The EU AI Act requires organizations to classify every AI system they develop or deploy by risk tier, implement mandatory controls for high-risk systems, and comply with phased enforcement deadlines running from February 2025 through December 2027.
Formally known as Regulation (EU) 2024/1689, it is the world's first comprehensive mandatory AI regulation. Prohibited AI practices have been enforceable since 2 February 2025. GPAI model obligations have applied since 2 August 2025. Transparency obligations activate on 2 August 2026. Following the AI Act Omnibus political agreement of 7 May 2026, the main high-risk AI system deadline has been deferred: Annex III systems must comply by 2 December 2027, and Annex I product-embedded systems by 2 August 2028.
The Act is extraterritorial: any organization deploying AI to EU users is in scope, regardless of where it is headquartered. Fines reach up to €35 million or 7% of global annual turnover, higher than GDPR.
TL;DR - Key Takeaways
- The EU AI Act phases its obligations across four dates: February 2025 (prohibited practices), August 2025 (GPAI models), August 2026 (transparency), December 2027 / August 2028 (high-risk systems, deferred by the AI Omnibus).
- The AI Act applies to any organization placing AI on the EU market or whose AI outputs affect EU users, regardless of where the organization is based.
- High-risk AI systems (Annex III) include AI used in: recruitment, credit scoring, critical infrastructure, education, and law enforcement, each now subject to a December 2027 compliance deadline.
- Compliance for high-risk systems requires: risk management system, data governance, technical documentation, record-keeping, human oversight, conformity assessment, CE marking, and EU database registration.
- TrustGuard and TrustLens directly support the human oversight (Article 14) and post-market monitoring (Article 72) obligations required for high-risk AI systems.
What is the EU AI Act and who does it apply to?
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024. It is a risk-based regulation: the obligations placed on an organization depend entirely on what type of AI system it develops or deploys, and how risky that system is.
It applies to you if any of the following are true:
- You are an AI provider (you develop an AI system) and place it on the EU market or put it into service in the EU.
- You are an AI deployer (you use a third-party AI system) in the EU.
- You are an importer or distributor of AI systems in the EU.
- You are based outside the EU, but the outputs of your AI system are used in the EU.
This extraterritorial scope is one of the most important aspects of the Act for non-European companies to understand. A U.S.-based enterprise deploying an AI-powered recruitment tool to EU employees, or a SaaS company whose LLM-powered product is used by EU customers, is in scope.
Definition: A provider under the EU AI Act is any natural or legal person that develops an AI system or a general-purpose AI model with a view to placing it on the market under its own name or trademark, or putting it into service under its own name or trademark. A deployer is any natural or legal person that uses an AI system under its own authority. (Source: EU AI Act, Article 3, Regulation (EU) 2024/1689)
The EU AI Act risk pyramid: four tiers explained
The EU AI Act classifies every AI system into one of four risk tiers. Your compliance obligations, and the severity of potential fines, depend entirely on which tier your system falls into. The pyramid below illustrates the structure, from the most to least regulated.
Tier 1: Unacceptable Risk (Prohibited)
The highest risk tier comprises AI practices so harmful to fundamental rights and EU values that they are banned outright under Article 5. These prohibitions have been in force since 2 February 2025; there is no grace period and no compliance pathway. If your organization operates a system in this category, it must be decommissioned immediately.
Examples include AI-based social scoring by public or private entities, subliminal manipulation techniques, and real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions). The AI Omnibus of May 2026 added a further prohibition on non-consensual intimate image generation, effective 2 December 2026. (Source: EU AI Act, Article 5, Regulation (EU) 2024/1689)
Tier 2: High Risk (Heavily regulated)
High-risk AI systems are the most regulated category still permitted. These are AI systems with the potential to cause significant harm if they fail or are misused, for example AI used in law enforcement, recruitment, credit scoring, critical infrastructure, or education.
As the image shows, most regulated AI systems in enterprise environments fall here. Following the AI Omnibus, Annex III high-risk systems (use-based) must comply by 2 December 2027, and Annex I systems embedded in regulated products by 2 August 2028. The full compliance requirements for this tier are covered in the section below.
Source: Trail
Tier 3: Limited Risk (Transparency obligations)
Limited-risk systems include AI with a risk of manipulation or deceit: chatbots, emotion recognition systems, and generative AI that produces synthetic content. The obligation here is disclosure: users must be informed they are interacting with an AI system.
These transparency obligations (Article 50) take effect on 2 August 2026. Synthetic audio, image, video, and text content must also carry machine-readable labels from that date. Violations carry fines of up to €15 million or 3% of global annual turnover. (Source: EU AI Act, Article 50, Regulation (EU) 2024/1689)
Tier 4: Minimal Risk (No specific obligations)
The vast majority of AI systems currently deployed fall into this category: spam filters, AI-enabled video games, recommendation engines, and similar tools. The EU AI Act imposes no specific obligations on minimal-risk systems, though the European Commission encourages voluntary codes of conduct.
Self-assessment tip: Before assuming your system is minimal risk, verify it does not fall under any Annex III use case. The Commission's draft classification guidelines of May 2026 adopt an expansive interpretation — more systems qualify as high-risk than a literal reading of the Act suggests.
The EU AI Act compliance timeline: every deadline explained
The Act's obligations phase in across four key dates. The following table reflects the updated deadlines after the AI Act Omnibus political agreement reached on 7 May 2026. (Source: European Commission, digital-strategy.ec.europa.eu; Council of the EU, May 2026)
| Date | What applies | Who is affected | Fine exposure |
|---|---|---|---|
| 2 Feb 2025 ✅ Already in force | Prohibited AI practices (Article 5) + AI literacy obligations (Article 4) | All operators of AI systems in the EU | Up to €35M or 7% of global turnover |
| 2 Aug 2025 ✅ Already in force | GPAI model obligations (Articles 51–55): technical documentation, copyright compliance, safety requirements | Providers of general-purpose AI models (LLMs, foundation models) | Up to €15M or 3% of global turnover |
| 2 Aug 2026 | Transparency obligations (Article 50): chatbots must disclose AI nature; synthetic content must carry machine-readable labels | All providers and deployers of AI systems that interact with people | Up to €15M or 3% of global turnover |
| 2 Dec 2027 (deferred by Omnibus) | High-risk AI systems — Annex III (use-based): recruitment, credit scoring, critical infrastructure, education, law enforcement, migration | Providers and deployers of Annex III high-risk systems | Up to €30M or 6% of global turnover |
| 2 Aug 2028 (deferred by Omnibus) | High-risk AI systems — Annex I (product-embedded): medical devices, machinery, toys, civil aviation | Providers of AI embedded in regulated products | Up to €30M or 6% of global turnover |
Important note on the AI Omnibus: The political agreement of 7 May 2026 deferred the Annex III high-risk deadline from August 2026 to December 2027. This deferral is pending formal legislative adoption, expected before 2 August 2026. Organizations should plan for the deferred dates while monitoring for formal adoption. (Source: Latham & Watkins, May 2026)
What is already prohibited, and already enforceable
Since 2 February 2025, the following AI practices are banned outright under Article 5. Operating a system in any of these categories is an active violation carrying fines of up to €35 million or 7% of global annual turnover:
- Social scoring: AI systems that evaluate or classify people based on their social behavior, producing detrimental or unfavorable treatment.
- Subliminal manipulation: AI that exploits subconscious vulnerabilities to influence behavior in ways that harm people.
- Biometric categorization by sensitive attributes: Inferring race, political opinion, religious belief, or sexual orientation from biometric data.
- Untargeted facial recognition scraping: Compiling facial recognition databases by scraping the internet or CCTV footage without targeting.
- Emotion recognition in workplaces and educational institutions: With narrow exceptions for medical or safety purposes.
- Real-time remote biometric identification in public spaces: By law enforcement, with narrow exceptions for serious crimes.
- Predictive criminal profiling: Risk assessment of individuals based on profiling or personality traits alone.
- Non-consensual intimate imagery generation: Added by the AI Omnibus; prohibited from 2 December 2026. (Source: AI Act Omnibus political agreement, Council of the EU, 7 May 2026)
Review your AI portfolio against this list now. If any deployed system falls into these categories, it must be decommissioned; there is no grace period for prohibited practices.
What are high-risk AI systems and is yours one?
High-risk AI systems face the most demanding compliance obligations. Under Article 6 of the Act, a system is high-risk if it falls into one of two categories:
Category 1: Product-embedded AI (Article 6(1)): AI that functions as a safety component of a product governed by EU harmonisation legislation listed in Annex I (medical devices, machinery, civil aviation, toys, etc.) and where that product requires third-party conformity assessment.
Category 2: Use-based AI (Article 6(2), Annex III): AI used in any of the following eight areas:
| Annex III Area | Example AI systems |
|---|---|
| Biometrics | Remote biometric identification, biometric categorization |
| Critical infrastructure | AI managing traffic, water, energy, or financial systems |
| Education | AI determining access to education or assessing students |
| Employment | AI for recruitment, CV screening, performance monitoring, promotion decisions |
| Essential private services | AI for credit scoring, life insurance risk assessment, emergency call prioritization |
| Law enforcement | AI for crime risk assessment, evidence evaluation, criminal profiling |
| Migration and border control | AI for asylum application assessment, risk scoring at borders |
| Justice and democracy | AI assisting courts, arbitration, democratic processes |
(Source: EU AI Act, Annex III, Regulation (EU) 2024/1689; EU AI Act Service Desk, Annex III. The legislative rationale for the Annex III high-risk categories is set out in Recitals 48–63 of Regulation (EU) 2024/1689, which explain why each use-case area poses sufficient risk to health, safety, or fundamental rights to warrant mandatory controls.)
Exception: A system listed in Annex III is not considered high-risk if it does not materially influence decision-making outcomes and does not pose a significant risk of harm (Article 6(3)). However, providers who claim this exception must document their assessment before placing the system on the market, and must register the system in the EU database regardless.
On 19 May 2026, the European Commission published draft guidelines on the classification of high-risk AI systems. The guidelines adopt an expansive interpretation: substantially more AI systems integrated into regulated products may fall within the high-risk regime than a straightforward reading of the Act suggests. Businesses should revisit prior scope assessments in light of these guidelines. (Source: Osborne Clarke, May 2026)
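To make the Article 6 decision logic above concrete for an AI inventory, here is an added example (not code from this page or from NeuralTrust's products) that applies the tiers in order of precedence: Article 5 prohibitions, then Annex I product-embedded systems, then Annex III use-based systems with the Article 6(3) exception. The `AISystem` fields and the deadline constants are assumptions based only on the dates stated on this page.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Tier(Enum):
    UNACCEPTABLE = "unacceptable risk (prohibited, Article 5)"
    HIGH = "high risk (Article 6)"
    LIMITED = "limited risk (Article 50 transparency)"
    MINIMAL = "minimal risk (no specific obligations)"


# The eight Annex III areas from the table above, as lower-case keys.
ANNEX_III_AREAS = {
    "biometrics", "critical infrastructure", "education", "employment",
    "essential private services", "law enforcement",
    "migration and border control", "justice and democracy",
}

# Post-Omnibus dates as stated on this page (the deferral is pending formal adoption).
HIGH_RISK_ANNEX_III_DEADLINE = "2027-12-02"
HIGH_RISK_ANNEX_I_DEADLINE = "2028-08-02"
TRANSPARENCY_DEADLINE = "2026-08-02"


@dataclass
class AISystem:
    """Inventory record; field names are hypothetical and chosen for this example."""
    name: str
    prohibited_practice: bool = False        # matches an Article 5 practice
    annex_i_safety_component: bool = False   # safety component of an Annex I product
    third_party_conformity: bool = False     # that product needs notified-body assessment
    annex_iii_area: Optional[str] = None     # one of ANNEX_III_AREAS, or None
    materially_influences_decisions: bool = True
    significant_risk_of_harm: bool = True
    exception_assessment_documented: bool = False  # Article 6(3) assessment on file
    interacts_with_persons: bool = False     # chatbot-style interaction with people
    generates_synthetic_content: bool = False


@dataclass
class Classification:
    tier: Tier
    deadline: str        # ISO date of the applicable deadline; "none" for minimal risk
    basis: str           # the provision that drove the decision
    must_register: bool  # EU database registration required (Article 49)


def _lower_tier(s: AISystem, must_register: bool, note: str = "") -> Classification:
    """Tier for a system that is neither prohibited nor high-risk."""
    if s.interacts_with_persons or s.generates_synthetic_content:
        return Classification(Tier.LIMITED, TRANSPARENCY_DEADLINE, ("Article 50 " + note).strip(), must_register)
    return Classification(Tier.MINIMAL, "none", ("no specific obligations " + note).strip(), must_register)


def classify(s: AISystem) -> Classification:
    """Highest applicable tier wins; Annex I is checked before Annex III by design here."""
    if s.prohibited_practice:
        return Classification(Tier.UNACCEPTABLE, "2025-02-02 (in force)", "Article 5", False)
    if s.annex_i_safety_component and s.third_party_conformity:
        return Classification(Tier.HIGH, HIGH_RISK_ANNEX_I_DEADLINE, "Article 6(1) / Annex I", True)
    if s.annex_iii_area is None:
        return _lower_tier(s, must_register=False)
    area = s.annex_iii_area.lower()
    if area not in ANNEX_III_AREAS:
        raise ValueError(f"unknown Annex III area: {s.annex_iii_area!r}")
    exempt = not s.materially_influences_decisions and not s.significant_risk_of_harm
    if not exempt:
        return Classification(Tier.HIGH, HIGH_RISK_ANNEX_III_DEADLINE, f"Article 6(2) / Annex III ({area})", True)
    if not s.exception_assessment_documented:
        # Claiming the 6(3) carve-out without the documented assessment is not defensible: stay high-risk.
        return Classification(Tier.HIGH, HIGH_RISK_ANNEX_III_DEADLINE, f"Article 6(3) undocumented ({area})", True)
    # The exception holds, but Article 6(3) still requires registration in the EU database.
    return _lower_tier(s, must_register=True, note=f"(Annex III {area}, Article 6(3) exception documented)")
```

Run `classify` over every record in your inventory and sort by deadline; the `must_register` flag is the one most often missed when a team relies on the Article 6(3) exception.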
What compliance requires for high-risk systems
If your AI system is classified as high-risk, the following obligations apply under Chapter III of the Act. These must be in place before the system is placed on the market or put into service:
1. Risk management system (Article 9)
A continuous, iterative risk management process covering the full lifecycle of the AI system. Must identify and analyze known and foreseeable risks, estimate their likelihood and impact, and implement appropriate risk management measures.
2. Data and data governance (Article 10)
Training, validation, and testing datasets must be relevant, sufficiently representative, and — to the best extent possible — free of errors and complete. Data governance practices must be documented.
3. Technical documentation (Article 11 + Annex IV)
Comprehensive documentation demonstrating compliance, sufficient for competent authorities to assess conformity. Must be prepared before the system is placed on the market and kept up to date throughout its lifecycle.
4. Record-keeping / automatic logging (Article 12)
High-risk AI systems must be capable of automatically recording events (logs) relevant to identifying risks and substantial modifications throughout the system's lifecycle.
5. Transparency and instructions for use (Article 13)
Clear instructions for use must be provided to deployers, covering the system's intended purpose, performance characteristics, known limitations, and the human oversight measures required.
6. Human oversight (Article 14)
Systems must be designed to allow deployers to effectively oversee, monitor, interpret, override, or stop the AI system's outputs. This is not a checkbox; it requires technical implementation of override mechanisms.
7. Accuracy, robustness, and cybersecurity (Article 15)
High-risk AI systems must achieve appropriate levels of accuracy and resilience against attempts to alter outputs through adversarial attacks, data poisoning, or model manipulation.
8. Conformity assessment (Article 43)
Most Annex III high-risk systems undergo internal conformity assessment (self-assessment against the requirements above, following the procedure in Annex VI). Systems embedded in Annex I products require third-party assessment through a notified body.
9. EU declaration of conformity (Article 47) + CE marking (Article 48)
Once the conformity assessment is complete, providers must draw up an EU declaration of conformity and affix the CE marking to the system.
10. EU database registration (Article 49)
Providers must register high-risk AI systems in the EU AI Act database before placing them on the market.
TrustGuard provides the runtime monitoring and behavioral oversight infrastructure required by Article 14 (human oversight) and Article 72 (post-market monitoring), generating the tamper-evident logs and anomaly alerts that high-risk system operators need to demonstrate ongoing compliance.
GPAI model obligations, already in force
If your organization provides a general-purpose AI (GPAI) model, that is, a model trained on large amounts of data and capable of performing a wide range of tasks, Article 53 obligations have applied since 2 August 2025:
- Technical documentation must be maintained and provided to the EU AI Office on request.
- Training data transparency: a summary of training data content must be published.
- Copyright compliance policy: a policy for respecting copyright law during training must be in place.
- Machine-readable summaries of training data must be made available for downstream providers.
GPAI models classified as having systemic risk (trained with more than 10²⁵ FLOPs, or designated by the EU AI Office) face additional obligations under Article 55: adversarial testing, incident reporting to the EU AI Office, and cybersecurity safeguards.
Providers of GPAI models already on the market before 2 August 2025 have until 2 August 2027 to achieve full compliance. (Source: legiscope.com EU AI Act Timeline; EU AI Act, Articles 51–55)
Your EU AI Act compliance checklist
Use this checklist to assess your current compliance status across all phases of the Act:
Immediate (already required):
- ☐ Audit all AI systems against the Article 5 prohibited practices list and decommission any that qualify
- ☐ Implement AI literacy obligations (Article 4): ensure relevant staff understand AI capabilities and limitations
- ☐ If you provide a GPAI model: confirm technical documentation, training data summary, and copyright compliance policy are in place
By 2 August 2026:
- ☐ Implement transparency disclosures for all AI systems that interact directly with people (Article 50)
- ☐ Ensure synthetic audio, image, video, and text content carries machine-readable labeling
Preparation for December 2027 (Annex III high-risk systems):
- ☐ Classify all AI systems against Annex III: document any non-high-risk assessments
- ☐ Begin building risk management system (Article 9) for each high-risk system
- ☐ Commission technical documentation (Article 11)
- ☐ Implement automatic logging / record-keeping (Article 12)
- ☐ Design human oversight mechanisms (Article 14)
- ☐ Commission conformity assessment (Article 43)
- ☐ Register systems in the EU AI database (Article 49)
- ☐ Affix CE marking where required (Article 48)
TrustLens automates the AI system discovery and posture monitoring required at the foundation of EU AI Act compliance, giving you a complete, continuously updated inventory of every AI system in your organization, including shadow AI tools that may fall under the Act's scope.
FAQs about EU AI Act compliance
1. Does the EU AI Act apply to my company if we are based outside the EU?
Yes. The Act is extraterritorial. If you place AI systems on the EU market, or if the outputs of your AI systems are used in the EU, you are in scope regardless of where your company is headquartered. This applies to U.S., UK, and other non-EU organizations. (Source: surecloud.com EU AI Act Compliance Guide, June 2026)
2. What are the fines for non-compliance with the EU AI Act?
Fines depend on the type of violation. Violations of Article 5 prohibited practices carry fines of up to €35 million or 7% of global annual turnover (whichever is higher). Violations related to high-risk systems carry fines of up to €30 million or 6% of global turnover. Transparency violations carry fines of up to €15 million or 3% of global turnover. These exceed GDPR's maximum penalties. (Source: legiscope.com)
3. Has the August 2026 high-risk AI deadline been delayed?
Yes. The AI Act Omnibus political agreement of 7 May 2026 deferred the main Annex III high-risk AI system deadline from 2 August 2026 to 2 December 2027. Annex I product-embedded systems have until 2 August 2028. The transparency obligations (Article 50) still take effect on 2 August 2026 as originally planned. (Source: Council of the EU, May 2026)
4. What is a conformity assessment under the EU AI Act?
A conformity assessment is the process by which a provider verifies that a high-risk AI system meets all the requirements of Chapter III of the Act before placing it on the market. For most Annex III systems, this is an internal self-assessment following the procedure in Annex VI. For AI embedded in products regulated under Annex I legislation, third-party assessment by a notified body is required. (Source: EU AI Act, Article 43)
5. Do deployers of AI systems have obligations under the EU AI Act?
Yes. Deployers of high-risk AI systems have specific obligations under Article 26, including: implementing human oversight as instructed by the provider, monitoring the system during use, logging operation where possible, reporting serious incidents, and conducting fundamental rights impact assessments where required. Deployers are not passive — they share compliance responsibility with providers.
Key Takeaways
- The EU AI Act's prohibited practices (Article 5) have been enforceable since February 2025: any organization still operating a prohibited AI system is in active violation today.
- The AI Omnibus (May 2026) deferred the Annex III high-risk deadline to December 2027, but this deferral is pending formal adoption, and transparency obligations still activate in August 2026.
- High-risk classification is broader than many organizations expect: the Commission's May 2026 draft guidelines adopt an expansive interpretation that captures more systems than a literal reading of the Act suggests.
- Compliance for high-risk systems is not a point-in-time audit; it requires continuous risk management, ongoing logging, and post-market monitoring throughout the system's operational life.
- The combination of NeuralTrust TrustGuard, TrustLens, and TrustTest addresses the three most operationally demanding EU AI Act requirements: human oversight and monitoring (Article 14), post-market monitoring (Article 72), and pre-deployment security testing (Article 15).
Related articles
- The Complete Guide to AI Governance: Frameworks, Policies & Best Practices (2026): The hub article covering all major AI governance frameworks including the EU AI Act, NIST AI RMF, ISO 42001, and OECD Principles.
- NIST AI RMF 1.0: A Step-by-Step Implementation Guide for Enterprises (2026): How to implement the U.S. voluntary AI risk framework, which maps directly to EU AI Act conformity assessment evidence.
About the Author
Roger Howroyd is Head of Global SEO and AI at NeuralTrust, where he leads the company's search strategy across SEO, AEO, GEO, and LLM optimization, helping position NeuralTrust as the authoritative voice in AI agent security for both search engines and generative AI systems. He specializes in AI-powered search, content strategy, backlink development, and SEM. Connect on LinkedIn
NeuralTrust is an AI agent security platform, recognized in the Gartner 2025 Market Guide for AI Gateways. Headquartered in Barcelona with ISO 27001 certification.