If you develop, use, or distribute artificial intelligence systems in Europe, you have a few months to comply. The AI Act is not a future plan – it’s law. The first deadlines hit in 2025, and fines can go up to 7% of global annual turnover. That’s higher than GDPR. Higher than the Digital Services Act.
At Meteora Web, we’ve been helping businesses build software, platforms, and automations for years. In many projects, the question is already: “Is our AI model compliant?” And the answer is often “we don’t know”. This guide gives you everything you need to understand the AI Act, classify your system, and plan your compliance. No fluff, no fear-mongering – just facts and deadlines.
What is the EU AI Act and why it matters to you
The EU AI Act (Regulation 2024/1689) is the world’s first comprehensive legal framework for artificial intelligence. It’s a regulation – directly applicable in all EU member states. Every organisation operating in the EU market, even if based outside, must comply.
The logic is simple: the riskier an AI system is for fundamental rights, health, or safety, the tighter the regulation. The approach is risk-based, not technology-based. So you need to look not only at what you do, but how you do it and what impact it may have.
Common mistakes to avoid
- Thinking the AI Act only applies to big tech. Wrong. It applies to anyone using AI in high-risk contexts (e.g. HR, credit, healthcare, insurance, education).
- Believing the AI Act is already fully in force. Partially: some rules came into force in February 2025, others will arrive by 2027.
- Confusing AI Act with GDPR. They complement each other, but the AI Act has a different scope and higher penalties.
Implementation timeline: deadlines you must know
Here is the precise calendar as of today. Mark these dates.
February 2025 – Entry into force & first provisions
The regulation entered into force 20 days after publication in the Official Journal (12 July 2024). Since February 2025, these are already applicable:
- Prohibitions on unacceptable AI practices (social scoring, subliminal manipulation, predictive policing based on individual behaviour, etc.).
- Obligations for AI literacy: anyone using or developing AI systems must ensure adequate competence levels in their staff.
August 2025 – Rules for general-purpose AI models (GPAI)
General-purpose AI models (foundation models) must comply with transparency, documentation, and systemic risk management obligations if they exceed certain computational thresholds.
August 2026 – Application for high-risk systems (Annex III)
This is the most critical deadline for most businesses. High-risk AI systems (e.g. used for credit scoring, hiring, access to essential services, medical devices, critical infrastructure) must be fully compliant: conformity assessment, technical documentation, risk management, transparency, human oversight.
August 2027 – Full application for all high-risk systems
Including those already in use before the entry into force (legacy systems). If your AI product is already on the market, you have until this date to adapt – but you must start mapping now.
The four risk categories
The AI Act classifies systems into four levels. Each has different obligations.
1. Unacceptable risk – Prohibited
Practices like government social scoring, subliminal manipulation, untargeted scraping of facial images from internet or CCTV. If your system falls into one of these categories, you must dismantle or radically modify it. Fines start at €35 million or 7% of turnover.
2. High risk – Stringent obligations
Systems used in critical areas: product safety, biometrics, critical infrastructure, education, employment, essential services, migration, justice. Obligations: conformity assessment (often with a notified body), technical documentation, risk management system, transparency, accuracy, robustness, human oversight.
3. Limited risk – Transparency obligations
Chatbots, deepfakes, systems that interact with humans: you must inform the user they are interacting with an AI system (or that the content is AI-generated). No compulsory conformity assessment, but fines for non-compliance.
4. Minimal risk – No obligations
Spam filters, games, basic recommendation systems. Free from obligations, but subject to voluntary codes of conduct.
What to do now: the operational compliance checklist
Don’t wait until August 2026. Here are concrete steps to execute immediately.
Map your AI systems
Inventory all AI systems you use, develop, or deploy. For each one, answer: what is its purpose, who uses it, what data does it process, what decisions does it make, what impact does it have on individuals.
Useful tool: the technical documentation template published by the European Commission (link below).
Risk classification
Assign each system to one of the four categories. If it’s high risk (Annex III), check if it falls under an exception (e.g. systems used only for non-decisional administrative purposes). When in doubt, assume the worst case – the burden of proof is on you.
Gap analysis
Compare your current state with the AI Act requirements for each system. What is missing? Documentation? Risk management system? Transparency? Staff AI literacy?
Implement measures
For high-risk systems: prepare technical documentation per Annex IV, implement a (cyclical) risk management system, ensure accuracy and robustness, guarantee human oversight. If needed, contact a notified body for conformity assessment (e.g. if your system uses biometrics or is a safety component).
Train your staff
Since February 2025, AI literacy is mandatory. Organise training for developers, project managers, and decision makers. No official certification is required, but you must be able to demonstrate that adequate training has been provided.
Penalties and liability
The AI Act sets out a three-tier fine system:
- Prohibited practices: up to €35 million or 7% of global annual turnover.
- Violation of high-risk system obligations: up to €15 million or 3% of turnover.
- Violation of transparency obligations: up to €7.5 million or 1% of turnover.
But fines aren’t the only risk. Civil liability for damages caused by AI systems is governed by the proposed AI Liability Directive, still under discussion. In practice, if your system fails and causes harm, you could be sued even if you didn’t violate the AI Act.
Tools and resources
Where to find official documentation and templates to get started:
- AI Act – Full text and interactive timeline (artificialintelligenceact.eu)
- Official European Commission Q&A
- European Parliament factsheet on the AI Act
At Meteora Web, we have applied similar compliance logic in business automation and data platform projects. If you need help mapping your systems or drafting technical documentation, get in touch.
In summary – what to do now
- Immediately: train staff on AI literacy and stop any unacceptable-risk practices.
- Within 3 months: complete the mapping and classify every AI system in use.
- Within 6 months: for high-risk systems, start technical documentation and risk management.
- By August 2026: all high-risk systems must be compliant.
- Monitor: the European Commission publishes updated guides and harmonised standards continuously.
The AI Act is not a roadblock. If managed well, it’s a competitive advantage: customers and partners know your product is safe, transparent, and trustworthy. Start now, because time is the scarcest resource.
Sponsored Protocol
