Compyl

The EU AI Act Compliance Guide for 2026

June 18, 2026

By Compyl Research · Last updated June 2026

The EU AI Act (Regulation (EU) 2024/1689, in force since August 1, 2024) is the world’s first comprehensive AI law. It regulates AI systems by risk tier and applies to any organization that places AI systems on the EU market, or deploys them there, regardless of where the company is headquartered. This guide is a compliance roadmap: who is in scope, the risk tiers, provider versus deployer duties, the phased application timeline, and an action plan.

Key takeaways

  • The Act applies extraterritorially — U.S. companies serving the EU are in scope.
  • It’s risk-tiered: unacceptable (banned), high-risk (most obligations), limited (transparency), minimal.
  • Obligations differ for providers (build AI) and deployers (use it).
  • Key dates: prohibitions and AI-literacy duties applied Feb 2, 2025; GPAI model obligations applied Aug 2, 2025; most remaining obligations (including Annex III high-risk systems and the transparency duties) apply Aug 2, 2026, when the Commission’s enforcement powers over GPAI providers also begin; GPAI models already on the market before Aug 2, 2025, and high-risk systems embedded in regulated products (Annex I), must comply by Aug 2, 2027.

Who is in scope?

The Act reaches any organization that places an AI system on the EU market or whose AI output is used in the EU — including non-EU companies. If you sell software with AI features to EU customers, or deploy AI affecting people in the EU, assume you’re in scope and classify your systems.

The risk tiers

Tier            Treatment
------------    --------------------------------------------------------------------------
Unacceptable    Prohibited (e.g., social scoring, manipulative or exploitative AI, untargeted
                scraping of facial images to build recognition databases)
High-risk       Heavily regulated: risk management, data governance, technical documentation,
                record-keeping (logging), human oversight, accuracy, robustness and
                cybersecurity, conformity assessment and CE marking, registration in the EU database
Limited-risk    Transparency obligations (e.g., disclose that the user is interacting with an AI;
                label AI-generated or manipulated content such as deepfakes)
Minimal-risk    No specific obligations under the Act; voluntary codes of conduct are encouraged

Provider vs. deployer obligations

Providers (who develop AI systems, or have them developed and place them on the market under their own name) carry the bulk of obligations for high-risk systems: risk management, data quality and governance, technical documentation, automatic logging, human-oversight design, accuracy, robustness and cybersecurity, conformity assessment, and post-market monitoring. Deployers (who put AI to use under their own authority) have their own duties, including using the system per the provider’s instructions, assigning competent human oversight, ensuring input data they control is relevant, retaining the system’s automatically generated logs, monitoring operation, and informing affected people and workers where the Act requires it. Many organizations are both, and a deployer that substantially modifies a high-risk system, changes its intended purpose, or rebrands it under its own name is treated as the provider of that system and inherits the provider obligations.

The enforcement timeline

  • Feb 2, 2025: the prohibitions on unacceptable-risk practices and the AI-literacy obligation for providers and deployers apply.
  • Aug 2, 2025: obligations for general-purpose AI (GPAI) models take effect for models placed on the market from this date.
  • Aug 2, 2026: most of the Act applies, including the obligations for Annex III high-risk systems and the transparency duties; the Commission’s enforcement powers over GPAI providers begin, and national market surveillance authorities enforce the rest.
  • Aug 2, 2027: GPAI models already on the market before Aug 2, 2025 must be brought into compliance; obligations for high-risk systems that are safety components of products covered by EU product legislation (Annex I) apply.

Non-compliance carries significant fines: up to €35 million or 7% of worldwide annual turnover (whichever is higher) for prohibited practices, up to €15 million or 3% for most other violations, and up to €7.5 million or 1% for supplying incorrect or misleading information to authorities. In-scope organizations should be acting now.

A compliance action plan

  1. Inventory every AI system you build or use, including vendor AI.
  2. Classify each by risk tier.
  3. Determine your role (provider, deployer, or both) per system.
  4. Close gaps for high-risk systems: risk management, data governance, human oversight, documentation.
  5. Prepare conformity evidence and transparency disclosures.
  6. Operationalize with an AI governance program (see our frameworks comparison and AI governance implementation guide).

Frequently asked questions

Does the EU AI Act apply to U.S. companies?

Yes, if they place AI systems on the EU market or their AI output is used in the EU — the Act applies regardless of headquarters location.

What are the EU AI Act risk tiers?

Unacceptable (banned), high-risk (most obligations), limited-risk (transparency), and minimal-risk (largely unregulated).

What are the key EU AI Act deadlines?

Prohibitions applied Feb 2, 2025; GPAI model obligations took effect Aug 2, 2025; most remaining obligations, including those for Annex III high-risk systems, apply Aug 2, 2026, when the Commission’s enforcement powers over GPAI providers begin; GPAI models on the market before Aug 2, 2025, and Annex I high-risk systems, must comply by Aug 2, 2027.

What’s the difference between a provider and a deployer?

Providers develop AI systems and carry most high-risk obligations; deployers use them and must follow instructions, ensure oversight, and monitor operation. Many companies are both.


About this guide. By Compyl Research. This is general information, not legal advice — consult counsel for your specific obligations. Compyl is an AI-powered, agentic GRC platform built by CISOs.
