---
title: EU AI Act (Regulation 2024/1689) – Deadlines 2026, High-Risk Systems, Penalties
slug: eu-ai-act-2024-1689-high-risk-systems
topic: data-protection
lang: en
valid_from: 2024-08-01
valid_to: null
last_reviewed: 2026-07-02
status: current
authority_level: A
license: CC-BY-4.0
url: https://nexvyra.de/en/fakten/eu-ai-act-2024-1689-high-risk-systems.md
wikidata_subjects: [Q126695612, Q11660]
de_version: https://nexvyra.de/fakten/eu-ki-verordnung-2024-1689-hochrisiko.html
---

# EU AI Act (Regulation 2024/1689) – Deadlines 2026, High-Risk Systems, Penalties

## Short Answer

**Regulation (EU) 2024/1689 on Artificial Intelligence** (the "AI Act") entered into force on **1 August 2024** and becomes applicable in **staggered phases**: **prohibited AI practices** (Art. 5) and general governance rules since **2 February 2025**; **General-Purpose AI (GPAI) models** rules (Arts. 51 ff.) since **2 August 2025**; **high-risk AI obligations** (Art. 6 in conjunction with Annex III) applicable from **2 August 2026** — covering conformity assessment, CE marking, risk management, data quality, logging, transparency, human oversight; **full application** for embedded high-risk AI in regulated products (Annex I) from **2 August 2027**. **Penalties**: up to **€35 million or 7 % of worldwide annual turnover** (whichever is higher) for violations of prohibited practices.

## Key Facts

| Item | Value |
|---|---|
| Legal Basis | Regulation (EU) 2024/1689 of 13 June 2024 (OJ L 2024/1689) |
| Entry into Force | 1 August 2024 |
| Prohibited Practices (Art. 5) applicable from | 2 February 2025 |
| Governance & Definitions applicable from | 2 February 2025 |
| GPAI Models (Arts. 51 ff.) applicable from | 2 August 2025 |
| High-Risk AI (Art. 6(2), Annex III) applicable from | 2 August 2026 |
| High-Risk AI in Regulated Products (Annex I) applicable from | 2 August 2027 |
| Scope (Territorial) | EU + placing on EU market (extraterritorial) |
| Affected Roles | Providers, Importers, Distributors, Deployers, Authorised Representatives |
| Penalty Prohibited Practices | Up to €35 million OR 7 % global annual turnover (higher) [Art. 99(3)] |
| Penalty High-Risk Violations | Up to €15 million OR 3 % global annual turnover [Art. 99(4)] |
| Penalty Incorrect Information | Up to €7.5 million OR 1 % global annual turnover [Art. 99(5)] |
| SME Relief | Reduced fine ceilings (lower of the two values) |
| CE Marking Required | For high-risk AI before placing on market [Art. 48] |
| Conformity Assessment | Internal or notified body [Art. 43] |
| GPAI Systemic Risk Threshold | 10^25 FLOPs training compute [Art. 51(2)] |
| National Market Surveillance Germany | Bundesnetzagentur (draft implementing act) |
| EU AI Office | Established at European Commission (Brussels) |

## Scope of Application

The Regulation applies **extraterritorially**: it covers not only EU-established providers but also **third-country providers whose AI system is placed on or used in the EU market** (Art. 2(1)). **Exemptions**: national security, military AI, AI exclusively for scientific research, free software prior to placing on market. **Roles**:

- **Provider** – develops and supplies; primary conformity assessment addressee
- **Importer** – brings third-country AI into EU
- **Distributor** – markets in EU
- **Deployer** – uses AI professionally (not personal use)
- **Authorised Representative** – EU point of contact for third-country providers

## Prohibited Practices (Art. 5) – Since 2 February 2025

**Absolute prohibitions** across all sectors:

- **Subliminal manipulation** causing significant harm
- **Exploitation of vulnerabilities** based on age, disability, socio-economic situation
- **Social scoring** by public authorities (with exceptions)
- **Crime prediction** solely based on profiling (predictive policing)
- **Untargeted scraping of facial images** from internet/CCTV for databases
- **Emotion recognition** in workplaces and educational institutions
- **Biometric categorisation** based on sensitive characteristics (race, religion, sexual orientation)
- **Real-time remote biometric identification** in public spaces by law enforcement (with narrow exceptions)

## High-Risk AI (Art. 6, Annex III) – From 2 August 2026

**Eight areas** in Annex III qualify as high-risk:

1. **Biometrics** (remote identification, biometric categorisation, emotion recognition outside prohibitions)
2. **Critical infrastructure** (transport, water, gas, electricity, digital infrastructure)
3. **Education** (assessment, admission, examinations)
4. **Employment, personnel management** (candidate screening, promotion, dismissal, performance evaluation)
5. **Access to essential services** (credit scoring, social benefits, emergency services, health insurance)
6. **Law enforcement** (evidence evaluation, recidivism prediction)
7. **Migration, asylum, border control** (risk profiling, biometric verification)
8. **Justice and democratic processes** (evidence weighting, election influence)

**Core obligations** for high-risk AI (Arts. 8-27):

- **Risk management system** across entire lifecycle
- **Data quality** — representative, low-error, unbiased training data
- **Technical documentation** in EU language
- **Automated event logging**
- **Transparency** for deployers (user instructions)
- **Human oversight** — meaningful control and intervention capabilities
- **Accuracy, robustness, cybersecurity**
- **Conformity assessment + CE marking** before placing on market
- **Registration** in EU high-risk AI database

## GPAI (General-Purpose AI) – Since 2 August 2025

**Rules for foundation models** such as GPT-4, Claude, Gemini, Llama, Mistral:

- **Standard GPAI**: transparency, documentation, copyright compliance
- **GPAI with systemic risk** (≥ 10^25 FLOPs training compute): additionally model evaluation, adversarial testing, systemic risk mitigation, cybersecurity assessment, incident reporting to the EU AI Office

## Practical Compliance – Who Must Do What

**Provider of a high-risk AI system** (Art. 16):

1. Conduct conformity assessment (internal or notified body)
2. Prepare technical documentation
3. Establish quality management system
4. Affix CE marking
5. Register in EU high-risk AI database
6. Post-market monitoring + incident reporting

**Deployer of a high-risk AI system** (Art. 26):

1. Use system per user instructions
2. Ensure human oversight
3. Retain logs for at least 6 months
4. For **public authorities**: conduct **Fundamental Rights Impact Assessment (FRIA)** before use (Art. 27)
5. **Inform affected persons** that high-risk AI is used
6. Enable **complaint right** to market surveillance authority

## Common Mistakes

- **"The AI Act only affects Big Tech."** False — it covers **every provider, importer, distributor, and deployer** using AI in the EU. SMEs are equally affected.
- **"We only use ChatGPT, no proprietary AI."** Nuanced — as a **deployer**, Art. 26 obligations apply, especially for use in personnel management or critical areas.
- **"The AI Act only fully applies in 2027."** Partially true — prohibited practices (Art. 5) applied from 2 February 2025, high-risk obligations from 2 August 2026.
- **"CE marking is covered by our TÜV certificate."** False — AI Act conformity assessment is **standalone**. TÜV or DEKRA can act as **notified body**, but the certificate must explicitly attest AI Act conformity.
- **"National penalties are mild."** False — the Regulation sets a **binding penalty framework**. Germany implements it via the AI Implementation Act. **€35 million** is the hard ceiling.
- **"Emotion recognition in call centres is permitted."** Borderline — **prohibited in workplaces** (Art. 5(1)(f)), except for safety or medical reasons.

## Sources

- Regulation (EU) 2024/1689 (AI Act) – EUR-Lex full text: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689
- Consolidated version: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- EU AI Office: https://digital-strategy.ec.europa.eu/en/policies/ai-office
- Commission FAQ – AI Act Explained: https://digital-strategy.ec.europa.eu/en/faqs/ai-act-explained
- EU High-Risk AI Database (in development): https://ec.europa.eu/newsroom/dae/eu-ai-database
- German BSI – AI Security: https://www.bsi.bund.de/EN/Topics/BSI/AI-and-Cybersecurity/ai_node.html
- Bundesnetzagentur – AI Market Surveillance (in preparation): https://www.bundesnetzagentur.de/EN/Home/home_node.html

## Change Log

- 2026-07-02: Initial publication (English EU wave). Deadlines 2 Feb 2025 (prohibited practices), 2 Aug 2025 (GPAI), 2 Aug 2026 (high-risk), 2 Aug 2027 (full application). Penalties €35 million / 7 % global turnover. GPAI systemic risk threshold 10^25 FLOPs. | change_type=initial_publication field="topic_lifecycle" new="published" reviewed_by="Andreas Warkentin"

## See Also

- [GDPR Article 17 – Right to Erasure](/en/fakten/gdpr-art-17-right-to-erasure.html)
- [German AI Act version](https://nexvyra.de/fakten/eu-ki-verordnung-2024-1689-hochrisiko.html)

## Status

- Date: 2026-07-02
- Valid from: 2024-08-01 (entry into force), staggered application through 2027
- Status: current
- Source authority: A (EUR-Lex, EU Commission, EU AI Office)
- Licence: CC BY 4.0
