The EU AI Act is the world’s first comprehensive AI law, and 2026 is the year its rules start to bite for most businesses. Because the obligations arrive in stages, there is persistent confusion about what is actually mandatory today. Here is the picture in plain terms.
What already applies
The Act entered into force on August 1, 2024. The first obligations — bans on “unacceptable risk” practices such as social scoring and manipulative AI, plus AI literacy requirements for staff — began applying in February 2025. In August 2025, transparency and documentation obligations kicked in for providers of general-purpose AI models, the category that covers large language models.
What is coming
The largest wave — full obligations for high-risk AI systems — phases in through 2026 and 2027. Organizations deploying AI in hiring, lending, education, healthcare, and critical infrastructure face requirements around risk management, data quality, human oversight, logging, and conformity assessment.
Why it matters
The AI Act does for AI what GDPR did for data: it sets a de facto global baseline. Vendors selling into Europe are already adjusting their products for everyone, not just EU customers, because maintaining separate versions is costly. If your roadmap includes AI features touching EU users, compliance planning belongs in 2026 budgets, not 2027 apologies.
Who should care
Compliance and legal teams, product managers shipping AI features into the EU, and startups selling AI tools to European enterprises — expect AI Act questions in procurement questionnaires from now on.