EU AI Act Compliance: What You Need to Know
Enforcement reality is bifurcated. GPAI obligations under the EU AI Act are now in force. Annex III high-risk requirements likely slip to December 2, 2027 under the 3rd Omnibus trilogue (May 13, 2026 · 2nd attempt failed April 28). For any organization with EU customers, this is two separate compliance tracks · not one.
The four-tier risk classification
The EU AI Act categorizes every AI system into four tiers · each with escalating obligations:
- Prohibited risk (Article 5): banned outright — subliminal manipulation · social scoring · real-time biometric ID in public spaces · emotion recognition in workplace/education. Already in force since February 2025.
- High-risk (Annex III): recruitment · credit scoring · educational assessment · law enforcement · critical infrastructure · medical devices. Conformity assessment · technical documentation · human oversight · post-market monitoring required.
- Limited risk (Article 50): chatbots · deepfakes · emotion recognition · biometric categorization. Transparency obligations · AI-generated content must be machine-readable as such.
- Minimal risk: the rest. No specific obligations. Voluntary codes of conduct.
Correct tier classification is the foundation. Misclassification is the most common enforcement trigger — fines per Article 99 scale by tier and undertaking size.
High-risk requirements — non-negotiable for Annex III systems
If you build or deploy a high-risk system listed in Annex III · the Act mandates:
- Risk management system across the AI lifecycle (Article 9)
- Data governance — training, validation, and testing datasets meeting quality criteria (Article 10)
- Technical documentation — pre-deployment and continuously updated (Article 11 · Annex IV)
- Automatic record-keeping — system logs preserved for audit (Article 12)
- Transparency · instructions for use · human oversight (Articles 13-14)
- Accuracy · robustness · cybersecurity (Article 15)
- Conformity assessment · CE marking · post-market monitoring · serious-incident reporting (Articles 43, 48, 72)
These aren't theoretical. They demand operational changes across AI development, deployment, and monitoring — typically 12-18 months of preparation before the deadline lands.
Transparency obligations and GPAI models
GPAI providers (general-purpose AI models — LLMs, diffusion models, multimodal foundation models) face Article 53-55 obligations, now in force:
- Technical documentation of training data · process · evaluation
- Copyright compliance policy · TDM opt-out respect
- Detailed summary of training content published
- For "systemic risk" models (10²⁵ FLOPs threshold): adversarial testing · serious-incident tracking · cybersecurity · energy reporting
Downstream deployers inherit transparency obligations · users must be informed when interacting with AI · AI-generated content must be marked detectable per Article 50(2).
The bifurcated enforcement timeline · LOCKED
The EU AI Act phases enforcement across multiple deadlines. The May 2026 trilogue update splits the picture:
- Feb 2, 2025 · IN FORCE: Prohibited practices · AI literacy obligations · banned systems unusable.
- GPAI obligations · now in force: GPAI obligations · Article 99 penalties · governance bodies operational.
- Aug 2, 2026 (likely): Annex III high-risk for recruitment / credit / education was scheduled here · 3rd Omnibus trilogue 13 May 2026 expected to shift this.
- Dec 2, 2027 (probable): Annex III high-risk requirements · conformity assessments · technical documentation · post-market monitoring. (2nd Omnibus failed April 28, 2026 · 3rd in trilogue.)
- Aug 2, 2027: Annex II high-risk (machinery, toys, medical devices) requirements.
Decompose by track: GPAI-track ships now (no delay coming) · high-risk-track ships anyway because 12-18 months of prep starts before the deadline. Treat the bifurcation as the operating reality · not as an excuse to wait.
What to do now
Waiting is foreclosed — GPAI obligations are now in force. Proactive organizations are already executing five workstreams:
1. AI system inventory: Catalog every AI system — vendor solutions · internal models · third-party APIs · embedded ML. Tag each with purpose · risk tier · data dependencies · downstream consumers.
2. Tier-by-tier risk assessment: For each system · determine prohibited / high-risk / limited / minimal classification. Document the analysis · re-run quarterly as systems change.
3. Governance structure: Establish policies · accountability lines · deployment-decision authority · monitoring cadence. Article 26 deployer obligations don't run themselves.
4. Technical controls: Audit logs · model performance monitoring · bias detection · fundamental-rights impact assessments (FRIA) for public-sector deployers. The evidence Article 12 expects.
5. Vendor / GPAI documentation: Demand Annex IV-grade documentation from every GPAI provider you use. Renegotiate contracts now · before you become the upstream by default.
How acipta's EU AI Act suite accelerates compliance
The acipta.ai EU AI Act & ISO 42001 suite ships at launch window opening. What the suite automates:
- Automated classification — agents analyze your AI inventory against Annex III · Article 5 · Article 50 criteria · assign risk tiers · flag conformity-assessment candidates
- Article 11 / Annex IV documentation — technical documentation generated from system telemetry · not authored in spreadsheets
- Control mapping — EU AI Act requirements mapped to your existing controls · gaps surfaced · ISO 42001 alignment included
- Continuous monitoring — Article 72 post-market obligations · serious-incident detection · audit-ready evidence on demand
Every verdict signed at write time with Ed25519 · deterministically replayable for five years. Audit-defensible by construction.
The global trajectory · why GPAI compliance matters beyond Europe
The EU AI Act is the first comprehensive AI regulation globally — but not the last. The UK AI Bill · Colorado SB 24-205 · Texas TRAIGA · NYC AEDT · California SB 1047 successors · Brazil's AI Bill all cite Annex III definitions or borrow the four-tier structure. Organizations that build defensible AI governance for the EU also satisfy the parallel US-state and UK frameworks emerging through 2027.
GPAI obligations are now in force. The Annex III delay buys preparation time · not exemption. Start now.
Ready to achieve EU AI Act compliance ahead of the enforcement timeline?
Start Your AI Governance Program