EU AI Act enforcement

Europe’s Artificial Intelligence Act is no longer a distant framework: on Aug. 2, 2026, the main rules for many high-risk AI systems start to apply across the European Union. (ec.europa.eu) The law was adopted as Regulation (EU) 2024/1689 and published in the Official Journal on July 12, 2024. Its rollout is staggered: banned AI practices and AI literacy rules applied from Feb. 2, 2025, general-purpose AI rules from Aug. 2, 2025, and most high-risk rules from Aug. 2, 2026. (eur-lex.europa.eu; ec.europa.eu) At the center of the 2026 deadline is Article 9, which requires a risk-management system for high-risk AI. The European Commission’s AI Act Service Desk says that system must run through the product’s full lifecycle, be reviewed and updated regularly, and include testing, mitigation and user information. (ec.europa.eu) “High-risk” does not mean every chatbot or internal tool. Annex III covers specific uses such as AI for school admissions and test monitoring, hiring and worker management, credit scoring, public-benefit decisions, law enforcement, migration and parts of the justice system. (ec.europa.eu) That shifts compliance from policy decks to operating procedures. A company using AI to screen job applicants or score borrowers may need documented controls, testing records, technical files and post-market monitoring before national authorities come knocking. (ec.europa.eu; ec.europa.eu) Enforcement will not come from a single Brussels regulator for these systems. The European Commission says the AI Office will oversee implementation and general-purpose AI at the European Union level, while national market-surveillance authorities will enforce high-risk AI rules inside member states. (ec.europa.eu) That national layer was supposed to be in place before this year’s enforcement buildout. Member states were required to designate and empower national competent authorities by Aug. 2, 2025, and the Commission says those authorities include market-surveillance bodies and notifying authorities for conformity assessment. (ec.europa.eu; ec.europa.eu) For companies already dealing with privacy law, the overlap with the General Data Protection Regulation is becoming more concrete. The International Association of Privacy Professionals said this week that the Artificial Intelligence Act is a product-safety law, while the General Data Protection Regulation is a rights-based data-protection law, and some deployments will trigger both AI Act assessments and General Data Protection Regulation impact assessments. (iapp.org) The penalty backdrop is large enough to get board attention. The Act allows fines of up to 35 million euros or 7% of worldwide annual turnover for some violations, and up to 15 million euros or 3% for other operator obligations. (ec.europa.eu) The immediate question is no longer whether the European Union will regulate high-risk AI. It is whether companies can turn risk reviews, testing and documentation into routine work before Aug. 2, 2026. (ec.europa.eu; ec.europa.eu)