The EU Artificial Intelligence Act entered into force on August 1, 2024, with a staggered implementation timeline that began producing enforceable obligations in early 2025. The Act applies to AI systems placed on the EU market or put into service in the EU, regardless of where the provider is established. This means U.S. organizations that develop or deploy AI systems used by EU residents or EU-based organizations must understand their obligations under EU law.
The 2025 Implementation Timeline
- February 2, 2025: Prohibited AI practices took effect. Organizations must have ceased any activities involving prohibited AI systems by this date.
- May 2, 2025: Codes of Practice for General-Purpose AI models finalized. GPAI providers have this as a compliance reference.
- August 2, 2025: General-Purpose AI (GPAI) obligations became applicable. Providers of GPAI models, including large language models and foundation models, face transparency, documentation, and copyright compliance requirements.
- August 2, 2026: High-risk AI system requirements under Annex III take full effect, including conformity assessments, technical documentation, and registration in the EU database of high-risk AI systems.
- August 2, 2027: Additional high-risk systems already regulated under existing EU product safety legislation must comply.
What Is Prohibited
The AI Act's prohibited practices represent the EU's judgment that certain AI applications are fundamentally incompatible with fundamental rights and EU values. The prohibitions that took effect February 2, 2025 include AI systems that manipulate persons through subliminal techniques, that exploit vulnerabilities of specific groups such as children or persons with disabilities, and that use real-time remote biometric identification in publicly accessible spaces by law enforcement, with narrow national security exceptions.
Also prohibited are AI systems that perform social scoring of natural persons by public authorities, AI systems that infer emotions in workplace or educational settings except for specific medical or safety reasons, and AI systems that build facial recognition databases through untargeted scraping of facial images from the internet or from CCTV footage. For U.S. companies, the critical question is whether any AI system used or sold in the EU falls into these categories.
High-Risk AI: What It Means for U.S. Vendors
Annex III of the AI Act defines high-risk AI systems across eight areas: critical infrastructure, education, employment and worker management, access to essential private and public services, law enforcement, migration and border control, administration of justice, and democratic processes. U.S. companies selling AI systems into EU agencies, financial institutions, healthcare organizations, or HR technology markets are likely operating in one or more of these categories.
High-risk systems require conformity assessments before market placement, ongoing human oversight mechanisms, robust technical documentation, logging and audit trail capabilities, accuracy and robustness testing, and registration in the EU database. These requirements are substantive and require significant internal program investment. Vendors who have not yet begun gap assessments should start immediately, given that Annex III requirements take effect in August 2026.
General-Purpose AI Obligations Since August 2025
The GPAI provisions apply to providers of AI models with broad capabilities, including large language models and multimodal foundation models. Obligations include publishing technical documentation describing the model's training, capabilities, and limitations; complying with copyright law during training data selection; and making summaries of training data available to the public. Models estimated to use more than 10 to the power of 25 FLOPs of compute during training also face additional systemic risk requirements.
Action Steps for U.S. Organizations
- Conduct a jurisdictional analysis. Determine whether your AI systems are used by EU residents or deployed by EU-based organizations. The Act's scope is broad, and its extraterritorial reach is real.
- Audit your AI portfolio against the prohibited practices list. This is not optional; violations can result in fines up to 35 million euros or 7 percent of global annual turnover, whichever is higher.
- Classify your AI systems against the risk tiers. Understand which systems fall under high-risk Annex III categories and begin conformity assessment preparation for the August 2026 deadline.
- If you are a GPAI provider, review your documentation practices now. August 2025 GPAI obligations are already in effect.
- Build a compliance roadmap that accounts for the 2026 and 2027 deadlines. The window for preparation is narrowing.
The EU AI Act is the most comprehensive AI regulation in the world. U.S. organizations with EU market exposure cannot treat it as a European problem. The extraterritorial scope means compliance is a business requirement for any organization with EU operations or customers.