I have been following the EU AI Act since it was a draft regulation sitting in Brussels committee rooms. Now it has teeth, a timeline, and very real consequences for every CIO managing AI deployments in Europe. If you have been watching from the sidelines waiting for someone to tell you it is safe to keep doing nothing, this is your wake-up call.
The Act entered into force on August 1, 2024. From that date, the implementation clock started ticking, and it has been ticking fast. The first hard deadlines hit on February 2, 2025, when prohibitions on the most dangerous AI practices became legally enforceable across all EU member states. Social scoring systems, subliminal manipulation tools, real-time biometric surveillance in public spaces without judicial authorization: all banned, full stop. Organizations that had any of these use cases buried in their vendor contracts had six months to sort it out. Many of them scrambled.
February 2025 also introduced mandatory AI literacy requirements. Every organization deploying or developing AI systems must now ensure that the staff working with those systems have adequate understanding of AI capabilities, limitations, and risks. That sounds reasonable enough on paper, but the operational reality is that most enterprises have no formal AI literacy program at all. They have an LLM wrapper plugged into their helpdesk and nobody trained on what that actually means for data handling.
Milestones that matter
August 2025 brought the next wave: obligations for General-Purpose AI models and the governance structures around them. This is where it gets particularly interesting for technology leaders. GPAI model providers now face transparency requirements, energy consumption reporting, and copyright opt-out obligations. If you are using a third-party foundation model in any product or workflow, your vendor’s compliance posture is now your compliance posture too. Contracts need revisiting.
The major deadline that most organizations are treating as the horizon is August 2026, when full compliance obligations for high-risk AI systems come into force. Healthcare diagnostics, hiring and HR tools, credit scoring, biometric identification, critical infrastructure management: these are the categories that carry fines of up to 35 million euros or seven percent of global annual turnover, whichever is higher. Ouch. The European Parliament voted in March 2026 to delay certain provisions around high-risk systems to give national authorities more time to set up enforcement frameworks. Do not read that as a green light to slow down. The fines are coming, and the compliance frameworks are not going to build themselves.
What this means in practice
The AI Act operates on a risk-based logic. The higher the potential impact of an AI system on people’s lives, the more stringent the requirements. The challenge is that most AI inventories inside large organizations were assembled on a best-effort basis, not a risk-classification basis. Shadow AI is rampant. Tools adopted by individual departments without central oversight are everywhere. The first practical task for any CIO right now is getting a complete, honest picture of where AI is running across the organization.
From there, the compliance roadmap is reasonably clear: classify by risk tier; assess each high-risk system against the Act’s requirements covering data governance, transparency, human oversight, and robustness; build a cross-functional team across Legal, CISO, and Data leadership; and engage vendors on their own compliance trajectories. The EU has also launched an AI Act Service Desk to support organizations navigating implementation. It is worth a visit.
One practical tip that often gets overlooked: disable vendor AI features by default, then re-enable only those you have consciously assessed and approved. The default settings on most enterprise AI tools are configured for maximum functionality, not regulatory caution. That gap is where exposure lives. The EU AI Act is the most comprehensive AI regulatory framework in the world, and whether you view it as a burden or a competitive differentiator, it is the reality operating on European soil.
