EU AI Act Becomes Operational

Europe’s artificial intelligence law stopped being a future problem on August 1, 2024, when the European Union Artificial Intelligence Act entered into force, and its biggest block of rules is scheduled to apply on August 2, 2026. The shift in 2026 is that companies will be judged less on promises and more on whether their systems leave a paper trail regulators can inspect. (digital-strategy.ec.europa.eu) The law does not treat every chatbot, fraud model, or hiring tool the same. It uses a risk ladder with banned uses at the top, lighter transparency duties in the middle, and the heaviest controls on “high-risk” systems such as tools used in employment, education, critical infrastructure, and access to essential services. (digital-strategy.ec.europa.eu) The first deadline already passed on February 2, 2025, when banned practices and artificial intelligence literacy duties started to apply. That list includes things like social scoring, certain emotion recognition uses in workplaces and schools, and untargeted scraping of faces from the internet or closed-circuit television footage to build facial recognition databases. (digital-strategy.ec.europa.eu) Another deadline hit on August 2, 2025, when rules for general-purpose artificial intelligence models started applying. The European Commission said those providers now have duties around documentation and transparency, which means the bloc has already moved beyond broad principles and into model-level compliance. (digital-strategy.ec.europa.eu, digital-strategy.ec.europa.eu) The August 2, 2026 date is the one that will land hardest on banks, hospitals, employers, schools, and software vendors that sell into those sectors. That is when the main obligations for many high-risk systems become applicable, including the systems listed in Annex Three of the law. (digital-strategy.ec.europa.eu, bm.consulting) For those systems, compliance looks a lot like building an aircraft maintenance log instead of shipping a normal software update. Providers are expected to have risk management, technical documentation, record-keeping, human oversight, accuracy controls, and post-market monitoring that can be shown to an auditor after deployment, not invented during an investigation. (digital-strategy.ec.europa.eu) That is why logging has become the quiet center of the story. If a company cannot show which model version ran, what data source was used, what test results were recorded, and who approved a release, it will struggle to prove conformity even if the model appears to work. (raconteur.net, securityboulevard.com) A second pressure point is standards, because European Union product laws often work by letting companies follow technical standards and then claim a “presumption of conformity.” The Commission says those harmonised standards for the Artificial Intelligence Act are meant to provide legal certainty, which is why engineers and lawyers are both watching the standard-setting process so closely. (digital-strategy.ec.europa.eu, digital-strategy.ec.europa.eu) If those standards are late, incomplete, or do not cover a specific risk, the law gives the European Commission another tool called common specifications. That is a backstop rulebook the Commission can issue when the normal standards route does not deliver what the law needs. (digital-strategy.ec.europa.eu, artificialintelligenceact.eu) The reach is not limited to companies headquartered in Paris or Berlin. The law also applies to providers outside the European Union when their systems are placed on the European market, used in the European Union, or produce outputs used there, which pulls American software firms into the same compliance calendar. (bm.consulting, digital-strategy.ec.europa.eu) So the operational change is simple to describe even if it is expensive to build. By August 2026, “we use artificial intelligence responsibly” stops being a slide in a board deck and starts meaning version histories, test records, incident reporting plans, and governance controls that a regulator can open and read. (raconteur.net, digital-strategy.ec.europa.eu)