are the provider (developer/manufacturer), deployer (using another's AI in your business), or both. Obligations differ significantly. Deployers have lighter obligations than providers but still face meaningful requirements.

4. Check for prohibited practices. Verify that no current or planned AI use falls into the unacceptable-risk category. This review must be documented. Include use cases that were "experimental" or "pilot" — the law doesn't exempt proof-of-concept deployments that are in production.

Phase 2: Governance and Accountability

5. Assign clear ownership for AI compliance. Designate an AI compliance function — whether a dedicated officer, a cross-functional team, or an expanded role for your DPO. Define accountability clearly. Regulators will ask who is responsible for each system. The answer cannot be "the vendor."

6. Establish an AI governance framework. Document your organization's policies for AI development, procurement, deployment, and monitoring. Your AI governance framework should address risk classification procedures, change management, incident response, and ongoing monitoring — not just one-time compliance checks.

7. Implement a risk management system for each high-risk AI. Article 9 requires a documented, ongoing risk management process — not a one-time assessment. This means: identifying and analyzing known and foreseeable risks, estimating and evaluating residual risks, adopting mitigation measures, and testing effectiveness before deployment and throughout the lifecycle.

8. Conduct vendor due diligence on third-party AI. If you're a deployer, you're still responsible for compliance. Review contracts with AI providers: demand compliance documentation, conformity assessments, and technical documentation access. Update procurement policies to require EU AI Act compliance as a condition of purchase.

Phase 3: Technical Documentation

9. Prepare and maintain technical documentation (Article 11). For each high-risk AI system, create documentation covering: system description and intended purpose, design and development methodology, training data description and data governance practices, system capabilities and limitations, performance metrics, testing and validation results, and known or foreseeable risks.

10. Establish data governance practices (Article 10). Training, validation, and test datasets must meet quality criteria. Document: data sources and collection methods, data processing operations, data relevance and representativeness, known biases and mitigation steps, and how personal data is handled. This documentation must be kept for 10 years after the system is placed on the market.

11. Implement automatic logging (Article 12). High-risk AI systems must automatically log events throughout operation — particularly logs that enable post-hoc reconstruction of circumstances surrounding incidents. Minimum logging requirements include: date and time of each use, the reference database used (for biometric systems), input data that led to the system's output, and identity of persons involved in verification.

12. Create user-facing instructions for use (Article 13). Providers must supply deployers with clear instructions covering: intended purpose and limitations, performance levels and potential biases, human oversight requirements, maintenance and care instructions, and what data is logged. Deployers must ensure these instructions are followed.

Phase 4: Human Oversight and Controls

13. Implement human oversight mechanisms (Article 14). High-risk AI must be designed and deployed so that humans can: understand the system's capabilities and limitations, monitor operation and detect anomalies, override or interrupt the system at any time, and decline to use the output in any given situation. Document how each of these capabilities is implemented in practice — not just in policy.

14. Train personnel who interact with high-risk AI. Deployers must ensure that staff operating or overseeing high-risk AI have sufficient AI literacy and are trained on the system's intended purpose, accuracy limitations, possible risks, and human oversight responsibilities. Training must be documented and updated when systems change.

Phase 5: Conformity and Registration

15. Complete a conformity assessment (Article 43). Providers must conduct a conformity assessment before placing a high-risk AI system on the market. For most systems, this is a self-assessment against the requirements of Articles 9–15. For biometric identification systems and AI in regulated products, third-party conformity assessment by a notified body is required. Document the assessment methodology and results.

16. Issue EU Declaration of Conformity. Once conformity assessment is complete, providers must issue and sign a Declaration of Conformity (DoC) for each high-risk AI system. The DoC must include: system name and version, the provider's identity and address, a statement that the system conforms to applicable requirements, references to standards or specifications applied, and date and signature.

17. Affix CE marking (where applicable). High-risk AI systems covered by EU harmonized product legislation must bear the CE marking, indicating conformity. For standalone AI systems in Annex III, the CE marking requirement applies but takes the form of documentation — no physical marking on software.

18. Register in the EU AI database (Article 71). Providers must register high-risk AI systems in the publicly accessible EU AI database before deployment. Required registration fields include: provider identity, system name and version, intended purpose, risk classification, summary of conformity assessment, and contact information for post-market oversight. Deployers in public-sector contexts have their own registration obligations.

Phase 6: Ongoing Compliance

19. Establish post-market monitoring (Article 72). Compliance doesn't end at deployment. Providers must implement a post-market monitoring plan to continuously evaluate system performance against stated accuracy metrics, detect new risks as deployment context evolves, and document monitoring results. Monitoring must be proportionate to the system's risk profile.

20. Implement incident reporting procedures (Article 73). Serious incidents — those resulting in death, serious harm, significant property damage, or serious fundamental rights violations — must be reported to national market surveillance authorities. Providers must report within 15 days of becoming aware of a serious incident. Deployers must notify providers immediately upon discovering an incident.

Penalties: What Non-Compliance Actually Costs

The EU AI Act penalty structure is designed to be significant enough to create real deterrence — even for large enterprises. Penalties are tiered by violation type:

Violation Type	Maximum Fine	Revenue Cap
Deploying a prohibited AI system	€35,000,000	7% of global annual turnover
Non-compliance with high-risk obligations	€15,000,000	3% of global annual turnover
Providing false or misleading information to authorities	€7,500,000	1.5% of global annual turnover

The higher of the two figures applies to large companies. The lower applies to SMEs and startups. For a company with €10 billion in global revenue, a 7% fine is €700 million — making the EU AI Act the most financially consequential AI regulation ever enacted.

National market surveillance authorities (one per EU member state) have investigative powers including: requesting documentation, conducting on-site audits, requiring system modifications, and ordering market withdrawal. The European AI Office oversees GPAI model providers directly.

"Non-compliance is not just a legal risk. It's a procurement risk. Enterprise customers — especially in regulated industries — are already requiring EU AI Act compliance attestations as a condition of doing business." — EU AI Office, March 2026

Even if your organization is headquartered outside the EU, the Act has extraterritorial scope: if your AI system's output is used in the EU, you are subject to the regulation. U.S. and APAC enterprises deploying AI for EU customers, employees, or citizens need to comply.

GPAI Models: The Additional Layer

If your organization develops or fine-tunes General-Purpose AI (GPAI) models — foundation models or large language models — you face an additional compliance layer that took effect August 2, 2025.

GPAI obligations apply to any model trained on broad data that can perform a wide range of tasks. This includes internal fine-tunes of open-source models, not just externally deployed models.

Standard GPAI obligations (all providers):

Prepare and maintain technical documentation of the model
Provide information and documentation to downstream deployers
Comply with EU copyright law and maintain a copyright compliance policy
Publish a summary of training data used

Systemic-risk GPAI obligations (models trained with >10^25 FLOPs, or designated by the European Commission):

Perform model evaluations including adversarial testing
Assess and mitigate systemic risks at the EU levelReport serious incidents to the European AI Office
Implement cybersecurity protections
Report energy consumption and compute used for training

Most enterprises using commercially available foundation model APIs (OpenAI, Anthropic, Google) are not GPAI providers. But if you've fine-tuned a model on proprietary data and deployed it at scale, get legal advice on whether GPAI obligations apply.

Agentic AI and the EU AI Act: A Critical Intersection

Autonomous AI agents — systems that plan, execute multi-step tasks, and make decisions without constant human direction — create one of the most complex classification challenges under the EU AI Act.

The key question: Does the agent's domain of action make it high-risk?

An agent that automates internal document summarization is almost certainly minimal risk. An agent that screens job applications, makes preliminary hiring recommendations, or manages credit decisioning workflows is high-risk — regardless of how "automated" the underlying process appears. The Act looks at the function and output, not the architecture.

This creates a specific challenge for enterprises deploying agentic AI across multiple departments: the same agent framework may be minimal risk in one deployment and high-risk in another, depending on what it's doing and whose decisions it influences.

Our full guide to AI agent governance frameworks covers how to build the oversight infrastructure that satisfies both the EU AI Act's human oversight requirements and the operational reality of running autonomous agents at scale.

For security teams concerned about the attack surface of autonomous agents, the AI agent security risk assessment guide for CISOs covers the intersection of security controls and regulatory compliance — including how logging and access controls required by the Act also reduce your security exposure.

Documentation Requirements in Detail

The EU AI Act's documentation requirements are more specific than any previous AI regulation. This section provides the detailed breakdown your technical and compliance teams need.

Technical Documentation (Article 11 + Annex IV)

Technical documentation must cover:

General description: System name, version, intended purpose, geographic scope, categories of users, hardware requirements
System description and general process: How the AI produces its outputs, including the logic, algorithms, and key design choices
Detailed description of elements: For trained models — architecture, training methodologies, hyperparameters, training data description; for non-trained systems — functional specifications and development approach
Information on training and testing data: Data provenance, collection methods, preprocessing, selection criteria, labeling procedures, dataset statistics, and known limitations
Changes through the lifecycle: Version control records of any significant changes, with dates and nature of changes
Assessment of measures for Union law compliance: How the system meets applicable EU law beyond the AI Act itself (GDPR, anti-discrimination law, etc.)
Detailed plan of conformity assessment: Which assessment procedure was applied and why

Retention requirement: Technical documentation must be kept for 10 years after the system is placed on the market or put into service.

Risk Management Documentation (Article 9)

Risk management is an ongoing process, not a one-time exercise. Required documentation includes:

Risk identification methodology and results
Risk analysis and estimation for each identified risk
Risk evaluation decisions (acceptable/unacceptable, mitigation required)
Risk control measures implemented
Residual risk evaluation post-mitigation
Overall residual risk assessment
Testing results confirming risk controls work as intended

Post-Market Monitoring Plan (Article 72)

The monitoring plan must specify:

Metrics for evaluating ongoing performance (accuracy, error rates, bias indicators)
Data collection mechanisms during deployment
Monitoring frequency and reporting cadence
Thresholds that trigger escalation or incident reporting
Responsibilities for monitoring activities

How to Prioritize: A Practical Approach

If you're reading this in the weeks before the August 2026 deadline and haven't yet started, here's a realistic prioritization sequence:

Week 1–2: Stop the Bleeding

Identify any systems that might be using prohibited AI practices — especially emotion recognition in workplace contexts and social scoring. These need immediate review and likely immediate shutdown.
Check your customer-facing chatbots and virtual assistants for required AI disclosure. This is a quick fix with immediate legal exposure if not done.
Pull together your AI inventory. Even a rough spreadsheet is better than nothing — you need to know what you have before you can assess what you owe.

Week 3–4: Classify and Prioritize

Complete the risk classification for your full inventory. Involve legal counsel for borderline cases.
Identify your highest-exposure high-risk systems — particularly those in employment, credit, and benefits decisions — and prioritize them for immediate compliance work.
Contact your key AI vendors to request their compliance documentation. Many vendors have prepared conformity assessment packages — ask for them now, before the deadline queue gets long.

Month 2–3: Build the Framework

Implement your risk management system for high-priority systems.
Begin technical documentation for high-risk systems, starting with the most widely deployed.
Establish the human oversight mechanisms required for each high-risk deployment.
Train personnel who work with high-risk AI systems.

Month 4–6: Complete and Register

Complete conformity assessments for all high-risk systems.
Issue EU Declarations of Conformity.
Register in the EU AI database.
Establish post-market monitoring and incident reporting procedures.

This timeline assumes substantial pre-existing governance infrastructure. If you're starting from scratch, bring in external compliance support — the documentation requirements alone are substantial, and the legal exposure for getting classification wrong is significant.

For organizations evaluating AI governance platforms to support compliance, the right platform can dramatically accelerate documentation, monitoring, and audit trail creation. Manual approaches to post-market monitoring don't scale across large AI portfolios.

Non-Human Identities and the AI Act

One underexamined dimension of EU AI Act compliance involves AI agents that operate with their own credentials, API keys, and system access — what security teams call non-human identities (NHIs).

The logging requirements under Article 12 assume that you can trace every action a high-risk AI system took, with what data, and at what time. If your AI agents operate through shared credentials or unmanaged service accounts, this traceability is impossible to achieve. You can't produce the audit trail the regulation requires if you can't distinguish one agent's actions from another's.

Building proper non-human identity governance — unique credentials per agent, scoped permissions, access logs — is not just a security best practice. For high-risk AI deployments, it's a compliance requirement. If the audit comes and you can't produce the required logs, the conformity assessment you filed is effectively false.

What iEnable Does for EU AI Act Compliance

EU AI Act compliance is ultimately a governance problem. The law requires documentation, oversight, logging, accountability, and ongoing monitoring — the same capabilities that good AI governance infrastructure provides.

iEnable is built around the principle that AI agents should operate within defined, auditable boundaries. Every AI teammate deployed through iEnable includes:

Automatic audit trails — every action logged with timestamp, context, and outcome, satisfying Article 12's logging requirements for high-risk systems
Defined authority levels — what each agent can do, what requires human approval, what is prohibited, documented from the start
Human override controls — any agent can be paused, redirected, or overridden at any time, satisfying Article 14's human oversight mandate
Least-privilege access — agents access only the systems and data required for their specific task, supporting your data governance documentation
Role-based deployment governance — who deployed what, when, with what authorization — creating the accountability chain regulators expect

This doesn't mean iEnable does your compliance work for you. You still need legal counsel, proper classification, and conformity assessments. But the operational infrastructure — the logging, the oversight controls, the audit trails — is built in rather than bolted on.

For a deeper look at what AI agent governance means in practice, and how it maps to regulatory frameworks including the EU AI Act, start with our foundational guide.

The Bottom Line

The EU AI Act is not going away, and enforcement is not theoretical. National market surveillance authorities are being staffed and empowered. The European AI Office is actively developing compliance guidance. And enterprise customers in regulated industries are already making EU AI Act compliance a procurement requirement.

The August 2, 2026 deadline for high-risk AI obligations is here. If you haven't started, start today — with the inventory, the classification, and the highest-exposure systems. If you've started, make sure you're covering the ongoing obligations — monitoring, incident reporting, and documentation maintenance — not just the one-time conformity assessment.

The companies that get this right will deploy AI with confidence. They'll have the audit trails to demonstrate compliance, the governance infrastructure to adapt as rules evolve, and the documentation to defend their systems when scrutiny comes.

The companies that don't will face fines, market withdrawal orders, and the cost of emergency compliance remediation — which is always more expensive than doing it right the first time.

FAQ: EU AI Act Compliance

What is EU AI Act compliance?

EU AI Act compliance means ensuring your AI systems meet the legal requirements of Regulation 2024/1689 — classifying each system by risk tier, implementing mandatory controls for high-risk systems, maintaining technical documentation, and registering applicable systems in the EU database. Non-compliance carries fines up to €35 million or 7% of global annual turnover.

What are the key EU AI Act deadlines?

The three main deadlines: February 2, 2025 (prohibitions on unacceptable-risk AI took effect), August 2, 2025 (GPAI model obligations took effect), and August 2, 2026 (high-risk AI system obligations fully apply). A fourth deadline in August 2027 covers high-risk AI in Annex I regulated products like medical devices and vehicles.

Which AI systems are high-risk under the EU AI Act?

High-risk systems include AI used in: employment and HR decisions (hiring, performance monitoring, termination); credit scoring and insurance underwriting; educational admissions and student assessment; critical infrastructure management; law enforcement; border control; and judicial support. AI embedded in regulated products (medical devices, vehicles, machinery) is also high-risk.

What documentation is required for EU AI Act compliance?

High-risk AI systems require: technical documentation covering design, capabilities, training data, and testing results; a risk management system with ongoing records; data governance documentation; instructions for use for deployers; human oversight implementation records; and a post-market monitoring plan. All documentation must be retained for 10 years.

What are the penalties for EU AI Act non-compliance?

Penalties are tiered: up to €35 million or 7% of global annual turnover for deploying prohibited AI; up to €15 million or 3% of turnover for non-compliance with high-risk obligations; up to €7.5 million or 1.5% of turnover for providing false information to authorities. For large enterprises, the higher figure applies. Enforcement is through national market surveillance authorities in each EU member state.

Build EU AI Act Compliance Into Your AI Deployments

iEnable's governance-first platform gives every AI agent audit trails, defined authority levels, and human oversight controls from day one — the operational infrastructure that EU AI Act compliance requires. No retrofitting. No scrambling before the audit.

See How iEnable Works →