EU AI Act enters pipelines

- The EU AI Act is shifting from legislation toward phased implementation, imposing layered obligations on AI systems.
- Fresh resources map timelines and show how the Act overlaps with GDPR, creating dual compliance requirements.
- That overlap forces documentation, risk classification, and traceability into product and deployment workflows.

The European Union’s AI Act is no longer a distant rulebook: key bans have applied since February 2, 2025, and broader duties are now moving into product teams’ release cycles. (commission.europa.eu)

The law entered into force on August 1, 2024, but it applies in phases. The European Parliament’s implementation timeline says prohibited practices started applying on February 2, 2025; rules for general-purpose AI models and governance structures apply from August 2, 2025; most high-risk system rules apply from August 2, 2026; and some systems tied to regulated products run to August 2, 2027. (europarl.europa.eu)

That staging is pushing compliance work upstream. A new timeline published on April 16, 2026, by Lewis Silkin maps not just the legal dates, but the rollout of guidelines and codes of practice that companies need before they can ship or buy covered systems. (lewissilkin.com)

The AI Act works like a product-safety law for AI, with duties that change by risk tier and by role in the supply chain. The International Association of Privacy Professionals said this week that the law assigns design and governance responsibilities to organizations, while the General Data Protection Regulation protects individual rights over personal data. (iapp.org)

For companies using AI on personal data, that means one system can trigger both regimes at once. The European Parliament’s 2025 study on EU digital laws says the overlap between the AI Act and laws including the General Data Protection Regulation creates “significant regulatory complexity.” (europarl.europa.eu)

In practice, that overlap lands in documentation. The IAPP’s new mapping resource ties AI Act duties such as risk management, technical documentation, logging, human oversight and transparency to General Data Protection Regulation requirements such as lawful basis, data minimization, data protection impact assessments and data subject rights. (iapp.org)

That is why “enters pipelines” is literal. Providers and deployers need to classify systems before launch, record what data and models went in, preserve logs, and show how a system can be monitored or overridden after deployment if it falls into a regulated category. (artificialintelligenceact.eu)

The compliance burden is not limited to model makers. The Act’s phased schedule covers providers, deployers, importers, distributors and authorized representatives, which means procurement, legal, engineering and security teams all end up touching the same release process. (europarl.europa.eu)

The next milestone is not abstract. General-purpose AI obligations have applied since August 2, 2025, and the high-risk system regime arrives on August 2, 2026, leaving companies less room to treat the AI Act as a policy debate instead of an operational checklist. (europarl.europa.eu)
