EU AI Act high-risk rules take effect August 2, 2026, with full effect by August 2, 2027. Penalties reach €35 million or 7% of global annual turnover.
The EU AI Act enters into force on August 2, 2026, creating a unified regulatory framework for artificial intelligence across all 27 EU member states and the European Economic Area. Unlike the patchwork of US state laws, the EU AI Act is a single directive with direct applicability — companies serving EU customers cannot negotiate compliance state-by-state. The regulatory environment is layered: existing data-protection obligations under GDPR remain in force and interact with new AI-specific requirements. The EU AI Act imposes transparency, documentation, and risk-assessment obligations regardless of where the company is incorporated, making it effectively extra-territorial for any business with EU users, customers, or employees.
The EU AI Act uses a risk-based compliance framework that escalates with system impact. The framework identifies four risk tiers: prohibited AI systems (facial recognition in law enforcement, social credit scoring, subliminal manipulation); high-risk systems (hiring, benefits determination, law enforcement, biometric identification, facial emotion recognition); limited-risk systems (chatbots and transparent AI); and minimal-risk systems (game AI, spam filters). High-risk systems require pre-deployment impact assessments, bias and fairness testing, documented risk mitigation, human oversight mechanisms, and transparency to end users. Limited-risk systems require transparency disclosures. The tiered approach means compliance effort scales with AI risk — but almost any business AI system will land in the high-risk or limited-risk category, triggering active obligations.
Penalties for non-compliance are severe: up to €35 million or 7% of global annual turnover, whichever is higher. Fines accumulate per violation, and per-decision violations (e.g., a non-compliant AI system used in 1,000 hiring decisions) can multiply exposure. Unlike US state laws where compliance is sector-specific, the EU AI Act applies uniformly across all industries — healthcare, finance, government, retail, recruitment, all face the same framework. Some member states have enacted opt-out rights for citizens, allowing individuals to request human-only decisions in high-risk contexts. The financial and operational stakes make EU AI Act compliance a separate, high-priority workstream from US state-law compliance.
Compliance with the EU AI Act is not a forward-looking exercise — August 2, 2026 is the enforcement start date. Businesses should treat this deadline the same way they treated GDPR's May 25, 2018 enforcement date: as a hard cutoff after which non-compliance creates daily exposure. National data-protection authorities and AI-specific regulators (newly established in many member states) will begin accepting complaints and conducting audits immediately upon enforcement. The most effective compliance strategy is to conduct an immediate AI inventory, prioritize high-risk systems for pre-deployment assessment, complete bias and fairness testing, and establish documentation and human-review processes before August 2. Attempting remediation after enforcement has begun creates longer periods of documented non-compliance and higher penalty exposure.
EU AI & digital regulations
Updated July 12, 2026The Union-level Regulations and Directives that govern AI, pulled automatically from the official EU law database (EUR-Lex). Each links to the authoritative text, with its CELEX reference and current in-force status.
Cybersecurity requirements for products with digital elements, including AI-enabled software and connected devices.
Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (Text with EEA relevance)
Extends EU product-liability rules to software and AI systems, easing the burden of proof for harm caused by AI.
Directive (EU) 2024/2853 of the European Parliament and of the Council of 23 October 2024 on liability for defective products and repealing Council Directive 85/374/EEC (Text with EEA relevance)
The world’s first comprehensive AI law. Risk-based rules for AI systems; high-risk obligations phase in through 2026–2027. Fines up to €35M or 7% of global turnover.
Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (Text with EEA relevance)
Rules on access to and sharing of IoT and machine-generated data — the raw material for training and running AI systems.
Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act) (Text with EEA relevance)
Obliges very large platforms to assess and mitigate systemic risks from their recommender and content-moderation AI, with algorithmic transparency duties.
Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (Text with EEA relevance)
Constrains how gatekeeper platforms rank, self-preference and combine data in their AI-driven services.
Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (Text with EEA relevance)
Framework for trusted data sharing and data intermediaries, enabling lawful data reuse for AI development.
Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (Text with EEA relevance)
Transparency duties for the ranking algorithms online intermediaries use against business users.
Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services (Text with EEA relevance)
Governs automated decision-making and profiling (Art. 22) and any AI that processes personal data — the baseline every AI system in the EU must meet.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)
EU AI law news
Updated July 12, 2026Recent coverage of the EU AI Act and EU-wide AI regulation. Aggregated automatically; follow each link for the full story.
Coverage from The National Law Review on AI legislation and regulation relevant to the European Union.
Coverage from Hunton Andrews Kurth LLP on AI legislation and regulation relevant to the European Union.
Coverage from Tech Times on AI legislation and regulation relevant to the European Union.
Coverage from Digital Watch Observatory on AI legislation and regulation relevant to the European Union.
Coverage from Foley & Lardner LLP on AI legislation and regulation relevant to the European Union.