High-risk AI system providers now face mandatory audits, incident reporting, and transparency requirements. Non-compliance fines can reach €35M or 7% of global revenue.
€35M
Max Fine
or 7% global revenue
Jun 2026
Compliance Deadline
for high-risk systems
12,000+
Affected Companies
EU-facing AI providers
8
Prohibited Categories
outright banned AI uses
The EU AI Act is being rolled out in three phases over 24 months following its August 2024 publication in the Official Journal. Phase 1 (effective February 2025) prohibited the most egregious AI uses: social scoring, real-time biometric surveillance in public spaces, and manipulation of vulnerable persons. Phase 2 — now entering force — is where the operational burden really begins for most companies. It covers high-risk AI systems across 8 Annex III categories. Phase 3, arriving in August 2026, will extend rules to general-purpose AI models (GPAIs) including foundation models like GPT, Claude, and Gemini.
If your AI system is used by, or to make decisions about, EU residents — even if your company is headquartered in the US, UK, or Asia — you are subject to the EU AI Act. The territorial scope is similar to GDPR. 'Placing on the market' or 'putting into service' in the EU triggers compliance obligations regardless of where your servers are.
For high-risk AI providers, the Act requires a formal conformity assessment before deployment, which involves documenting the system's purpose, training data provenance, and risk management process. Systems must be registered in the EU's new AI Act database (similar to how medical devices are registered). There must be a human oversight mechanism — the law specifically prohibits fully autonomous decision-making in consequential domains without a human review option. Technical documentation must be kept for 10 years and provided to national authorities on request. Incident reporting is mandatory: any serious incident must be reported to the relevant national market surveillance authority within 15 business days.
Official Journal publication; 24-month implementation clock starts
Prohibited practices banned; GPAI initial obligations
High-risk system obligations: audits, registration, transparency
National authorities start formal compliance checks and fines
GPAI model rules: foundation models must publish training summaries
“The EU AI Act is the GDPR moment for AI. Companies that ignored GDPR scrambled and paid millions in fines. Smart companies will treat EU AI Act compliance as a competitive advantage — especially in B2B, where enterprise buyers now demand it.”
Lena Baumgartner
Partner, AI Compliance, Freshfields Bruckhaus Deringer
Start with an AI system inventory — catalog every AI tool deployed in or targeting the EU. Classify each against the Annex III high-risk list. Appoint an AI Compliance Officer if you have more than 50 employees. Document your risk management processes. The EU has published a free self-assessment tool at digital-strategy.ec.europa.eu.
Priya Nair
AI Policy & Legal Analyst · AIToolsHub
Covering artificial intelligence trends, product launches, and market analysis for AIToolsHub. Focused on making AI developments accessible and actionable for builders, buyers, and business leaders.
ChatGPT
General-purpose AI subject to GPAI rules from Aug 2026
Claude
Anthropic's Claude — strong privacy and safety documentation
Zendesk AI
Customer support AI — may trigger transparency obligations
Harvey AI
Legal AI — may fall under high-risk justice category
Adoption momentum score.
Top 5 AI stories every Monday. No noise, just signal.
Internal benchmarks allegedly show GPT-5 achieving near-human performance on graduate-level STEM tasks, with a 92% pass rate on the GPQA Diamond benchmark — a 34-point jump over GPT-4o.
The Claude maker has become the world's second most valuable AI company, overtaking Mistral and Cohere. The capital will fund Claude 4 development and expanded cloud infrastructure.
The open-source release includes three model sizes and a new mixture-of-experts architecture. Developers are already fine-tuning it for specialized use cases within hours of release.