The EU AI Act (Regulation 2024/1689) is a binding legal framework that classifies AI systems by risk level and assigns compliance obligations proportionate to that classification. It applies to providers who place AI systems on the EU market, deployers who use AI systems within the EU, and providers established outside the EU whose systems produce outputs used within the EU. It entered into force on August 1, 2024. Full implementation is staged over three years, in four distinct obligation windows.
"EU AI Act compliance" is not a single state. It is a sequence of obligations arriving on different schedules — and as of today, the most consequential deadline is 89 days out.
The Timeline, Sequentially
February 2, 2025. Prohibited practices provisions took effect alongside AI literacy obligations. Prohibited practices include AI systems that deploy subliminal manipulation techniques, exploit vulnerabilities of specific groups, enable social scoring by public authorities, and conduct real-time remote biometric identification in public spaces for law enforcement purposes (with narrow, enumerated exceptions). AI literacy obligations require providers and deployers to ensure that staff working with AI systems have sufficient understanding of those systems' capabilities and limitations. These provisions are in effect and enforceable now. (EU AI Act, Arts. 5, 4; corroborated: Reuters Legal, "EU AI Act First Obligations Take Hold," Feb. 3, 2025)
August 2, 2025. General-purpose AI model obligations became applicable. Providers of GPAI models must maintain technical documentation, comply with EU copyright law, and publish summaries of training data. Providers of GPAI models with systemic risk face additional requirements. These obligations have been in effect for nine months. (EU AI Act, Arts. 53–55)
August 2, 2026. The full high-risk AI system regime applies. This is the deadline governing most enterprise AI deployments in regulated contexts. High-risk systems must satisfy requirements for data governance, technical documentation, transparency, human oversight, accuracy, robustness, and cybersecurity before placement on the EU market or entry into service. Conformity assessments are required. This deadline is 89 days away. (EU AI Act, Arts. 9–16; corroborated: Law360, "EU AI Act High-Risk Regime: What Comes August 2026," Jan. 2026)
August 2, 2027. High-risk AI systems embedded in products already covered by existing EU product safety legislation — medical devices, machinery, vehicles — receive one additional year. This extension applies only to that embedded-product category. (EU AI Act, Art. 111(3))
The Four Risk Tiers
Unacceptable risk systems are prohibited outright. The February 2025 provisions govern this tier.
High risk systems are permitted but subject to the full compliance regime effective August 2026. Annex III of the Act enumerates high-risk use cases: AI used in critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services, law enforcement, migration and border control, and administration of justice. The classification attaches to the deployment context, not the underlying model. The same foundation model is high-risk in one use case and minimal-risk in another.
Limited risk systems face transparency obligations only — primarily disclosure requirements ensuring that users know they are interacting with an AI system.
Minimal risk systems face no mandatory requirements under the Act, though voluntary codes of conduct apply.
General-Purpose AI with Systemic Risk
GPAI models are a distinct legal category. A model qualifies as GPAI if it can perform a wide range of distinct tasks and has been trained on broad data at scale. The systemic risk designation triggers when a GPAI model's training compute exceeds 10²⁵ floating-point operations (FLOPs), a threshold set in Article 51 of the Act. Models meeting this threshold — which currently includes the largest frontier models from major US AI developers — must comply with additional obligations: adversarial testing, incident reporting to the European AI Office, cybersecurity protections, and energy efficiency reporting. (EU AI Act, Art. 51; corroborated: Brookings Institution, "Understanding the EU AI Act's GPAI Provisions," Sept. 2025)
The European AI Office, established within the European Commission, holds primary supervisory authority over GPAI model providers. National market surveillance authorities handle high-risk system oversight at the member state level.
Extraterritorial Reach
Article 2 of the Act defines territorial scope. Providers placing AI systems on the EU market fall within its reach regardless of where those providers are established. Deployers located within the EU fall within it regardless of where their vendor is incorporated. Providers and deployers established entirely outside the EU fall within it when the output of their AI system is used within the EU.
Physical location of the company is not the relevant test. Location of use is.
A US-headquartered AI vendor whose system is deployed by a European public agency, or whose outputs are acted upon by users within the EU, is inside the Act's scope. The vendor's compliance posture needs to address which tier their system falls into for that specific deployment — not whether they have a general compliance program, and not whether the model passed some internal review. When a public sector buyer asks whether their US AI vendor is "EU AI Act compliant," the question underneath that is: compliant for this use case, in this context, at this tier?
Implementation guidance from the European AI Office on conformity assessment procedures for high-risk systems is still developing as of this writing. Where specific procedural requirements remain unsettled, that uncertainty is real and should be acknowledged in buyer conversations rather than papered over.
IDAM Concept Mapping
The EU AI Act's risk tiering resembles a data classification framework: assess the sensitivity of the asset, apply controls proportionate to that assessment. The structural logic is the same. Where the analogy breaks is the unit of classification. In a data classification scheme, the classification attaches to the data itself and travels with it. In the EU AI Act, the classification attaches to the deployment context. The same AI model is unregulated in one use case and subject to full conformity assessment in another. A vendor cannot achieve a single certification that covers the model across all deployments. Each use case requires its own assessment — which means a buyer asking for a compliance attestation needs to be asking about the deployment, not the product.
Production note: All implementation dates, tier definitions, GPAI thresholds, and extraterritoriality provisions must be verified against the official EU AI Act text (OJ L 2024/1689) and corroborated by a second authoritative source before publication. Verification date: pending. This is a demonstration piece.

