
EU AI Act Compliance 2026: What Is Actually in Force Right Now
The EU AI Act has been in force since August 2024, but "in force" does not mean "fully applicable." Two distinct waves of obligations have already landed, a third was originally scheduled for 2 August 2026, and a provisional political deal struck in May 2026 has proposed to redraw that deadline significantly. Here is what EU AI Act compliance actually requires of organisations right now, verified against current official sources.
Two waves of EU AI Act obligations are already live in 2026. Under a provisional political agreement reached in May 2026, the headline August 2026 deadline for standalone high-risk systems is proposed for deferral to December 2027 - but that agreement is not yet formally adopted.
The phased timeline: four waves, not one cliff
The EU AI Act was published in the Official Journal of the European Union on 12 July 2024 and entered into force on 1 August 2024. That date started the clock on a deliberately staggered schedule - different chapters apply at different intervals, giving organisations time to adapt by category of obligation.
The first wave landed on 2 February 2025, six months after entry into force. Chapter I (definitions and scope) and Chapter II (prohibited practices under Article 5) became enforceable on that date. Article 4, the AI literacy obligation requiring providers and deployers to ensure their staff have sufficient AI literacy, also entered into application on this date. From that point, AI systems performing unacceptable-risk functions - real-time biometric surveillance in public spaces, social scoring, subliminal manipulation, and exploitation of vulnerable groups - were banned. Penalties for violations already apply: up to 35 million euros or 7 per cent of global annual turnover, whichever is higher.
The second wave arrived on 2 August 2025, twelve months in. Chapter V (general-purpose AI, or GPAI, obligations under Articles 51-56) and Chapter VII (governance structures and the AI Office) became applicable alongside the penalties chapter. Providers of GPAI models - foundation models that can serve a wide range of downstream tasks - must now maintain technical documentation, publish a summary of training data, comply with EU copyright law, and provide downstream providers with the information they need for their own compliance. Providers of models with systemic risk (broadly, those trained above a compute threshold of 10^25 FLOPs) face additional requirements including adversarial testing and incident reporting to the AI Office.
The August 2026 deadline: what was scheduled and what changed
The original text of Article 113 set 2 August 2026 - the twenty-four month mark - as the date on which the bulk of remaining obligations would apply. That included the full high-risk AI system requirements in Chapters III and IV: risk management systems, data governance, technical documentation, logging, transparency to deployers, human oversight measures, and accuracy and robustness requirements. It also covered the deployer obligations under Article 26, and the registration obligations for high-risk systems in the EU database.
That deadline may not survive 2026 intact. In late 2025 the European Commission launched the Digital Omnibus on AI, a package of targeted amendments intended to simplify the Act's implementation and address delays in the availability of harmonised standards and national competent authorities. On 7 May 2026, the Council and the European Parliament reached a provisional political agreement on the package. The core proposed change: the application of high-risk obligations for standalone AI systems listed in Annex III (covering areas such as employment, education, critical infrastructure, and access to public benefits) would be deferred to 2 December 2027. High-risk AI embedded in regulated products under Annex I would be deferred further still, to 2 August 2028.
However, as of mid-2026, the Digital Omnibus has not yet been formally adopted or published in the Official Journal of the European Union. Until that happens, the legal deadline technically remains 2 August 2026. Formal adoption is widely expected before that date, but organisations should monitor the legislative process and not treat the provisional agreement as settled law until the Official Journal publication is confirmed.
What is actually enforceable in June 2026
Setting aside future deadlines, here is the current state of play. Prohibited practices (Article 5) have been enforceable since February 2025. Any organisation operating or deploying an AI system that falls into a prohibited category - regardless of where in the world they are based, provided the output affects people in the EU - faces enforcement risk today.
AI literacy obligations under Article 4 have also been enforceable since 2 February 2025. The obligation requires providers and deployers to ensure their staff have sufficient AI literacy - appropriate to the context, role, and degree of automation involved. No direct fine attaches to Article 4 alone, but a breach of the literacy obligation is relevant context in any broader enforcement action.
GPAI obligations (Chapter V) have been enforceable since August 2025. Providers of foundation models with EU market exposure must have their documentation and downstream obligations in order. The AI Office, established under Chapter VII, is operational and has published a code of practice for GPAI providers.
What is not yet enforceable is the full suite of high-risk obligations that were originally targeted for August 2026. That wave is the subject of the provisional Digital Omnibus agreement described above - and while the deferral proposal has strong political support, the legal deadline formally remains 2 August 2026 until the Omnibus is adopted and published. Transparency obligations for certain limited-risk AI systems (chatbots and AI-generated content disclosure) were expected to apply with the broader August 2026 package; their exact treatment under the Omnibus is still being finalised in the formal legislative process, so organisations should monitor the official text as it progresses to adoption.
Who the Act applies to, wherever they are based
The EU AI Act has extraterritorial reach in a similar pattern to the GDPR. Organisations that place AI systems on the EU market, or whose AI systems are used in the EU, fall within scope - regardless of whether the organisation is based in an EU member state. A US company selling a recruitment screening tool to EU employers, or an Australian company providing a credit scoring model to an EU bank, is subject to the Act's requirements for the applicable risk tier.
The Act distinguishes providers (who develop or place an AI system on the market) from deployers (who use a system in a professional context to serve end users). Providers carry the heavier obligations, particularly around technical documentation, conformity assessment, and the EU database registration. Deployers are not off the hook - Article 26 imposes specific obligations around human oversight, data quality for their use case, and incident reporting, all of which are part of the high-risk obligations wave proposed for deferral to December 2027 under the provisional Omnibus agreement.
Importers and distributors operating in the EU supply chain have a defined role as well, with obligations to verify that systems they handle have appropriate documentation and CE marking where required. The Act's governance structure, including the designation of national competent authorities, is still being established in some member states - a practical reality that partly prompted the Omnibus deferral.
How this maps to the AIGP exam
The IAPP Certified AI Governance Professional (AIGP) exam is not a pure regulatory compliance exam - it is a broad governance credential. The current body of knowledge, version 2.1 effective from 2 February 2026, organises 85 scored questions across four domains: foundations of AI governance (21 per cent), laws and standards (25 per cent), governing AI development (27 per cent), and governing AI deployment and use (27 per cent).
The EU AI Act features prominently in Domain 2 (laws and standards). Objectives 2.4 and 2.5 test the risk classification framework (prohibited, high-risk, limited-risk, minimal-risk), the corresponding compliance requirements, enforcement penalties, and the Act's specific requirements around human oversight, technical documentation, conformity assessments, GPAI models, and organisational roles. The AIGP body of knowledge also explicitly covers the distinction between providers, deployers, and users - which maps directly to the Act's tiered obligation structure.
What the exam does not do is test the current procedural state of the Act's implementation schedule - it does not ask you to recite which articles became enforceable on which exact date. The exam tests conceptual and applied knowledge: given a scenario, which risk tier applies, which obligations follow, and what governance controls are required. Understanding the timeline described in this article gives you the real-world framing that makes those scenario questions easier to reason through, but memorising enforcement dates is not the point.
The exam consists of 100 questions in total (85 scored, 15 unscored pilot items), taken in 165 minutes via Pearson VUE, either online proctored or at a test centre. The passing score is 300 on a 500-point scale. The cost is $799 USD for non-members, with IAPP membership reducing that figure.
Practical implications for organisations right now
The proposed deferral of high-risk obligations does not mean organisations can defer their preparation entirely. Harmonised standards - the technical specifications that will define how conformity is demonstrated in practice - are still being developed, and organisations that start gap analyses and documentation now will be better placed when the December 2027 date arrives (assuming the Omnibus is formally adopted as agreed). The Commission's own guidance has been clear that the deferral is a pragmatic response to infrastructure readiness, not a signal that obligations have weakened.
For organisations with any GPAI exposure - whether as a provider, or as a deployer integrating a foundation model into a product - the August 2025 obligations are live today. Technical documentation, training data summaries, and copyright compliance should already be in order. If they are not, that is the most immediate enforcement risk on the table.
The prohibited practices ban is the other live enforcement vector. Any AI system performing a function listed in Article 5 is unlawful in the EU right now, full stop. Organisations should audit their deployed systems against the Article 5 list, which covers categories that are broader than they might initially appear - the prohibition on "emotion recognition" systems in workplace and educational settings has caught some organisations off guard because their use case did not seem obviously high-risk.
Member states are at different stages of standing up their national competent authorities and AI regulatory sandboxes. The original deadline for sandboxes was August 2026, but the Digital Omnibus package is also reported to affect the sandbox obligation - a potential deferral to 2 August 2027 is part of the same provisional agreement. The sandbox mechanism is worth tracking for organisations that want to test novel AI applications in a controlled regulatory environment, and several member states are actively soliciting applications regardless of the final deadline.
Preparing for the AIGP: why scenario quality matters
The AIGP exam is scenario-heavy. A question will not simply ask you to define a term - it will describe an AI deployment, name the context (say, a credit scoring tool used by a bank), and ask you to identify the applicable risk tier and what the deployer must do. Getting those questions right requires understanding not just the classification rules but the reasoning behind them: why a credit scoring tool falls into the high-risk category under Annex III, and what that means for the deployer's documentation and oversight obligations.
That kind of reasoning is difficult to develop from reading the regulation in isolation. The most effective preparation pairs the body of knowledge with questions that force you to apply rules to realistic scenarios - and that give you a worked explanation when you are wrong, not just the correct answer. Understanding why a distractor is wrong is as instructive as knowing the right answer, because the exam is built to surface exactly the conceptual gaps that look like understanding until they are tested.
A question bank where every item comes with a worked explanation and a rationale for each individual distractor - explaining why each wrong answer is wrong, not just what the right answer is - is designed to mirror the reasoning the real exam demands. That depth of explanation is what turns passive reading into active recall, which is where genuine exam confidence comes from.
Frequently asked questions
Is the EU AI Act already law, or is it still a proposal?
The Act is fully in force. It was published in the EU Official Journal on 12 July 2024 and entered into force on 1 August 2024. Several chapters are already enforceable, including the prohibited practices ban and AI literacy obligation (since February 2025) and GPAI obligations (since August 2025).
Does the Digital Omnibus delay mean organisations do not need to comply until 2027?
Not necessarily. The proposed deferral applies specifically to the high-risk obligations in Chapters III and IV for Annex III systems, moving that deadline to December 2027 - but this is only a provisional political agreement as of May 2026, not yet formally adopted or published in the Official Journal. The legal deadline remains 2 August 2026 until formal adoption. Prohibited practices and GPAI obligations remain live and enforceable now regardless.
Does the AIGP exam cover the EU AI Act's enforcement dates?
The AIGP body of knowledge covers the Act's risk classification framework, obligations by tier, and governance roles - not the procedural enforcement calendar. Knowing the timeline helps with real-world context and scenario reasoning, but the exam tests applied knowledge, not date recall.
My organisation is based outside the EU. Does the Act apply to us?
Yes, if your AI systems are placed on the EU market or used by people in the EU. The Act has explicit extraterritorial reach modelled on the GDPR. Non-EU providers are subject to the same obligations as EU-based providers for systems affecting EU residents.
What is the difference between a provider and a deployer under the Act?
A provider develops an AI system and places it on the market (or puts it into service). A deployer uses that system in a professional context to serve end users. Providers carry heavier obligations overall, but deployers have their own responsibilities under Article 26, including human oversight and incident reporting for high-risk systems.
How hard is the AIGP exam, and do I need prior AI experience?
The exam is designed for governance, legal, privacy, and policy professionals rather than engineers, so prior coding or machine learning experience is not required. The scenario-based format rewards applied reasoning over memorisation. Candidates with a privacy or legal compliance background typically find Domain 1 and Domain 2 accessible and spend most of their preparation time on the technical governance domains.
Examworthy is not affiliated with or endorsed by IAPP. This article is original commentary based on public exam blueprints and published sources. We never reproduce live exam items. All certification names and marks belong to their respective owners.