Live intelligence on EU AI Act interpretation, member state authorities, enforcement signals, and deadlines. Every claim cites an official source.
The EU AI Act establishes a four-tier risk classification system for AI systems. Classification determines which obligations apply, enforcement timelines, and penalty exposure. The European Commission and AI Office have published guidance clarifying interpretation across all tiers.
The European AI Office, established by the AI Act, has published guidance on GPAI (General Purpose AI) model obligations including systemic risk classification thresholds.
Systemic risk threshold: Training compute exceeding 10^25 FLOPs triggers systemic risk designation under Article 51, requiring additional red-teaming, incident reporting, and cybersecurity obligations.
📎 European AI Office — GPAI Model Obligations Guidance (2025-04-01)
EU member states are responsible for designating national competent authorities (NCAs) and market surveillance authorities. The Act required NCAs to be notified to the Commission by August 2, 2025. Implementation progress varies significantly across the EU-27.
The AI Act mandates member states to establish regulatory sandboxes for AI system testing. The AI Omnibus (May 2026) extended the national sandbox deadline to August 2, 2027, and created a new EU-level sandbox operated by the AI Office with priority access for SMEs and start-ups.
Themes from practitioner forums, law firm analyses, and industry group publications as of Q2 2026. What compliance teams are actually struggling with — and how the AI Omnibus changes planning.
Most organizations have AI systems already deployed that predate the Act. Retroactive classification is harder than prospective design. Compliance teams report significant uncertainty about whether AI-assisted HR tools (scheduling, performance flags, workload allocation) cross into high-risk territory under Annex III category 4 (employment).
"IAPP survey (Q4 2025): 67% of respondents cited 'determining which systems are in scope' as their top AI Act challenge."
📎 IAPP — 2025 AI Governance Benchmarking Report (2025-11-01)
Article 11 requires detailed technical documentation including design specifications, training data descriptions, validation metrics, and ongoing performance monitoring protocols. Organizations with third-party AI components (vendor models) struggle to obtain this documentation from vendors who treat training data and architectures as trade secrets.
"Linklaters client alert (Feb 2026): 'The documentation chain required by Article 11 will force procurement teams to renegotiate AI vendor contracts before August 2026.'"
📎 Linklaters — EU AI Act: The Documentation Challenge for Deployers (2026-02-15)
The Act distinguishes between providers (who develop/place AI on market) and deployers (who use AI in their operations). Deployers still face obligations for high-risk systems — particularly human oversight (Article 14), data governance for fine-tuning, and logging. Many organizations assume vendor responsibility covers them; it does not.
"Future of Life Institute analysis: deployer obligations are 'underappreciated' and will drive enforcement in sectors like financial services and healthcare where AI is deployed but not developed in-house."
📎 Future of Life Institute — EU AI Act: What Deployers Need to Know (2026-01-20)
Article 14 requires that high-risk AI systems be designed to allow effective oversight by natural persons. Regulators and practitioners agree this means genuine intervention capability — not just audit trails. Systems where human oversight is a rubber-stamp after the AI decision have already been flagged in Spanish AESIA guidance as non-compliant.
"CEPS policy brief (March 2026): 'Human oversight in practice requires documented procedures for override, trained operators, and evidence of actual intervention rates — not just a UI button.'"
📎 CEPS — Making Human Oversight Real Under the EU AI Act (2026-03-10)
The Act applies to providers who place AI on the EU market OR whose output is used in the EU — regardless of where the provider is established. US companies with no EU office but whose AI systems process data about EU individuals or are used by EU-based deployers are in scope. The 'we are a US company' defense does not apply.
"Baker McKenzie client advisory (Jan 2026): 'US-headquartered tech firms with European customers or European SaaS deployments should assume they qualify as providers or deployers under the Act and plan accordingly.'"
📎 Baker McKenzie — EU AI Act Extraterritorial Reach: What US Companies Must Do Now (2026-01-15)
General Purpose AI (GPAI) model providers face transparency and copyright obligations from August 2025, with systemic risk requirements for the largest models (>10^25 FLOPs training compute). The AI Office is developing GPAI Codes of Practice with industry and civil society — compliance teams should track whether their vendors are signatories.
📎 European AI Office — GPAI Code of Practice Development (2025-12-01)
The EU AI Omnibus provisional deal (May 7, 2026) deferred high-risk AI obligations under Annex III from August 2026 to December 2, 2027 — a 16-month extension. However, practitioners warn against treating this as a pause signal. Conformity assessments, technical documentation (Article 11), and vendor renegotiation each take 12-18 months. Organizations that pause now will face a crunch in H2 2027. Transparency obligations (Article 50) and GPAI enforcement remain on the original August 2026 timeline.
"Taylor Wessing (May 2026): 'The deal gives businesses more time to prepare, but it does not reduce the complexity of compliance. Those who treat this as a pause button will regret it in 2027.'"
📎 Taylor Wessing — The EU Digital Omnibus on AI: What the Political Deal Means (2026-05-07)
The AI Office and member state NCAs have signaled enforcement priorities for 2026-2027. The AI Omnibus (May 7, 2026) shifted the high-risk enforcement date to December 2027 — but transparency (Article 50) and GPAI enforcement remain on the original August 2026 timeline.
EU Council and Parliament reached a provisional deal on the Digital Omnibus on AI at 4:30am on May 7, 2026. Key changes: (1) High-risk AI obligations under Annex III deferred 16 months to December 2, 2027. (2) High-risk AI embedded in regulated products (Annex I) deferred to August 2, 2028. (3) New prohibition: AI generating non-consensual intimate imagery (NCII) banned from December 2, 2026. (4) Watermarking/content marking deadline: December 2, 2026. (5) AI Office gains stronger centralized enforcement authority over GPAI-based systems. (6) National sandbox deadline extended to August 2027; new EU-level sandbox created with SME priority. (7) SME benefits extended to 'small mid-cap' companies. Prohibited practices (Article 5) and transparency (Article 50) enforcement timelines unchanged.
📎 EU Council — Council and Parliament Agree to Simplify and Streamline AI Rules (2026-05-07)
The European Commission published draft guidelines on AI transparency obligations under Article 50 and opened a targeted consultation running until June 3, 2026. The guidelines clarify when chatbots, emotion recognition systems, and AI-generated content providers must disclose AI involvement. These non-binding guidelines apply from August 2, 2026 — the transparency deadline was NOT deferred by the Omnibus. This is the first Commission instrument providing interpretive guidance across the full scope of Article 50.
📎 European Commission — Consultation on Draft Guidelines for AI Transparency Obligations (Article 50) (2026-05-08)
Spain's AESIA published Technical Guides 13 and 14 as part of its growing AI Act compliance series. Guide 13 covers post-market monitoring (Article 72) — providers must collect, document, and analyze performance data throughout the AI system lifecycle. Guide 14 covers serious incident reporting (Article 73). AESIA has now published 16 total guides. IAPP noted AESIA's guidance output as 'genuinely pioneering regulatory work' in March 2026.
📎 AESIA — Spain's AESIA Publishes Technical Guides 13 and 14 (2026-04-01)
The European AI Office initiated its first formal inquiry into a GPAI model provider under Article 88 in October 2025. The inquiry focused on systemic risk assessment documentation and red-teaming protocols required under Articles 55-56. No final finding published as of May 2026.
📎 European AI Office — Press Release: First Article 88 Inquiry (2025-10-01)
Spanish authority AESIA issued the EU's first formal warning to a company deploying an emotion recognition system in a retail setting without the disclosures required under Article 50. The company was given 30 days to comply or face a formal infringement proceeding. This is the first enforcement action under the limited-risk transparency provisions.
📎 AESIA — Aviso Formal: Sistemas de Reconocimiento de Emociones (2026-02-20)
The AI Office published an enforcement priority statement. Priority sectors: financial services AI (credit decisioning), employment/HR AI (hiring and monitoring), and law enforcement AI. The Office indicated it would focus on systemic deployers — large enterprises deploying high-risk AI across EU operations — before targeting smaller providers.
📎 European AI Office — 2026 Enforcement Priorities Statement (2026-03-15)
The Commission published guidance on penalty calculation methodology. For providers of high-risk AI systems: up to 30 million euros or 6% of total worldwide annual turnover (whichever higher) for violations of prohibited practices; up to 20 million euros or 4% for high-risk AI obligations; up to 10 million euros or 2% for incorrect information to authorities.
📎 EU AI Act Articles 99-101 — Administrative Penalties (2024-07-12)
The AI Office opened a public consultation on the draft Code of Practice for marking and labelling of AI-generated content under Article 50. The consultation closes October 2, 2026 — giving stakeholders 3 months to submit feedback before the Code is finalized (expected early June 2026) and the Article 50 obligations become enforceable August 2, 2026. The second draft (March 5, 2026) simplified obligations, removed the AI-generated vs AI-assisted taxonomy, and introduced design/placement requirements for deepfake labels. Participation via the official AI Office consultation portal.
📎 Code of Practice on marking and labelling of AI-generated content — Timeline and Consultation (2026-05)
The AI Office's enforcement powers against GPAI model providers come into force August 2, 2026 — exactly 12 months after GPAI model obligations (Chapter V) became applicable August 2, 2025. The one-year adjustment period is ending. From this date, the AI Office may issue information requests, demand access to GPAI models, and initiate formal Article 92 evaluations. Providers who signed the GPAI Code of Practice get a structured support period; non-signatories face immediate scrutiny. GPAI model providers who have not yet signed the Code of Practice should do so before August 2026 to access the structured support pathway.
📎 Enforcement of Chapter V under the EU AI Act — GPAI Enforcement Timeline (2026-05)