EU AI Act Goes Operational

The European Union’s AI Act is no longer just a policy blueprint: key rules already apply, and the main compliance regime for high-risk AI starts on August 2, 2026. (eur-lex.europa.eu) The law was published in the Official Journal on July 12, 2024 and entered into force on August 1, 2024, but the obligations phase in over three years. The European Commission’s AI Act Service Desk lists February 2, 2025 for bans and AI literacy, August 2, 2025 for general-purpose AI rules, August 2, 2026 for most of the Act, and August 2, 2027 for some product-safety-linked high-risk systems. (eur-lex.europa.eu, ai-act-service-desk.ec.europa.eu) High-risk AI is the part many companies are now working toward. Under the Act, Annex III systems include uses such as employment, education, access to essential services, law enforcement, migration, and parts of justice and democratic processes. (eur-lex.europa.eu) Article 9 is the core operating rule for those systems. It requires a risk-management system that runs continuously through the life of the model or tool, including testing, identifying known and reasonably foreseeable risks, and adopting control measures before the system is placed on the market or put into service. (eur-lex.europa.eu, artificialintelligenceact.eu) That pushes companies beyond policy statements and into evidence. Providers of high-risk AI also face requirements on data governance, technical documentation, logging, human oversight, accuracy, robustness, cybersecurity, post-market monitoring, and serious-incident reporting. (eur-lex.europa.eu) The timetable matters now because some obligations are already live. Since February 2, 2025, the Act’s prohibited practices and AI literacy rules have applied, and since August 2, 2025, rules for general-purpose AI models and the governance structure around enforcement have applied. (ai-act-service-desk.ec.europa.eu, paulweiss.com) For many businesses, the immediate job is basic mapping. Law firms and compliance advisers have been telling clients to inventory where AI is used, decide whether any system falls into a high-risk bucket, and line up AI Act controls with existing General Data Protection Regulation, product-safety, and sector-specific compliance work. (mondaq.com, dlapiper.com) There is still some moving guidance around the edges. The Commission’s service desk notes a Digital Omnibus proposal that would link the application of rules for high-risk AI embedded in regulated products to the availability of support tools, including harmonised standards. (ai-act-service-desk.ec.europa.eu) The practical deadline, though, has not moved for most organizations using Annex III systems. By August 2, 2026, regulators expect not just AI policies, but records showing the system was tested, risks were tracked, and someone can prove how decisions were controlled. (ai-act-service-desk.ec.europa.eu, artificialintelligenceact.eu)