
EU AI Act Compliance Guide: Updated June 2026

  • Compliance
  • ISO 42001
  • Dan Spicer
  • Published: 1st Jun 2026


Highlights
  • The EU AI Act (Regulation 2024/1689) is the world's first binding AI regulation. It applies risk-based obligations in stages: prohibited AI practices from 2 February 2025, GPAI model requirements from 2 August 2025, and transparency obligations from 2 August 2026.

  • Following the EU AI Act Omnibus (provisional political agreement, 7 May 2026), the main high-risk deadline has been deferred. Annex III systems (recruitment, credit scoring, law enforcement) must comply by 2 December 2027. Annex I systems embedded in regulated products must comply by 2 August 2028.

  • Prohibited practices are already enforceable. Fines of up to €35 million or 7% of global annual turnover apply to violations of Article 5, including social scoring, manipulative AI, and biometric categorisation based on sensitive attributes.

  • The Act is extraterritorial. UK organisations placing AI systems on the EU market, or whose AI outputs affect EU users, are in scope — regardless of where they are headquartered.

  • ISO/IEC 42001 is the international standard for AI Management Systems. Implementing it provides a recognised governance structure that maps directly to EU AI Act obligations, supporting both compliance and certification.

  • Compliance planning should start with AI system inventory and classification. The work required to meet high-risk obligations does not change with the deferred deadline — only the runway does.

  • UK organisations face a dual compliance picture. The UK's pro-innovation framework applies domestically, but any UK organisation serving EU users must also meet EU AI Act obligations. The FCA applies additional AI governance expectations through SM&CR personal accountability, Consumer Duty requirements, and model risk management expectations derived from PRA supervisory statements. Read: EU vs UK AI Regulation — What It Means for Governance and Risk.

Introduction

The EU AI Act is in force, and the compliance picture just changed.

On 7 May 2026, EU institutions reached political agreement on the AI Act Omnibus, deferring the high-risk AI system obligations most organisations were preparing for in August 2026. The new deadlines are later — but the work required to meet them is exactly the same. And several obligations are already enforceable now.

This guide gives you the accurate picture: what applies today, what changed, and what a structured compliance programme looks like in 2026 and beyond.

Looking for a management system framework to operationalise your AI Act obligations? ISO/IEC 42001 is the standard built for this. See our ISO 42001 resources.

What Is the EU AI Act?

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive, legally binding framework for artificial intelligence. It classifies AI systems by risk level and sets proportionate obligations for providers, deployers, importers, and distributors.

The Act was proposed in 2021, adopted in June 2024, and entered into force on 1 August 2024. It phases in obligations across a staged timeline running through to 2028.

It is extraterritorial in practice. If you place AI systems on the EU market, or if your AI outputs affect EU users, you are likely in scope — regardless of where your organisation is headquartered.

Its stated goals:

  1. Promote safe, trustworthy, and transparent AI
  2. Ensure accountability for AI design and deployment
  3. Protect citizens from harmful or high-risk applications
  4. Support innovation through consistent, predictable rules

What Is Active Right Now (June 2026)

Before reading further, here is a plain summary of what applies today:

Already enforceable:

  1. Article 5 prohibitions (since 2 February 2025): Certain AI practices are banned outright. Violations carry fines up to €35 million or 7% of global annual turnover.
  2. AI literacy obligations (since 2 February 2025): Providers and deployers must ensure relevant staff have sufficient AI literacy.
  3. GPAI model obligations (since 2 August 2025): Providers of general-purpose AI models must comply with transparency, copyright, and safety requirements under Articles 51–55. New models placed on the market after 2 August 2025 must comply immediately. Models already on the market before that date have until 2 August 2027.

Taking effect 2 August 2026:

  1. Transparency obligations (Article 50): AI systems that interact directly with people must disclose this. Synthetic audio, image, video, and text content must be labelled in a machine-readable format. Emotion recognition and biometric categorisation systems trigger disclosure requirements.

Deferred under the AI Act Omnibus (political agreement reached 7 May 2026, pending formal adoption):

  1. Annex III high-risk systems (use-based): Obligations deferred to 2 December 2027. This covers recruitment tools, credit scoring, law enforcement applications, education systems, border control tools, and others.
  2. Annex I high-risk systems (product-embedded): Obligations deferred to 2 August 2028. This covers AI components in medical devices, machinery, lifts, radio equipment, and similar regulated products.

Note: The Omnibus has provisional political agreement as of 7 May 2026 but is pending formal adoption and publication in the EU Official Journal. Until that happens, treat the deferred dates as your planning baseline while continuing preparation work.

The Risk-Based Framework: Four Tiers

The EU AI Act classifies AI systems into four risk categories, each with different obligations.

Unacceptable Risk — Prohibited

 

These practices are banned outright under Article 5, with effect from 2 February 2025. The AI Act Omnibus adds a further prohibition effective 2 December 2026.

Prohibited from 2 February 2025:

  1. Manipulative AI techniques that exploit psychological vulnerabilities or subconscious behaviour
  2. Social scoring by public authorities or on their behalf
  3. Biometric categorisation systems inferring sensitive attributes (race, political opinion, religious belief, sexual orientation)
  4. Untargeted facial image scraping to build recognition databases
  5. Emotion recognition in workplace or educational settings
  6. Real-time remote biometric identification in public spaces by law enforcement (except in narrowly defined serious cases with strict safeguards — this is not a blanket ban)

Prohibited from 2 December 2026 (via Omnibus):

  1. AI systems that generate non-consensual intimate imagery, including so-called "nudifier" applications
  2. AI-generated child sexual abuse material

Regulator first checks — what draws scrutiny:

  1. Emotion recognition deployed in workplaces or schools
  2. Biometric categorisation without a clear lawful basis
  3. Missing intended purpose documentation, or absence of oversight design

High Risk — Heavily Regulated

 

High-risk AI systems face the most demanding compliance requirements. These are split into two categories with different deadlines following the Omnibus.

Annex III (use-based) — obligations apply from 2 December 2027: Includes AI systems used in: biometric identification, critical infrastructure, education and vocational training, employment (recruitment, performance evaluation, task allocation, promotion, termination), access to essential services (credit scoring, insurance), law enforcement, migration and asylum, administration of justice, and democratic processes.

Annex I (product-embedded) — obligations apply from 2 August 2028: Includes AI components that are safety components of regulated products: medical devices, machinery, toys, lifts, radio equipment, and vehicles governed by existing EU product safety legislation.

Note on Annex I: The Omnibus also narrows the definition of "safety component." If an AI component merely assists users or optimises performance without creating health or safety risks, it will not be classified as high-risk.

Limited Risk — Transparency Obligations

 

Obligations apply from 2 August 2026. Providers and deployers must inform users when they are interacting with an AI system. AI-generated synthetic content must be labelled in a machine-readable way. Specific disclosures apply to emotion recognition and biometric categorisation systems. Exceptions exist for law enforcement uses authorised by law, minor assistive editing, and certain artistic or editorial contexts.

Marking and labelling of AI-generated content (Article 50(2)) must comply by 2 August 2026, with a short deferral for watermarking standards to 2 December 2026.

Minimal Risk — Few or No Requirements

Everyday AI uses that pose minimal risk (spam filtering, basic recommendation tools) have no material obligations beyond general EU law.

 

[Image: risk tiers]

 

Who Is in Scope?

The Act applies to:

  1. Providers: Organisations that develop and place AI systems on the EU market, or put them into service, including outside the EU where output affects EU users.
  2. Deployers: Organisations using AI systems in a professional context. Deployers have lighter but real obligations, particularly around intended purpose, human oversight, logging, and incident reporting.
  3. Importers and distributors: Treated as providers if they modify a system substantially, or if the original provider is not established in the EU.
  4. Product manufacturers: Those who integrate AI into regulated products under Annex I.

UK organisations: The Act does not apply in the UK domestically, but UK organisations providing AI systems to EU users or placing systems on the EU market are likely in scope. The UK maintains a separate pro-innovation, regulator-led approach with no single omnibus AI statute.

Key Requirements for High-Risk AI Systems

When the relevant deadline applies, providers and deployers of high-risk AI systems must implement and evidence the following:

Risk management system (Art. 9): A documented, ongoing process to identify, analyse, evaluate, and treat risks. Named owners, defined review cadence, decision rationale on record.

Data governance and traceability (Art. 10): Dataset acceptance criteria, lineage documentation, representativeness checks, bias and quality testing, and documented limitations. Applies to training, validation, and test data.

Technical documentation (Art. 11–13): System description and architecture, intended purpose with scope and limits, training/validation/test summaries, logging schema. Must be kept current and centralised.

User instructions and transparency (Art. 13): Clear instructions for safe use, disclosure of limitations, expected performance ranges, and any user-facing disclosures required under the Act.

Human oversight (Art. 14): Explicit intervention and override points, defined escalation paths, documented operator training. Operators must understand when and how to intervene.

Accuracy, robustness, and cybersecurity (Art. 15): Target performance levels, pre-release and periodic testing, adversarial robustness checks, drift monitoring, and documented security controls.

Logging and record-keeping: Event logs for key operations and decisions, integrity controls, defined retention periods aligned to audit and investigation requirements.

Post-market monitoring and incident reporting: Issue capture processes, corrective action tracking, and serious incident reporting to national supervisory authorities.

Third-party and GPAI dependencies: External models must be managed the same way as internal ones: included in your register, with a defined intended purpose, lineage tracking, licence restrictions documented, and supplier evidence on file. Use the GPAI Code of Practice as a reference for what evidence to request from foundation model providers.

Change management: Re-assess risk classification and controls whenever there is a material change to purpose, model, data, or deployment context.

ISO/IEC 42001 Annex A maps directly to these Article obligations. See our practical guide to ISO 42001 Annex A controls.

How to Build an AI Compliance Programme

A management system approach is the most reliable way to meet EU AI Act obligations at scale. The Act defines what outcomes are required; a management system defines how you deliver them consistently across teams, releases, and audits.

ISO/IEC 42001, the international standard for AI Management Systems, aligns directly with EU AI Act requirements and provides a structured framework for building repeatable governance. Achieving ISO 42001 certification also provides practical evidence of compliance intent that regulators and customers can verify.

Phase 1: Foundations (Start Now)

 

Regardless of which deadline applies to you, this work underpins everything else and takes time to do properly.

  1. Register and classify every AI system, including vendor and embedded AI. Write a one-paragraph intended purpose per system: who it serves, what decisions it informs or makes, and its limits and guardrails.
  2. Centralise technical documentation and instructions for use. Enable event logging for key operations.
  3. Define human oversight checkpoints: who intervenes, when, and how.
  4. Run initial accuracy, robustness, and cybersecurity tests. Document results and limitations.

Evidence to keep: Register entries, intended-purpose statements, documentation index, logging design, test summaries.

Phase 2: Prove Control (Mature Your Programme)

  1. Implement data governance: dataset acceptance criteria, lineage records, bias-testing cadence.
  2. Build post-market monitoring: issue intake, corrective action workflows, serious incident triggers.
  3. Begin third-party and GPAI supplier due diligence. Collect attestations, review use restrictions, and document supplier evidence. Use the GPAI Code of Practice as a reference for what providers should supply.
  4. Use dashboards to track control status, open actions, and exceptions.

Evidence to keep: Dataset lineage and test evidence, post-market monitoring records, supplier questionnaires, control status reports.

Phase 3: Continuous Governance

  1. Move to scheduled control testing and periodic model reviews. Re-assess on any material change.
  2. Maintain a living risk register and oversight record. Keep logs and artefacts mapped to specific Act obligations for audit retrieval.
  3. Monitor implementing acts and Commission guidance. Adjust templates and controls to reflect updated requirements with minimal rework.

Evidence to keep: Control test results, change assessments, management reports, incident logs, remediation tracking.

The Compliance Crosswalk: EU AI Act Articles to Governance Activities

| EU AI Act Article | Obligation | Governance Activity |
|---|---|---|
| Art. 5 | Prohibited practices | Internal screening and classification against prohibited list |
| Art. 9 | Risk management | Risk register, governance committees, review cadence |
| Art. 10 | Data governance | Dataset acceptance criteria, lineage tracking, bias tests |
| Art. 11–13 | Documentation and transparency | Technical documentation, instructions for use, audit logs |
| Art. 14 | Human oversight | Intervention procedures, operator training, escalation |
| Art. 15 | Accuracy/robustness/cybersecurity | Testing regime, drift monitoring, security controls |
| Art. 50 | Transparency (limited risk) | AI disclosure, synthetic content labelling (from 2 Aug 2026) |
| Art. 51–55 | GPAI obligations | GPAI Code of Practice alignment, training content summary |

Updated Timeline: EU AI Act Enforcement Dates

| Date | What Applies |
|---|---|
| 1 August 2024 | Act enters into force |
| 2 February 2025 | Article 5 prohibitions enforceable. AI literacy obligations begin. |
| 2 August 2025 | GPAI model obligations (Art. 51–55) apply for new models. Governance infrastructure (national authorities, EU AI Office) operational. |
| 2 August 2026 | Transparency obligations (Art. 50) take effect. Most remaining provisions active. |
| 2 December 2026 | New Article 5 prohibition on nudifiers and CSAM (via Omnibus) takes effect. |
| 2 August 2027 | GPAI compliance required for models placed on market before 2 August 2025. |
| 2 December 2027 | High-risk obligations for Annex III systems (use-based) apply. Subject to formal Omnibus adoption. |
| 2 August 2028 | High-risk obligations for Annex I systems (product-embedded) apply. Subject to formal Omnibus adoption. |

 

Important note: The Omnibus deferral dates are based on the provisional political agreement of 7 May 2026. Formal adoption and publication in the EU Official Journal are expected before 2 August 2026 but had not occurred at the time of this publication. Treat the deferred dates as your planning baseline and monitor for formal adoption.

 

[Image: enforcement timeline]

 

Penalties

The EU AI Act establishes three tiers of administrative fines under Article 99:

  1. Prohibited practices (Art. 5): Up to €35 million or 7% of global annual turnover, whichever is higher.
  2. Other violations of Act requirements: Up to €15 million or 3% of global annual turnover, whichever is higher.
  3. Supplying incorrect or misleading information to authorities: Up to €7.5 million or 1% of global annual turnover, whichever is higher.

These are maximum figures. For SMEs and startups, the lower of the two amounts applies rather than the higher. National supervisory authorities set the actual penalty in each case, taking into account the nature, gravity, and duration of the violation.

Penalties for prohibited practices and GPAI obligations are already enforceable. Where AI systems also process personal data, GDPR obligations apply concurrently — both regimes can apply to the same system.

 

[Image: penalty exposure]

 

EU AI Act vs Other Global Frameworks

| Jurisdiction | Approach | Status |
|---|---|---|
| EU | Binding, risk-based regulation with staged obligations and significant penalties. Extraterritorial where EU users are affected. | In force, phasing in through 2028 |
| UK | Pro-innovation, regulator-led. Sector-by-sector guidance. No single omnibus AI statute. | Guidance-led, ongoing |
| US | No federal AI statute. The Trump administration has taken a deregulatory approach and is pursuing federal preemption of state AI laws. States are filling the gap with their own legislation, creating a patchwork of requirements. | Evolving rapidly |
| OECD | Non-binding AI principles widely referenced by governments and standards bodies. | Voluntary |

 

UK organisations serving EU users should not assume the UK approach provides sufficient cover for EU AI Act obligations. Read: EU vs UK AI regulation guide.

 

[Image: frameworks comparison, EU AI Act vs UK and US]

 

How SureCloud Helps You Meet EU AI Act Requirements

GRC teams did not grow when the EU AI Act arrived. The obligation to classify, document, monitor, and evidence every AI system in scope lands on the same people managing everything else.

SureCloud's GRC platform helps you convert the Act's requirements into auditable daily work, without building a separate compliance programme from scratch.

  1. AI inventory and risk classification: Maintain a live register of every AI system in scope: intended purpose, risk classification, GPAI dependencies, third-party suppliers, and human oversight roles. Classification decisions are documented and retrievable.

  2. Control workflows aligned to Act obligations: Configurable control sets mapped to the Act's key articles. Named owners, due dates, automated reminders, and exception tracking. Controls can be aligned to ISO 42001 simultaneously, avoiding duplication across frameworks.

  3. Evidence capture and audit pack: Centralise dataset tests, oversight logs, technical documentation, supplier attestations, and risk decisions into audit-ready records. A conformity assessment pack can be assembled from a single source, not from seven different folders.

  4. Third-party and GPAI risk management: Supplier questionnaires and due diligence workflows for external AI providers and foundation model vendors. Track licence restrictions, collect evidence of provider compliance, and document your review decisions.

  5. Policy lifecycle management: Version control, approval workflows, and staff attestations for AI governance policies and procedures.

  6. Real-time compliance dashboards: Track control status, open remediation actions, and exceptions across every AI system in scope. Board-ready reporting without manual data assembly.

  7. Gracie AI Agents with Personas and Skills: SureCloud's Gracie agents can support AI governance activities at scale: helping classify systems, drafting documentation, tracking control status, and surfacing exceptions — so your team focuses on judgement, not administration. This is not a co-pilot. It is a virtual GRC team performing activities across your AI compliance programme.


SureCloud's compliance management platform, with Gracie AI Agents running continuous monitoring across your AI risk register, maps control requirements across the EU AI Act, FCA expectations, and ICO requirements simultaneously — reducing audit preparation time by 75%.

Recommended AI Governance and Compliance Resources

  • How to Implement ISO 42001 Using AI Governance Tools: Practical Steps for Responsible AI (ISO 42001, Compliance)
  • ISO 42001 and the EU AI Act: How to Comply with Both Frameworks Efficiently (ISO 42001)
  • EU vs UK AI Regulation: What It Means for Governance & Risk (ISO 42001)

FAQs

Who needs to comply with the EU AI Act?

Any organisation that builds, deploys, imports, or distributes AI systems that affect EU users, including organisations based outside the EU. The territorial scope is broad: if your AI output reaches EU users, assume you are in scope.

What is the current compliance deadline for high-risk AI systems?

Following the AI Act Omnibus (political agreement 7 May 2026), the main high-risk deadline has been deferred. Use-based systems under Annex III must comply by 2 December 2027. Product-embedded systems under Annex I must comply by 2 August 2028. These dates are subject to formal Omnibus adoption, expected before 2 August 2026.

What obligations are already enforceable?

Prohibited practices (Article 5) have applied since 2 February 2025. GPAI model obligations (Articles 51–55) have applied since 2 August 2025. Transparency obligations (Article 50) take effect 2 August 2026.

Does the EU AI Act apply to UK organisations?

Yes, if a UK organisation places AI systems on the EU market or its AI outputs affect EU users. The UK has its own regulatory approach, but UK organisations are not automatically exempt from EU AI Act obligations when operating in the EU market.

What does human oversight mean under the Act?

Article 14 requires that people can monitor, intervene in, and override AI decisions at key points. This means designing explicit intervention mechanisms into AI workflows, training operators on when and how to use them, and documenting that design.

What is the GPAI Code of Practice?

A voluntary compliance tool published in July 2025 to help providers of general-purpose AI models demonstrate compliance with GPAI obligations under the Act. Practically, it provides a structure for the transparency, copyright, and safety documentation that downstream deployers should request from foundation model providers.

How do we manage third-party and foundation model risk?

Include external models in your AI register. Define the intended purpose for each use. Track model lineage, licence restrictions, and known limitations. Collect supplier evidence of their own compliance obligations. Log your oversight and testing activity. Treat external AI the same way you treat internal AI.

What documentation do regulators expect first?

An intended-purpose statement, risk classification with rationale, technical documentation, instructions for use, human oversight design, testing records, and event logs — all organised to map to specific Act obligations.

Does the Act overlap with GDPR?

Yes. Where AI systems process personal data, both apply concurrently. GDPR obligations around data minimisation, lawful basis, transparency, and individual rights sit alongside AI Act requirements for data governance and documentation. Running these as separate workstreams introduces duplication and gaps; integrated governance is more efficient.

What is the relationship between the EU AI Act and ISO 42001?

ISO/IEC 42001 is the international standard for AI Management Systems. It provides a management system structure that maps directly to EU AI Act compliance requirements. Implementing ISO 42001 does not guarantee EU AI Act compliance, but it provides a recognised framework for operationalising the governance, documentation, risk management, and oversight the Act requires.

Read: ISO 42001 and EU AI Act dual compliance guide