
The EU AI Act Is Already Enforcing — Most Companies Don't Know What It Bans

May 21, 2026 · 9 min read

The EU AI Act is not a future regulation. It began enforcement in February 2025. Prohibited AI applications are already banned. Transparency obligations apply in August 2026. Fines reach €35 million or 7% of global revenue. If your company uses AI and has any EU exposure, this affects you now.

The Regulation That Has Already Started

When companies talk about preparing for the EU AI Act, they often frame it as future compliance work — something to plan for in the coming years. That framing is incorrect.

The EU AI Act entered into force on August 1, 2024. The prohibition of unacceptable-risk AI practices became enforceable on February 2, 2025. The transparency obligations for general-purpose AI models apply from August 2026. High-risk system requirements take effect progressively through 2027.

The regulation is not arriving. It has already arrived — and one of its enforcement phases began more than a year ago.

What Is Already Banned

Since February 2, 2025, the following AI applications are prohibited within the European Union:

Social scoring by public authorities: AI systems that evaluate or classify individuals based on their social behavior or personal characteristics to assign them a score that determines how they are treated in unrelated contexts. This is the practice associated with China's social credit system, now banned for EU public bodies.

Cognitive behavioral manipulation: AI systems that use subliminal techniques, exploit psychological vulnerabilities, or apply techniques that users are not aware of to manipulate their behavior in ways that harm them. This applies regardless of whether the deployer is a public or private entity.

Real-time remote biometric identification in public spaces: With narrow law enforcement exceptions, AI systems that identify people biometrically in real time in publicly accessible spaces are prohibited. This covers most commercial facial recognition applications in retail, events, and public infrastructure.

Exploitation of specific groups: AI systems that target children, people with disabilities, or other vulnerable groups in ways that exploit their vulnerabilities to manipulate their decisions.

Predictive policing based on profiling: AI systems that profile individuals to assess or predict the likelihood of criminal behavior based solely on characteristics not connected to actual behavior or criminal activity.

If your company is deploying any of these applications — or if a vendor is deploying them on your behalf for your EU operations — you are already in violation.

What Becomes Mandatory in August 2026

The August 2026 deadline is the next major enforcement milestone. By then, providers and deployers of general-purpose AI (GPAI) models — essentially, large language models and similar foundation models — must comply with transparency requirements:

  • Disclose that content was generated by AI in contexts where this is not obvious to end users
  • Implement watermarking or disclosure mechanisms for AI-generated audio, video, images, and text in relevant contexts
  • Maintain technical documentation of how the model was trained, its capabilities, and its known limitations
  • Publish summaries of copyrighted data used in training

For high-impact GPAI models — those assessed to have systemic risk, such as the most advanced available large language models — additional obligations apply, including adversarial testing (red-teaming), incident reporting to the European Commission, and cybersecurity measures.

Businesses that use AI-generated content in customer communications, marketing, or any public-facing context without adequate disclosure mechanisms have less than three months to reach compliance.

High-Risk AI Systems: What They Are and What They Require

High-risk AI systems face the most extensive compliance requirements. The full high-risk framework becomes mandatory 36 months after entry into force — meaning by August 2027. But compliance preparation must begin now, given the technical documentation, testing, and registration requirements involved.

An AI system is classified as high-risk if it falls into specific categories, including:

  • Employment and HR: AI used to recruit, screen, rank, or manage workers and self-employed individuals. This includes CV scanning and ranking tools, AI-assisted interview analysis, performance monitoring systems, and AI-driven promotion or termination decisions. As of March 2026, staffing businesses using AI to screen, rank, or match candidates are now subject to high-risk requirements.

  • Credit and financial services: AI that evaluates creditworthiness or establishes credit scores, life insurance risk classifications, and similar financial profiling.

  • Essential private and public services: AI that determines access to essential services including health insurance, social benefits, and utilities.

  • Education: AI that determines access to educational institutions, evaluates student performance, or monitors exam behavior.

  • Critical infrastructure: AI integrated in the management of water, electricity, gas, heating, and transportation systems.

  • Law enforcement: AI used to assess crime risk, analyze evidence, or evaluate witness reliability.

High-risk systems must, among other requirements:

  • Undergo conformity assessment before deployment
  • Maintain detailed technical documentation
  • Implement human oversight mechanisms
  • Register in a public EU database of high-risk AI systems
  • Establish quality management systems covering data governance, risk management, and post-market monitoring

The Fine Structure

Non-compliance with the EU AI Act is not primarily addressed through warnings and remediation periods. The regulation imposes direct financial penalties:

Violation type                                               | Maximum fine
-------------------------------------------------------------|----------------------------------------------------------------------
Prohibited AI practices (already in force)                   | €35 million or 7% of global annual turnover, whichever is higher
Obligations for high-risk systems or GPAI providers          | €15 million or 3% of global annual turnover
Providing incorrect or misleading information to authorities | €7.5 million or 1.5% of global annual turnover

For a company with €1 billion in global revenue, the maximum fine for deploying a prohibited AI application is €70 million (7% of revenue). For a company with €500 million in revenue, it is €35 million. The EU AI Act fine structure is comparable in severity to GDPR — and enforcement is expected to follow a similar trajectory.

The Brazil Connection

The EU AI Act does not operate in isolation from Brazilian companies. Three distinct exposure channels exist:

Direct EU exposure: Any company with EU subsidiaries, EU employees, EU customers, or AI systems deployed in the EU market is subject to the regulation regardless of where the company is headquartered. The AI Act, like GDPR, applies based on where the AI system operates, not where the company is incorporated.

The GDPR precedent and Brazil's LGPD: The EU AI Act explicitly builds on the GDPR framework. Brazilian companies already operating under LGPD compliance programs will find significant structural overlap — AI systems that handle personal data face combined LGPD and EU AI Act obligations when they touch EU data subjects.

Brazil's own AI legislation: Brazil is actively developing its own AI regulatory framework, explicitly modeled on the EU AI Act. Bills under consideration in Brazil's Congress follow the EU's risk-based classification approach. Companies that build EU AI Act compliance programs now are building the operational foundation for whatever Brazilian regulation emerges in the next 12-24 months.

The Inventory Gap Is the Compliance Gap

The most common reason companies are unprepared for the EU AI Act is the same as the reason they are unprepared for most AI governance requirements: they do not have a complete inventory of the AI systems they are using.

You cannot assess the risk classification of AI systems you do not know about. You cannot verify whether a vendor's AI tool meets transparency requirements if you have never asked. You cannot demonstrate conformity assessment for a high-risk AI system if you did not know it was high-risk when you deployed it.

IBM IBV research found that only 18% of organizations maintain a current and complete AI inventory. Under the EU AI Act, that 82% without a complete inventory is, by definition, unable to confirm compliance — with a regulation that has already begun enforcement.

The Action Sequence

For companies that have not yet begun EU AI Act compliance preparation, the logical sequence is:

Step 1 — AI inventory: Map every AI system currently in use, including SaaS tools with embedded AI, custom-built systems, and AI provided by third-party vendors. For each: what does it do, who uses it, what data does it process, what decisions does it influence?

Step 2 — Risk classification: Apply the EU AI Act risk taxonomy to each system in your inventory. Which are prohibited? Which are high-risk? Which face transparency requirements? Which are minimal-risk and largely unregulated?

Step 3 — Immediate remediation: For any system classified as prohibited or that raises serious questions about prohibited practice classification, halt deployment and seek legal assessment before August 2026.

Step 4 — Transparency compliance: For any GPAI model or AI-generated content in customer-facing contexts, implement appropriate disclosure mechanisms ahead of the August 2026 transparency deadline.

Step 5 — High-risk preparation: For systems classified as high-risk, begin the documentation, testing, and conformity assessment process immediately. The 2027 deadline is closer than it appears when the required technical documentation and governance infrastructure are factored in.

Step 6 — Vendor diligence: For every AI capability provided by a third-party vendor, obtain documentation of their EU AI Act compliance status. Under the Act, deployer obligations are real even when the AI system was built by a vendor.

Frequently Asked Questions About the EU AI Act

Does the EU AI Act apply to companies outside the EU?
Yes, if the AI system produces outputs that are used within the EU or the company has EU customers or employees. The Act's territorial scope mirrors GDPR's extraterritorial reach.

Are there exemptions for small companies?
The Act includes some accommodations for SMEs, including simplified documentation requirements and access to regulatory sandboxes. However, the prohibition on unacceptable-risk practices and the basic transparency requirements apply regardless of company size.

What if we use a US AI vendor — is the vendor responsible?
The Act distinguishes between providers (who develop the AI model) and deployers (who put it into use in their context). Deployers bear their own compliance obligations, including verifying that the AI systems they deploy meet the Act's requirements. The compliance chain runs through both provider and deployer.

How does the EU AI Act relate to GDPR for data-intensive AI applications?
They are complementary. GDPR governs personal data processing. The EU AI Act governs AI system deployment. An AI system that processes personal data must comply with both. In practice, this means that AI used in HR, customer service, credit assessment, and similar contexts faces obligations under both frameworks simultaneously.

What is the first thing a company should do today?
Build the inventory. No other compliance action is possible without knowing what AI systems are in use. A Shadow AI diagnostic — mapping tools, data access, use cases, and current governance — is the foundational step for everything that follows.


Intrabit supports companies in mapping their AI tool landscape, classifying systems under the EU AI Act risk framework, and building the governance infrastructure required for compliance. The first conversation is free.

Further Reading

  • AI Compliance in Regulated Industries
  • AI-BOM: The Shadow AI Inventory Your Enterprise Needs
  • Generative AI and Data Privacy
  • How to Audit AI Usage Across Your Enterprise
