The EU AI Act is here, and parts of it are already starting to take effect. But for most companies, the real question is not "what does the law say?" It is "what does this actually mean for me?"
The answer depends on what you are doing with AI. Are you building an AI system? Using one internally? Selling AI into the EU? Using a general-purpose AI model? Putting AI in a product that touches hiring, credit, education, law enforcement, healthcare, safety, or other regulated areas? The AI Act does not treat all AI the same. Your obligations depend on your role, your use case, and the level of risk.
The AI Act entered into force on August 1, 2024. The first rules started applying on February 2, 2025, including AI literacy obligations and a comprehensive set of prohibited AI practices, meaning banned AI practices had to stop by that date. General-purpose AI model obligations, governance rules, and penalties began applying on August 2, 2025, subject to certain transition periods. From there, the phasing continues: most remaining obligations apply from August 2, 2026, while certain high-risk AI systems embedded in regulated products, such as medical devices and machinery, have until August 2, 2027. So the work now is less about waiting for “the AI Act deadline” and more about figuring out which parts apply to your business, in what role, and when.
A practical starting point for the EU AI Act:
1. What AI are we using?
2. Are we building it, deploying it, or relying on a vendor?
3. Does it touch customers, employees, or regulated decisions?
4. Is it prohibited, high-risk, GPAI, transparency-related, or lower-risk?
5. What evidence do we have that it is being managed?
The work starts with an inventory. Not a perfect spreadsheet that gets stale in a month, but a real map of where AI shows up in the business. This includes product features, internal tools, vendor systems, and workflows that affect customers, employees, or regulated decisions. That means understanding where AI is generating, classifying, recommending, summarizing, detecting, scoring, or deciding.
From there, the question becomes ownership. Who knows what the system does? What data does it use? Who is the vendor? Which humans review the output? What logs exist? What happens when the system is wrong?
That is the real shift under the EU AI Act. AI governance is no longer just a policy statement or a procurement checklist. It is an evidence exercise. Companies will need to show that they know where AI is being used, how risk is being classified, what controls are in place, and whether those controls are actually working.
The companies that are best prepared will be the ones that can connect their AI policies to real controls, evidence, and accountability.
