The EU AI Act in 2025: What the First Compliance Deadlines Mean for Enterprises

The EU AI Act is the world's first comprehensive AI law, and in 2025 it stopped being a future concern. Since 2 February 2025, a defined set of unacceptable-risk AI practices is banned outright across the European Union, and from 2 August 2025 obligations for general-purpose AI models apply. For any enterprise touching the EU market, compliance is now an operating requirement, not a roadmap item.

What does the EU AI Act actually regulate?

It regulates AI by risk, not by technology. The Act sorts systems into four tiers — unacceptable, high, limited and minimal risk — and attaches obligations to each. Unacceptable-risk uses, such as social scoring by public authorities and certain biometric categorisation, are prohibited. High-risk systems, including AI used in recruitment, credit scoring and critical infrastructure, carry the heaviest duties: risk management, data governance, human oversight and conformity assessment. The European Commission describes this risk-based structure as the core of the regulation, which means the first compliance question is never whether you use AI, but which risk tier each use falls into.

Which deadlines have already passed in 2025?

Two milestones are already binding. The prohibitions on unacceptable-risk AI took effect on 2 February 2025, alongside an obligation to ensure staff have a sufficient level of AI literacy. On 2 August 2025, the rules for general-purpose AI (GPAI) models began to apply, covering transparency, technical documentation and copyright compliance for model providers. The Act entered into force on 1 August 2024, but its obligations switch on in stages — and the early ones are the prohibitions, which carry the steepest penalties. Treating August 2026, when most high-risk obligations land, as the real deadline is a common and expensive misreading.

How large are the penalties for non-compliance?

Larger than GDPR's, at the top end. Breaching the prohibited-practices rules can cost up to 35 million euros or 7 percent of total worldwide annual turnover, whichever is higher, according to the text of the regulation. Other violations carry fines up to 15 million euros or 3 percent of turnover. For a multinational, 7 percent of global revenue is an existential number, which is why boards — not just engineering teams — now own AI Act exposure. The penalty design deliberately mirrors GDPR so that compliance is treated as a governance matter rather than a technical checkbox.

Does the EU AI Act apply to companies outside Europe?

Yes, and that surprises many GCC and US firms. The Act has extraterritorial reach: it applies to providers and deployers outside the EU whenever the AI system's output is used within the Union. A bank in Dubai or a SaaS vendor in Riyadh that serves EU customers, or whose model output reaches EU users, falls inside the perimeter. This mirrors GDPR's territorial logic, and it means the practical trigger is your market, not your headquarters. Enterprises across the GCC building AI systems for European clients should map exposure now.

How should an enterprise prepare for the EU AI Act?

Start with an inventory, then a risk classification. The reliable sequence is concrete: catalogue every AI system in use or in development, classify each into the Act's four risk tiers, document data sources and decision logic for anything high-risk, and assign human oversight for consequential decisions. AI-literacy training is already a legal obligation, not best practice. The same governance discipline that production AI agents demand — observable behaviour, audit trails, a human approving consequential actions — is what the Act codifies into law.

Frequently asked questions

When did the EU AI Act take effect?

The EU AI Act entered into force on 1 August 2024, but its obligations apply in phases. The ban on unacceptable-risk AI and the AI-literacy duty applied from 2 February 2025, general-purpose AI model rules from 2 August 2025, and most high-risk system obligations from 2 August 2026. The phased timeline means parts of the law are already enforceable.

What are the prohibited AI practices under the Act?

The Act bans AI uses deemed an unacceptable risk to fundamental rights. These include government social scoring, untargeted scraping of facial images to build recognition databases, emotion recognition in workplaces and schools, and certain biometric categorisation. These prohibitions have been legally binding since 2 February 2025 and carry the highest fines in the regulation.

How much can EU AI Act fines reach?

Penalties scale with the severity of the breach. Violating the prohibited-practices rules can cost up to 35 million euros or 7 percent of global annual turnover, whichever is higher. Other breaches reach 15 million euros or 3 percent of turnover. The structure deliberately exceeds GDPR's maximum to make AI compliance a board-level concern.

Does the EU AI Act apply to non-EU companies?

Yes. The Act applies to any provider or deployer whose AI system's output is used inside the EU, regardless of where the company is based. A firm in the GCC, the UK or the US serving European customers is in scope. The trigger is market reach, not company location, mirroring the extraterritorial design of GDPR.