EU AI Act Compliance Deadlines in Flux
While the EU AI Act is law, its implementation is causing confusion, particularly for small and medium-sized businesses. A new "Digital Omnibus Proposal" may delay some deadlines, but most obligations for high-risk systems remain imminent. Experts warn that the Act's preparatory obligations place accountability squarely on boards and C-suites, elevating compliance to a strategic, board-level concern.
The phased rollout of the AI Act means some rules are already in effect. As of February 2025, prohibitions on "unacceptable risk" AI—such as government-run social scoring and real-time biometric surveillance in public spaces (with narrow exceptions)—are enforceable. Requirements for AI literacy within organizations also kicked in on this date. The next major deadline targets General-Purpose AI (GPAI) models. Rules for these systems, including transparency and copyright-related obligations, are set to apply from August 2, 2025. The newly established European AI Office is tasked with developing Codes of Practice to provide guidance and will be the primary body supervising the most powerful GPAI models. The delay central to the "Digital Omnibus Proposal" specifically targets the complex rules for "high-risk" AI systems. Citing a lack of finalized harmonized standards and insufficient compliance infrastructure, the EU has postponed the original August 2026 deadline. This move is intended to give businesses a realistic pathway to compliance. Compliance for high-risk systems is now pegged to the readiness of these support tools. New "backstop" deadlines have been set regardless of whether standards are finalized: December 2, 2027, for high-risk systems listed in Annex III (e.g., AI in employment, education, and law enforcement) and August 2, 2028, for those in Annex I (product components like medical devices). This extension has a direct impact on agentic AI used in enterprise workflows, particularly in regulated sectors like HR. While the core compliance deadline for AI systems used in hiring and employee management is pushed back, other obligations remain; for instance, the requirement to inform and consult employee representatives before deploying high-risk AI is already in force. Enforcement will be handled by national competent authorities in each member state, coordinated by the European AI Board and the AI Office. These bodies will have the power to conduct investigations, request access to source code, and impose significant penalties. Non-compliance carries severe financial penalties structured in tiers. Using a prohibited AI system can result in fines of up to €35 million or 7% of a company's global annual turnover, whichever is higher. Violations related to high-risk systems can draw fines of up to €15 million or 3% of turnover.
