The European Union’s AI Act entered its first major enforcement phase on June 1, 2026, beginning the process of applying compliance requirements to the high-risk AI systems that the regulation identifies as requiring the strictest oversight. The six-month transition period that followed the Act’s passage in 2024 and the subsequent 12-month implementation window for the high-risk provisions have now closed, and the newly established EU AI Office – the regulatory body charged with overseeing compliance with the Act’s most significant provisions – has begun its first round of formal investigations into AI systems deployed by companies operating in the EU market. The investigations involve a mixture of AI applications in employment, education, financial services and law enforcement contexts, and will produce the first enforcement decisions that will define how the regulation’s requirements apply in practice.

The AI Act’s approach to regulation is tiered by risk level, and understanding the risk categorisation is essential for grasping which companies face the most immediate compliance pressure. At the top of the risk pyramid, the Act bans outright certain AI applications that the EU considers unacceptably dangerous: social scoring systems of the type used in China, real-time biometric identification in public spaces by law enforcement (with narrow exceptions), AI systems designed to manipulate users through subliminal techniques, and AI tools that exploit vulnerabilities of specific groups. These prohibitions have been in effect since February 2025 and have already required several companies to modify or discontinue specific AI applications in the EU market.

High-Risk AI Systems: The Compliance Challenge

The more commercially significant provisions that took effect June 1 apply to what the Act defines as high-risk AI systems – applications in areas including employment and HR management, educational evaluation, credit scoring, insurance risk assessment, and AI systems used in critical infrastructure. Companies deploying these systems in EU markets are now required to meet a set of substantive requirements before they can be placed on the market or put into service.

  • Conformity Assessment: High-risk AI systems must undergo formal conformity assessment before deployment, either self-assessed (for most categories) or through a notified third-party body (for AI in specific high-stakes contexts).
  • Technical Documentation: Detailed documentation of the AI system’s design, training data, performance characteristics, limitations and intended use cases must be maintained and available to regulators on request.
  • Human Oversight: High-risk AI systems must be designed to allow meaningful human oversight and intervention, with documented procedures ensuring that human decision-makers retain genuine authority over AI-influenced outcomes in high-stakes decisions.
  • Data Governance: Training, validation and testing data for high-risk AI systems must meet quality criteria that include relevance, representativeness, completeness, and freedom from errors and biases to the extent technically feasible.
  • Transparency for Users: Natural persons interacting with or subject to AI system decisions must be informed that they are interacting with an AI system, particularly in employment decisions, credit assessments and educational evaluations.
  • Accuracy and Robustness: High-risk AI systems must be designed to achieve appropriate levels of accuracy, robustness and cybersecurity, with performance measures documented and accessible.

Who Is Being Investigated

The EU AI Office has not publicly identified all companies subject to its initial investigation round, but reports from multiple EU member state data protection authorities and industry sources indicate that the investigations span hiring and recruitment AI tools widely used across European employers, credit assessment systems deployed by major EU financial institutions, and student performance monitoring tools used by universities and secondary schools. The investigation focus reflects the AI Act’s stated priority of addressing AI risk in contexts where AI decisions most directly affect individuals’ economic and social opportunities.

Several US-based AI companies have been specifically mentioned in reports about the investigation scope, reflecting the AI Act’s extraterritorial reach: any company whose AI systems affect people in EU member states is subject to the Act’s requirements regardless of where the company is headquartered. This has created compliance challenges particularly for smaller AI companies that have built employment, recruiting or HR AI tools primarily for US markets and are now realising that the same tools deployed by EU-based customers are subject to significantly more prescriptive requirements than anything they face in the US market.

Penalties and Enforcement Timeline

The AI Act’s penalty structure is designed to make non-compliance economically painful for even the largest companies. Violations of the prohibited practices provisions carry fines of up to 35 million euros or 7% of global annual turnover, whichever is higher. Violations of the high-risk system requirements carry fines of up to 15 million euros or 3% of global turnover. Provision of incorrect or misleading information to regulators carries fines of up to 7.5 million euros or 1.5% of global turnover.

Regulatory enforcement at this scale and with these penalty levels takes time to mature – the GDPR, which has been in force since 2018, did not produce its first major fines until 2019 and its largest enforcement actions have continued to evolve through appeal processes that sometimes reduce or increase initial penalty amounts significantly. The AI Act’s enforcement timeline is likely to follow a similar pattern: formal investigations opened in 2026 will produce initial decisions in 2027 at the earliest, with the most significant enforcement actions involving complex technical assessments that could take longer still. But the regulatory intention is clear, and companies that have not begun their AI Act compliance programmes are already significantly behind the schedule that the regulation’s requirements imply.

For technology companies operating in the EU, the AI Act represents a compliance challenge of a different character than GDPR: rather than primarily requiring changes to data handling practices, it requires engagement with questions about AI system design, evaluation methodology, human oversight architecture and transparency that go to the core of how AI products are built and deployed. Companies that treat AI Act compliance as a box-ticking exercise risk discovering, when enforcement begins in earnest, that the regulation’s substantive requirements are more demanding than a superficial reading suggested.

The Classification Challenge: High-Risk or Not?

One of the most practically significant challenges for companies trying to navigate AI Act compliance is the classification question: does a specific AI system fall within the high-risk category that triggers the most demanding requirements, or is it a lower-risk application subject to lighter-touch transparency requirements or no specific requirements at all? The AI Act’s definition of high-risk systems is specific but not exhaustive, and the boundary cases – AI applications that touch on regulated domains but that their developers argue do not significantly affect individual rights or safety – are generating substantial legal advisory work as companies seek guidance on whether their systems require full high-risk compliance programmes.

The European Commission has published guidance documents addressing some of the most common classification questions, but guidance documents have a different legal status than the Act itself and do not provide the certainty that companies making significant compliance investments require. The EU AI Office’s initial investigation round will generate enforcement decisions that provide more authoritative guidance on classification questions, but those decisions will take time to produce and may themselves be subject to legal challenge before they become truly settled. This period of regulatory uncertainty – common in the early years of any significant new regulatory regime – is creating compliance costs for companies that must decide how cautiously to interpret the high-risk definitions without having the benefit of a developed body of enforcement precedent to guide those decisions.

The Global Regulatory Ripple Effect

The EU AI Act’s enforcement does not exist in an isolated regulatory environment – it is part of a global regulatory landscape for AI that is evolving rapidly and that shows significant variation across jurisdictions in its underlying approach and its specific requirements. The United Kingdom, which left the EU before the AI Act was proposed, has taken a deliberately different regulatory approach: rather than sector-agnostic AI-specific legislation, the UK has tasked existing sectoral regulators (the Financial Conduct Authority for financial services AI, the Care Quality Commission for healthcare AI, and so on) with applying their existing powers and developing sector-specific AI guidance. This principle-based, sectoral approach is designed to be more flexible and less burdensome on AI innovation than the EU’s prescriptive, risk-tiered approach, and the UK government has explicitly framed it as a competitive differentiator for attracting AI investment relative to the EU.

The United States federal approach has been characterised by executive orders – most recently the Biden administration’s comprehensive AI executive order of 2023 and subsequent updates – and sector-specific guidance from agencies including the FDA (for AI in medical devices), the NHTSA (for autonomous vehicles) and the EEOC (for AI in employment decisions), rather than comprehensive federal legislation. Several states have passed their own AI-related legislation, creating the kind of state-by-state patchwork that industry groups have consistently argued will be more burdensome than comprehensive federal regulation. Congress has been considering multiple AI governance bills, but the prospects for comprehensive federal AI legislation in the current session remain uncertain, leaving the US regulatory environment in a state of ongoing flux that creates its own compliance challenges for companies operating across all US states.

The divergence between the EU’s comprehensive regulatory approach, the UK’s sectoral approach and the US’s fragmented federal-state approach creates genuine complexity for multinational companies that must navigate all three simultaneously. The compliance investments required to meet EU AI Act requirements are the most substantial in absolute terms, but the expertise, governance structures and documentation systems that companies build for EU compliance often have applicability to other jurisdictions’ requirements as well, making the EU compliance programme a reasonable starting point for building global AI governance capacity even for companies whose primary market is not the European Union.

Trust Post Desk