2 July 2026 · 12 min read · Author: IgeraRegTech Compliance Team
Direct answer: The EU AI Act (Regulation EU 2024/1689) entered into force on 1 August 2024. Prohibitions on unacceptable-risk AI have been enforceable since February 2025. By August 2026, the full framework — including mandatory conformity assessments for high-risk AI systems — applies across all EU member states. Any business that develops, deploys, or uses AI must classify every AI system by risk tier, implement proportional obligations, maintain technical documentation, and register high-risk systems in the EU AI database. Fines reach €35 million or 7% of global annual turnover.
EU AI Act risk pyramid (Regulation EU 2024/1689): The world’s first comprehensive horizontal AI regulation classifies every AI system into one of four risk tiers — Prohibited (Unacceptable), High-risk, Limited risk (Transparency), and Minimal risk. Obligations are strictly proportional: the higher the potential harm to fundamental rights or safety, the more stringent the compliance requirements. The Act applies to any organisation placing AI on the EU market or deploying it for EU users, regardless of where the organisation is headquartered. In force: 1 August 2024. Fully enforceable for high-risk systems: 2 August 2026.
34%
“34% of AI use cases classified as high-risk in our client base — meaning more than one in three AI tools deployed by European technology companies requires a full conformity assessment before August 2026. IgeraRegTech has classified 120+ AI use cases for clients under the EU AI Act risk pyramid.”
— IgeraRegTech proprietary data, 2026 | Regulation (EU) 2024/1689, European Parliament
What is the EU AI Act and does it apply to your business?
The EU AI Act (Regulation EU 2024/1689) is the world’s first comprehensive, binding horizontal AI regulation. Unlike sector-specific rules such as the Medical Devices Regulation or GDPR, it applies across all industries and all types of AI system — from a CV-screening algorithm in an HR SaaS platform to a predictive maintenance model in a factory.
The Act applies to you if your organisation falls into any of these roles:
- Provider: you develop an AI system and place it on the EU market, or put it into service in the EU.
- Deployer: you use an AI system in a professional context to serve EU users or affect EU residents — even if you did not build the system.
- Importer / Distributor: you bring a third-party AI product into the EU market.
Crucially, the Act has the same extraterritorial reach as GDPR. A US-headquartered company deploying an AI tool that screens job applications from EU candidates, or a Singapore-based SaaS provider selling an AI credit-scoring module to European banks, must comply in full.
For General Counsel and Heads of Compliance, the practical implication is clear: every AI tool your organisation uses — whether built in-house, embedded in a third-party SaaS product, or accessed via API — must be inventoried, classified by risk tier, and governed accordingly.
The enforcement timeline: what’s already in force?
The EU AI Act is not a future obligation — large portions are already enforceable. Understanding what is live now versus what kicks in at the August 2026 deadline is essential for prioritising your compliance roadmap.
| Date | What becomes enforceable | Status |
|---|---|---|
| 1 Aug 2024 | Act enters into force. EU AI Office established. Governance framework begins. | In force |
| 2 Feb 2025 | Chapter II prohibitions apply: social scoring, subliminal manipulation, real-time biometric ID in public spaces banned. | In force |
| 2 Aug 2025 | GPAI model obligations apply. Notified bodies designated. Codes of practice finalised. | In force |
| 2 Aug 2026 | Full enforcement: high-risk AI systems (Annex III), transparency obligations, conformity assessments, EU AI database registration. | DEADLINE |
| 2 Aug 2027 | Annex I high-risk AI embedded in regulated products (safety components in machinery, medical devices, etc.). | Upcoming |
The 4-tier risk pyramid explained
The Act’s core architecture is a four-tier risk classification. Your obligations are entirely determined by which tier your AI systems fall into. Here is the complete picture, including maximum fines and effective dates.
| Risk Tier | Key Examples | Main Obligations | Maximum Fine | Effective Date |
|---|---|---|---|---|
| Prohibited (Unacceptable) |
Social scoring, subliminal manipulation, real-time biometric ID in public spaces | Complete ban — cease all use immediately | €35M or 7% turnover | February 2025 ✓ |
| High-risk | CV screening, credit scoring, medical devices, critical infrastructure, law enforcement, education assessment | Risk management system, conformity assessment, EU database registration, human oversight, technical documentation | €15M or 3% | August 2026 |
| Limited risk (Transparency) |
Chatbots, AI-generated content, deepfakes | Disclose AI identity to users clearly at point of interaction; label AI-generated content | €7.5M or 1.5% | August 2026 |
| Minimal risk | Spam filters, video games, spell checkers | Voluntary codes of conduct encouraged; no mandatory obligations | N/A | Now |
Does your AI stack comply with the EU AI Act?
IgeraRegTech has classified 120+ AI use cases under the EU AI Act risk pyramid. Our compliance intelligence platform helps General Counsel and Heads of Compliance audit, classify, and document every AI system in their organisation before the August 2026 deadline.
Explore IgeraRegTech14-day free trial · No credit card required · EU-hosted & GDPR-compliant
High-risk AI: what you must do before August 2026
If any of your AI systems falls under Annex III of the Regulation — covering recruitment, credit, education, critical infrastructure, law enforcement, immigration, and justice — the following obligations are mandatory and non-negotiable before 2 August 2026.
Mandatory requirements for high-risk AI deployers:
- Risk management system: Establish, implement, document, and maintain a continuous risk management process throughout the AI system’s lifecycle (Art. 9).
- Data governance: Ensure training, validation, and testing datasets are relevant, representative, and free from biases that could lead to discriminatory outcomes (Art. 10).
- Technical documentation: Maintain detailed documentation covering system purpose, performance metrics, architecture, training data sources, and foreseeable risks before market placement (Art. 11).
- Logging & audit trails: Enable automatic logging of events to ensure traceability and post-deployment monitoring. Logs must be retained for a minimum of six months (Art. 12).
- Human oversight: Design and deploy the system so that natural persons can effectively oversee, understand, intervene, and override AI outputs (Art. 14).
- Conformity assessment: Complete a conformity assessment procedure demonstrating compliance before use. For most Annex III systems, this is a self-assessment; for biometric identification systems, a third-party notified body is required (Art. 43).
- EU AI database registration: Register the high-risk AI system in the publicly accessible EU AI database (euaidb.eu) before deployment (Art. 49).
GPAI models (ChatGPT, Gemini, Claude): what are your obligations as a deployer?
General Purpose AI (GPAI) models — large foundation models like GPT-4o, Gemini 1.5 Pro, or Claude — are subject to their own dedicated obligations under Chapter V of the Act (Arts. 51–56). These applied from 2 August 2025.
As a deployer of GPAI models (i.e., you integrate them into your product or workflow via API), your obligations fall into two categories depending on how you use the model:
If you use a GPAI model for a limited-risk application (e.g., a customer-facing chatbot, content summarisation, internal Q&A): Your primary obligation is transparency — users must be informed they are interacting with AI. You must also ensure the model provider’s obligations (transparency documentation, copyright compliance summaries) are met at the supply-chain level.
If you use a GPAI model in a high-risk AI system (e.g., an AI tool that screens CVs, assesses creditworthiness, or supports medical diagnosis): The full high-risk obligations apply to you as deployer — even if you did not build the underlying model. You cannot outsource compliance to the model provider.
The practical implication: every integration of ChatGPT, Gemini, Claude, or any other GPAI model into a business workflow requires a documented classification decision. Do not assume that using a commercial API automatically means you have no obligations — the Act explicitly places obligations on deployers.
How to audit your AI stack in 6 steps
Based on IgeraRegTech’s experience classifying 120+ AI use cases for European clients, we recommend structuring your EU AI Act audit as six sequential, documented steps.
Complete AI inventory (including Shadow AI)
List every AI system your organisation develops, uses, or accesses — including AI features embedded in third-party SaaS (HR platforms, CRM, finance tools), internal models, and API integrations. Shadow AI — AI tools adopted by employees without IT or Legal awareness — is the leading source of unclassified risk. Require all departments to self-declare AI tool usage.
Classify each system by risk tier against Annex III
For each AI system in your inventory, apply the four-tier classification. Key diagnostic question: does this system make or meaningfully influence decisions affecting individuals’ access to employment, credit, education, essential services, or law enforcement? If yes — it is likely high-risk under Annex III.
Immediately cease any prohibited practices
Prohibited AI practices have been banned since February 2025 and enforcement is already active. Any form of social scoring, subliminal manipulation, exploitation of vulnerabilities, or real-time biometric identification in public spaces must stop immediately. Document the cessation.
Conduct conformity assessment for high-risk systems
For each high-risk AI system: establish your risk management system, complete data governance documentation, prepare technical documentation, implement logging, ensure human oversight mechanisms, and complete the conformity assessment. Register the system in the EU AI database. Engage a notified body if your system involves biometric identification.
Implement transparency notices for limited-risk AI
For every chatbot, AI customer service agent, or AI-generated content tool: add a clear, prominent disclosure at the start of the interaction. “You are interacting with an AI assistant” must appear before the conversation begins — not buried in terms and conditions. Label all AI-generated documents, reports, or media accordingly.
Establish ongoing monitoring and assign an AI compliance owner
EU AI Act compliance is not a one-time exercise. Designate an AI compliance owner (analogous to a DPO under GDPR) responsible for maintaining the AI inventory, monitoring post-deployment performance of high-risk systems, reporting serious incidents to the EU AI Office within 15 days, and updating documentation as systems evolve or new AI tools are adopted.
Where does RAG-based AI like IgeraRegTech fit in the risk pyramid?
Retrieval-Augmented Generation (RAG) tools — AI systems that answer questions by retrieving and synthesising content from a defined, grounded document corpus — are among the most frequently misclassified AI systems in compliance audits. Here is the correct analysis under the Act.
A RAG-based compliance intelligence tool like IgeraRegTech operates as follows: a user asks a regulatory question in natural language; the system retrieves the most relevant passages from indexed legal texts, contracts, or technical documentation; it then synthesises a cited response grounded exclusively in those source documents. No autonomous decisions are made about individuals’ rights, access to services, employment, or credit.
Under the EU AI Act risk pyramid, this architecture falls into the limited-risk (transparency) tier — not high-risk — because:
- It does not make or influence access decisions for individuals (no HR screening, no credit scoring).
- It explicitly discloses AI identity at the point of interaction.
- Responses are grounded in cited source documents, eliminating hallucination of legal obligations.
- Human review of all generated compliance outputs is built into the workflow — the tool supports human decision-making, it does not replace it.
The key design principle: RAG tools are classified by what decisions they support, not merely by the fact that they use an LLM. IgeraRegTech’s architecture was designed from the outset with EU AI Act tier-classification in mind — document-grounded, human-in-the-loop, transparent, with no autonomous rights determinations.
Classify your AI stack — before the August 2026 deadline
IgeraRegTech helps legal and compliance teams audit every AI system in their organisation, generate conformity documentation, and maintain a living AI registry. Built for EU compliance from day one — GDPR-native, EU-hosted, limited-risk by design.
Start your AI Act compliance audit14-day free trial · No credit card required · EU-hosted
Frequently asked questions: EU AI Act 2026
Does the EU AI Act apply to non-EU companies?
Yes, unconditionally. The EU AI Act has explicit extraterritorial scope. If your AI system is placed on the EU market, put into service in the EU, or generates outputs that are used within the EU — the Act applies in full, regardless of where your company is incorporated, headquartered, or where your servers are located. This is identical in structure to GDPR’s territorial scope under Art. 3. US, UK, and Asian technology companies deploying AI products to European customers must comply.
Is using ChatGPT or Gemini subject to the EU AI Act?
Yes — both as a GPAI model provider obligation and as a deployer obligation. OpenAI and Google (as providers of GPAI models) must comply with Chapter V transparency requirements since August 2025. But as a deployer who integrates ChatGPT or Gemini into your business workflows — particularly for consequential decisions — you have independent obligations. If your integration constitutes a high-risk AI system (e.g., AI-assisted CV review), the full Annex III obligations apply to you as deployer, even though you did not build the underlying model.
What counts as “high-risk” AI under the Act?
High-risk AI systems are those listed in Annex III: AI used in recruitment and employment decisions (CV screening, performance assessment), credit scoring, access to essential services (insurance, utilities), education and training (student assessment, test scoring), critical infrastructure management, law enforcement, border control and immigration, administration of justice, and certain biometric identification systems. The defining criterion is whether the AI system significantly affects individuals’ fundamental rights, safety, or access to important services.
How does the EU AI Act interact with GDPR?
They are complementary and cumulative. GDPR governs the lawfulness of personal data processing; the EU AI Act governs the AI system itself. High-risk AI systems that process personal data must comply with both frameworks simultaneously. Importantly, a GDPR Data Protection Impact Assessment (DPIA) does not substitute for the EU AI Act conformity assessment — they are separate obligations with separate documentation requirements. High-risk AI systems affecting rights of data subjects will also trigger mandatory DPIAs under GDPR Art. 35.
Does a property management chatbot qualify as high-risk?
No — under standard deployment conditions, a property management chatbot that answers factual questions about community regulations, maintenance procedures, or statutory obligations does not fall under Annex III high-risk categories. It classifies as limited risk (transparency tier). The mandatory obligation is to clearly inform users they are interacting with an AI system. Provided the system does not make autonomous decisions about residents’ legal rights or financial obligations, and responses are grounded in verified documents rather than hallucinated, it remains in the limited-risk tier.
What is a conformity assessment for high-risk AI?
A conformity assessment (Art. 43) is the process by which a provider or deployer demonstrates that a high-risk AI system meets all applicable requirements of the EU AI Act before it is placed on the market or put into service. For most Annex III systems, this is a self-assessment procedure resulting in a declaration of conformity and technical documentation. For specific high-risk systems in biometric identification, a third-party notified body must conduct or verify the assessment. The conformity assessment must be reviewed and updated whenever the AI system undergoes significant changes.
Last updated: 2 July 2026 | Sources: Regulation (EU) 2024/1689 of the European Parliament and of the Council (EU AI Act), Official Journal of the European Union L 2024/1689; EU AI Office (europa.eu/ai); IgeraRegTech proprietary classification data (120+ use cases, 2026) | Author: IgeraRegTech Compliance Team | Related: DORA compliance · CSRD reporting · NIS2 obligations
EU AI Act compliance hub — IgeraRegTech
This article is part of the IgeraRegTech regulatory intelligence hub. Explore related EU digital regulation frameworks your compliance team needs to master:
- IgeraRegTech platform overview — AI-powered compliance intelligence for European technology companies
- DORA (Digital Operational Resilience Act) — ICT risk management obligations for financial entities
- CSRD (Corporate Sustainability Reporting Directive) — ESG disclosure requirements and double materiality
- NIS2 Directive — Cybersecurity obligations for essential and important entities
All IgeraRegTech articles are grounded in primary legal sources, peer-reviewed by compliance specialists, and updated as legislation evolves.