The European Union's Artificial Intelligence Act entered into force on August 1, 2024, representing "the world's first comprehensive legal framework for AI." This regulation applies to any organization developing, deploying, or using AI systems in the EU market, regardless of location.
Key implementation dates
Risk-based framework
Unacceptable risk (prohibited)
The following systems are banned as of February 2, 2025:
Social scoring
Biometric categorization
Real-time remote biometric identification in public spaces
Predictive policing
Emotion recognition in workplaces and educational institutions
Untargeted scraping of facial images
Exploitation systems
Penalties: Up to 35 million EUR or 7% of global annual turnover, whichever is higher.
High-risk AI systems
These require stringent compliance requirements:
Employment and HR
Education and vocational training
Essential services
Law enforcement
Migration and border control
Administration of justice
Critical infrastructure
Healthcare
Limited risk (transparency requirements)
Chatbots
Emotion recognition systems
Biometric categorization
Generated content (deepfakes)
Recommendation systems
Penalties for limited risk violations: Up to 15 million EUR or 3% of global annual turnover, whichever is higher.
Minimal risk
The vast majority of AI applications fall into minimal risk and face no mandatory requirements under the Act, though voluntary adherence to codes of conduct is encouraged.
Examples include:
Organizations deploying minimal risk AI are still subject to general EU law -- GDPR, product safety directives, consumer protection regulations -- but face no AI Act-specific obligations beyond basic AI literacy for staff who work with these systems.
General Purpose AI models
The EU AI Act introduced a distinct regulatory tier for General Purpose AI (GPAI) models -- large foundation models capable of performing a wide range of tasks, including large language models. These obligations became effective August 2, 2025.
Standard GPAI obligations
All GPAI model providers must:
Systemic risk GPAI models
GPAI models exceeding 10^25 FLOPs in training compute are classified as posing systemic risk and face additional requirements:
As of August 2025, the European AI Office published an initial list of models likely meeting the systemic risk threshold. Organizations operating GPAI APIs or embedding foundation models into customer-facing products should evaluate whether their upstream model providers have complied with these obligations, since downstream use can create liability exposure.
Compliance timelines and key dates
Understanding the phased rollout is essential for building a realistic compliance roadmap.
| Date | Obligation | Who It Affects |
|---|---|---|
| August 1, 2024 | Act enters into force | All |
| February 2, 2025 | Prohibited practices banned; AI literacy requirements apply | All EU AI deployers |
| August 2, 2025 | GPAI model obligations; EU AI Office governance rules; notified body designations begin | GPAI providers; high-risk AI developers |
| February 2, 2026 | High-risk AI in Annex I (regulated products) must comply | Manufacturers of AI-enabled regulated products |
| August 2, 2026 | Full regulation applies to all high-risk AI (Annex III); limited risk transparency rules enforceable | All organizations deploying AI in the EU |
| August 2, 2027 | Certain legacy AI systems (already on market before August 2026) must be brought into compliance | Organizations with pre-existing AI deployments |
The February 2, 2025 deadline has already passed. Organizations that have not yet taken inventory of their AI systems and assessed whether any fall into prohibited or high-risk categories are already behind the compliance curve on the literacy and prohibition requirements.
The August 2026 full enforcement date is the critical horizon for most enterprise organizations. Two years sounds like a long runway, but conformity assessments, technical documentation, and human oversight implementations for high-risk systems typically take 12--18 months from initiation to completion.
Technical requirements for high-risk AI systems
Organizations deploying high-risk AI -- including HR screening tools, credit scoring systems, medical AI, and education assessment platforms -- must implement specific technical capabilities before deployment and maintain them throughout the system's operational life.
Risk management system
A risk management system must be established, implemented, documented, and maintained throughout the entire lifecycle of the AI system. This is not a one-time assessment -- it requires:
The risk management system must be subject to regular systematic updates.
Data and data governance
High-risk AI systems must use training, validation, and testing data that meets quality criteria. Specifically:
Many organizations underestimate the data governance burden. Demonstrating that training data was collected lawfully, was examined for bias, and remains traceable requires documentation infrastructure that most ML teams have not historically maintained.
Technical documentation
Before placing a high-risk AI system on the EU market or putting it into service, providers must compile technical documentation demonstrating compliance. This documentation must remain current throughout the system's life. Required content includes:
This documentation is not internal-only. It must be made available to national supervisory authorities on request, and certain elements must be provided to downstream deployers who integrate the system.
Transparency and user information
Providers of high-risk AI systems must ensure deployers receive information covering:
Human oversight
High-risk AI systems must be designed and developed so that they can be effectively overseen by natural persons during the period of use. Oversight measures must enable the individuals responsible to:
This requirement is not satisfied by a nominal override button. Regulators have signaled in guidance that meaningful human oversight requires that the person reviewing AI output has sufficient information to exercise genuine judgment -- not merely rubber-stamp AI decisions.
Accuracy, robustness, and cybersecurity
High-risk AI systems must achieve appropriate levels of accuracy throughout their lifecycle. Providers must:
How RAIL Score maps to EU AI Act requirements
The EU AI Act does not mandate any specific evaluation tool or methodology. What it mandates are outcomes: demonstrable safety, documented performance, bias assessment, and ongoing monitoring. RAIL Score addresses these requirements across its 8 dimensions in ways that directly support compliance evidence generation.
Reliability → Accuracy and robustness requirements
The Act requires providers to document AI system accuracy metrics and test for robustness under adversarial conditions. RAIL Score's Reliability dimension provides a continuous, quantified signal for factual accuracy and calibration. Running RAIL evaluations on a representative test set generates machine-readable accuracy evidence that can be included in technical documentation. Reliability scores below 7.0 on sensitive outputs indicate a robustness gap requiring remediation before deployment.
Fairness → Data bias assessment and non-discrimination
High-risk AI data governance requirements include examination for biases that could affect fundamental rights. RAIL Score's Fairness dimension evaluates outputs for differential treatment across demographic groups. Systematic fairness scoring across a stratified test dataset provides documented bias assessment evidence. For HR and credit scoring systems -- where fairness failures carry legal liability beyond the AI Act itself -- ongoing production fairness monitoring generates the audit trail required by both regulators and internal governance boards.
Safety → Risk management system
The Act's risk management requirement demands identification and mitigation of risks associated with the system's use. RAIL Score's Safety dimension flags harmful, toxic, or dangerous outputs in production. Integrating Safety scoring into the deployment pipeline provides continuous evidence that the risk management system is operational, not just documented.
Transparency → User information and transparency obligations
Limited risk transparency requirements and high-risk user information requirements both demand that AI systems communicate their nature, limitations, and reasoning appropriately. RAIL Score's Transparency dimension evaluates whether outputs honestly represent uncertainty and limitations. Low transparency scores on outputs involving consequential recommendations (credit, medical, legal) signal compliance gaps in the user-facing layer.
Privacy → GDPR alignment and data governance
High-risk AI data requirements overlap significantly with GDPR. RAIL Score's Privacy dimension identifies when outputs contain or solicit unnecessary personal data, which is a compliance signal for both regimes. For systems processing health, financial, or other sensitive data categories, Privacy scoring provides documented evidence of ongoing data minimization monitoring.
Accountability → Technical documentation and traceability
The Act's documentation requirements demand traceable reasoning and auditable decision paths. RAIL Score's Accountability dimension measures whether outputs provide traceable reasoning or leave users in a decisional black box. For systems subject to human oversight requirements, accountability scores below 6.0 on consequential outputs indicate that the oversight mechanism lacks the information it needs to function.
Inclusivity and User Impact → Fundamental rights and intended purpose
The Act requires high-risk AI to perform consistently across different groups and to actually deliver its intended purpose. RAIL Score's Inclusivity dimension monitors for differential output quality across user groups. User Impact dimension scores measure whether the system is delivering value aligned with its stated purpose -- a direct input to conformity assessment.
Enforcement and penalties
The EU AI Act establishes a three-tier penalty structure:
Tier 1 -- Prohibited practices: Up to 35 million EUR or 7% of worldwide annual turnover (whichever is higher). This tier applies to violations of the prohibitions that took effect February 2, 2025. Deploying a prohibited social scoring system or real-time biometric identification system in public spaces falls here.
Tier 2 -- Other violations: Up to 15 million EUR or 3% of worldwide annual turnover. This covers failures to comply with high-risk AI requirements, GPAI obligations, and limited risk transparency requirements.
Tier 3 -- Incorrect or misleading information: Up to 7.5 million EUR or 1% of worldwide annual turnover. This applies to providing incorrect, incomplete, or misleading information to notified bodies or national competent authorities in the context of conformity assessment.
For SMEs and startups, each tier's cap is applied as the percentage of global turnover or the absolute amount, whichever is lower.
Enforcement structure
Each EU member state must designate one or more national competent authorities (NCAs) responsible for enforcement. NCAs have powers to:
The European AI Office, established within the European Commission, has direct enforcement authority over GPAI providers and coordinates cross-border cases involving high-risk AI.
Extraterritorial reach
The AI Act applies to providers placing AI systems on the EU market regardless of where the provider is established. It also applies to deployers located in the EU. This means:
The territorial scope mirrors GDPR's approach: where the data subject (or AI-affected person) is located determines applicability, not where the provider is incorporated.
Practical compliance roadmap
Months 1--3: Inventory and triage
The first priority is knowing what you have. Organizations routinely discover AI systems they did not formally document as "AI" -- rule-based decision engines embedded in HR software, scoring models in credit workflows, automated content moderation systems.
Actions:
Deliverable: AI system register with risk classification, responsible owner, and compliance gap assessment for each system.
Months 4--6: High-risk compliance foundations
For each high-risk AI system identified, begin building the required compliance infrastructure in parallel.
Actions:
Deliverable: Technical documentation drafts, data governance gap analysis, human oversight assessment, continuous monitoring implementation.
Months 7--12: Conformity assessment and operational readiness
Actions:
Deliverable: Completed conformity assessments, EU AI database registrations, operational post-market monitoring, incident reporting procedures in place.
Ongoing: Maintenance and monitoring
Compliance is not a point-in-time certification. The Act's risk management system requirement is explicitly ongoing. Practical sustainability requires:
Conclusion
The EU AI Act is the most consequential AI regulation currently in force anywhere in the world. For most organizations, the prohibitions are straightforward to comply with -- avoid building social scoring systems, biometric surveillance, and predictive policing tools. The real compliance work is in the high-risk category and GPAI obligations, where the requirements are specific, technical, and ongoing.
The organizations best positioned for August 2026 full enforcement are those that started their inventory and gap assessment work in 2024 and 2025. For organizations that have not yet begun, the window for orderly compliance is narrowing but not closed.
RAIL Score provides continuous, multi-dimensional evaluation across all 8 RAIL dimensions that maps directly to EU AI Act evidence requirements: documented accuracy assessment, bias monitoring, safety evaluation, transparency checking, and accountability tracing. Organizations can use the RAIL Evaluator to assess their AI outputs against these dimensions today -- generating the kind of structured, quantified compliance evidence that technical documentation and post-market monitoring obligations require. For a walkthrough of how RAIL Score fits into your specific compliance architecture, request a demo.