EU AI Act moves to enforcement

The European Union’s AI Act has moved from a law on paper to a compliance calendar, with national enforcement and most operating rules due on August 2, 2026. (ai-act-service-desk.ec.europa.eu) The act entered into force on August 1, 2024, but its deadlines are staggered: banned AI practices and AI literacy rules applied from February 2, 2025, and general-purpose AI model obligations started on August 2, 2025. (eur-lex.europa.eu) (digital-strategy.ec.europa.eu) For companies selling or using “high-risk” systems, August 2, 2026 is the key date. The European Commission’s implementation timeline says that is when Annex III high-risk rules, Article 50 transparency rules, and national and European enforcement start to apply. (ai-act-service-desk.ec.europa.eu) High-risk AI is the part of the law that works most like product safety. The Dutch Authority for Digital Infrastructure said those systems can be placed on the market and used only if they meet strict requirements and carry a CE marking, the same conformity label used for products such as toys and mobile phones. (rdi.nl) One of those requirements is a risk-management system under Article 9. The law treats that system as an ongoing process tied to a high-risk tool’s whole lifecycle, not a one-time review before launch. (eur-lex.europa.eu) (dev.to) That matters because the AI Act does not sit alone. The International Association of Privacy Professionals said the act and the General Data Protection Regulation use different legal logics, and in some cases companies will need both an AI Act fundamental-rights assessment and a General Data Protection Regulation data protection impact assessment. (iapp.org) The overlap runs deeper than paperwork. The International Association of Privacy Professionals notes that Article 10(5) of the AI Act allows strictly necessary use of sensitive personal data for bias monitoring in high-risk systems, while the General Data Protection Regulation still starts from a ban on processing special-category data unless an exception applies. (iapp.org) The Netherlands is showing what enforcement could look like on the ground. A draft Dutch implementation bill published for consultation on April 20, 2026 would divide oversight across 10 regulators, with the Dutch Data Protection Authority and the State Inspectorate of Digital Infrastructure in coordinating roles. (pinsentmasons.com) That Dutch model builds on advice the Data Protection Authority and Digital Infrastructure inspectorate published in 2024 after working with 20 other supervisory authorities. Their plan was to keep sector regulators in charge where AI is embedded in products they already police, including toys and medical devices. (rdi.nl) The Dutch consultation runs until June 1, 2026, according to Pinsent Masons, even as the broader European timetable remains in flux. The Commission’s AI Act Service Desk still lists August 2, 2026 for high-risk obligations, while Pinsent Masons said a separate European simplification package could push that date back, potentially to December 2027. (pinsentmasons.com) (ai-act-service-desk.ec.europa.eu) For vendors and buyers, the immediate job is less about waiting for one final deadline than mapping which rules already apply, which authority will ask questions, and which evidence has to be ready before August 2026. (autoriteitpersoonsgegevens.nl) (iapp.org)