Verification note: Regulatory dates and thresholds in this piece are drawn from Regulation (EU) 2024/1689 as published in the Official Journal of the European Union, corroborated against EU AI Office implementation guidance. This lesson is subject to triggered accuracy review when significant EU AI Act developments occur. Last verified: May 2026.
Three months from now, the EU AI Act's full high-risk regime takes effect. If you are selling AI systems to organizations with EU operations, or if your product is already deployed there, the question your buyers are asking their legal teams right now is specific: what does it require of us, and by when? The answers depend on a classification logic that is less intuitive than it first appears.
What It Is
The EU AI Act — formally Regulation (EU) 2024/1689, published in the Official Journal of the European Union in July 2024 and entered into force August 1, 2024 — is a horizontal regulatory framework governing AI systems placed on or put into service in the EU market. It is not a sector-specific rule. It applies across industries and use cases, with obligations scaled to assessed risk. Compliance is mandatory, not voluntary, and enforcement authority sits with national market surveillance authorities coordinated through the EU AI Office.
The Act covers providers (entities that develop or place AI systems on the market), deployers (entities that use AI systems in a professional context), importers, and distributors. Obligations differ by role.
How It Works: The Staged Timeline
The Act does not arrive all at once. It has been phasing in on a fixed schedule since February 2025, and that schedule matters because different provisions carry different compliance burdens.
February 2, 2025 brought the first obligations into force: the prohibition of AI practices deemed unacceptable risk, and the requirement that organizations ensure AI literacy among staff who work with or oversee AI systems. These provisions are already in effect.
August 2, 2025 activated the general-purpose AI (GPAI) model obligations, along with the Act's governance provisions. Providers of GPAI models placed on the EU market have been subject to these requirements for nine months. One caveat: models already on the market before August 2, 2025 have a transition period and must comply by August 2, 2027.
August 2, 2026, the deadline now 89 days out, is when the high-risk regime for the use cases listed in Annex III becomes enforceable, together with the transparency obligations and the remaining provisions of the Act. This is the substantive core of the Act for most enterprise deployments.
August 2, 2027 extends the high-risk regime to AI systems embedded in regulated products covered by existing EU product safety legislation — medical devices, machinery, aviation systems, and similar categories governed under Annex I of the Act.
The Four Risk Tiers
The Act organizes AI systems into four tiers. The tier determines the obligation set. Classification follows use case, not technology — the same underlying model can sit in different tiers depending on how it is deployed.
Unacceptable risk systems are prohibited outright. This tier covers AI that manipulates persons through subliminal techniques, exploits vulnerabilities of specific groups, enables real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions), and several other enumerated practices. There is no compliance path for these systems; they cannot be placed on the EU market.
High risk is the tier with the most substantive compliance requirements. A system is high-risk if it falls into one of two categories: it is a safety component of a product (or is itself a product) covered by the EU product legislation listed in Annex I and subject to third-party conformity assessment, or it is a use case listed in Annex III. Annex III covers biometric identification and categorisation, critical infrastructure management, educational assessment, employment and worker management decisions, access to essential public and private services, law enforcement, migration and border control, and administration of justice and democratic processes. An Annex III listing is a strong presumption rather than an automatic verdict: Article 6(3) lets a provider document that a listed system does not pose a significant risk to health, safety or fundamental rights (for example, because it performs only a narrow procedural task), but that derogation never applies to a system that profiles natural persons. Providers of high-risk systems must establish a risk management system, data governance controls, technical documentation, logging, human oversight measures and a conformity assessment, and must register the system in the EU database before placing it on the market. Deployers carry their own duties, including using the system according to the provider's instructions, assigning human oversight and retaining the logs the system generates.
Limited risk systems face transparency obligations only. If an AI system interacts with humans (a chatbot, for instance), the provider must design it so that people know they are interacting with an AI. Providers of systems that generate synthetic audio, image, video or text must mark that output as AI-generated in a machine-readable form, and deployers who produce deepfakes must disclose that the content is artificially generated. The compliance burden is comparatively light.
Minimal or no risk covers the majority of AI applications currently in use: spam filters, AI-enabled inventory management, recommendation engines in most commercial contexts. No specific obligations apply, though providers may voluntarily adopt codes of conduct.
General-Purpose AI With Systemic Risk: A Separate Track
GPAI models occupy a category that runs parallel to the tier taxonomy, not within it. Every GPAI model provider faces baseline obligations: technical documentation, information for downstream providers who integrate the model, a policy for complying with EU copyright law, and a public summary of the content used for training. These apply regardless of how the model is eventually deployed.
A subset of GPAI models carries additional obligations under the systemic risk designation. A model is presumed to have systemic risk when the cumulative compute used for its training exceeds 10²⁵ floating-point operations; the Commission can also designate a model on the basis of a capability assessment. Providers of these models must evaluate the model, including adversarial testing and red-teaming, assess and mitigate systemic risks, track and report serious incidents to the EU AI Office, and ensure adequate cybersecurity for the model and its infrastructure. Energy consumption is part of the technical documentation every GPAI provider must keep; it is not a systemic-risk-specific duty.
For sellers, the practical point is that a GPAI model provider is subject to GPAI obligations even if no downstream deployment of that model is high-risk. The obligation attaches to the model, not the deployment context.
Extraterritorial Reach
The Act applies to providers placing AI systems on the EU market regardless of where those providers are established. It also applies to providers and deployers established outside the EU when the output of their AI system is used within the EU. Importers and distributors operating in the EU carry their own compliance obligations.
A US-based company whose AI product is used by EU-based employees, customers, or government agencies is within scope. The "output used in EU" language is broad. If your system produces decisions, recommendations, or content that affects people in the EU, the extraterritorial analysis applies and requires legal review.
The Conversation You Will Have
A CIO at an agency with EU data-sharing arrangements, or a multinational enterprise with EU operations, is going to ask before August 2026 whether the AI systems they are procuring are compliant. The answer requires knowing the deployment context, not just the product. A procurement workflow tool that screens job applicants sits in Annex III. The same underlying model used to summarize internal meeting notes does not. Risk tier is a property of the use, assessed per deployment.
Worth asking in discovery: what decisions does this AI inform, and who does it affect?
Okta Concept Mapping
Closest IDAM analogue: Resource classification driving access control requirements. In IDAM, you classify a resource by sensitivity — PII database, financial system, public directory — and apply corresponding authentication and authorization requirements. The EU AI Act applies the same structural logic: classify the AI system by risk, apply proportionate compliance obligations.
Where the analogy holds: The proportionality principle is identical. Higher sensitivity means more controls, more documentation, more oversight. The framework is designed to avoid imposing enterprise-grade compliance burdens on low-stakes applications.
Where it breaks: In IDAM, resource classification is relatively stable. A database containing health records is high-sensitivity regardless of who queries it or why. In the EU AI Act, classification is use-case dependent — the same model is high-risk in one deployment and minimal-risk in another. Classification must be assessed for each deployment context. Sellers who assume their product has a fixed risk tier will give buyers incorrect compliance guidance.
The EU AI Act's implementing regulations and guidance from the EU AI Office continue to develop. Where this piece describes unsettled interpretation — particularly around Annex III scope and GPAI systemic risk designation procedures — readers should treat the framing as directional and verify against current EU AI Office publications before advising buyers.