Key Takeaways
- →EU AI Act penalties exceed GDPR: up to €35 million or 7% of global turnover
- →Compliance obligation is the product of risk tier, model type, and supply chain position
- →Extraterritorial reach means it applies regardless of company headquarters
- →Prohibited practices are already in force since February 2025
- →Most organizations misclassify their risk tier by ignoring GPAI model provisions
Three weeks before the EU AI Act's first prohibitions took effect in February 2025, I got a call from a Series C healthtech company in Berlin doing a company-wide AI audit ahead of the deadline. They'd built a patient triage system using an LLM fine-tuned on clinical notes. Solid product. Strong retention. The system included an emotion-recognition module that assessed patient distress levels from voice patterns during intake calls. On its own, that module was legal: emotion recognition for medical and safety reasons is the one place the Act carves out an explicit exception. Their real exposure was upstream. An AI system making automated judgments about patient care in a healthcare setting sits squarely in Annex III: high-risk. They had built the product for a year and never once assessed it against the Act's risk classification.
They had six weeks to build a defensible compliance position, not to switch anything off. 'We didn't think this applied to us,' the CTO told me. 'We're healthcare. We thought regulation meant the hospital, not the software underneath it.' I hear some version of that sentence every month now.
The Stakes Are Already Real
The EU AI Act is enforceable law now, published in the Official Journal in July 2024, with its first prohibitions in force since February 2025. The maximum penalty for deploying a banned AI practice is €35 million or 7% of worldwide annual turnover, whichever is higher. For context, that penalty ceiling exceeds GDPR's. And unlike GDPR, which took years before serious enforcement began, the European AI Office started supervising GPAI models the moment those obligations took effect in August 2025, with its own fining powers arriving a year later in August 2026.
If you deploy AI systems that serve people located in the EU, regardless of where your company is headquartered, this regulation applies to you. Extraterritorial reach. No exemptions for startups. For prohibited practices, there was no grace period: systems already in production had to comply by February 2025. Every other obligation phases in on its own schedule, but the clock is running on all of them.
The Compliance Surface Area Model
Here's the framework I use with clients to cut through the Act's 113 articles and 13 annexes. I call it the Compliance Surface Area Model. Most organisations try to understand the EU AI Act by reading it section by section. That's like trying to understand a city by reading its building codes. You need a map.
The model has three dimensions. Every AI system you operate can be located in this space, and its position tells you exactly what compliance obligations apply:
- Dimension 1: Risk Classification. Where does your system fall in the four-tier hierarchy? Unacceptable (banned), High-Risk (heavily regulated), Limited Risk (transparency obligations), or Minimal Risk (no new obligations). This determines the floor of your compliance requirements.
- Dimension 2: Model Type. Does your system use a General-Purpose AI model? If so, the GPAI provisions layer additional obligations on top of your risk classification, regardless of tier. A minimal-risk chatbot powered by a GPAI model with systemic risk still triggers GPAI compliance.
- Dimension 3: Supply Chain Position. Are you the provider (developed the AI), the deployer (uses someone else's AI in your product), or the importer/distributor? Each role has different obligations under the same risk tier. This is where most organisations get confused, and where the most compliance gaps hide.
Your compliance obligation is the product of these three dimensions, not any single one. A high-risk system using a GPAI model, deployed by a third party, has a fundamentally different compliance surface than a high-risk system using a narrow model that you built in-house. The Act treats them differently. Your compliance programme must too.
The Four Risk Tiers: What They Actually Mean
Every guide you've read about the EU AI Act lists the four risk tiers. What they don't tell you is how to think about them strategically. The tiers are a strategic constraint: they shape what you can build, how you build it, and what it costs to maintain.
Risk Tier Analysis
Strategic implications beyond the regulatory text
Eight categories of AI are outright banned today, and the Digital Omnibus adds a ninth (AI-generated child sexual abuse material and non-consensual intimate imagery) from December 2026. The ones that catch my clients off guard: emotion recognition in workplaces (yes, even for 'employee wellbeing' tools), social scoring systems (even internal 'trust scores' or gamified performance metrics), and untargeted facial image scraping. The law doesn't care about your intent. If your system's technical architecture falls within these definitions, it's prohibited. The strategic implication: audit every AI system for unintentional overlap with prohibited categories. I've found prohibited practices hiding in HR analytics suites, customer engagement platforms, and internal 'employee wellbeing' tools that quietly cross into workplace emotion recognition. These weren't designed as surveillance tools. They became them.
GPAI: The Regulatory Layer Most People Miss
The Act introduces a separate regulatory track for General-Purpose AI models, the foundation models that power everything from chatbots to code generation. This is among the first binding regulations anywhere to reach past how a system is deployed and regulate the foundation model underneath it. The implications are significant and widely misunderstood.
Standard GPAI Obligations
Every GPAI model, regardless of size, must meet four baseline requirements: technical documentation describing training methodology and capabilities, documentation for downstream providers who integrate the model into their own products, a policy for respecting EU copyright law, and a published summary of the training data used. The copyright policy requirement is already shaping how model providers negotiate content-licensing deals.
Systemic Risk: The 10²⁵ FLOPs Threshold
Models trained with more than 10²⁵ floating-point operations trigger a presumption of 'systemic risk.' The Commission can also designate models below this threshold based on capability assessments, and a provider can rebut the presumption with evidence that a specific model doesn't pose systemic risk. Systemic-risk models face additional obligations: comprehensive model evaluations, systemic risk assessment and mitigation, serious incident reporting to the European AI Office, and high-level cybersecurity protections.
If you build on top of a systemic-risk GPAI model, the frontier releases from OpenAI, Google, and Anthropic are the clearest examples, your compliance obligations don't disappear because someone else trained the model. The Act creates a shared responsibility chain. The model provider handles GPAI obligations. You handle deployment obligations. But you need contractual assurance that the provider is compliant, and you need to document that assurance for your own conformity assessment.
The GPAI provisions create a compliance supply chain. If your model provider isn't compliant, you inherit their regulatory exposure. This is the AI equivalent of a vendor risk management failure, and it's the gap I find in most deployments I audit.
If you want the full vendor-side playbook for this handoff, the third-party AI risk framework and the six-category vendor governance scorecard both cover exactly this compliance chain.
The Compliance Readiness Gap
IAPP's 2025 AI Governance Profession Report found that 77% of organisations are actively building or refining AI governance programmes, a figure that climbs to nearly 90% among organisations already using AI. But building a programme and satisfying the Act's specific risk-classification and documentation requirements are different bars. In my own engagements, most organisations haven't cleared the second one yet, and the gap is closing slower than the compliance clock is running.
The radar tells the story. Risk classification and documentation are where most organisations have made progress, since these are familiar exercises from GDPR. But human oversight mechanisms, GPAI compliance, and incident reporting? Those are AI-specific requirements with no GDPR equivalent. They require new capabilities, new roles, and new infrastructure. If you've built your compliance programme around the Minimum Viable Governance framework, you have a head start: MVG's risk-tiering discipline gives you the classification muscle the Act's four-tier system requires.
Where the Compliance Burden Falls
One of the most common questions I get from CTOs: 'Which team owns AI Act compliance?' The answer, all of them, is unhelpful. Here's the actual distribution of compliance burden across a typical organisation:
The heatmap reveals what the org chart doesn't: engineering carries the heaviest load (risk management systems and conformity testing), but legal owns documentation, and product owns human oversight design. HR is more exposed than most organisations expect: the Act's employment provisions affect recruitment AI, performance management tools, and workforce analytics. Marketing's exposure is lower but real: transparency obligations for chatbots, content generation disclosures, and deepfake labelling.
The coordination challenge is the real compliance risk. I've watched organisations where engineering built solid testing frameworks but legal hadn't created the documentation templates to capture the results. Or where product designed human oversight mechanisms that HR couldn't operationalise. The Act doesn't care which department dropped the ball. Non-compliance is non-compliance. For the governance structure that coordinates across these functions, see the Governance Playbook.
The Implementation Clock
The Act rolls out in phases, and each phase triggers specific, already-enforceable obligations. Miss one and the penalty clock doesn't wait for you to catch up.
Detailed Compliance Milestones
Each deadline is enforceable with penalties
February 2, 2025: Prohibitions
The ban on unacceptable-risk AI practices took effect. Eight categories of AI became illegal in the EU: social scoring, manipulative AI, untargeted facial scraping, emotion recognition in workplaces and schools, biometric categorisation by sensitive attributes, real-time remote biometric ID in public spaces (with narrow exceptions), predictive policing of individuals, and AI exploiting vulnerable groups. If you're still running any of these: stop. Today.
August 2, 2025: GPAI Rules
Obligations for General-Purpose AI models became applicable. Every GPAI model must have technical documentation, a training data summary, and a copyright compliance policy. Systemic-risk models face additional evaluation, mitigation, incident reporting, and cybersecurity requirements. The European AI Office supervises GPAI compliance directly, not national authorities, though its fining powers didn't arrive until a year later.
August 2, 2026: Transparency & Enforcement Powers
Article 50 transparency obligations apply: people must be told when they're interacting with AI, and new GenAI systems must mark synthetic content in a machine-readable way. This is also when the Commission and the European AI Office gain their GPAI fining powers. The regulatory sandbox deadline, originally set for this date, was postponed by the Digital Omnibus to August 2027.
December 2, 2026: CSAM Ban & Watermarking Deadline
A new Article 5 prohibition takes effect, banning AI that generates child sexual abuse material or non-consensual intimate imagery, added by the Digital Omnibus. The same date is the grace-period deadline for watermarking obligations on GenAI systems that were already on the market before August 2026.
August 2, 2027: Regulatory Sandboxes
National competent authorities must have regulatory sandboxes operational, a deadline deferred one year by the Digital Omnibus. This is a separate obligation from the high-risk enforcement dates below.
December 2, 2027: Full Enforcement (High-Risk, Standalone)
The complete set of high-risk AI system requirements (Annex III) becomes enforceable, deferred from August 2, 2026 under the Digital Omnibus. Parliament adopted the Omnibus in June 2026 and the Council gave final approval on June 29, 2026; only publication in the EU Official Journal is still pending. Risk management, data governance, documentation, conformity assessment, human oversight, accuracy standards, cybersecurity: all mandatory.
August 2, 2028: Embedded Products
Latest deadline for high-risk AI systems that are safety components of products regulated under existing EU sectoral legislation (medical devices, vehicles, aviation, etc.), deferred from August 2, 2027 under the Digital Omnibus. These systems get the longest runway because they must also comply with sector-specific conformity procedures.
The Business Case: Compliance as Competitive Advantage
For the CFOs in the room: the EU AI Act creates winners and losers in enterprise sales, and compliance cost is only one side of the ledger.
The tornado chart shows the asymmetry. Downside risk from non-compliance ranges from €15M (GPAI provider violations) to €35M (prohibited practices). The investment required for durable compliance, my estimate across a dozen engagements, averages €1 to €2 million for a mid-size enterprise. The upside? Organisations with demonstrable AI Act compliance are already commanding trust premiums in enterprise sales cycles, particularly in financial services, healthcare, and public sector procurement.
“Compliance is the price of admission to the world's most valuable regulated market, and the trust premium you build travels with you to every other jurisdiction.”
This isn't speculation: the same dynamic played out with GDPR. Organisations that invested early in data protection infrastructure used their compliance as a competitive differentiator that outlasted the regulation's novelty. The OECD AI Principles and the G7 Hiroshima AI Process are converging on the same standards. EU compliance today positions you for global compliance tomorrow.
The 90-Day Compliance Sprint
Here's the phased approach I use with clients to build EU AI Act compliance infrastructure in 90 days. It won't make you fully compliant, that's a longer journey. But it will close the highest-risk gaps and give you a defensible position if enforcement comes early.
90-Day Sprint Architecture
Inventory
Map every AI system. Classify by risk tier, model type, and supply chain position.
Triage
Identify prohibited practices (immediate action) and high-risk systems (priority compliance).
Build
Documentation frameworks, risk management systems, human oversight mechanisms.
Test
Conformity assessment dry runs. GPAI vendor audit. Incident response tabletop.
Phase 1: Inventory and Classification (Days 1-14)
Start with what you don't know. Every engagement I've run has uncovered AI systems the compliance team didn't know existed: shadow AI adopted by business units, third-party tools with embedded AI features, legacy systems with ML components nobody documented. Your first task is a complete inventory, classified across all three dimensions of the Compliance Surface Area Model.
- System inventory: Every AI system, including third-party tools with AI features. Don't forget HR platforms, customer service tools, and marketing automation: these are common sources of undocumented AI.
- Risk classification: Map each system to one of the four risk tiers. Be conservative: if a system could be high-risk under certain use cases, classify it as high-risk.
- GPAI assessment: For every system using a foundation model, document which model, who provides it, and whether the provider has published their GPAI compliance documentation.
- Supply chain mapping: For each system, document whether you are the provider, deployer, importer, or distributor. This determines your specific obligations.
Phase 2: Triage and Immediate Action (Days 15-30)
Prohibited practices first. If anything in your inventory falls under Article 5's banned categories, remediate immediately. Not next quarter. Now. The penalties are already enforceable.
Then prioritise high-risk systems by exposure: systems with the most users, the most sensitive data, and the most direct impact on individuals. These are your first conformity assessment candidates. For each, begin building the required risk management documentation. The AI Use Case Canvas is useful here: it gives you a structured evaluation of each system's risk-reward profile.
Phase 3: Build Compliance Infrastructure (Days 31-60)
- Risk management system: A continuous, iterative process, not a one-time assessment. The Act requires ongoing identification, analysis, estimation, and evaluation of risks. Build this as a living system with quarterly review cycles.
- Documentation framework: Technical documentation, instructions for use, conformity declarations, quality management system documentation. Standardise templates now: you'll need them for every high-risk system.
- Human oversight design: Meaningful human control, not rubber-stamp review. The Act requires that humans can understand the AI's outputs, can decide not to use the system, and can override or reverse outputs. Design these mechanisms at the product level.
- Data governance: Training, validation, and testing data must meet quality criteria: representativeness, accuracy, completeness. If you've built strong data governance under GDPR, extend it. If not, the GDPR compliance guide has the foundation.
Phase 4: Test and Validate (Days 61-90)
Run conformity assessment dry runs on your highest-risk systems. Document the results even when they fail, especially when they fail. Audit your GPAI vendors against the Act's transparency requirements. Run an incident response tabletop specifically for AI-related incidents (model failures, biased outputs, data leakage through inference). The output of this phase: a compliance status report for each AI system, a remediation plan for gaps, and an incident response playbook tested against realistic scenarios.
Don't aim for perfection in 90 days. Aim for defensibility. If the European AI Office or a national authority audits you once enforcement powers are fully live in August 2026, you want to demonstrate good faith effort, documented progress, and a credible plan to close remaining gaps. That's the difference between a warning and a €35M fine.
The Global Convergence
The EU AI Act doesn't exist in a vacuum. The OECD AI Principles, the G7 Hiroshima AI Process Code of Conduct, and the NIST AI Risk Management Framework are converging on the same core requirements: risk management, transparency, human oversight, and accountability. The EU is just the first to make them legally binding.
Regulatory Convergence
How global frameworks align with EU AI Act requirements
| EU AI Act | G7 Code | NIST AI RMF |
|---|---|---|
Risk classification Mandatory 4-tier | Voluntary risk-based | Framework (Govern) |
Transparency Legal requirement | Principle 4 | Map function |
Human oversight Mandatory for HR | Principle 6 | Govern function |
Incident reporting Mandatory | Voluntary | Respond function |
GPAI/Foundation models Regulated | Addressed | Not specific |
Enforcement €35M / 7% turnover | No penalties | No penalties |
The convergence pattern is clear: voluntary frameworks today become mandatory requirements tomorrow. Building to the EU AI Act standard now is how you avoid rebuilding for five more frameworks later. The G7 Code of Conduct's eleven guiding principles line up closely with the Act's requirements. NIST's four functions (Govern, Map, Measure, Manage) provide the operational scaffolding to implement them, and the NIST AI RMF crosswalk maps each function to the Act's specific articles.
Before you scale compliance across multiple jurisdictions, the 5-Pillar AI Readiness Assessment tells you whether your organisation is actually ready, beyond what the paperwork claims. And for the full jurisdiction-by-jurisdiction picture, the global AI regulation comparison guide maps how the major regimes are converging and where they still diverge. If you need to handle the GDPR layer underneath the AI Act, the AI and GDPR Compliance Guide covers the intersection in detail. And if documentation is piling up without anything actually changing in how your systems get built, Policy Is Not Control names that exact gap.
From Regulation to Strategy
The Berlin healthtech company? They kept the emotion-recognition module. It was legally sound. What they built instead was the high-risk compliance infrastructure the triage system actually needed: a risk management system, technical documentation, human oversight controls that let a clinician override any automated distress assessment, and a conformity assessment process ahead of their next major release. Writing down exactly how the triage decision worked forced a product conversation the team had avoided for a year. Some assumptions about voice-pattern reliability didn't survive contact with the documentation. What came out the other side was more defensible, and clinicians trusted it more because they could finally see how it worked.
That's the pattern I see in every successful EU AI Act engagement. The regulation forces documentation: what your AI actually does, how it makes decisions, and what happens when it fails. Organisations that treat this as a strategic exercise, not a legal checkbox, come out stronger.
Your action item: complete Phase 1 of the compliance sprint this week. Inventory your AI systems, classify them by risk tier, and identify anything that might fall under Article 5's prohibitions. If you find prohibited practices, or if you're not sure, that's the advisory conversation. I've helped a dozen organisations navigate exactly this assessment, and the difference between proactive compliance and reactive scrambling is the difference between a competitive edge and a crisis.
The healthtech CTO in Berlin told me something in our last call that I keep coming back to: 'The Act didn't slow us down. It showed us where we were building on assumptions instead of evidence.' I've found that to be true in every engagement. The EU AI Act is the most comprehensive AI regulation in the world. It's also, paradoxically, one of the most useful strategic tools available to any organisation serious about building AI that lasts.
Get Weekly Thinking
Join 2,500+ AI leaders who start their week with original insights.

Senior AI strategist helping leaders make AI real across four continents. Forbes Technology Council member, IEEE Senior Member.
Ajay's views, from 15 years in the field. Not legal or compliance advice. See full disclaimers →
Published by AI Exponent LLC