EU AI Act: Deadlines Shift, But Compliance Urgency Has Never Been Higher

The presidency of the European Union Council and European Parliament negotiators have reached a provisional agreement to extend certain implementation deadlines for the AI Act. While most provisions were originally set to come into force on 2 August 2026, the updated timeline introduces obligations in several stages. However, this is no reason for complacency; the law’s global reach and severe penalties mean that companies must act now.

The New Timeline: A Roadmap for Compliance

The rollout of compliance obligations is now a staggered process, allowing companies to set priorities. The key dates are as follows:

  • 2 August 2026: The watermarking compliance deadline for generative AI systems that are not yet available on the market. This date remains unchanged.
  • 2 December 2026: A transitional period focusing on some transparency obligations and a new prohibited AI practice related to systems generating non-consensual, sexual, and/or intimate content or abuse material.
  • 2 December 2027: The compliance deadline for high-risk AI systems.
  • 2 August 2028: The compliance deadline for high-risk AI systems used as a safety component within a product already regulated by other EU product safety legislation.

From an AIQ standpoint, this phased introduction requires strategic planning. Companies should first focus on the transparency and watermarking requirements for generative AI models, and then prepare for the more complex auditing and documentation tasks associated with high-risk systems.

The Risk Pyramid: Not All AI is Created Equal

The AI Act follows a risk-based approach, which can be visualized as a pyramid with four levels of risk. The regulation’s focus is on the high-risk category, while it introduces no new rules for systems with minimal or no risk, such as an AI spam filter.

High-risk AI systems are defined as those used in areas such as recruitment, promotion, and performance management; creditworthiness and access to financial services; and biometric identification.

In a corporate context, this means that risk classification is not just a legal formality but the foundation of a cybersecurity framework. A high-risk system must be resilient against attacks like data poisoning and model evasion. These threats directly correlate with vulnerabilities listed in the OWASP LLM Top 10, such as LLM03: Training Data Poisoning. A thorough AI security audit must assess not only the system’s intended function but also the potential for harm from malicious use, which determines its true risk level.

Generative AI and GPAI Models Under the Regulatory Microscope

The AI Act introduces special rules for general-purpose AI (GPAI) models, including large language and generative models. All GPAI model providers will be required to:

  • Provide detailed technical documentation.
  • Comply with EU copyright law.
  • Publish a summary of training data sources.

From an AIQ standpoint, this marks the end of the ‘black box’ model era in the EU. Technical documentation and transparency about training data are essential for a security audit. This information allows us to assess vulnerabilities stemming from the training data (e.g., bias, hidden malicious data) and weaknesses in the model’s architecture. This is closely linked to GDPR’s principles of transparency and accountability and helps prevent issues like sensitive information disclosure (LLM06: Sensitive Information Disclosure) from the OWASP LLM Top 10.

Extraterritorial Reach and Heavy Fines: Why This Affects You

The reach of the AI Act extends far beyond the EU’s borders. The regulation applies to:

  • Providers placing AI systems or GPAI models on the EU market, irrespective of whether the provider is established in the EU.
  • Users of AI systems located within the EU.
  • Providers and users established outside the EU where the output of their AI system is used in the EU.

Non-compliance can lead to significant fines, which for the most serious violations could be up to the greater of €35 million or 7% of global annual turnover.

From an AIQ standpoint, this is a regulation with a global impact, similar to GDPR. Any company with EU customers or users is obligated to assess the AI systems it uses or develops. The high fines elevate AI security from a purely technical issue to a board-level financial risk. A proactive AI security audit (red teaming) is essential to ensure compliance and avoid severe penalties. The compliance checker tool published by the EU can be a good starting point, but it is no substitute for an in-depth expert assessment.

Attila Rácz-Akácosi

Independent AI Security Specialist

Two decades of analytical and systems-oriented experience. I have been working with artificial intelligence since 2017. In recent years, I have specialized in AI/LLM security and AI Red Teaming. Systems-level thinking instead of endless vulnerability checklists.