The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive horizontal regulation of artificial intelligence. Adopted in 2024 and progressively applicable across 2025, 2026 and 2027, it sets binding rules on AI systems placed on the EU market or whose output is used in the EU, regardless of where the provider is established. The 2 August 2026 deadline is the most operationally significant moment: it is the date by which most of the Act's obligations, including the high-risk AI system rules, become enforceable.
This guide explains the four risk tiers, who is concerned, the staggered application timeline, sanctions, the relationship with ISO/IEC 42001, and how to build a compliance roadmap that survives audit. It is intended for AI governance leads, CISOs, compliance officers, product managers, and legal teams across the EU, UK and Switzerland.
At Abilene Academy, we train AI governance practitioners on PECB ISO 42001 Lead Implementer, Lead Auditor, and Lead AI Risk Manager. The pages that follow reflect what our trainers see in the field: which clauses are misread, where ISO 42001 helps and where it does not, and what differentiates paper compliance from audit-ready compliance before August 2026.
Key EU AI Act application date
2 August 2026. Source: Regulation (EU) 2024/1689, Article 113. Most obligations of the EU AI Act, including the high-risk AI system rules of Chapter III, become applicable on this date across all 27 EU member states.
Maximum sanction under the EU AI Act
EUR 35 million or 7% of total worldwide annual turnover, whichever is higher. The maximum administrative fine for breaches of the prohibited AI practices in Article 5. Source: Regulation (EU) 2024/1689, Article 99.
What is the EU AI Act?
EU AI Act in brief
Regulation (EU) 2024/1689 of the European Parliament and of the Council, laying down harmonised rules on artificial intelligence. The regulation entered into force on 1 August 2024 and applies in stages between 2 February 2025 and 2 August 2027. As a regulation (not a directive), it applies directly in all 27 EU member states without national transposition.
The EU AI Act is a risk-based horizontal regulation of artificial intelligence. Rather than targeting specific sectors or use cases, it classifies AI systems by the risk they pose to fundamental rights, safety and society, and imposes obligations proportional to that risk. The Act covers the full AI value chain: providers (those who develop or place AI systems on the market), deployers (those who use them in professional contexts), importers, distributors, and authorised representatives. It applies regardless of where the provider is established whenever the AI system is placed on the EU market or its output is used in the EU.
The Act is part of the EU's broader digital strategy that includes the GDPR, the Digital Services Act, the Digital Markets Act, NIS 2 and DORA. It coexists with sector-specific regulations, medical devices, automotive safety, financial services, rather than replacing them. AI systems embedded in regulated products inherit obligations from both regimes.
The risk-based approach: four tiers
Pyramid diagram of the EU AI Act four-tier risk classification: unacceptable risk (prohibited), high risk (extensive obligations), limited risk (transparency obligations), minimal risk (no specific obligations).
EU AI Act compliance deadlines: the staggered timeline
The EU AI Act applies in stages, not all at once. Article 113 of the regulation sets four key application dates spread across 2025, 2026 and 2027. Each marks a different bundle of obligations becoming legally enforceable. Organisations should map their AI inventory against this timeline to understand which obligations apply when.
Vertical timeline of EU AI Act application dates from August 2024 (entry into force) through August 2027 (high-risk AI in regulated products): 1 Aug 2024 entry into force, 2 Feb 2025 prohibited practices and AI literacy, 2 Aug 2025 GPAI obligations and governance, 2 Aug 2026 main application date, 2 Aug 2027 regulated products.
For most organisations, 2 August 2026 is the deadline that matters. The prohibited practices have been applicable since February 2025; the general-purpose AI provider rules since August 2025. What becomes enforceable in August 2026 is the full operational regime for high-risk AI systems, risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy, robustness, cybersecurity, along with the conformity assessment, EU declaration of conformity, CE marking, and post-market monitoring obligations.
Who does the EU AI Act apply to?
The Act covers six categories of actors along the AI value chain:
- Providers: entities that develop an AI system or have one developed and place it on the EU market or put it into service under their own name. Carry the heaviest obligations, especially for high-risk systems.
- Deployers (users): entities that use an AI system in a professional context within the EU. Bear obligations on intended-use compliance, human oversight, data input, log retention and impact assessment for certain high-risk uses.
- Importers: entities established in the EU that place on the market an AI system bearing the name of a non-EU provider. Must verify the provider's compliance documentation before placing the system on the market.
- Distributors: entities in the supply chain that make an AI system available on the EU market, other than the provider or importer. Must verify the CE marking and accompanying documentation.
- Manufacturers: entities placing an AI system on the market alongside a product they manufacture, under their own name.
- Authorised representatives: EU-based representatives appointed by non-EU providers. Hold a copy of the technical documentation and the EU declaration of conformity, and cooperate with authorities on behalf of the provider.
Extraterritorial reach: UK, US and Switzerland in scope
Article 2 sets out an unusually broad territorial scope. The Act applies to providers and deployers established outside the EU when the output produced by the AI system is used in the EU. A US SaaS vendor whose AI scores CVs for an EU employer falls within scope. A UK fintech using an AI credit decision engine on EU customers falls within scope. A Swiss medical-device manufacturer placing an AI-enabled diagnostic on the EU market falls within scope. There is no "adequacy" mechanism comparable to GDPR; the regulation simply applies.
The UK approach: principles-based, not horizontal
The UK is developing its own AI regulation framework based on principles-based supervision by existing regulators (ICO, CMA, FCA, MHRA, Ofcom). The Cyber Security and Resilience Bill and the broader UK AI Bill (still in consultation as of 2026) are expected to introduce sector-specific obligations rather than a horizontal Act. UK firms with EU customers must comply with the EU AI Act regardless of UK domestic regulation; the two regimes will likely coexist.
High-risk AI systems: the operational core of the Act
Most operational compliance work focuses on high-risk AI systems. The Act defines high risk in two ways. First, AI systems used as safety components in products covered by EU harmonisation legislation listed in Annex I (medical devices, automotive, machinery, toys, lifts, etc.) inherit high-risk status from the underlying product regulation. Second, AI systems used in the eight areas listed in Annex III are high-risk by default:
- Biometric identification and categorisation (where not already prohibited under Article 5)
- Critical infrastructure management (road traffic, water, gas, electricity, digital infrastructure)
- Education and vocational training (admission, evaluation, behaviour monitoring)
- Employment, worker management and access to self-employment (recruitment, CV screening, task allocation, performance evaluation, termination)
- Access to essential private and public services (creditworthiness, public benefits, emergency call dispatch, health and life insurance pricing)
- Law enforcement (risk assessment, polygraphs, evidence reliability, profiling, predictive policing)
- Migration, asylum and border control management
- Administration of justice and democratic processes
Common pitfall: under-scoping high-risk
The most common compliance failure is not classifying high-risk systems as such. Organisations underestimate scope because they think "high risk" implies dangerous when it actually captures everyday business AI, CV screening tools, customer credit scoring, employee monitoring software, AI-assisted hiring assessments. An inventory of AI systems mapped against Annex III is the single most important first step.
The seven obligations for high-risk AI providers
- 1. Risk management system (Article 9): documented, iterative process identifying and mitigating reasonably foreseeable risks to health, safety and fundamental rights throughout the AI system's lifecycle.
- 2. Data governance (Article 10): training, validation and testing data must be relevant, sufficiently representative, free of errors, and complete. Examined for biases that could lead to discrimination.
- 3. Technical documentation (Article 11): comprehensive documentation enabling authorities to assess compliance. Includes system architecture, training data, validation methods, performance metrics.
- 4. Record-keeping (Article 12): automatic logging of events during operation to ensure traceability and post-market monitoring.
- 5. Transparency and provision of information to deployers (Article 13): clear instructions for use, including system capabilities, limitations, expected level of accuracy, and human oversight measures.
- 6. Human oversight (Article 14): system design enabling effective human oversight by natural persons, including the ability to override, stop or reverse system outputs.
- 7. Accuracy, robustness and cybersecurity (Article 15): appropriate level of performance, resilience against errors, faults or inconsistencies, and protection against attempts to alter use or performance through unauthorised access.
Deployer obligations: lighter but still substantive
Deployers, the organisations using AI systems professionally, carry lighter but real obligations under Article 26. They must use high-risk AI systems in accordance with the provider's instructions for use, assign human oversight to competent persons, ensure input data is relevant for the intended purpose, monitor operation and notify the provider of any serious incident, retain logs for at least six months, and inform workers' representatives and affected workers before deploying a high-risk system at the workplace. Public-sector deployers and deployers in banking and insurance face an additional fundamental rights impact assessment obligation under Article 27.
General-purpose AI: a regime of its own
General-purpose AI (GPAI) models, the foundation models behind systems like ChatGPT, Claude, Gemini, and open-source alternatives, are regulated under a separate regime (Chapter V, Articles 51 to 56) that became applicable on 2 August 2025. All GPAI providers must maintain technical documentation, provide information to downstream providers integrating the model, establish a copyright compliance policy, and publish a sufficiently detailed summary of training data. Providers of GPAI models classified as having systemic risk (currently triggered by training compute above 10^25 FLOPs) bear additional obligations: model evaluation, systemic risk assessment, serious incident reporting to the AI Office, and adequate cybersecurity measures.
Are you a GPAI deployer or provider?
Organisations using GPAI through commercial APIs (OpenAI, Anthropic, Google) are downstream deployers, not providers. But organisations fine-tuning open-source GPAI models for their own products may become providers themselves under the Act, with the full provider obligations attaching. The legal classification turns on whether the fine-tuning substantially modifies the model.
Sanctions: among the highest in EU regulation
The EU AI Act provides for some of the highest administrative fines in EU regulation, exceeding even GDPR ceilings. Article 99 establishes three sanction tiers based on the type of breach:
EU AI Act administrative fines by breach category (Article 99)
Breach category: Prohibited AI practices (Article 5)
Breach category: Other breaches of obligations
Breach category: Incorrect/incomplete/misleading info to authorities
Breach category: SMEs and start-ups
Enforcement is national. Each member state designates one or more market surveillance authorities to enforce the Act on its territory, with the AI Office at EU level handling GPAI provider supervision and coordinating cross-border cases. The exact authority varies by member state; France relies on a multi-authority model coordinated by ANSSI and the CNIL, Germany on the BSI and the BfDI, Ireland on a designated cross-sector authority. The European Artificial Intelligence Board ensures consistent application.
EU AI Act and ISO 42001: the operationalisation path
ISO/IEC 42001:2023 is the international standard for AI management systems, and it provides the most direct path to operationalise EU AI Act compliance. The standard's structure mirrors the high-risk AI provider obligations in Chapter III of the Act, while adding management system controls familiar to anyone trained on ISO 27001 or ISO 9001.
Mapping between EU AI Act high-risk obligations and ISO 42001 controls
EU AI Act obligation: Risk management (Art. 9)
EU AI Act obligation: Data governance (Art. 10)
EU AI Act obligation: Technical documentation (Art. 11)
EU AI Act obligation: Record-keeping (Art. 12)
EU AI Act obligation: Transparency (Art. 13)
EU AI Act obligation: Human oversight (Art. 14)
EU AI Act obligation: Accuracy/robustness/cybersecurity (Art. 15)
ISO 42001 is not a compliance shortcut; certification does not substitute for the AI Act's specific conformity assessment, CE marking and post-market monitoring obligations. But it does provide audit-ready evidence for most high-risk obligations, structures the documentation that authorities will request, and demonstrates a management commitment that mitigates sanctions in the event of a breach. For organisations starting from zero, ISO 42001 is the most efficient framework to scaffold an AI governance programme.
Building the EU AI Act compliance roadmap
With August 2026 less than three months out, the compliance window is narrow. A defensible roadmap has six steps, each producing concrete deliverables that hold up under audit.
- 1. AI inventory: identify every AI system in development or production, including third-party AI integrated into your products or workflows. Without inventory there is no compliance.
- 2. Classification: map each system against the four risk tiers and Annex III categories. Document the rationale; it will be the first thing authorities ask about.
- 3. Gap analysis: for high-risk systems, assess current state against Articles 9 to 15. For deployers, against Article 26. For GPAI users, against the downstream obligations.
- 4. Governance setup: appoint accountable owners (AI governance lead, AI risk officer), define escalation paths, integrate AI risk into existing enterprise risk frameworks.
- 5. Implementation: deploy the risk management system, data governance controls, technical documentation, logging, transparency mechanisms, human oversight procedures, and cybersecurity measures.
- 6. Conformity assessment and monitoring: complete the appropriate conformity assessment procedure (self-assessment or notified body, depending on system type), prepare EU declaration of conformity, affix CE marking where required, establish post-market monitoring.
Organisations already certified ISO 27001 or running mature GDPR programmes have a head start; the data governance, documentation, access control, and incident-response controls overlap substantially. Organisations starting from zero need 12 to 18 months for a credible compliance programme; with three months to August 2026, the practical strategy is to triage by risk and conformance criticality.
Training and certification: the EU AI Act practitioner paths
Three PECB certification paths cover the operational competencies that the EU AI Act demands. They address distinct roles and converge on a common goal: building organisations that can demonstrate, not just claim, AI governance.
ISO 42001 Lead Implementer (5 days)
The ISO 42001 Lead Implementer certification is the reference for professionals responsible for designing, deploying and managing an AI management system aligned with ISO 42001:2023. It is the path that converts directly into operational EU AI Act readiness: the management system clauses scaffold the high-risk obligations, and the controls in Annex A produce the documentation authorities will inspect. For AI governance leads, CISOs taking on AI scope, and compliance officers in regulated sectors.
ISO 42001 Lead Auditor (5 days)
The ISO 42001 Lead Auditor certification trains professionals to plan, conduct and report on first-, second- and third-party audits of AI management systems. With the EU AI Act introducing notified body conformity assessments for certain high-risk systems, qualified ISO 42001 Lead Auditors are in short supply across the EU and UK. Suitable for internal auditors, consultants, and professionals building independent audit credibility.
Lead AI Risk Manager (5 days)
The Lead AI Risk Manager certification focuses on the AI-specific risk methodology that the EU AI Act demands under Article 9. It covers AI risk identification, classification, assessment, mitigation and monitoring across the full AI lifecycle. The methodology integrates with ISO 31000 enterprise risk frameworks while addressing AI-specific dimensions: model drift, training-data bias, adversarial robustness, explainability, and emergent behaviour. Best suited for risk officers, AI ethics leads, and practitioners building a risk-first AI governance practice.
Abilene Academy is the only PECB Titanium Partner in Switzerland, with a 99% pass rate on PECB exams and more than 2,500 professionals trained in 120 countries. All three certifications are available in classroom, virtual-live, eLearning and self-study formats, in English and French. To situate AI governance within the broader regulatory landscape, see also our complete NIS 2 directive guide and complete DORA compliance guide.
The field perspective from Alexis Hirschhorn, Senior Trainer, Abilene Academy
"The August 2026 deadline does not move. What we see at our clients is a consistent pattern: the technical compliance work is achievable in three to six months once the inventory is honest. What kills timelines is the inventory itself; most organisations do not know how many AI systems they actually run, who owns them, or what training data flows through them. Build the inventory first; the rest is execution."
Sources and references
- Regulation (EU) 2024/1689: EU AI Act (EUR-Lex, European Parliament and Council, 13 June 2024).
- European Commission AI Act page (DG CONNECT, official implementation tracking and guidance).
- European AI Office (EU-level supervision of GPAI providers, coordination of national authorities).
- ISO/IEC 42001:2023 (International Organization for Standardization, AI management systems standard).
- PECB ISO 42001 certification suite (PECB, official certification reference for ISO 42001 Lead Implementer and Lead Auditor).
