Last reviewed: May 2026 · 14 min read · Category: EU Regulation

The EU AI Act: Scope, Requirements, and Compliance Guide for 2026

What is the EU AI Act?

Regulation (EU) 2024/1689, commonly referred to as the EU AI Act, is the European Union's horizontal regulation of artificial intelligence. It entered into force on 1 August 2024 and applies in phases through August 2027. The Act establishes a risk-based framework: AI practices considered unacceptable are prohibited, high-risk AI systems are subject to extensive requirements, and limited-risk systems carry transparency obligations only.

Who does the EU AI Act apply to?

The Act applies to providers placing AI systems on the EU market, to deployers using AI systems in the EU, and to providers and deployers established outside the EU where the output of the AI system is used within the Union. This extraterritorial reach mirrors the structure of the GDPR and means many non-EU organisations are in scope.

Non-EU organisations

A US-based AI provider selling a high-risk AI system to a European bank is subject to the same obligations as a European provider. A non-EU SaaS company whose AI features are accessed by European users is in scope as a provider for those features. See "Does the EU AI Act apply to US companies?" for a detailed analysis.

EU AI Act risk classification: the four tiers

The Act classifies AI systems into four tiers. Unacceptable risk practices — social scoring by public authorities, exploitative targeting of vulnerabilities, untargeted scraping of facial images — are prohibited from February 2025. High-risk AI systems are permitted but subject to conformity assessment, technical documentation, risk management, human oversight, and registration in the EU database. Limited-risk systems, including most chatbots, carry transparency obligations. Minimal-risk systems carry no specific obligations.

High-risk AI systems: the complete list

High-risk AI systems are listed in Annex III of the Act and include systems used in biometric identification, critical infrastructure management, education and vocational training, employment and worker management, access to essential services, law enforcement, migration and border control, and administration of justice and democratic processes. AI systems that serve as safety components of products covered by EU harmonisation legislation listed in Annex I are also classified as high-risk.

For a detailed list and the obligations that follow, see our guide on high-risk AI systems.

EU AI Act enforcement timeline and deadlines

The Act applies in phases. February 2025: prohibitions on unacceptable practices apply. August 2025: obligations for providers of general-purpose AI models apply. August 2026: obligations for high-risk systems under Annex III apply. August 2027: full application including high-risk systems that are safety components of products under Annex I. See our dedicated enforcement timeline for the complete schedule and transitional provisions.

EU AI Act fines and penalties

Penalties scale with the severity of the infringement. Violation of the prohibition on unacceptable AI practices can result in administrative fines up to €35 million or 7 percent of global annual turnover, whichever is higher. Other infringements of obligations applicable to providers, deployers, and notified bodies can result in fines up to €15 million or 3 percent of turnover. Supplying incorrect information to authorities can result in fines up to €7.5 million or 1 percent of turnover. See our penalties guide for enforcement structure and supervisory authority allocation.

How ISO 42001 supports EU AI Act compliance

ISO 42001 provides a management system framework that addresses many AI Act obligations, particularly those relating to risk management, governance, documentation, and human oversight. An organisation operating a certified ISO 42001 management system covering its in-scope AI systems will be in a substantially better position to demonstrate compliance during a regulatory inspection. ISO 42001 does not, on its own, satisfy the technical requirements of high-risk systems under Articles 9 to 15 of the Act, which require system-specific evidence.

Which software tools support EU AI Act compliance?

Several compliance platforms released EU AI Act framework support during 2025. Vanta and OneTrust offer the most complete coverage as of mid-2026. Drata, Sprinto, Secureframe, and Thoropass each cover a substantial subset of provider obligations, with deployer obligations and GPAI requirements typically less mature.
