EU AI Act (Regulation 2024/1689) – Deadlines 2026, High-Risk Systems, Penalties
Short Answer
Regulation (EU) 2024/1689 on Artificial Intelligence (the "AI Act") entered into force on 1 August 2024 and becomes applicable in staggered phases: prohibited AI practices (Art. 5) and general governance rules since 2 February 2025; General-Purpose AI (GPAI) models rules (Arts. 51 ff.) since 2 August 2025; high-risk AI obligations (Art. 6 in conjunction with Annex III) applicable from 2 August 2026 — covering conformity assessment, CE marking, risk management, data quality, logging, transparency, human oversight; full application for embedded high-risk AI in regulated products (Annex I) from 2 August 2027. Penalties: up to €35 million or 7 % of worldwide annual turnover (whichever is higher) for violations of prohibited practices.
Key Facts
| Item | Value |
| Legal Basis | Regulation (EU) 2024/1689 of 13 June 2024 (OJ L 2024/1689) |
| Entry into Force | 1 August 2024 |
| Prohibited Practices (Art. 5) applicable from | 2 February 2025 |
| Governance & Definitions applicable from | 2 February 2025 |
| GPAI Models (Arts. 51 ff.) applicable from | 2 August 2025 |
| High-Risk AI (Art. 6(2), Annex III) applicable from | 2 August 2026 |
| High-Risk AI in Regulated Products (Annex I) applicable from | 2 August 2027 |
| Scope (Territorial) | EU + placing on EU market (extraterritorial) |
| Affected Roles | Providers, Importers, Distributors, Deployers, Authorised Representatives |
| Penalty Prohibited Practices | Up to €35 million OR 7 % global annual turnover (higher) [Art. 99(3)] |
| Penalty High-Risk Violations | Up to €15 million OR 3 % global annual turnover [Art. 99(4)] |
| Penalty Incorrect Information | Up to €7.5 million OR 1 % global annual turnover [Art. 99(5)] |
| SME Relief | Reduced fine ceilings (lower of the two values) |
| CE Marking Required | For high-risk AI before placing on market [Art. 48] |
| Conformity Assessment | Internal or notified body [Art. 43] |
| GPAI Systemic Risk Threshold | 10^25 FLOPs training compute [Art. 51(2)] |
| National Market Surveillance Germany | Bundesnetzagentur (draft implementing act) |
| EU AI Office | Established at European Commission (Brussels) |
Scope of Application
The Regulation applies extraterritorially: it covers not only EU-established providers but also third-country providers whose AI system is placed on or used in the EU market (Art. 2(1)). Exemptions: national security, military AI, AI exclusively for scientific research, free software prior to placing on market. Roles:
Provider – develops and supplies; primary conformity assessment addressee
Importer – brings third-country AI into EU
Distributor – markets in EU
Deployer – uses AI professionally (not personal use)
Authorised Representative – EU point of contact for third-country providers
Prohibited Practices (Art. 5) – Since 2 February 2025
Absolute prohibitions across all sectors:
Subliminal manipulation causing significant harm
Exploitation of vulnerabilities based on age, disability, socio-economic situation
Social scoring by public authorities (with exceptions)
Crime prediction solely based on profiling (predictive policing)
Untargeted scraping of facial images from internet/CCTV for databases
Emotion recognition in workplaces and educational institutions
Biometric categorisation based on sensitive characteristics (race, religion, sexual orientation)
Real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions)
High-Risk AI (Art. 6, Annex III) – From 2 August 2026
Eight areas in Annex III qualify as high-risk:
1. Biometrics (remote identification, biometric categorisation, emotion recognition outside prohibitions)
2. Critical infrastructure (transport, water, gas, electricity, digital infrastructure)
3. Education (assessment, admission, examinations)
4. Employment, personnel management (candidate screening, promotion, dismissal, performance evaluation)
5. Access to essential services (credit scoring, social benefits, emergency services, health insurance)
6. Law enforcement (evidence evaluation, recidivism prediction)
7. Migration, asylum, border control (risk profiling, biometric verification)
8. Justice and democratic processes (evidence weighting, election influence)
Core obligations for high-risk AI (Arts. 8-27):
Risk management system across entire lifecycle
Data quality — representative, low-error, unbiased training data
Technical documentation in EU language
Automated event logging
Transparency for deployers (user instructions)
Human oversight — meaningful control and intervention capabilities
Accuracy, robustness, cybersecurity
Conformity assessment + CE marking before placing on market
Registration in EU high-risk AI database
GPAI (General-Purpose AI) – Since 2 August 2025
Rules for foundation models such as GPT-4, Claude, Gemini, Llama, Mistral:
Standard GPAI: transparency, documentation, copyright compliance
GPAI with systemic risk (≥ 10^25 FLOPs training compute): additionally model evaluation, adversarial testing, systemic risk mitigation, cybersecurity assessment, incident reporting to the EU AI Office
Practical Compliance – Who Must Do What
Provider of a high-risk AI system (Art. 16):
1. Conduct conformity assessment (internal or notified body)
2. Prepare technical documentation
3. Establish quality management system
4. Affix CE marking
5. Register in EU high-risk AI database
6. Post-market monitoring + incident reporting
Deployer of a high-risk AI system (Art. 26):
1. Use system per user instructions
2. Ensure human oversight
3. Retain logs for at least 6 months
4. For public authorities: conduct Fundamental Rights Impact Assessment (FRIA) before use (Art. 27)
5. Inform affected persons that high-risk AI is used
6. Enable complaint right to market surveillance authority
Common Mistakes
"The AI Act only affects Big Tech." False — it covers every provider, importer, distributor, and deployer using AI in the EU. SMEs are equally affected.
"We only use ChatGPT, no proprietary AI." Nuanced — as a deployer, Art. 26 obligations apply, especially for use in personnel management or critical areas.
"The AI Act only fully applies in 2027." Partially true — prohibited practices (Art. 5) applied from 2 February 2025, high-risk obligations from 2 August 2026.
"CE marking is covered by our TÜV certificate." False — AI Act conformity assessment is standalone. TÜV or DEKRA can act as notified body, but the certificate must explicitly attest AI Act conformity.
"National penalties are mild." False — the Regulation sets a binding penalty framework. Germany implements it via the AI Implementation Act. €35 million is the hard ceiling.
"Emotion recognition in call centres is permitted." Borderline — prohibited in workplaces (Art. 5(1)(f)), except for safety or medical reasons.
Sources
Regulation (EU) 2024/1689 (AI Act) – EUR-Lex full text: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689
Consolidated version: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
EU AI Office: https://digital-strategy.ec.europa.eu/en/policies/ai-office
Commission FAQ – AI Act Explained: https://digital-strategy.ec.europa.eu/en/faqs/ai-act-explained
EU High-Risk AI Database (in development): https://ec.europa.eu/newsroom/dae/eu-ai-database
German BSI – AI Security: https://www.bsi.bund.de/EN/Topics/BSI/AI-and-Cybersecurity/ai_node.html
Bundesnetzagentur – AI Market Surveillance (in preparation): https://www.bundesnetzagentur.de/EN/Home/home_node.html
Change Log
2026-07-02: Initial publication (English EU wave). Deadlines 2 Feb 2025 (prohibited practices), 2 Aug 2025 (GPAI), 2 Aug 2026 (high-risk), 2 Aug 2027 (full application). Penalties €35 million / 7 % global turnover. GPAI systemic risk threshold 10^25 FLOPs. | change_type=initial_publication field="topic_lifecycle" new="published" reviewed_by="Andreas Warkentin"
See Also
GDPR Article 17 – Right to Erasure
German AI Act version
Status
Date: 2026-07-02
Valid from: 2024-08-01 (entry into force), staggered application through 2027
Status: current
Source authority: A (EUR-Lex, EU Commission, EU AI Office)
Licence: CC BY 4.0