EU AI Act

EU AI Act Compliance,
End to End

Everything you need to know about EU AI Act compliance: obligations, the four-gates risk model, conformity assessments, penalties, and how Modulos accelerates the process. Updated for the adopted Omnibus: high-risk deadlines move to December 2027, enforcement starts August 2026.

01 · The law

What the EU AI Act is

The EU AI Act (Regulation 2024/1689) is the world’s first comprehensive law on artificial intelligence. It is a product safety regulation: it treats AI the way EU law has long treated machinery and medical devices, with obligations scaled to risk. A short list of practices is banned outright. High-risk systems must pass a conformity assessment before reaching the market and keep evidence that they stay safe. Most other systems carry transparency duties or none at all.

It applies to any organization whose AI reaches people in the EU, wherever that organization is based, and its penalties scale with global turnover. The goal is not to slow AI down. It is to make AI products trustworthy enough to ship, the way CE marking did for physical products.

02 · Deadlines

The road ahead

Four dates decide your plan. Everything already in force is history you inherit, not a deadline you manage.

Today

  1. 2 Aug 2026

    in 25 days

    General application and GPAI fines

  2. 2 Dec 2026

    in 4 months

    New Article 5 prohibitions apply and watermarking grace ends

  3. 2 Dec 2027

    in 16 months

    Annex III standalone high-risk obligations

  4. 2 Aug 2028

    in 24 months

    Annex I product-embedded high-risk obligations

Behind us: in force since 1 August 2024, prohibitions and AI literacy since February 2025, GPAI model rules since August 2025.

The delay is not a pause

The Omnibus moved the high-risk deadlines. It did not move the reasons to start.

01

GPAI enforcement starts 2 August 2026

Model-provider fines under Article 101 become enforceable in weeks, not years.

02

The new bans land 2 December 2026

The NCII and CSAM prohibitions and the watermarking deadline touch anyone shipping generative features.

03

December 2027 is a start date in disguise

Inventory, classification, control design, and evidence collection take 12 to 18 months at enterprise scale.

04

Enforcement got stronger, not weaker

The Omnibus hands the AI Office investigation powers, on-site inspections, and fines of its own.

What the Omnibus Changes

The Omnibus is not just a delay: it moves the high-risk deadlines, adds new prohibitions, and keeps the August 2026 enforcement date firmly in place.

Dates shift

Annex III stand-alone high-risk to 2 December 2027; Annex I product-integrated high-risk to 2 August 2028.

New Article 5 prohibition

AI systems intended to generate non-consensual sexual or intimate imagery, and CSAM. Systems lacking effective technical safeguards are also caught. Compliance by 2 December 2026.

Watermarking grace

Article 50 transparency: transitional grace for systems already on the market before 2 August 2026; deadline 2 December 2026.

Status: adopted

Adopted by the European Parliament on 16 June 2026 and the Council on 29 June 2026. Enters into force on publication in the Official Journal, expected imminently.

Show the full change matrix
10 issues, article-by-article: current law, the adopted Omnibus, what to do now

Main high-risk AI rules (Annex III)

Current law (Regulation 2024/1689)

Under Article 113 of the enacted AI Act, the main high-risk obligations apply from 2 August 2026.

AI Omnibus as adopted (June 2026)

The adopted Omnibus shifts Annex III stand-alone high-risk obligations to 2 December 2027. Awaiting OJ publication.

What to do now

Keep inventory, classification, control design and evidence planning moving against the December 2027 date.

Product-integrated high-risk AI (Annex I)

Current law (Regulation 2024/1689)

Under Article 6(1) and Article 113, Annex I product-integrated high-risk obligations apply from 2 August 2027.

AI Omnibus as adopted (June 2026)

The adopted Omnibus shifts Annex I obligations to 2 August 2028. Awaiting OJ publication.

What to do now

Align product, legal, engineering and quality teams against the August 2028 date if AI is embedded in medical devices, machinery, radio, transport or other regulated products.

Watermarking & synthetic content

Current law (Regulation 2024/1689)

Article 50(2) transparency for AI-generated synthetic content applies from 2 August 2026 under Article 113.

AI Omnibus as adopted (June 2026)

The adopted Omnibus sets a transitional grace until 2 December 2026 for systems already on the market before 2 August 2026. Broader Article 50 transparency disclosures stay on the original schedule. Awaiting OJ publication.

What to do now

Build provenance and labelling into pipelines now if you generate synthetic images, audio, video or text aimed at the EU market.

National regulatory sandboxes

Current law (Regulation 2024/1689)

Article 57(1) sets 2 August 2026 as the deadline for Member States to establish at least one AI regulatory sandbox.

AI Omnibus as adopted (June 2026)

The adopted Omnibus postpones the Article 57(1) deadline to 2 August 2027 and expands real-world testing to Annex I systems outside sandboxes. Awaiting OJ publication.

What to do now

For sandbox-eligible programs, build the operational case (innovation goal, supervisor relationship, exit criteria) early; the slot is the bottleneck, not the deadline.

Sensitive data for bias testing

Current law (Regulation 2024/1689)

Article 10(5) allows providers to process Article 9 special-category data for bias detection and correction only when strictly necessary, with safeguards.

AI Omnibus as adopted (June 2026)

The adopted Omnibus extends the legal basis to all AI systems and general-purpose AI models, but keeps the strictly-necessary standard. The Commission proposed lowering it to "necessary"; the co-legislators rejected that change. Awaiting OJ publication.

What to do now

Plan bias testing under the existing strictly-necessary standard, with documented safeguards and a clear data-protection impact assessment.

Article 6(3) registration

Current law (Regulation 2024/1689)

Article 6(3) lets providers self-assess that an Annex III system does not pose a significant risk; Article 6(4) requires the assessment file; Article 49(2) requires registration of such systems in the EU database.

AI Omnibus as adopted (June 2026)

The adopted Omnibus preserves registration. The Commission proposed dropping the obligation for self-exempted systems; the co-legislators rejected that change. Awaiting OJ publication.

What to do now

Treat Article 6(3) self-exemption as a documentation exercise, not a hide-from-the-database exercise. Build the assessment file and the database registration as one workflow.

Prohibited practices

Current law (Regulation 2024/1689)

The Article 5 prohibitions have applied since 2 February 2025.

AI Omnibus as adopted (June 2026)

The adopted Omnibus adds a new Article 5 prohibition on AI systems intended to generate non-consensual sexual or intimate imagery of identifiable real persons, and on AI systems intended to generate child sexual abuse material. Foreseeable misuse where effective technical safeguards are absent is also caught. Compliance by 2 December 2026. Awaiting OJ publication.

What to do now

For generative-image, video, voice and avatar pipelines aimed at any EU touchpoint, design and document effective technical safeguards (consent verification, refusal training, content filters, audit logging) before deployment. Lack of safeguards is itself a trigger.

AI Office competence

Current law (Regulation 2024/1689)

Supervision of AI systems built on a GPAI model where the model and the system come from the same provider was not cleanly separated from national-authority competence.

AI Omnibus as adopted (June 2026)

The adopted Omnibus clarifies, only in same-provider GPAI model + system cases, that the AI Office takes the lead, with new enforcement powers: investigations, on-site inspections, binding commitments, and fines. National authorities remain competent in law enforcement, border management, judicial authorities, and financial institutions. Awaiting OJ publication.

What to do now

Map your supervisory contact point per use case rather than per company. A single GPAI provider deploying into multiple sectors faces different lead authorities depending on the sector.

Sectoral law interplay

Current law (Regulation 2024/1689)

AI Act Annex I lists Union harmonisation legislation (medical devices, toys, machinery, radio, watercraft, etc.) where AI Act high-risk obligations stack with sectoral product law.

AI Omnibus as adopted (June 2026)

The adopted Omnibus lets the Commission limit AI Act application via implementing acts where sectoral law has similar AI-specific requirements. Machinery is exempt from direct AI Act applicability; AI-specific health/safety routes through delegated acts under the Machinery Regulation. The "safety component" definition is narrowed to exclude systems used solely for user assistance or optimization. Do not assume relief until the implementing and delegated acts exist.

What to do now

For Annex I products, watch for the Commission implementing and delegated acts before duplicating effort. Until they are adopted, the AI Act compliance path remains the operative one.

AI literacy (Article 4)

Current law (Regulation 2024/1689)

Article 4 requires providers and deployers to take measures to ensure a sufficient level of AI literacy of their staff, applicable since 2 February 2025.

AI Omnibus as adopted (June 2026)

The adopted Omnibus softens the obligation: providers and deployers must support the development of AI literacy rather than ensure specific literacy levels. The obligation remains but is substantively weakened. Awaiting OJ publication.

What to do now

Keep role-based AI training running. Documented literacy efforts remain a cheap audit-defensibility win and feed Article 26 deployer duties either way.

03 · Scope

Does it apply to you?

Article 2 gives the Act extraterritorial reach: it binds non-EU providers and deployers the moment an AI system is placed on the EU market or its outputs are used in the Union. Follow SYS-04, the credit-scoring system on the map. Neither company is European; both are in scope.

Loading map...

A non-EU provider builds an AI credit-scoring model. A US fintech licenses it. EU customers receive credit decisions from it. Article 2 brings both the non-EU provider and the non-EU deployer into scope here, because the system is placed on the EU market and its outputs are used in the Union.

Which role are you?

Provider, deployer, importer, distributor: four of the commercial roles defined in the EU AI Act. The trap is not understanding what they mean. It is recognising which one you actually are. Most companies guess wrong, and the difference can be six figures of compliance work.

1
Article 25(1)(b)–(c)You become a Provider

You become a provider when you turn a system into a high-risk one.

Fine-tune or integrate a foundation model into an Annex III use case. If the result qualifies as high-risk under Article 6, Article 25(1)(c) reclassifies you from deployer to provider. Substantially modify an already-high-risk system and Article 25(1)(b) does the same. Provider obligations are heavy: technical documentation, conformity assessment, the Articles 9 to 15 stack.

2
Article 25(1)(a)You become a Provider

You become a provider when you rebrand a high-risk system.

White-label a third-party high-risk AI system and put your name or trademark on it, and Article 25(1)(a) says you are now the provider. The original developer’s documentation does not transfer to you. You inherit all provider obligations, even if the system was built by someone else.

3
Annex III, Article 50You are a Deployer

You become a deployer the moment you use AI on EU persons.

Internal HR screening tool that touches EU candidates? You are a deployer of a high-risk system under Annex III. Customer service chatbot interacting with EU customers? Deployer with Article 50 transparency obligations on top. Credit-scoring model used inside a fintech’s product? Deployer of high-risk AI under Annex III. “We just bought it from a vendor” is not a defence.

4
Articles 23, 24Importer or Distributor

You become an importer or distributor without realising.

Reselling a non-EU high-risk AI system into the EU market? Importer obligations under Article 23, including verifying the provider has done the conformity assessment. Acting as a SaaS reseller or marketplace in a value chain for high-risk AI? Probably distributor obligations under Article 24. The high-risk qualifier matters: these duties attach specifically to high-risk systems, not to AI in general.

Misclassification is the most expensive mistake on this page. The default assumption that “we just use AI” rarely survives contact with the Act’s definitions. Get the role right before you scope the program: every other obligation flows from it.

Not sure where you stand?

The risk calculator classifies your likely EU AI Act role and puts a number on your exposure in about three minutes.

Run the risk calculator

04 · Obligations

What do you owe, and by when?

The Act does not sort systems into tidy risk tiers. It runs four independent checks, and the obligations stack. Here is how that plays out for SYS-04, then the full stack article by article.

Pick a system

Follow the system · SYS-04 · credit-scoring model · non-EU provider, US fintech deployer, EU customers

SYS-04 enters the four checks
  1. 1

    Gate 1 · Article 5

    Prohibited practices

    Does it manipulate, socially score, or fall under the new NCII and CSAM bans?

    SYS-04 · NOpasses

    If yes: Banned. The new NCII and CSAM bans apply by 2 December 2026.

  2. 2

    Gate 2 · Article 6, Annex I and III

    High-risk classification

    Is it a safety component of a regulated product, or standalone in an Annex III domain?

    SYS-04 · YESfires

    Result: Creditworthiness assessment is Annex III point 5(b). Full high-risk stack by 2 December 2027.

  3. 3

    Gate 3 · Article 50

    Transparency duties

    Does it interact with people directly or generate synthetic content?

    SYS-04 · NOpasses

    If yes: Disclosure and marking duties; the watermarking grace ends 2 December 2026.

  4. 4

    Gate 4 · Chapter V

    General-purpose AI

    Is it a general-purpose model, or built on one you also provide?

    SYS-04 · NOpasses

    If yes: Model-level duties, in force since August 2025.

Obligations tray

Everything SYS-04 accumulated, all of it from Gate 2

  • Art. 9 risk management
  • Art. 10 data governance
  • Art. 11 technical file
  • Art. 12 logging
  • Art. 14 human oversight
  • Art. 17 QMS
  • Art. 43 conformity assessment
  • Art. 49 EU database registration
  • by 2 Dec 2027

Four checks, different stacks. Pick a system above, or run your own through all four gates.

Compliance Requirements

The Act lays out a range of requirements for high-risk AI systems. Tap any card for a plain-language summary and a link to the article.

* Required for public-law deployers and private entities providing public services, plus deployers of certain Annex III high-risk systems (creditworthiness assessment under 5(b) and life/health insurance risk assessment under 5(c)). Annex III point 2 (critical infrastructure) is excluded from the FRIA trigger.

Conformity assessment

High-risk systems must pass a conformity assessment before market entry. Most Annex III providers self-assess under Annex VI; the narrow third-party routes run through a notified body, and Annex I products follow their sectoral regimes. There is no scheduled audit afterwards: scrutiny arrives when a market surveillance authority requests your technical file, so the record has to be ready either way.

Step 1 - A high-risk AI system is developed

Establish, implement, document, and maintain a risk management system to address the risks posed by a high-risk AI system.

Step 2 - The system undergoes the conformity assessment and complies with AI requirements

- Implement effective data governance, including bias mitigation, training, validation, and testing of data sets.

- Maintain up-to-date technical documentation in a clear and comprehensive manner.

Step 3 - Registration of certain high-risk systems in the EU database under Article 49 (primarily Annex III).

- Ensure that high-risk AI systems allow for the automatic recording of events (logs) over their lifetime.

- Design systems to ensure sufficient transparency for deployers to interpret outputs and use appropriately.

Step 4 - A declaration of conformity is signed, and the AI system must bear the required CE marking under Article 48

- Develop systems to maintain an appropriate level of accuracy, robustness, and cybersecurity throughout their lifecycle.

- Ensure proper human oversight during the period the system is in use.

CE Mark

The system can be placed on the market.

Once substantial changes happen in the AI system's lifecycle, repeat from Step 2.

System placed on market

Disclaimer: The steps outlined above are intended to provide a general overview of the conformity assessment process. They should not be considered exhaustive and are not intended as legal or technical advice.

05 · Exposure

What happens if you get it wrong?

Penalties

What non-compliance costs, drawn to scale

Article 99 sets three tiers. For most undertakings the higher of a fixed cap or a share of global turnover applies. Pick a revenue and see your number.

Global revenue
Prohibited practices violationsup to €35M or 7% of global turnover
€140M
fixed cap €35M
Non-compliance with most other obligationsup to €15M or 3% of global turnover
€60M
fixed cap €15M
Supplying incorrect or misleading informationup to €7.5M or 1% of global turnover
€20M
fixed cap €7.5M

At €2B in global revenue the turnover share exceeds every fixed cap, so the percentage applies.

SMEs and start-ups take the lower of the two under Article 99(6). The adopted Omnibus extends certain SME regulatory exemptions to small mid-caps, up to 750 employees or €150M turnover; the exact scope will be confirmed by the Official Journal text.

GPAI model providers face separate fines under Article 101, enforceable from 2 August 2026.

See your exposure mapped to controls and evidence, system by system.

Request a Demo

06 · The work

How compliance actually gets done

Reading the law is the easy part. The work is an inventory that stays current, classifications you can defend, controls mapped to articles, and evidence that accumulates as a side effect of normal work. That is what the platform is for: Modulos holds CertX product conformity certificate 213-001/24 against ISO/IEC 42001:2023, and took Xayn to the first ISO/IEC 42001 certification in Germany.

Risk Management
Quantitative risk assessment with Monte Carlo simulation
Documentation & Records
AI Agents auto-generate and find evidence in your repos
Human Oversight & QMS
Built-in review workflows with full audit trail
Multi-Framework Compliance
140+ controls mapped to EU AI Act, ISO 42001, NIST AI RMF

Why Modulos for the EU AI Act

Three credentials specific to the EU AI Act, ordered by weight. The links point to the public bodies the work was done with.

CEN-CENELEC JTC 21

Highest weight

Contributed to the European AI standards that grant presumption of conformity

High-risk compliance will run through CEN-CENELEC harmonised standards: once cited in the Official Journal under Article 40, they grant a legal presumption of conformity for the requirements they cover (Articles 9 to 15). Modulos contributed to these standards through the JTC 21 working groups.

JTC 21 (CEN-CENELEC)

AESIA, Spanish AI regulatory sandbox

First EU AI Act sandbox

Supported the first EU AI Act regulatory sandbox

Spain ran the first EU AI Act regulatory sandbox, operated by AESIA, Europe’s first dedicated AI supervisory agency. It produced 16 official guidelines, the first interpretative criteria from a European public authority. Modulos supported the work of the sandbox.

AESIA

EU AI Pact

Voluntary early commitment

An EU AI Pact signatory

Modulos is a signatory of the EU AI Pact, the European Commission’s voluntary pledge to apply AI Act principles ahead of full applicability: an AI governance strategy, high-risk system mapping, and AI literacy across staff.

Public AI Pact signatory list

And the certifiable management system the proof flows into

Modulos holds CertX product conformity certification against ISO/IEC 42001 (certificate 213-001/24). ISO/IEC 42001 is not a substitute for AI Act conformity assessment, but it is the management-system spine most mature AI Act programs build on. See the ISO 42001 page.

07 · Context

How the EU AI Act stacks with other frameworks

Most organisations operate the AI Act alongside other regulations and standards rather than instead of them. Here is where the Act sits relative to the frameworks teams most often ask about.

Standard / RegulationDomainRelation to the EU AI Act
ISO/IEC 42001International AI management systemComplementary
NIST AI RMFVoluntary U.S. risk-management frameworkComplementary
GDPRBinding EU data-protection regulationDifferent layer
EU Machinery RegulationSafety-critical machinery in the EUOperational glue

EU AI Act vs ISO/IEC 42001

Complementary

ISO/IEC 42001 is the certifiable international management system standard for AI. Article 17 of the AI Act requires high-risk providers to operate a quality management system. Holding ISO 42001 certification is one of the strongest practical signals of meeting Article 17, although not formally a substitute. Most mature AI Act compliance programs land inside an ISO 42001 management system.

EU AI Act vs NIST AI RMF

Complementary

NIST AI RMF is voluntary U.S. guidance organised around four core functions (Govern, Map, Measure, Manage). The AI Act is binding EU regulation. Implementing AI RMF builds the risk-management practices Article 9 expects of high-risk providers, but it does not substitute for the Act's conformity-assessment and CE-marking requirements. See the NIST AI RMF page.

EU AI Act vs GDPR

Different layer

Both the AI Act and the GDPR are binding EU regulations, but they govern different layers. GDPR governs personal data; the AI Act governs AI systems. They overlap sharply on biometric processing, bias-testing with sensitive data, and the rights of individuals affected by automated decisions. Compliance with the GDPR does not satisfy the AI Act, and vice versa; both apply.

EU AI Act vs EU Machinery Regulation

Operational glue

Under the AI Omnibus adopted in June 2026, machinery is exempt from direct AI Act applicability. AI-specific health and safety requirements for AI systems classified as high-risk under the AI Act are routed through delegated acts under the Machinery Regulation itself, with a Commission obligation to issue guidance to economic operators. Awaiting Official Journal publication. The Canton of Zurich Innovation Sandbox for AI report still illustrates the value of running a single integrated AI management system across regimes. See the Sandbox report (PDF).

Comparing platforms? See how 20 AI governance platforms address the EU AI Act in our 2026 enterprise buyer’s guide.

By industry

How this applies in your sector

See how this plays out in the sectors where it drives the most AI governance work:

08 · Questions

FAQ about the EU AI Act

The EU AI Act (Regulation 2024/1689) is the European Union’s comprehensive law on artificial intelligence, in force since 1 August 2024. It is a product safety regulation: it bans some AI practices outright, requires conformity assessments and CE marking for high-risk AI systems, imposes transparency obligations, and sets model-level obligations for general-purpose AI providers.

Ensure Your AI Compliance

Whether you are already using or considering AI in your business, keeping these regulatory changes in mind is essential. Modulos can support your compliance journey.