EU AI Act Enforcement

Europe’s Artificial Intelligence Act is no longer a future compliance project: national regulators are now being assigned, and key rules are already in force. (digital-strategy.ec.europa.eu) The law entered into force on August 1, 2024. Bans on certain AI uses and a duty to ensure staff have enough AI literacy started applying on February 2, 2025; rules for general-purpose AI models started on August 2, 2025; most high-risk system obligations apply on August 2, 2026. (digital-strategy.ec.europa.eu 1) (digital-strategy.ec.europa.eu 2) In the Netherlands, compliance oversight is set to be split across 10 regulators under plans published this week, according to Pinsent Masons. Dutch privacy regulator Autoriteit Persoonsgegevens has separately said market-surveillance authorities must be designated to oversee compliance in the country. (pinsentmasons.com) (autoriteitpersoonsgegevens.nl) The structure of the law is risk-based. The European Commission says it sorts AI into prohibited uses, high-risk systems, systems with transparency duties, and lower-risk uses with lighter obligations. (digital-strategy.ec.europa.eu) For companies, the immediate job is classification: they have to work out which tools fall into the high-risk bucket. The Commission’s guidance says Annex III use cases are generally subject to the main high-risk rules from August 2, 2026, while some AI embedded in regulated products under Annex II follows on August 2, 2027. (digital-strategy.ec.europa.eu) Article 9 is one of the core deadlines in that 2026 wave. The law requires providers of high-risk AI systems to run a documented, continuous risk-management system across the system’s full lifecycle, including identifying known and reasonably foreseeable risks and testing whether controls work. (eur-lex.europa.eu) (artificialintelligenceact.eu) Enforcement will not sit only with Brussels. The Commission says member states must designate national competent authorities and market-surveillance authorities, and those national bodies will handle most supervision while a European Artificial Intelligence Board coordinates across the bloc. (digital-strategy.ec.europa.eu) (artificialintelligenceact.eu) That creates the practical problem companies have been warning about: one European regulation, but potentially many sector-by-sector supervisors. In the Dutch case, that means a business may need to deal with different authorities depending on whether its AI is used in health care, finance, telecoms, consumer products, or public services. (pinsentmasons.com) (government.nl) The first enforcement phase has already started. On February 4, 2025, the Commission published guidelines on prohibited AI practices, including rules on manipulative systems, social scoring, and some biometric uses. (digital-strategy.ec.europa.eu) The next 15 months are when the policy text turns into audits, inventories, and regulator maps. By August 2, 2026, companies using or selling high-risk AI in Europe will need more than an AI strategy deck; they will need a compliance file. (eur-lex.europa.eu) (digital-strategy.ec.europa.eu)