← Defici Newsbusiness

EU AI Act High-Risk Obligations Now in Force: What Every Business Deploying AI in Europe Must Do

By Defici Editorial · 11 Jul 2026

The European Union AI Act's obligations for general-purpose and high-risk AI systems came into active enforcement this month, completing the most significant phase of the regulation's phased rollout that began in August 2024. For companies operating AI systems in EU markets — regardless of where those companies are headquartered — the compliance window that many organizations had been treating as theoretical is now a legal reality.

The Act's risk classification system divides AI applications into four tiers. Unacceptable risk systems — social scoring by governments, real-time biometric surveillance in public spaces — are banned outright. High-risk systems, which include AI used in hiring decisions, credit scoring, educational assessment, critical infrastructure management, and biometric categorization, face the most stringent requirements: conformity assessments, data governance documentation, human oversight mechanisms, and registration in an EU database. Limited-risk systems, such as chatbots, face transparency requirements — users must know they are talking to an AI. Minimal-risk systems, such as spam filters, face no specific obligations.

The category that is catching most companies off guard is general-purpose AI. Foundation models from Anthropic, OpenAI, Google, and Meta that are deployed in EU-facing products are now subject to transparency obligations that require disclosure of training data sources, energy consumption during training, and technical documentation of capabilities and limitations. Models classified as having "systemic risk" — defined by a training compute threshold of 10 to the 25 floating-point operations — face additional adversarial testing and incident reporting requirements.

For practical compliance, the most immediate requirements are documentation and disclosure. Companies deploying high-risk AI systems in EU markets must be able to produce a technical file showing the system's intended purpose, risk assessment methodology, data used for training and validation, human oversight measures, and post-market monitoring plan. The documentation requirement is not optional — it is the first thing a national market surveillance authority will request in any enforcement action.

GDPR enforcement provides the most useful precedent for how AI Act enforcement will likely proceed: initial actions against large, visible cases to establish precedent, followed by broadening scope as national authorities develop enforcement capacity. The maximum fine for high-risk AI Act violations is 30 million euros or 6 percent of global annual turnover, whichever is higher.

ShareXWhatsAppLinkedIn

Get Defici News in your inbox