EU AI Act Primer: Timelines and Obligations
And the cost of non-compliance

EU AI Act: the obligations most companies overlook (and what non-compliance actually costs)
The EU AI Act is the world's first comprehensive AI law. This guide breaks down the risk categories, obligations for providers and deployers, updated compliance timelines, and what your organisation needs to do now.
In this guide:
- What is the EU AI Act?
- EU AI Act risk categories explained
- What providers of high-risk AI systems must do
- What deployers of high-risk AI systems must do
- General-purpose AI model obligations
- EU AI Act compliance timeline (post-Omnibus update)
- Penalties for non-compliance
- How the EU AI Act compares with ISO 42001 and NIST AI RMF
- Where to start: a practical compliance checklist
- How Modulos helps organisations meet EU AI Act obligations
What is the EU AI Act?
The EU AI Act (Regulation 2024/1689) is the European Union's binding legal framework for artificial intelligence. Published in the Official Journal on 12 July 2024, it establishes harmonised rules for the development, deployment and use of AI systems across all 27 EU member states.
Unlike voluntary frameworks such as the NIST AI Risk Management Framework or ISO/IEC 42001, the EU AI Act carries legal force. Organisations that provide or deploy AI systems within the EU must comply or face significant fines. Importantly, the regulation applies based on where the AI system is used, not where the organisation is headquartered. A US-based company deploying an AI system that affects people in the EU falls within scope.
The Act uses a risk-based approach: the higher the risk an AI system poses to health, safety or fundamental rights, the stricter the obligations. This means not every AI system triggers the same requirements. Understanding where your systems sit in the risk hierarchy is the essential first step toward compliance.
EU AI Act risk categories explained
The EU AI Act classifies AI systems into four risk tiers. Each tier carries different obligations, ranging from an outright ban to no specific requirements at all.
Unacceptable risk: prohibited AI practices
AI systems that pose a clear threat to fundamental rights are banned entirely. Examples include social scoring by public authorities, real-time remote biometric identification in public spaces (with narrow law enforcement exceptions), exploitation of vulnerable groups, and subliminal manipulation techniques. As of the Omnibus deal, non-consensual generation of sexual or intimate imagery using AI is now also prohibited. These bans have been in force since 2 February 2025.
High risk: high-risk AI systems
The most compliance-intensive category. High-risk systems fall into two groups: Annex III systems classified by use case (employment, education, credit scoring, biometrics, law enforcement, migration, critical infrastructure) and Annex I systems embedded in products already regulated under EU harmonisation legislation (medical devices, machinery, vehicles). High-risk systems face mandatory requirements around risk management, data governance, technical documentation, human oversight, accuracy, robustness and cybersecurity.
Limited risk: transparency obligations
AI systems that interact with people, generate synthetic content, or are used for emotion recognition or biometric categorisation must meet specific transparency requirements. Users must be informed they are interacting with an AI system, and AI-generated or manipulated content must be machine-readably labelled. Chatbots, deepfake generators and AI content tools fall here.
Minimal risk: no specific obligations
The vast majority of AI systems (spam filters, AI-enabled video games, inventory management) fall into this category and face no specific regulatory obligations under the Act. Voluntary codes of conduct are encouraged but not required.
Key post-Omnibus change: Article 6(3) registration obligations survived the Omnibus amendments. Even if a provider self-assesses their Annex III system as non-high-risk, they must still register it in the EU database. The strategy of classifying out of scope to avoid obligations no longer works.
What providers of high-risk AI systems must do
Providers are the organisations that develop or place a high-risk AI system on the EU market. Their obligations under the EU AI Act are substantial and span the full system lifecycle:
- Risk management system (Article 9): Establish and maintain a documented, continuous risk management process covering identification, estimation, evaluation and mitigation of risks to health, safety and fundamental rights.
- Data governance (Article 10): Ensure training, validation and testing datasets are relevant, representative, free of errors and subject to appropriate governance practices, including bias examination.
- Technical documentation (Article 11): Produce and maintain detailed documentation that demonstrates compliance with the Act's requirements, before the system is placed on the market.
- Record-keeping and logging (Article 12): Build automatic logging capabilities into the system so that events can be traced throughout the system's lifecycle.
- Transparency and information (Article 13): Design the system so that deployers can interpret its output and use it appropriately. Provide clear instructions for use.
- Human oversight (Article 14): Build in measures that allow human operators to effectively oversee the AI system and intervene or interrupt when necessary.
- Accuracy, robustness and cybersecurity (Article 15): Ensure appropriate levels of accuracy, robustness against errors and attacks, and cybersecurity throughout the system's lifecycle.
- Conformity assessment: Before placing a high-risk system on the market, complete the applicable conformity assessment procedure, draw up an EU declaration of conformity, and affix the CE marking.
- Registration: Register the system in the EU database before placing it on the market or putting it into service.
- Quality management system: Maintain a documented quality management system covering compliance strategy, design and development procedures, testing, data management, risk management, post-market monitoring, incident reporting and communication with authorities.
- Post-market monitoring: Actively monitor the system after deployment and take corrective action if issues arise, including reporting serious incidents to competent authorities.
What deployers of high-risk AI systems must do
Deployers are organisations that use high-risk AI systems in their operations (as opposed to developing them). The EU AI Act deliberately uses the term "deployer" rather than "user" to distinguish organisational use from individual use. Deployer obligations include:
- Use in accordance with instructions: Operate the system strictly according to the provider's instructions for use.
- Human oversight: Assign competent, trained individuals to oversee the AI system's operation.
- Input data quality: Ensure that input data is relevant and sufficiently representative for the system's intended purpose.
- Monitoring: Monitor the system's operation and report to the provider or distributor if a serious incident occurs or if the system presents an unexpected risk.
- Data protection impact assessment: Where required under GDPR, carry out a data protection impact assessment before putting the system into service.
- Fundamental rights impact assessment: Certain deployers (public bodies, private entities providing public services, credit scoring, insurance pricing) must carry out an assessment of the system's impact on fundamental rights before deployment.
General-purpose AI model obligations
The EU AI Act introduces a dedicated regime for general-purpose AI (GPAI) models, such as large language models. These rules apply to the model provider regardless of how downstream deployers integrate the model.
All GPAI providers must maintain technical documentation, provide information to downstream providers who integrate the model into their AI systems, establish a policy for copyright compliance, and publish a sufficiently detailed summary of the training data used.
GPAI models classified as posing systemic risk face additional obligations: model evaluation, adversarial testing, serious incident tracking and reporting to the European Commission, and adequate cybersecurity protections. The threshold for systemic risk classification is currently set at 10^25 FLOPs of cumulative training compute, though the Commission may update this.
EU AI Act compliance timeline (post-Omnibus update)
On 7 May 2026, EU negotiators finalised the Digital Omnibus amendments to the AI Act. The most significant change is a staggered deferral of compliance deadlines for high-risk systems. Below is the updated timeline:
| Date | Milestone | Status |
|---|---|---|
| 2 Feb 2025 | Prohibited AI practices banned. AI literacy obligations began for all providers and deployers. | In force |
| 2 Aug 2025 | GPAI model obligations and governance provisions became applicable. Notified body requirements took effect. | In force |
| 2 Aug 2026 | Transparency obligations (Article 50) apply. Penalties framework becomes fully enforceable. Most remaining provisions applicable. | Upcoming |
| 2 Dec 2026 | Watermarking and synthetic content labelling for AI systems placed on the market before August 2026 (4-month grace period). | Upcoming |
| 2 Aug 2027 | National regulatory sandboxes must be established. SME simplification provisions fully operational. | Upcoming |
| 2 Dec 2027 | Annex III high-risk system obligations apply (employment, education, credit scoring, biometrics, law enforcement, migration). Primary compliance deadline for most enterprises. Deferred 16 months from the original August 2026 date. | Key deadline |
| 2 Aug 2028 | Annex I high-risk system obligations apply (AI in regulated products: medical devices, machinery, vehicles, radio equipment). | Upcoming |
Why December 2027 is closer than it sounds: Nineteen months may seem comfortable, but procurement cycles for enterprise governance tooling run 12 to 18 months from initial scoping to full implementation. An organisation that only starts its RFP process in Q1 2027 is unlikely to be compliant by December. The Omnibus deal is confirmed as the final deadline adjustment; there will be no further extensions.
Penalties for non-compliance
The EU AI Act's penalty structure is designed to be proportionate but severe enough to incentivise compliance:
| Violation type | Maximum fine |
|---|---|
| Prohibited AI practices | Up to €35 million or 7% of global annual turnover, whichever is higher |
| High-risk system obligations | Up to €15 million or 3% of global annual turnover |
| Incorrect information to authorities | Up to €7.5 million or 1.5% of global annual turnover |
| GPAI model obligations (transparency, watermarking) | Up to €15 million or 3% of global annual turnover |
For SMEs and startups, fines are capped at the lower of the two amounts. The Omnibus amendments extended simplified compliance to mid-cap companies with up to 750 employees and €150 million in annual revenue.
How the EU AI Act compares with ISO 42001 and NIST AI RMF
The EU AI Act does not exist in isolation. Many organisations need to comply with multiple AI governance frameworks simultaneously. Understanding where they overlap and where they diverge is critical for efficient compliance.
| Dimension | EU AI Act | ISO/IEC 42001 | NIST AI RMF |
|---|---|---|---|
| Jurisdiction | European Union | Global (voluntary) | United States (voluntary) |
| Legal status | Binding regulation | Certifiable standard | Voluntary framework |
| Risk approach | Four-tier classification | Organisation-defined risk criteria | Govern, Map, Measure, Manage |
| Scope | AI systems placed on the EU market | Any organisation developing or using AI | US organisations, globally adopted |
| Certification | Conformity assessment + CE marking | Third-party certification available | No formal certification |
| Enforcement | Fines up to 7% of global turnover | Market / procurement requirement | No enforcement mechanism |
| Overlap with EU AI Act | - | ~50% control overlap | ~40% functional overlap |
The overlap between frameworks is significant. An organisation that has implemented ISO/IEC 42001 will have already addressed roughly half of the EU AI Act's technical requirements around risk management, documentation and governance. A platform that maps controls across frameworks can eliminate this duplication entirely, allowing a single piece of evidence to satisfy multiple requirements simultaneously.
Where to start: a practical compliance checklist
Regardless of where your organisation is on its AI governance journey, these steps provide a structured path toward EU AI Act readiness:
- Inventory your AI systems. You cannot comply with a regulation if you do not know what falls within scope. Catalogue every AI system your organisation develops, deploys or procures, including shadow AI that teams may have adopted without central oversight.
- Classify each system by risk tier. Determine whether each system qualifies as prohibited, high-risk, limited-risk or minimal-risk under the Act's criteria. Pay particular attention to Annex III use cases.
- Assess your current gaps. For each high-risk system, map existing controls against the Act's requirements (Articles 8 through 15). Identify where documentation, risk management, human oversight or technical safeguards fall short.
- Assign accountability. Designate clear ownership for AI governance within your organisation. This typically involves a cross-functional team spanning legal, compliance, data science and engineering.
- Implement a risk management system. Build or adopt a continuous, documented risk management process that covers identification, estimation, evaluation and treatment of AI-specific risks.
- Prepare technical documentation. Begin compiling the documentation required for conformity assessment. This includes system descriptions, design choices, training data characteristics, testing results and performance metrics.
- Establish post-market monitoring. Put processes in place to monitor deployed systems, capture incidents and trigger corrective actions when performance degrades or new risks emerge.
- Engage with a purpose-built platform. Spreadsheets and generic GRC tools are not designed for the AI Act's specific requirements. A dedicated AI governance platform can automate evidence collection, map controls across frameworks and generate audit-ready documentation.
How Modulos helps organisations meet EU AI Act obligations
Modulos is a purpose-built AI governance platform designed to operationalise EU AI Act compliance alongside ISO/IEC 42001, NIST AI RMF and other frameworks from a single workspace.
Built-in EU AI Act scoping
Modulos includes a structured questionnaire that walks teams through the Act's classification logic, determining whether each AI system is prohibited, high-risk, limited-risk or minimal-risk. The output feeds directly into the compliance workflow, so classification decisions are documented and auditable from day one.
Cross-framework control mapping
The Modulos Governance Graph maps individual controls to requirements across the EU AI Act, ISO/IEC 42001, NIST AI RMF, OWASP and GDPR simultaneously. Where frameworks overlap (roughly 50% between the EU AI Act and ISO 42001), a single control implementation satisfies both requirements. This eliminates duplicate work and reduces the overall compliance burden.
Quantitative risk management
Where most tools offer qualitative risk ratings (red, amber, green), Modulos quantifies AI risk in monetary terms using Monte Carlo simulation. This gives risk officers and boards a concrete understanding of exposure in euros or dollars, not abstract colour codes, and directly supports the Act's requirement for documented risk estimation.
Automated evidence collection
The Modulos Scout AI agent and Control Assessment Agent collect evidence directly from your existing tools (GitHub, Bitbucket, Confluence, Google Drive, AWS, Azure) and map it to the relevant requirements. This automates the most time-consuming element of compliance: gathering and organising proof that your controls actually work.
Shadow AI discovery
You cannot govern what you cannot see. Modulos integrates with development tools and cloud platforms to discover AI systems that teams may have deployed outside formal governance processes, a critical first step in building a complete AI inventory.
Audit-ready documentation
Modulos generates the technical documentation, risk assessments and compliance reports that regulators and certification bodies require. When audit time arrives, the evidence is already structured, traceable and ready for review.
Flexible deployment
Modulos supports SaaS, private cloud and on-premise deployment, with European data residency by default. For organisations in regulated industries where data sovereignty is non-negotiable, this removes a common procurement blocker.
Modulos was Europe's first governance platform to achieve ISO 42001 conformity in 2024, independently evaluated by CertX. This is not a self-declaration: it means the platform's own AI governance practices have been assessed and certified against the same standard it helps customers implement.
Ready to start your EU AI Act compliance journey?
Modulos maps your AI systems against every applicable requirement, automates evidence collection and produces audit-ready documentation. Request a demo and we will walk you through how the platform operationalises EU AI Act compliance for your organisation.
