Last updated: March 2026
I still get this question at least once a week. Sometimes from startup founders. Sometimes from compliance officers at banks. Once, memorably, from a VP of Product at a Fortune 500 company who was about to launch an AI feature across 14 European markets.
“So the EU AI Act — is it passed? Or is it still being debated?”
It’s passed. It’s law. Parts of it have been enforceable for over a year. Penalties are live. And the biggest compliance deadline is five months away.
I don’t blame anyone for the confusion. The AI Act had one of the longest, most publicly messy legislative journeys in EU history. It was proposed in 2021. Debated for three years. Amended hundreds of times. Went through trilogues that nearly collapsed.
Every tech publication on Earth wrote about it using future tense — “the proposed AI Act,” “the draft AI regulation,” “if it passes” — for so long that the language stuck in people’s heads.
Then it passed. And a lot of people didn’t update their mental model.
So let me set the record straight, once and for all.
The Short Answer: Yes, EU AI Act Is the Law (And It’s Here to Stay)
| Question | Answer |
|---|---|
| Is the EU AI Act law? | Yes. It is Regulation (EU) 2024/1689. |
| When was it adopted? | 13 June 2024 |
| When was it published? | 12 July 2024, in the Official Journal of the EU |
| When did it enter into force? | 1 August 2024 |
| Is any of it enforceable right now? | Yes. Prohibited AI practices have been banned since 2 February 2025. GPAI obligations since 2 August 2025. Penalties are live. |
| When does the big deadline hit? | 2 August 2026 — high-risk AI system obligations become enforceable |
| Is it still a proposal? | No. It is a directly applicable EU Regulation with legal force across all 27 member states. |
How We Got Here: The Legislative Journey of EU AI Act
The reason people still think the AI Act is a proposal is because it spent three and a half years being one. Here’s the full arc.
| Date | What Happened |
|---|---|
| April 2018 | European Commission publishes its first AI strategy and forms the High-Level Expert Group on AI |
| April 2019 | High-Level Expert Group publishes Ethics Guidelines for Trustworthy AI — the intellectual foundation for what becomes the AI Act |
| February 2020 | Commission releases White Paper on AI, launching public consultation on regulation |
| 21 April 2021 | Commission publishes the original legislative proposal — this is the moment people remember as the “start” of the AI Act |
| December 2022 | Council of the EU (member states) adopts its General Approach — its negotiating position |
| 14 June 2023 | European Parliament adopts its negotiating position with significant amendments, including new provisions on foundation models and generative AI |
| December 2023 | Trilogue negotiations between Parliament, Council, and Commission reach political agreement after marathon sessions |
| 13 March 2024 | European Parliament votes to approve the final text — 523 votes in favour, 46 against, 49 abstentions |
| 21 May 2024 | Council of the EU formally adopts the regulation |
| 13 June 2024 | Regulation (EU) 2024/1689 is formally signed |
| 12 July 2024 | Published in the Official Journal of the EU — this is the legally authoritative text |
| 1 August 2024 | Enters into force — the 20-day post-publication period expires and the law becomes operative |
| 2 February 2025 | Prohibited AI practices and AI literacy obligations become enforceable |
| 2 August 2025 | GPAI obligations, governance bodies, penalty regime become enforceable |
| 2 August 2026 | High-risk AI system obligations become enforceable |
| 2 August 2027 | Product-embedded AI and legacy GPAI compliance deadline |
The key distinction people miss: “Entered into force” (1 August 2024) doesn’t mean “fully enforceable.” The EU AI Act uses a phased rollout. Different obligations kick in at different dates.
But the law itself has been law since August 2024. It’s not a proposal. It’s not a draft. It’s not pending.
What’s Already Enforceable Under EU AI Act Right Now
As of March 2026, here’s what’s live and carrying penalties:
Since 2 February 2025 — Prohibited practices are banned:
- Social scoring
- Subliminal manipulation causing harm
- Exploitation of vulnerabilities (age, disability, economic situation)
- Real-time remote biometric identification in public spaces (with narrow law enforcement exceptions)
- Emotion recognition in workplaces and educational institutions
- Untargeted facial recognition scraping
- Biometric categorisation inferring sensitive characteristics
- Predictive policing based solely on profiling
Penalty: up to €35 million or 7% of global turnover.
Since 2 August 2025 — GPAI and governance:
- GPAI model providers must maintain technical documentation, publish training data summaries, comply with copyright law, and supply downstream providers with integration information
- GPAI models with systemic risk: adversarial testing, incident reporting, cybersecurity
- EU AI Office, AI Board, Scientific Panel, and Advisory Forum are operational
- Member states were required to designate national competent authorities
- Penalty regime is enforceable (up to €15M/3% for most violations; up to €7.5M/1% for incorrect information)
The GPAI Code of Practice was published on 10 July 2025. Twenty-six major AI providers signed, including Microsoft, Google, Amazon, OpenAI, and Anthropic.
What’s Coming Next in EU AI Act
| Date | What Becomes Enforceable |
|---|---|
| 2 August 2026 | High-risk AI obligations (Annex III): risk management, data governance, technical documentation, human oversight, conformity assessment, CE marking, EU database registration, post-market monitoring. Transparency rules (Article 50). AI regulatory sandboxes must be operational. GPAI penalty enforcement by AI Office. |
| 2 August 2027 | Product-embedded AI (Annex I) obligations. Legacy GPAI models (on market before August 2025) must be compliant. Full enforcement across all remaining provisions. |
| 2 August 2030 | Legacy high-risk systems used by public authorities must comply. |
| 31 December 2030 | Large-scale IT systems (Annex X) must comply. |
The Digital Omnibus caveat: In November 2025, the European Commission proposed the Digital Omnibus package, which could push high-risk deadlines to December 2027 (Annex III) and August 2028 (Annex I). This proposal is being debated by Parliament and Council and has not been adopted.
Until it is, August 2026 is the binding deadline. Don’t plan around a delay that doesn’t exist yet. Get a demo and don’t risk!
Why People Still Think EU AI Act Is a Proposal
I’ve thought about this a lot, and there are a few reasons the confusion persists.
The long gestation. The AI Act was publicly debated for over three years before adoption. Most people encountered it during this period and formed their impression of it as “that thing the EU is working on.” Mental models are sticky.
Media language. Even after formal adoption, many outlets continued using hedging language — “the upcoming AI Act,” “when the AI Act takes effect.” This is technically accurate for the phased obligations but creates the impression that nothing is live yet.
The phased rollout. Because different provisions become enforceable at different times, it’s easy to conclude that “it hasn’t started yet” if you only know about the August 2026 high-risk deadline. But prohibited practices have been banned for over a year.
The Digital Omnibus. The fact that the Commission proposed amendments in November 2025 — including deadline extensions — reinforces the perception that things are still in flux. And they are, for certain provisions. But the core regulation is settled law.
Comparison to GDPR. People remember GDPR as having a clear “before” and “after” — 25 May 2018. The AI Act’s phased approach doesn’t have that single dramatic switchover date, which makes it harder to anchor in memory.
What EU AI Act Means for Your Company
If you’re reading this and realising you’ve been operating under the assumption that the AI Act is still a proposal, here’s your immediate action plan:
| Priority | Action | Why Now |
|---|---|---|
| Urgent | Verify you have no prohibited AI practices in operation | These have been banned since February 2025. Penalties are live. €35M or 7%. |
| Urgent | If you provide GPAI models, verify you meet Chapter V obligations | Enforceable since August 2025. Documentation, copyright, downstream info. |
| High | Classify all your AI systems by risk tier | You need to know what you have before you can comply by August 2026. |
| High | Start technical documentation for high-risk systems | Annex IV documentation is extensive and cannot be done in the last month. |
| High | Determine your role per system (provider, deployer, both) | Your obligations depend entirely on your role in the value chain. |
| Medium | Budget for compliance | High-risk compliance costs €200K–€1.2M depending on system complexity. |
| Ongoing | Monitor the Digital Omnibus | Timelines may shift, but treat August 2026 as binding until formally changed. |
Industry Reality Check
“We thought we had more time” — FinTech, Berlin
A fintech credit scoring company assumed the AI Act was still being negotiated. They discovered in late 2025 that prohibited practices had already been enforceable for months. Fortunately, none of their systems fell under Article 5 — but they hadn’t checked. The audit took three weeks and cost them two product launch cycles.
“Our investors asked about it” — HealthTech, Amsterdam
A healthtech startup raising Series B was asked by their lead investor: “Is the AI Act law, and are you compliant?” The founder said “it’s still a proposal.” The investor’s legal team corrected them in the next meeting. The round closed, but with a compliance milestone attached to the term sheet.
“Our EU customers started asking for documentation” — SaaS, San Francisco
A US SaaS company selling HR analytics to European enterprises started receiving compliance questionnaires from procurement teams in Q3 2025. The questions referenced specific AI Act articles. The company had assumed the regulation was “years away.” They scrambled to produce technical documentation and nearly lost a seven-figure contract.
“We were already non-compliant and didn’t know” — Retail, Milan
A retailer using AI-powered surveillance cameras with demographic profiling in stores discovered that biometric categorisation based on sensitive characteristics — inferring customer ethnicity for marketing analytics — had been prohibited since February 2025. They disabled the feature and engaged legal counsel. No enforcement action followed, but only because no complaint had been filed yet.
How EYREACT Can Help
The AI Act isn’t coming. It’s here. EYREACT gives you the compliance infrastructure to deal with what’s already enforceable and prepare for what’s coming in August 2026 — risk classification, Living Compliance Binders, evidence management, gap analysis, and 400+ rules mapped directly from the regulation.
Stop planning for a proposal. Start complying with a law. Get a demo today!
FAQ
Is the EU AI Act actually passed and in effect?
Yes. Regulation (EU) 2024/1689 was adopted on 13 June 2024, published on 12 July 2024, and entered into force on 1 August 2024. It is a directly applicable EU Regulation — meaning it applies in all 27 member states without needing national implementing legislation.
Is any of it enforceable right now?
Yes. Prohibited AI practices have been enforceable since 2 February 2025. GPAI model obligations since 2 August 2025. The penalty regime is live. The AI Office is operational. This is not a future event — it’s current law.
When is the main compliance deadline?
2 August 2026 for high-risk AI systems under Annex III (credit scoring, recruitment, education, insurance, law enforcement, etc.). 2 August 2027 for AI embedded in regulated products (medical devices, machinery, vehicles). The Digital Omnibus proposes extending these, but the proposal hasn’t been adopted.
Is the AI Act still being amended?
The core regulation is settled. However, the Digital Omnibus proposal (November 2025) suggests targeted amendments including deadline extensions for high-risk obligations, relaxed AI literacy requirements, and permission to process sensitive data for bias detection. These amendments are being negotiated and have not been adopted. The fundamental structure of the AI Act — risk tiers, prohibited practices, GPAI obligations, enforcement framework — is not changing.
Does it apply outside the EU?
Yes. Like GDPR, the AI Act has extraterritorial reach. It applies to any organisation placing AI systems on the EU market, putting them into service in the EU, or producing outputs used within the EU — regardless of where the organisation is headquartered.
Is the AI Act a directive or a regulation?
A regulation. This is a critical distinction. EU directives must be transposed into national law by each member state, creating potential variations. EU regulations apply directly and uniformly across all member states. The AI Act is directly applicable — it doesn’t need national implementing laws to take effect (though member states do need to designate enforcement authorities and set national penalty rules).
What’s the difference between “entered into force” and “applicable”?
“Entered into force” (1 August 2024) means the law exists and is operative. “Applicable” or “enforceable” refers to when specific obligations must be complied with. The AI Act uses a phased approach: different obligations become applicable at different dates between February 2025 and August 2027. The law is in force now. Not all obligations are applicable yet. But many are.
I’ve seen articles saying the deadline was pushed to 2027. Is that true?
The Digital Omnibus proposes extending high-risk deadlines to December 2027 (Annex III) and August 2028 (Annex I), conditional on harmonised standards being available. This proposal is being debated and has not been adopted. Until it is, the original deadlines (August 2026 and August 2027) are binding. Planning around an unadopted proposal is a compliance risk.
Where can I read the actual law?
The authoritative text is published on EUR-Lex: https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng. It’s available in all 24 official EU languages. Don’t rely on third-party summaries as your primary source — read the text.
This article is for informational purposes only and does not constitute legal advice. Organisations should seek qualified legal counsel for jurisdiction-specific compliance guidance.
