When does the EU AI Act take effect?

The full answer

The EU AI Act (Regulation (EU) 2024/1689) entered into force on August 1, 2024. The full regulation text is published on EUR-Lex. Application follows four dates, each adding obligations for a different tier of AI system.

February 2, 2025: Prohibitions under Article 5 took effect. Eight categories of AI are banned outright: systems that manipulate behavior through subliminal techniques, exploit vulnerabilities of protected groups, conduct social scoring by public bodies, and deploy real-time biometric identification in public spaces. No grandfathering. Systems within scope had to stop operating by that date or face enforcement.

August 2, 2025: General purpose AI model obligations and governance structures became active. Foundation models now face transparency and documentation requirements. Those classified as posing systemic risk (based on training compute thresholds) must conduct adversarial testing and report incidents to the EU AI Office. National competent authorities became operational.

August 2, 2026: Full application of high-risk AI rules under Annex III. This is the date that matters most for financial institutions. Credit scoring systems, insurance risk tools, and employment screening AI are all in scope. New deployments in these categories must be registered in the EU AI database, carry conformity documentation, operate under a documented risk management system, and provide human oversight capability before going live. The European Commission's AI regulation page confirms the phased structure. Systems already in production before August 2, 2026 have a transitional window under Article 111: they must comply by August 2, 2027.

August 2, 2027: Full AI Act obligations extend to AI embedded in products governed by existing EU harmonization law (Annex I products: machinery, vehicles, medical devices, and similar). Less directly relevant to financial services.

Why this matters

For compliance and risk teams, the August 2, 2026 deadline isn't theoretical. If your institution uses AI for AML transaction monitoring, customer risk rating, or credit decisions, you need to determine whether those systems qualify as high-risk under Annex III. The answer for credit scoring is clear: yes. For fraud detection and AML monitoring, the answer depends on whether system outputs directly affect a customer's access to financial services. Regulators aren't taking a narrow view.

The compliance requirements are substantive:

• Risk management documentation must cover the entire AI lifecycle, from training data governance through deployment and post-market monitoring. A one-time assessment is not enough.
• Transparency records must show how the system reaches decisions. For institutions already dealing with high AML alert false positive rates, explainability isn't only a regulatory burden. It's an operational necessity.
• Human oversight must be genuine. The Act requires that staff can understand, monitor, and override system outputs. Rubber-stamping AI decisions will not satisfy supervisors. This directly intersects with enhanced due diligence workflows where AI assists but a human must own the decision.
• Registration in the EU's AI database must happen before deployment, not as a post-hoc exercise.

Who needs to comply with the EU AI Act is also worth examining carefully. The Act covers providers placing AI systems on the EU market and deployers using them within the EU, regardless of where those firms are headquartered. A US bank operating in Frankfurt is in scope.

Financial supervisors aren't waiting for AI Act enforcement to begin. The European Banking Authority has integrated AI governance expectations into supervisory guidance ahead of the Act's own timelines. Gaps in AI documentation are the type of finding that triggers a regulatory exam escalation. The distance between what a firm claims its AI does and what it actually does is where examiners focus. Institutions that fail this scrutiny face outcomes ranging from remediation orders to the kind of formal actions that end with a monitorship.

AI used in sanctions screening sits in a grey zone for Annex III classification. Definitive supervisory guidance on this hasn't been published. The safe assumption: any AI whose output directly affects a customer's access to services is high-risk until the institution can demonstrate otherwise through a documented analysis.

One practical point on timing: conformity assessments and technical documentation take longer than most legal and compliance teams expect. Institutions starting this work in mid-2026 will likely miss the deadline for newly deployed systems. Those with AI systems already in production before August 2, 2026 should confirm eligibility for the Article 111 transitional window and document that eligibility, since examiners will ask.

Related questions

• Who needs to comply with the EU AI Act?
• Can AI be used for AML transaction monitoring?
• What triggers a regulatory exam?
• What happens when a bank fails an AML exam?
• What is a monitorship and when is one imposed on a bank?

Related concepts and regulations

• What is the difference between CDD and EDD?
• What percentage of AML alerts are false positives?
• How does sanctions screening work?
• What is perpetual KYC?
• How often should customer risk ratings be refreshed?