Legal briefing

The EU AI Act – the current state of play

Overview

The EU AI Act is one of the most significant pieces of technology regulation to emerge in recent years and it is still taking shape. In May 2026 alone, the EU provisionally agreed material changes through the Digital Omnibus on AI (see our previous briefing on the "AI Omnibus"), postponing key compliance deadlines, and published draft guidance on high-risk system classification and transparency requirements. This briefing sets out what the Act requires, who it applies to, when obligations apply, and what businesses should be doing now.

What and who is within the scope of the AI Act?

The obligations in the AI Act apply to providers (such as developers), deployers (users), importers, distributors, and product manufacturers of "AI systems" and providers of "general-purpose AI models".  The most onerous obligations are borne by providers. 

What counts as an "AI system"?

"a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments."

The definition is broad but with a focus on autonomy and inference capabilities to distinguish AI from conventional software operating by reference to predetermined rules.  The Commission provided guidelines on the "AI system" definition in February 2025, breaking it down into seven components and clarifying how they apply across the pre-deployment (build) phase and post-deployment (use) phase – not all seven components must be present throughout both phases.

In a similar way to the GDPR, the AI Act applies to entities established outside the EU, as well as to those within the EU, if they put AI systems on the market or into service in the EU or the output of the AI system is used in the EU. 

The obligations under the AI Act vary according to how the AI is categorised: 

  • prohibitive risk – AI systems that pose an unacceptable risk and so are banned under the AI Act.
  • high risk – AI systems that create a high risk to the health and safety or fundamental rights of individuals and so are subject to some of the most onerous obligations.
  • limited risk – AI systems that pose a transparency risk.

There are separate sets of obligations for general-purpose AI models and systems ("GPAI") – systems trained on large amounts of data that have a wide range of uses and are often integrated into other downstream systems and applications. The two regimes are not mutually exclusive: a GPAI model can become part of a high-risk system subject to high-risk obligations in addition to GPAI obligations. There are two tiers of obligations for GPAI: a set of obligations that apply to all GPAI models and an additional set of obligations that apply to a subset of GPAI models with "systemic risk". Models with systemic risk are those which have high impact capabilities (which are presumed if the computational power exceeds a designated threshold) or which are designated as such by the Commission.

Many AI systems will not fall into any of these categories and fall outside the AI Act's scope, although organisations developing and using such systems are still subject to an "AI literacy" obligation (to inform and train their staff/supply chain engaging with AI on the risks and impacts of AI, dependent on the relevant context). The AI literacy requirement is to be relaxed, but not removed, by the AI Omnibus.

Other carve-outs from the AI Act's scope

Certain AI systems are not in scope: for example, AI systems used solely for scientific research and development, or for personal use, or for research and testing prior to a system being put on the market, or those released under open source licences (unless they are classified as prohibited or high-risk systems).

What happens and when?

The AI Act has a staged application, with different timings for the different categories of AI. The following sets out the timings of key obligations (as revised by the AI Omnibus).

2 February 2025 – Prohibited AI Systems' ban and the AI literacy obligation began to apply

Prohibited AI systems are banned completely. In-scope organisations must ensure that no prohibited AI systems are being used, whether as a product offering or within the business. The vast majority of organisations will have had no engagement with these banned activities, although some may need to watch out for the ban on emotion recognition in the workplace and in education. The EU Commission has published Guidelines on prohibited AI practices.

Which systems are banned?

In summary, AI systems are banned for:

  • manipulating and distorting people's behaviour causing significant harm.
  • exploiting people's vulnerabilities in ways reasonably likely to cause significant harm.
  • social scoring.
  • predictive policing, based solely on personality traits and characteristics. (This does not apply to individuals that have already been linked to criminal activities with objective and verifiable facts).
  • creating or expanding facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage. 
  • emotion recognition in a workplace or educational setting, with the exception of those that are there for medical or safety reasons.
  • biometric categorisation to deduce an individual's race, sexual orientation, political opinions or other such sensitive data – with a carve out for a law enforcement context.
  • 'real time' remote biometric systems in publicly accessible spaces for the purposes of law enforcement, unless certain exceptions are met. 
  • generating non-consensual sexually explicit or intimate content, or child sexual abuse material, such as so-called nudification applications (as introduced by the AI Omnibus and only with effect from 2 December 2026).

The AI literacy obligation also began to apply to providers and deployers of AI systems from February 2025.

2 August 2025 – rules for new GPAI models and systems 

Requirements on GPAI models that apply from 2 August 2025 only apply to new GPAI models put on the market on or after that date. GPAI models on the market prior to that date will have a further two years to comply (i.e. until 2 August 2027).  GPAI models must meet additional transparency requirements and providers must maintain technical documentation recording the training and testing process of the underlying model, as well as documentation to supply to downstream providers which allows them to understand the capabilities and limitations of the system. Systemic risk GPAI models are subject to a further layer of obligations, e.g. providers must perform adversarial testing to identify and mitigate system risks, document these risks and track and report incidents to the EU AI Office.

The Code of Practice and Commission's Guidelines for GPAI models were published shortly before the August 2025 deadline.

2 August 2026 – most transparency obligations apply

Providers of AI systems intended to interact directly with people, or which generate synthetic audio, image, video or text content, will be subject to transparency obligations. Users of emotion recognition or biometric categorisation systems, or of AI systems to generate deep fakes, will also be subject to transparency obligations. Disclosing to end-users the fact that content has been generated or manipulated by AI and that they are interacting with an AI system will be key to compliance. The Commission has issued draft guidelines on the implementation of the transparency obligations for certain AI systems (May 2026) alongside a draft Code of Practice on marking and labelling AI-generated content (December 2025).

These transparency obligations take effect on 2 August 2026, except that…

2 December 2026 – watermarking of synthetic AI content

…in relation to AI systems generating or manipulating synthetic content, placed on the market before 2 August 2026, the obligation to ensure that the system’s outputs are marked in a machine-readable format and detectable as artificially generated or manipulated, is postponed by the AI Omnibus for four months, until 2 December 2026.

2 December 2027 – obligations for standalone "high-risk" systems 

The obligations on high-risk AI systems are postponed by the AI Omnibus, with separate, fixed deadlines applying to each of the two main high-risk categories: (i) standalone high-risk systems listed in Annex III; and (ii) high-risk AI systems subject to existing EU product harmonisation legislation listed in Annex I.  The 2 December 2027 deadline only applies to Annex III systems. 

Annex III standalone high-risk systems

Annex III lists as high-risk systems: certain biometrics use cases; critical infrastructure; access to educational and vocational training; certain employment contexts (e.g. systems used in a recruitment or selection process, or to make decisions during the working relationship, including performance monitoring, work allocation, promotion or termination); credit checking; life and health insurance risk and pricing assessments; and various public sector applications, such as assessing eligibility for benefits, border control and asylum, law enforcement and administration of justice and elections.

The Commission published draft guidelines on high-risk system classification on 19 May 2026, which work through each of the eight Annex III areas in detail with examples. The guidelines clarify that intended purpose is determined by looking at instructions for use, promotional materials, and technical documentation as a whole - a provider cannot escape high-risk classification by excluding high-risk uses in its terms of service if the product positioning tells a different story.

Even where a system falls within an Annex III use case, there is a filter allowing providers to exempt systems that do not materially influence decision-making (although the Commission confirms that the presence/absence of human review is irrelevant to classification; its only relevance is to compliance obligations). The four conditions - narrow procedural task, improving a previously completed human activity, detecting decision-making patterns without replacing a completed human assessment, and preparatory task - are exhaustive and must be interpreted narrowly. None of these four conditions is available where a system performs profiling of individuals. Where a provider relies on one of those conditions to self-exempt, it must document that conclusion before placing the system on the market and register the system in the EU database - an obligation that earlier AI Omnibus drafts had proposed to remove but which has been reinstated.

The worked examples in the guidelines are instructive.  For example, in relation to AI tools used in recruitment and workforce management, among the most widely deployed AI tools by businesses of all sizes, the Commission confirms as high-risk systems: automated job-matching and ranking tools generating quantitative scores used to shortlist candidates; candidate sourcing tools searching social media and CV databases to generate shortlists; and systems scoring applicants' written or oral responses to generate rankings determining who proceeds to interview.

2 August 2028 – obligations for high-risk AI systems subject to existing EU product harmonisation legislation

The other category of "high-risk" systems comprises any AI system which is a safety component of or is itself a product subject to EU product safety regulations and required to undergo a third-party conformity assessment pursuant to that legislation. The full list of legislation is set out at Annex I of the AI Act, covering medical devices, toys, radios, PPE etc.  The AI Omnibus clarifies that AI components that merely assist users or optimise performance without creating health or safety risks fall outside this category.  Obligations in respect of these systems have been delayed by twelve months until 2 August 2028.

Reducing overlap with sectoral rules

To address concerns about regulatory duplication for Annex I systems, the AI Omnibus empowers the Commission, via implementing acts, to disapply overlapping AI Act requirements where sectoral rules already cover the same ground. Products subject to the Machinery Directive (2006/42/EC) are completely removed from the AI Act's scope. Some technology and medical device companies may be disappointed that full exemption from the AI Act was not achieved for AI embedded in their products.

There are important carve-outs from these deadlines:

  • There will be no enforcement in respect of any high-risk system in the private sector on the market prior to the applicable compliance deadline, provided the system is not significantly changed after that date.
  • Pre-existing high-risk systems intended for public authority use will have until 2 August 2030 to comply.

Providers of high-risk AI systems will be subject to a range of obligations, including:

  • conformity assessments. 
  • registration of the system in a new EU AI database.
  • implementing detailed rules on areas such as human oversight, data quality and governance, transparency, accuracy and cybersecurity.
  • post-market monitoring system and incident reporting.

An organisation can also be deemed a provider if it puts its trade mark on, or substantially modifies, a high-risk system that is on the market or alters the purpose of an AI system (including a general-purpose AI system) so that it becomes high risk.

Users of high-risk AI systems will have fewer, but still considerable obligations, e.g.:

  • using technical and organisational measures to comply with a provider's instructions for the use of the system. 
  • assigning human oversight to competent, trained personnel. 
  • ensuring relevant and representative input data for the AI system's intended purpose.
  • monitoring the operation of the system, keeping logs of its operation and reporting risks and incidents.
  • informing workers' representatives when using high-risk systems in the workplace.

Enforcement

There is a tiered approach to penalties with maximum fines of up to €35 million or 7% of worldwide group turnover (whichever is the greater) for breach of provisions related to banned AI, fines of up to €15 million or 3% of worldwide group turnover for certain violations relating to other systems and €7.5 million or 1% worldwide group turnover for certain false reporting breaches.

The European Commission has established an AI Office to enforce the AI Act - it will have the exclusive power to monitor, supervise and enforce against providers of GPAI models and over AI systems based on GPAI models where the model and the system are developed by the same provider, but national authorities retain competence in areas such as law enforcement, border management, and financial services.

The EU AI Board, made up of representatives from Member States, will advise and assist and help ensure a consistent implementation of the AI Act. Member States were also required to designate national authorities to enforce the regulation.

The deadline for the establishment of national AI regulatory sandboxes has been postponed to 2 August 2027 under the Omnibus, giving authorities and innovators additional time to develop safe, real-world experimentation environments.

Relief for smaller businesses

Relaxations previously available only to SMEs, including simplified technical documentation, proportionate penalties, and less prescriptive quality management systems, will under the AI Omnibus be extended to small mid-cap companies (SMCs). This expands access to a more practicable compliance pathway for a larger group of EU enterprises and is worth factoring into compliance planning for businesses that fall within the SMC threshold.

What practical steps can businesses take?

The postponement of the main high-risk deadlines should not be treated as an invitation to pause preparation. The volume of documentation, conformity assessment, and registration obligations that will need to be in place before the new deadlines is substantial. Codes of practice, guidelines, standards and templates should help to clarify what practical and technical steps organisations are expected to take, but these have sometimes been slow to emerge. 

While noting the revised compliance deadlines under the AI Omnibus (which, as of May 2026, is still to be formally adopted), businesses using AI should continue to take steps to:

  • train staff on the implications of the AI Act and AI's risks.
  • review, classify, and risk assess current and prospective AI products and use cases against the requirements of the EU AI Act and the latest guidance.
  • ready themselves for the onset of transparency obligations in August 2026.
  • develop governance processes, documentation and policies, including a Responsible AI Policy or similar.
  • update contracts with suppliers and terms of business to address AI requirements and risks.
  • monitor for secondary legislation and further guidance, including the finalisation of guidelines that are currently only in draft.

Remember that readying your business for compliance with the EU AI Act is only part, albeit an important part, of managing risks associated with AI.   You should also:

  • check that you are complying with existing legislation – in particular, the GDPR (as we explain further in this briefing).
  • be clear in staff policies and contracts with suppliers on how your data can be used and specify what can and cannot be inputted into AI systems to prevent the leaking of confidential and proprietary information and personal data of staff/customers.
  • check who owns the intellectual property rights in the output produced by an AI system and whether your business is protected in respect of third-party intellectual property infringement claims (as we explain in this briefing).
  • appropriately allocate responsibility for AI in your contracts with suppliers.

The Technology & Commercial Transactions team at Travers Smith, alongside experts from around the firm, are helping clients to address the complex legal challenges that AI technology poses.

Key contact

Louisa Chambers
Helen Reddish