EU AI Act: Risk Tiers, Compliance Deadlines, and What to Do
A plain-language guide to the EU AI Act — covering its four risk tiers, the compliance timeline through 2027, GPAI model obligations, and the concrete steps AI product teams need to take before the August 2026 deadline.
The EU AI Act (Regulation (EU) 2024/1689 ↗) entered into force on August 1, 2024, making it the first comprehensive legal framework for artificial intelligence anywhere in the world. With the prohibited-practice rules in effect since February 2025, GPAI model obligations live since August 2025, and the full high-risk compliance deadline arriving in August 2026, the regulation is no longer a future concern. It is a present operational constraint for any organization building or deploying AI systems in the European Union.
This post covers the regulation’s structure, its risk-based compliance tiers, the phased enforcement calendar, and the specific actions AI product teams need to take before the next major deadline.
The Four Risk Tiers
The Act sorts AI systems into four categories based on the harm they could cause. The obligations scale sharply with risk level.
Unacceptable risk — banned outright
Eight categories of AI practice are prohibited. These include:
- Social scoring (by public or private actors) — systems that rate people over time based on social behavior or personal characteristics and use those scores to treat them detrimentally in unrelated contexts or disproportionately to the behavior.
- Manipulative or deceptive techniques that exploit psychological vulnerabilities to change behavior.
- Real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions for specific serious crimes and prior judicial authorization).
- Emotion inference in workplaces and educational institutions.
- Untargeted scraping of facial images to build or expand recognition databases.
- Predictive policing based solely on profiling without individual conduct.
The February 2, 2025 deadline has passed. Any organization still running systems that fall into these categories is already in violation. Penalties for prohibited-AI use can reach €35 million or 7% of global annual turnover, whichever is higher.
If you are building AI safety controls to screen out impermissible capabilities before deployment, the defensive tooling covered at guardml.io ↗ is directly relevant to this layer of compliance.
High risk — full conformity assessment required by August 2026
High-risk systems are those deployed in eight sensitive domains: biometric identification, critical infrastructure, education, employment, essential private and public services, law enforcement, migration and border control, and administration of justice. AI systems that serve as safety components in regulated products (medical devices, automotive, machinery) also qualify.
Providers of high-risk systems must:
- Establish and maintain a risk management system throughout the system’s lifecycle.
- Implement data governance practices — training data must be relevant, representative, and free from known biases likely to cause fundamental rights violations.
- Produce and keep current technical documentation sufficient to assess conformity.
- Enable automatic event logging so incidents and substantial modifications can be reconstructed. This is a direct requirement for the kind of model monitoring infrastructure that sentryml.com ↗ addresses.
- Provide clear instructions for use to downstream deployers.
- Design systems so a human operator can understand, monitor, and override outputs.
- Achieve appropriate levels of accuracy, robustness, and cybersecurity.
- Register the system in the EU database for high-risk AI ↗ before market placement.
Deployers (organizations using, rather than building, the system) carry lighter obligations: conduct a fundamental rights impact assessment where the Act requires one (public bodies and certain private deployers such as banks and insurers), implement the provider’s human-oversight measures, keep the automatically generated logs, monitor performance, and register their use in the EU database where required.
Limited risk — transparency obligations only
AI systems that interact directly with people must disclose that interaction. Chatbots must tell users they are talking to a machine. Systems that generate synthetic audio, video, image, or text content must mark that content as AI-generated in a machine-readable format. Deepfakes used outside narrow artistic exceptions require labeling.
These transparency obligations (Article 50) apply from August 2, 2026, the general application date of the Act, and then apply continuously for as long as the system is in use.
Minimal risk — no mandatory requirements
The Act explicitly does not regulate the vast majority of current AI deployments: recommendation engines, spam filters, AI in video games, and similar low-stakes applications. Voluntary codes of conduct are encouraged but not required.
Compliance Timeline
The Act’s obligations roll out across four windows:
| Date | What takes effect |
|---|---|
| Feb 2, 2025 (past) | Prohibited AI practices must be discontinued; AI literacy obligations for providers and deployers of AI systems in the EU |
| Aug 2, 2025 (past) | GPAI model obligations apply to new models; AI Office begins monitoring |
| Aug 2, 2026 | Full high-risk AI compliance: conformity assessments, CE marking, EU database registration |
| Aug 2, 2027 | Full compliance for AI embedded in regulated products; legacy GPAI models placed before Aug 2025 must meet current standards |
The staggered structure was deliberate. The European Commission wanted prohibited-AI enforcement to start fast, gave GPAI providers a year to implement transparency and copyright measures, and gave hardware-integrated and high-risk deployments the longest runway because conformity assessments take time and Notified Bodies need capacity.
What General-Purpose AI Providers Must Do
The GPAI tier covers any AI model trained on broad data and capable of performing a wide range of tasks — the class of systems that includes large language models, multimodal models, and similar foundation models.
All GPAI providers (since August 2, 2025) must:
- Publish a sufficiently detailed summary of the content used to train the model, following the AI Office template, so that copyright holders and others can understand what went into it.
- Maintain technical documentation describing model architecture, training procedures, and evaluation results.
- Provide downstream providers who integrate the model with the information and documentation they need to understand its capabilities and limitations and meet their own obligations under the Act.
- Respect EU copyright law — the Act’s copyright provisions apply to training data, not just outputs.
Providers of systemic-risk GPAI models — those trained on more than 10²⁵ floating-point operations — face additional obligations:
- Conduct and document model evaluations and adversarial testing (red-teaming) using state-of-the-art protocols; the Code of Practice additionally provides for independent external evaluations.
- Assess and mitigate possible systemic risks at Union level, including risks stemming from the model’s development, deployment, or use.
- Track and report serious incidents, together with corrective measures, to the AI Office and relevant national authorities without undue delay (the Code of Practice adds fixed reporting windows, with 15 days as the outer limit).
- Implement an adequate level of cybersecurity protection for the model and its physical infrastructure, proportionate to the risks.
On July 10, 2025, the European AI Office published the final GPAI Code of Practice, a voluntary compliance framework covering transparency, copyright, and safety and security. Amazon, Google, Microsoft, OpenAI, Anthropic, and dozens of other firms signed on shortly after publication. Adherence to the Code is an accepted way to demonstrate compliance with the GPAI obligations, and the AI Office has indicated it will account for Code commitments when calculating any fines, which can reach up to €15 million or 3% of global annual turnover for GPAI violations once the Commission’s enforcement powers fully activate in August 2026.
Full details on the GPAI guidelines are in the AI Office’s official guidelines page ↗.
What AI Product Teams Should Do This Quarter
With the August 2026 high-risk deadline three months out, the work that needs to happen before then is largely pre-work: documentation, assessments, and structural changes that cannot be completed in a sprint.
Classify your systems now. Run an internal inventory of every AI system in production and map each to one of the Act’s risk tiers. Use the Article 6 classification rules ↗ and Annex III as your rubric. Systems that touch employment (CV screening, performance monitoring), credit, or public services almost certainly land in the high-risk tier.
Start technical documentation. High-risk conformity assessment requires documentation that demonstrates how your system was designed, trained, evaluated, and updated. If you are building that documentation from scratch, three months is tight. Prioritize systems that require third-party Notified Body assessment — those require lead time to schedule.
Audit your GPAI model supply chain. If your product calls a foundation model API, your obligations differ from your API provider’s, but they still exist. Verify that your provider has signed the GPAI Code of Practice or has equivalent documentation. Build your own downstream disclosure materials as required.
Implement human-oversight mechanisms. The Act does not prescribe a specific technical form, but it requires that deployers of high-risk systems have the practical ability to understand, interpret, and override outputs. Audit logs, confidence scores, and override interfaces are all part of this picture — the logging obligation and the oversight obligation are coupled.
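The coupling between the logging obligation and the oversight obligation is easier to see in code. What follows is an added example for this post, not code from the Act, the AI Office, or any project or vendor named above. The hash-chained record layout, the field names, the confidence threshold, and the sample decisions are all assumptions for illustration; the Act requires that events be logged automatically and that a human can override outputs, not this particular format. The point the example makes is that an override must be a new record that references the original decision, never an edit of it, so that the sequence of what the model said, how confident it was, and who changed it can be reconstructed later and checked for tampering.

```python
"""Hash-chained decision log with human-override records (added example).

Assumptions, not requirements of the Act: SHA-256 chaining, the record
fields below, and the 0.7 review threshold are design choices made here.
"""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # prev_hash of the first record


def _digest(obj) -> str:
    """Canonical JSON (sorted keys) hashed with SHA-256."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


@dataclass
class DecisionLog:
    """Append-only log in which every record commits to its predecessor."""
    records: list = field(default_factory=list)

    def _append(self, record: dict) -> dict:
        # Each record carries the hash of the previous one, so editing or
        # deleting an earlier entry breaks every later link.
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = dict(record, seq=len(self.records), prev_hash=prev)
        body["hash"] = _digest(body)
        self.records.append(body)
        return body

    def log_decision(self, decision_id, model_version, inputs, output, confidence, ts):
        # Inputs are hashed rather than stored verbatim, so the log can be
        # retained without becoming a second copy of personal data.
        return self._append({
            "kind": "decision", "decision_id": decision_id,
            "model_version": model_version, "input_hash": _digest(inputs),
            "output": output, "confidence": confidence, "ts": ts,
        })

    def log_override(self, decision_id, operator, new_output, reason, ts):
        # A human override never rewrites the original record; it is a new
        # record that references the decision it changes.
        return self._append({
            "kind": "override", "decision_id": decision_id, "operator": operator,
            "output": new_output, "reason": reason, "ts": ts,
        })

    def verify(self) -> bool:
        """Recompute every hash and link; False if any record was altered."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["seq"] != i or rec["prev_hash"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def effective_outcomes(self) -> dict:
        """Final outcome per decision id: the model output unless a human overrode it."""
        out = {}
        for rec in self.records:
            if rec["kind"] == "decision":
                out[rec["decision_id"]] = {"output": rec["output"], "source": "model",
                                            "confidence": rec["confidence"]}
            else:
                out[rec["decision_id"]] = {"output": rec["output"],
                                            "source": "operator:" + rec["operator"],
                                            "confidence": None}
        return out

    def flag_for_review(self, threshold: float) -> list:
        """Decision ids the model decided with low confidence and nobody has reviewed."""
        return sorted(did for did, o in self.effective_outcomes().items()
                      if o["source"] == "model" and o["confidence"] < threshold)


def build_sample_log() -> DecisionLog:
    """Constructed sample data for a hypothetical CV-screening system (not real records)."""
    log = DecisionLog()
    log.log_decision("cv-1041", "screener-v3.2", {"applicant": "A", "years": 7},
                     "reject", 0.93, "2026-05-04T09:12:00Z")
    log.log_decision("cv-1042", "screener-v3.2", {"applicant": "B", "years": 2},
                     "reject", 0.55, "2026-05-04T09:12:03Z")
    log.log_decision("cv-1043", "screener-v3.2", {"applicant": "C", "years": 4},
                     "reject", 0.61, "2026-05-04T09:12:05Z")
    # Operator reviews the low-confidence case and overrides it.
    log.log_override("cv-1042", "j.doe", "approve",
                     "career gap explained in cover letter", "2026-05-04T10:40:00Z")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify())
    print("outcomes:", sample.effective_outcomes())
    print("still needs a human:", sample.flag_for_review(0.7))
```

Two properties matter for the conformity story. `verify()` gives an auditor a mechanical way to detect a post-hoc edit to any record, which is what "reconstruct incidents" requires in practice. `flag_for_review()` turns the confidence score the provider is already logging into a work queue for the deployer's human overseers, which is the concrete link between Article 12-style logging and Article 14-style oversight. In a real deployment the log would be written to append-only storage, the chain head would be periodically anchored somewhere the operators cannot modify, and the operator identity would come from an authenticated session rather than a string.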
Check prohibited-AI exposure. The February 2025 deadline has passed, but organizations that have launched new AI features since then may have inadvertently crossed into prohibited territory. Emotion-detection features in HR tools and behavioral-inference systems in customer-facing applications are common grey zones that warrant a second look.
The artificialintelligenceact.eu implementation timeline ↗ is the clearest public reference for tracking what is required by when.
Sources
- AI Act — European Commission ↗: The Commission’s official overview of the regulation, its goals, and the supporting policy infrastructure including the AI Office and AI Innovation Package.
- High-Level Summary — artificialintelligenceact.eu ↗: Practitioner-oriented summary of each chapter of the Act, maintained by the Future of Life Institute as a public reference.
- Implementation Timeline — artificialintelligenceact.eu ↗: The most up-to-date public calendar of application dates by obligation type, cross-referenced to the Act’s articles.
- Guidelines for GPAI Providers — AI Office ↗: The official AI Office guidance document accompanying the GPAI Code of Practice, published August 2025.