EU AI Act becomes operational
Europe’s AI rules are shifting from high‑level obligations into concrete engineering and audit work, with firms told to build logging, access controls and documentation into deployed systems. (raconteur.net) Regulators are emphasising agent supervision, identity governance for autonomous agents, and detailed data lineage — turning compliance into a technical‑audit problem rather than just legal interpretation. (securityboulevard.com)
Europe’s artificial intelligence law is no longer a future compliance project. Since February 2, 2025, bans on a small set of unacceptable uses and a duty to train staff in artificial intelligence literacy have already applied, and since August 2, 2025, rules for general-purpose models have applied too. (eur-lex.europa.eu)
The next big date is August 2, 2026. That is when most rules for high-risk systems start applying, including systems used in hiring, education, critical infrastructure, law enforcement, and other Annex Three categories named in the law. (eur-lex.europa.eu)
The law works like airport security, not a blanket ban. Europe sorts systems into prohibited, high-risk, transparency, and general-purpose buckets, and the bucket decides how much paperwork, testing, and monitoring the company has to do. (digital-strategy.ec.europa.eu)
That is why the work is shifting from lawyers to engineers. A company cannot prove a model is behaving properly with a slide deck; it needs logs, version records, access controls, incident processes, and technical files that show what data, model, and safeguards were actually used in production. (raconteur.net)
For a high-risk system, the regulation asks for a risk-management system, data governance, technical documentation, record-keeping, human oversight, accuracy, robustness, and cybersecurity. Those are not policy words on paper; they map to concrete build tasks inside software and machine-learning pipelines. (eur-lex.europa.eu)
Record-keeping is becoming the center of the job. If a bank, hospital, or employer cannot show which model version made a decision, which person approved it, and which data fed it, it will struggle to show compliance when an auditor or regulator asks questions months later. (raconteur.net)
The same shift is hitting systems built on top of large shared models. The European Commission says providers of general-purpose models have been under their own obligations since August 2, 2025, and it backed a voluntary code of practice published on July 10, 2025 to help companies show how they meet those duties. (digital-strategy.ec.europa.eu)
Regulators are also getting more specific about autonomous software agents. Firms are being pushed to treat an agent like a worker with a badge and a manager: give it a defined identity, limit what systems it can touch, and keep a trail of what it did and who was supposed to supervise it. (securityboulevard.com)
Data lineage is turning into another audit target. That means being able to trace a prediction back through the chain of training data, fine-tuning data, prompts, retrieval sources, and downstream outputs, the same way a food company traces ingredients back to a farm. (securityboulevard.com)
Europe has already started filling in the gray areas with guidance. The Commission published guidelines on prohibited practices on February 4, 2025, covering examples such as harmful manipulation, social scoring, and some forms of real-time remote biometric identification. (digital-strategy.ec.europa.eu)
So the practical change in 2026 is simple: if an artificial intelligence system affects jobs, school places, benefits, policing, or other sensitive decisions in Europe, the question is no longer just “is our policy compliant.” The question is “can we prove, from the system itself, who built it, what it used, how it was watched, and what happened when it failed.” (eur-lex.europa.eu)