Nexvyra EN · Deutsch

EU AI Act (Regulation 2024/1689) – Deadlines 2026, High-Risk Systems, Penalties

Short Answer

Regulation (EU) 2024/1689 on Artificial Intelligence (the "AI Act") entered into force on 1 August 2024 and becomes applicable in staggered phases: prohibited AI practices (Art. 5) and general governance rules since 2 February 2025; General-Purpose AI (GPAI) models rules (Arts. 51 ff.) since 2 August 2025; high-risk AI obligations (Art. 6 in conjunction with Annex III) applicable from 2 August 2026 — covering conformity assessment, CE marking, risk management, data quality, logging, transparency, human oversight; full application for embedded high-risk AI in regulated products (Annex I) from 2 August 2027. Penalties: up to €35 million or 7 % of worldwide annual turnover (whichever is higher) for violations of prohibited practices.

Key Facts

ItemValue
Legal BasisRegulation (EU) 2024/1689 of 13 June 2024 (OJ L 2024/1689)
Entry into Force1 August 2024
Prohibited Practices (Art. 5) applicable from2 February 2025
Governance & Definitions applicable from2 February 2025
GPAI Models (Arts. 51 ff.) applicable from2 August 2025
High-Risk AI (Art. 6(2), Annex III) applicable from2 August 2026
High-Risk AI in Regulated Products (Annex I) applicable from2 August 2027
Scope (Territorial)EU + placing on EU market (extraterritorial)
Affected RolesProviders, Importers, Distributors, Deployers, Authorised Representatives
Penalty Prohibited PracticesUp to €35 million OR 7 % global annual turnover (higher) [Art. 99(3)]
Penalty High-Risk ViolationsUp to €15 million OR 3 % global annual turnover [Art. 99(4)]
Penalty Incorrect InformationUp to €7.5 million OR 1 % global annual turnover [Art. 99(5)]
SME ReliefReduced fine ceilings (lower of the two values)
CE Marking RequiredFor high-risk AI before placing on market [Art. 48]
Conformity AssessmentInternal or notified body [Art. 43]
GPAI Systemic Risk Threshold10^25 FLOPs training compute [Art. 51(2)]
National Market Surveillance GermanyBundesnetzagentur (draft implementing act)
EU AI OfficeEstablished at European Commission (Brussels)

Scope of Application

The Regulation applies extraterritorially: it covers not only EU-established providers but also third-country providers whose AI system is placed on or used in the EU market (Art. 2(1)). Exemptions: national security, military AI, AI exclusively for scientific research, free software prior to placing on market. Roles:

  • Provider – develops and supplies; primary conformity assessment addressee
  • Importer – brings third-country AI into EU
  • Distributor – markets in EU
  • Deployer – uses AI professionally (not personal use)
  • Authorised Representative – EU point of contact for third-country providers
  • Prohibited Practices (Art. 5) – Since 2 February 2025

    Absolute prohibitions across all sectors:

  • Subliminal manipulation causing significant harm
  • Exploitation of vulnerabilities based on age, disability, socio-economic situation
  • Social scoring by public authorities (with exceptions)
  • Crime prediction solely based on profiling (predictive policing)
  • Untargeted scraping of facial images from internet/CCTV for databases
  • Emotion recognition in workplaces and educational institutions
  • Biometric categorisation based on sensitive characteristics (race, religion, sexual orientation)
  • Real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions)
  • High-Risk AI (Art. 6, Annex III) – From 2 August 2026

    Eight areas in Annex III qualify as high-risk:

    1. Biometrics (remote identification, biometric categorisation, emotion recognition outside prohibitions)

    2. Critical infrastructure (transport, water, gas, electricity, digital infrastructure)

    3. Education (assessment, admission, examinations)

    4. Employment, personnel management (candidate screening, promotion, dismissal, performance evaluation)

    5. Access to essential services (credit scoring, social benefits, emergency services, health insurance)

    6. Law enforcement (evidence evaluation, recidivism prediction)

    7. Migration, asylum, border control (risk profiling, biometric verification)

    8. Justice and democratic processes (evidence weighting, election influence)

    Core obligations for high-risk AI (Arts. 8-27):

  • Risk management system across entire lifecycle
  • Data quality — representative, low-error, unbiased training data
  • Technical documentation in EU language
  • Automated event logging
  • Transparency for deployers (user instructions)
  • Human oversight — meaningful control and intervention capabilities
  • Accuracy, robustness, cybersecurity
  • Conformity assessment + CE marking before placing on market
  • Registration in EU high-risk AI database
  • GPAI (General-Purpose AI) – Since 2 August 2025

    Rules for foundation models such as GPT-4, Claude, Gemini, Llama, Mistral:

  • Standard GPAI: transparency, documentation, copyright compliance
  • GPAI with systemic risk (≥ 10^25 FLOPs training compute): additionally model evaluation, adversarial testing, systemic risk mitigation, cybersecurity assessment, incident reporting to the EU AI Office
  • Practical Compliance – Who Must Do What

    Provider of a high-risk AI system (Art. 16):

    1. Conduct conformity assessment (internal or notified body)

    2. Prepare technical documentation

    3. Establish quality management system

    4. Affix CE marking

    5. Register in EU high-risk AI database

    6. Post-market monitoring + incident reporting

    Deployer of a high-risk AI system (Art. 26):

    1. Use system per user instructions

    2. Ensure human oversight

    3. Retain logs for at least 6 months

    4. For public authorities: conduct Fundamental Rights Impact Assessment (FRIA) before use (Art. 27)

    5. Inform affected persons that high-risk AI is used

    6. Enable complaint right to market surveillance authority

    Common Mistakes

  • "The AI Act only affects Big Tech." False — it covers every provider, importer, distributor, and deployer using AI in the EU. SMEs are equally affected.
  • "We only use ChatGPT, no proprietary AI." Nuanced — as a deployer, Art. 26 obligations apply, especially for use in personnel management or critical areas.
  • "The AI Act only fully applies in 2027." Partially true — prohibited practices (Art. 5) applied from 2 February 2025, high-risk obligations from 2 August 2026.
  • "CE marking is covered by our TÜV certificate." False — AI Act conformity assessment is standalone. TÜV or DEKRA can act as notified body, but the certificate must explicitly attest AI Act conformity.
  • "National penalties are mild." False — the Regulation sets a binding penalty framework. Germany implements it via the AI Implementation Act. €35 million is the hard ceiling.
  • "Emotion recognition in call centres is permitted." Borderline — prohibited in workplaces (Art. 5(1)(f)), except for safety or medical reasons.
  • Sources

  • Regulation (EU) 2024/1689 (AI Act) – EUR-Lex full text: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689
  • Consolidated version: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
  • EU AI Office: https://digital-strategy.ec.europa.eu/en/policies/ai-office
  • Commission FAQ – AI Act Explained: https://digital-strategy.ec.europa.eu/en/faqs/ai-act-explained
  • EU High-Risk AI Database (in development): https://ec.europa.eu/newsroom/dae/eu-ai-database
  • German BSI – AI Security: https://www.bsi.bund.de/EN/Topics/BSI/AI-and-Cybersecurity/ai_node.html
  • Bundesnetzagentur – AI Market Surveillance (in preparation): https://www.bundesnetzagentur.de/EN/Home/home_node.html
  • Change Log

  • 2026-07-02: Initial publication (English EU wave). Deadlines 2 Feb 2025 (prohibited practices), 2 Aug 2025 (GPAI), 2 Aug 2026 (high-risk), 2 Aug 2027 (full application). Penalties €35 million / 7 % global turnover. GPAI systemic risk threshold 10^25 FLOPs. | change_type=initial_publication field="topic_lifecycle" new="published" reviewed_by="Andreas Warkentin"
  • See Also

  • GDPR Article 17 – Right to Erasure
  • German AI Act version
  • Status

  • Date: 2026-07-02
  • Valid from: 2024-08-01 (entry into force), staggered application through 2027
  • Status: current
  • Source authority: A (EUR-Lex, EU Commission, EU AI Office)
  • Licence: CC BY 4.0