EU Act hits implementation phase

Europe wrote its artificial intelligence law in 2024, but the hard part starts in 2026, when companies have to prove that actual systems, logs, approvals, and warning labels line up with the text on paper. The European Union’s rollout is staggered: banned uses started on February 2, 2025, general-purpose model rules started on August 2, 2025, and most remaining rules, including many high-risk system duties, start on August 2, 2026. (digital-strategy.ec.europa.eu 1) (digital-strategy.ec.europa.eu 2) (ai-act-service-desk.ec.europa.eu) That timeline matters because the law splits artificial intelligence into buckets, and each bucket triggers a different kind of work. A chatbot model provider has to produce technical documentation, a copyright policy, and a public summary of training content, while a company using a hiring or credit-scoring system may face the high-risk rulebook instead. (digital-strategy.ec.europa.eu) (ai-act-service-desk.ec.europa.eu) The phrase companies keep running into is “high-risk artificial intelligence,” which means systems used in areas like employment, education, essential services, and law enforcement where a bad output can block a job, a loan, or a benefit. For those systems, the law does not ask for a one-page policy; it asks for a risk management system, data governance, technical documentation, record-keeping, human oversight, and accuracy, robustness, and cybersecurity controls. (ai-act-service-desk.ec.europa.eu) That is why lawyers are being pulled into conversations that used to belong only to engineers and operations teams. If a company cannot show where training data came from, which model version was deployed on March 14, 2026, who approved a threshold change, or how a human can step in before a harmful decision lands, it is missing pieces the Act explicitly names. (ai-act-service-desk.ec.europa.eu) (newsletter.aipolicybulletin.org) The model layer is only one part of the puzzle, because the law also reaches the system wrapped around the model. A general-purpose model can be compliant on its own paperwork, but the company that turns it into a résumé screener or insurance triage tool still has to document the workflow, the inputs, the outputs, and the human review points for that specific use. (digital-strategy.ec.europa.eu) (newsletter.aipolicybulletin.org) The European Commission has tried to turn some of that abstract language into operating instructions. It issued guidelines for general-purpose model providers in July 2025, and it received the final General-Purpose Artificial Intelligence Code of Practice on July 10, 2025, after a process involving 13 experts and more than 1,000 stakeholders. (digital-strategy.ec.europa.eu 1) (digital-strategy.ec.europa.eu 2) Even there, the code is voluntary, not a magic stamp that makes the problem disappear. The Commission and the European Artificial Intelligence Board said on August 1, 2025 that the code is an “adequate voluntary tool” to help providers demonstrate compliance, which means firms can use it, but they still need evidence inside their own systems. (digital-strategy.ec.europa.eu 1) (digital-strategy.ec.europa.eu 2) Another deadline is coming for systems people can actually see. On August 2, 2026, transparency rules start applying to tools that interact with people, detect emotions, sort people by biometric traits, or generate deepfakes, and those systems must tell users or viewers that the content is artificial in the situations the law covers. (ai-act-service-desk.ec.europa.eu) (ai-act-service-desk.ec.europa.eu) For high-risk systems, the paperwork also turns into a market-access test. The Act requires a conformity assessment before a covered system is placed on the market, and compliant high-risk systems carry the same kind of Conformité Européenne, or CE, marking Europeans already see on products from toys to machinery. (artificialintelligenceact.eu) (ai-act-service-desk.ec.europa.eu) That is why companies are discovering that “artificial intelligence governance” really means building a factory for evidence. Data lineage, version control, incident logs, reviewer sign-offs, deployment records, and post-market monitoring are becoming as important as the model itself, because the Act is moving from interpretation to inspection. (securityboulevard.com) (ai-act-service-desk.ec.europa.eu)