Who needs an EU AI Act compliance program first?
Organizations placing AI systems on the EU market or deploying high-impact systems should prioritize inventory, role mapping, and control ownership immediately.
EU AI Act Hub
Operational guidance for legal, product, security, and compliance leaders preparing for phased AI Act enforcement in the EU.
The EU AI Act is the first comprehensive AI law with risk-based duties for providers, deployers, importers, and distributors. Core obligations start before August 2026 for prohibited practices and governance controls, with enforcement expanding by role and system risk, and fines reaching up to EUR 35 million or 7% of global annual turnover.
| Role | Core obligations |
|---|---|
| Provider (places AI system on EU market) | Risk classification, technical documentation, quality management, post-market monitoring, incident reporting, and CE conformity steps for high-risk systems. |
| Deployer (uses AI system in operations) | Deployment compliant with the instructions for use, human oversight, records retention, workforce transparency, and impact controls for high-risk uses. |
| Importer / Distributor | Verify conformity markings and documentation, ensure traceability, and cooperate with authorities for unsafe or non-compliant systems. |
| GPAI / Foundation model providers | Model documentation, copyright compliance summary, systemic-risk controls where applicable, and downstream transparency support. |

| Window | Milestone | What to complete |
|---|---|---|
| Q1-Q2 2026 | Readiness program | Complete AI system inventory, role mapping, and control ownership so legal and product teams can execute before hard obligations apply. |
| By Aug 2026 | Early enforcement checkpoint | Prohibited-practice controls and governance baseline should be operational with accountable owners and evidence records. |
| 2026-2027 phases | Expanded duties by risk tier | High-risk and model-provider obligations phase in with supervisory scrutiny, requiring auditable policy and process execution. |

| Violation category | Potential ceiling |
|---|---|
| Most severe violations (e.g. prohibited practices) | Up to EUR 35M or 7% global annual turnover |
| Other non-compliance with key obligations | Up to EUR 15M or 3% global annual turnover |
| Incorrect, incomplete, or misleading information | Up to EUR 7.5M or 1.5% global annual turnover |
GDPR governs personal-data processing broadly, while the EU AI Act governs AI-system risk classes, model obligations, and market-placement controls.
Document system purpose, risk tier, controls, oversight assignments, monitoring outputs, incident handling, and evidence of continuous governance.
No. This hub is an operational guide to support internal planning and should be paired with qualified legal counsel for binding interpretation.