The EU AI Act Countdown: Your Roadmap to the August 2026 Deadline

On March 13, 2024, the European Parliament officially adopted the EU AI Act with a decisive vote of 523 in favor, 46 against, and 49 abstentions, establishing the world’s first binding legal framework for artificial intelligence. The legislation took effect on August 1, 2024, kicking off a multi-stage implementation period with its most critical milestone set for August 2026. As the deadlines approach, the conversation is shifting from broad policy discussions to the nitty-gritty details of practical implementation.

The Phased Implementation Timeline

Lawmakers mandated a phased rollout to give market participants time to prepare. This is not a single, all-encompassing deadline but a staged schedule. The key dates are as follows:

  • February 2, 2025: Deadline for compliance with rules on prohibited AI practices. This is the first and most urgent step, targeting systems that pose an unacceptable risk, such as social scoring systems or manipulative technologies.
  • August 2, 2025: Rules for General-Purpose AI (GPAI) models come into play. This imposes significant transparency and documentation obligations on developers of large language models (LLMs) and other foundational models.
  • August 2026: Most core provisions of the legislation will begin to apply. This marks the end of the 24-month implementation period and is the date by which most companies must be fully compliant.
  • August 2027: A longer, 36-month transition period applies to a specific group of high-risk AI systems, namely those covered by the product safety legislation under Annex I.

The Risk-Based Approach: What It Means in Practice

The centerpiece of the AI Act is its risk-based framework, which categorizes AI systems based on their potential impact on fundamental rights. Systems classified as “high-risk”—detailed in Annex I of the legislation—are subject to significantly stricter obligations.

From an AIQ standpoint, this approach draws a direct parallel to the concept of a Data Protection Impact Assessment (DPIA) under GDPR. In a corporate context, this means the first and non-negotiable step in the compliance process is an internal AI audit and risk assessment. Companies must accurately map and classify the AI systems they develop or use. Without this, it is impossible to determine specific obligations and develop an effective compliance strategy. Failure to classify, or incorrect classification, can lead to severe legal and financial consequences.

The Cost of Non-Compliance and its Link to the OWASP LLM Top 10

Violating the Act carries serious penalties. For infringements involving prohibited AI systems, fines can reach up to €35 million or 7% of a company’s total global annual turnover, whichever is higher. This clearly signals that lawmakers view non-compliant AI applications as a top-tier risk.

In our view at AIQ, compliance is not merely a legal exercise but a fundamental task of cybersecurity and business risk management. The requirements set forth by the AI Act—such as robustness, transparency, human oversight, and data governance—align closely with mitigating the vulnerabilities identified in the OWASP LLM Top 10.

  • Transparency requirements (e.g., documenting model capabilities and limitations) help prevent risks like LLM06: Sensitive Information Disclosure and LLM09: Overreliance.
  • Provisions on robustness directly target defenses against LLM01: Prompt Injection and LLM03: Insecure Output Handling.
  • Strict data governance rules are essential for reducing the risks of LLM04: Model Poisoning and related data leakage vulnerabilities.

In a business context, this means that a thorough AI security audit that incorporates the OWASP LLM Top 10 not only uncovers technical vulnerabilities but also lays the groundwork for legal compliance. The two domains can no longer be treated separately.

Preparing for the 2026 Deadline

Global tech firms and all companies operating in the EU market must achieve full compliance by August 2026 at the latest. While some industry critics argue that strict enforcement could hinder European competitiveness, other reports suggest that clear regulations are providing the legal certainty needed for long-term investments.

AIQ anticipates a spike in demand for AI auditing services and compliance software as companies rush to meet the August 2026 deadline. Organizations that begin their preparation now will gain a significant competitive advantage over those who leave action to the last minute. The time to assess, classify, and remediate AI systems is now.

Attila Rácz-Akácosi

Independent AI Security Specialist

Two decades of analytical and systems-oriented experience. I have been working with artificial intelligence since 2017. In recent years, I have specialized in AI/LLM security and AI Red Teaming. Systems-level thinking instead of endless vulnerability checklists.