[Verification flag: All dates, thresholds, and tier definitions in this piece require verification against the official EU AI Act text (Regulation (EU) 2024/1689) before publication. Preview drafted May 6, 2026.]
The EU AI Act is a binding regulation, not a directive, framework, or set of guidelines, that establishes legal obligations for organizations that place AI systems on the EU market or whose AI systems produce outputs used within the EU. It entered into force on 1 August 2024 and applies through a staged implementation schedule, so different obligations become legally effective at different points. Some of those obligations are already live. Others arrive in weeks.
The Timeline You're Actually Inside
The EU AI Act is not "coming" in any general sense. It is partially in effect, and the most consequential tranche is roughly 90 days out.
February 2, 2025 — Prohibitions on unacceptable-risk AI practices took effect, along with AI literacy obligations for providers and deployers. Organizations deploying AI to EU users were legally required, from this date, to ensure their staff had sufficient AI literacy to fulfill their roles under the Act.
August 2, 2025 — Obligations for providers of general-purpose AI (GPAI) models became applicable, together with the Act's governance provisions and penalty regime. This includes documentation requirements, copyright compliance policies, and, for models above the systemic risk threshold, the more demanding set of requirements described in the next section. Providers of GPAI models already on the market before this date have until August 2, 2027 to bring them into compliance.
August 2, 2026 — The full high-risk AI system regime becomes applicable. This is the tranche that governs AI systems used in consequential domains: hiring, credit, critical infrastructure, law enforcement, education, essential services. For most enterprise buyers deploying AI in these contexts, this is the operative deadline.
August 2, 2027 — High-risk AI systems that are safety components of, or are themselves, products covered by the EU product safety legislation listed in Annex I (medical devices, machinery, certain consumer products) get an additional year. This extension is narrow; it does not apply to standalone software systems in the Annex III use cases above.
The Four Risk Tiers
The Act classifies AI systems into four tiers based on the nature and severity of potential harm. The tier determines the compliance obligations — or whether any apply at all.
Unacceptable risk (prohibited). These practices are banned outright. The list includes AI systems that use subliminal, manipulative or deceptive techniques to materially distort behavior; systems that exploit vulnerabilities tied to age, disability or social and economic situation; social scoring that leads to unjustified or disproportionate detrimental treatment (the final text covers private as well as public actors, not public authorities alone); predictive policing based solely on profiling; untargeted scraping of facial images to build recognition databases; emotion recognition in workplaces and schools; biometric categorization that infers protected attributes such as race, religion or sexual orientation; and, with narrow law enforcement exceptions, real-time remote biometric identification in publicly accessible spaces. There is no compliance path for a system that falls here. It cannot be deployed.
High risk. This tier carries the most operational weight. A system is high-risk if it falls into one of the Act's defined categories (Annex III): biometrics where not already prohibited, critical infrastructure management, educational or vocational training, employment and worker management, access to essential private and public services (including credit scoring and life and health insurance pricing), law enforcement, migration and border control, or administration of justice and democratic processes. High-risk systems face requirements for a risk management system, data governance, technical documentation, automatic logging, transparency and instructions for use toward deployers, human oversight mechanisms, accuracy, robustness and cybersecurity standards, a conformity assessment before market placement, and registration in the EU database. They require documented processes and ongoing maintenance; the obligations, including post-market monitoring and serious-incident reporting, persist for the system's operational life.
Limited risk. Systems in this tier face transparency obligations only (Article 50). A chatbot must disclose that it is an AI system unless that is obvious from context. Outputs of systems generating synthetic audio, image, video or text must be marked as artificially generated in a machine-readable way, deployers publishing deepfakes must disclose them, and people exposed to emotion recognition or biometric categorization systems must be informed. The obligations are real but narrow.
Minimal risk. Most AI applications fall here. Spam filters, AI-enabled video games, basic recommendation systems. No specific obligations under the Act apply, though providers may voluntarily adopt codes of conduct.
Tier assignment for an AI system follows its intended purpose and deployment context, not the underlying model or technique. The same foundation model, deployed for HR screening versus customer service, lands in different tiers. The model's own obligations as a GPAI model (next section) sit alongside whatever the system-level tier requires; they do not replace it.
General-Purpose AI with Systemic Risk
GPAI models, foundation models trained on broad data and capable of serving many purposes, occupy a distinct category in the Act. All GPAI model providers face baseline obligations: technical documentation, information and documentation for downstream providers who build systems on the model, a policy for complying with EU copyright law, and a public summary of the content used for training.
A subset of GPAI models triggers additional requirements: those presumed to carry systemic risk because the cumulative compute used for training exceeds 10^25 floating point operations, plus any model the Commission designates on the basis of its capabilities or reach. The compute threshold is the Act's current proxy for systemic risk, the idea that models of sufficient scale pose risks extending beyond any individual deployment, and the Commission can amend it by delegated act. Providers of these models must perform model evaluations including adversarial testing and red-teaming, assess and mitigate systemic risks, track and report serious incidents to the European AI Office and national authorities, and implement adequate cybersecurity protections for the model and its physical infrastructure.
For foundation model providers whose training runs exceed this threshold, the obligations land closer to critical infrastructure regulation than to product compliance. The European AI Office, established under the Act, holds primary supervisory authority over GPAI providers. The Commission's GPAI Code of Practice (published July 2025) gives providers a route to demonstrate compliance, but what adversarial testing must concretely demonstrate remains unsettled as of this writing.
Extraterritorial Reach
The Act applies to providers placing AI systems on the EU market and to deployers using AI systems within the EU, regardless of where those organizations are incorporated or headquartered, and it also reaches providers and deployers outside the EU whenever the system's output is used in the EU. A US company whose AI-powered hiring tool screens candidates located in the EU is subject to the Act's high-risk requirements if that tool falls in a covered category: as a deployer if it licenses the tool, and with the heavier provider obligations on top if it built the tool itself.
Jurisdiction follows where the AI system's output is used and whether that use falls within a regulated category. Importers and distributors of AI systems also carry defined obligations, and a deployer that substantially modifies a high-risk system or puts its own name on it becomes a provider, so the compliance chain extends through vendor relationships.
Okta Concept Mapping
The EU AI Act's risk tier structure resembles access control policy tiers in one important way: both frameworks ask "what's at stake if this goes wrong?" before deciding what controls apply. The analogy holds for triage: it gives you a quick way to assess whether a system warrants scrutiny. Where it breaks: an access control decision is enforced at a moment in time (the request is granted or denied, and the next request is evaluated afresh), while an EU AI Act tier assigns obligations that persist across the system's entire operational lifecycle. A high-risk AI system doesn't get approved once and move on. It carries continuous requirements for logging, human oversight, post-market monitoring and documentation for as long as it's deployed. That's a fundamentally different compliance model, and the access control intuition will mislead you if you carry it too far.