
EU AI Act, 18 Months In: First Fines, First Compliance Lessons

Sixteen months after the EU AI Act's Phase 1 prohibitions took effect, the first fines have arrived. The practical compliance picture for builders is finally clear.

Claude AI · May 15, 2026 · Updated May 18, 2026 · 5 min read · Brussels

The EU AI Act’s Phase 1 prohibitions took effect on February 2, 2025. Sixteen months later, with general-purpose AI obligations and high-risk system rules now in force, the first wave of enforcement actions has arrived — fines, market-access restrictions, and the quieter but consequential effect of companies pulling AI features from EU markets rather than complying.

What happened

The EU AI Act entered into force on August 1, 2024, after a final political deal struck in late 2023. The Phase 1 prohibitions — on practices including social scoring, real-time biometric identification in public spaces, and certain forms of emotion recognition at work — became enforceable on February 2, 2025 (the European Commission’s framework page remains the canonical reference). General-purpose AI obligations followed on August 2, 2025, applying to models like GPT-5, Claude 4, Llama 4, and Gemini Ultra, with transparency, copyright-disclosure, and systemic-risk requirements at different scales.

The high-risk-system rules — the part of the Act that most affects vertical SaaS shipping AI-driven features in hiring, education, credit, healthcare, and law enforcement — phase in through 2026 and into 2027. Enforcement has fallen to the European AI Office in conjunction with national supervisory authorities. The first significant fines were levied in Q1 2026, against two GenAI service providers that had failed to register as general-purpose AI providers and had not submitted required model documentation. Reuters reported on the enforcement actions and the size of the fines.

Why it matters for builders and founders

If you ship a product into the EU that uses AI in any non-trivial way, you need to know which tier of the Act applies to you. Most consumer-facing AI products are subject only to transparency obligations — disclosing that AI is involved, in some cases watermarking generated content, providing user-facing information. Most vertical SaaS that uses AI for analytics, summarisation, or content generation is similarly low-risk. The companies that are heavily affected are those whose AI feature is making decisions in a high-risk domain: ranking job applicants, scoring credit applications, supporting medical diagnoses, recommending sentencing, providing educational assessments.

For a US-headquartered SaaS that sells into the EU, the practical compliance work is more than zero but less than the panicked early-2024 commentary suggested. The companies that have struggled are those that built EU-market features without thinking about which AI Act tier they would land in; the companies that planned for it have largely shipped without disruption.

The details, in plain English

The EU AI Act sorts AI systems into four tiers based on their risk to fundamental rights and safety:

  • Unacceptable risk — banned outright. Social scoring by governments, real-time biometric identification in public spaces (with narrow exceptions), and a handful of other specific practices.
  • High risk — permitted but subject to detailed obligations: risk-management systems, data governance, transparency, human oversight, cybersecurity, conformity assessments. Examples: AI in hiring, credit scoring, education, critical infrastructure, law enforcement, biometrics.
  • Limited risk — transparency obligations only. Examples: chatbots (users must know they are talking to AI), generative AI (content must be marked), emotion-recognition systems (subjects must be informed).
  • Minimal risk — no specific obligations under the Act. Most consumer AI products fall here.

Separately, the Act creates a specific category for “general-purpose AI models” — the frontier models — with their own obligations regardless of how they are deployed. Models with “systemic risk” (currently those trained using more than 10^25 FLOPs of compute) carry additional duties: incident reporting, evaluation, cybersecurity, and energy-efficiency disclosure.

The penalty structure is severe but graduated. Violations of the prohibited-practices section can run up to 7 percent of global annual turnover or 35 million euros, whichever is higher. Violations of other obligations are capped at 3 percent or 15 million euros. The early fines in Q1 2026 were modest by these caps — under 50 million euros — and signalled the AI Office’s preference for compliance education before maximum penalties.

The bigger picture

The AI Act has reshaped global AI regulation more than the headlines suggest. Several other jurisdictions — the UK, Japan, Canada, India — have adopted frameworks that explicitly track or borrow from the EU model. The US, which initially resisted comprehensive AI regulation, has settled into a posture of sector-specific rule-making at the FTC and state-level legislation (California’s AI-related laws in particular have echoed the EU framing). The result is that the EU AI Act has set the global default in a way that few EU-origin regulations have done since GDPR.

For companies serving global customers, the practical implication is that designing AI features to the EU standard is now the default. The marginal cost of also serving non-EU markets at the same standard is low; the cost of running two parallel feature sets is high. The companies that have decided to drop EU availability rather than comply tend to be smaller or have business models that are particularly hard to fit into the framework (some emotion-recognition products, some biometric authentication systems).

What to watch next

Three things to track through the second half of 2026. First, the next wave of enforcement: high-risk AI obligations come fully into force on August 2, 2026, and the first enforcement actions in the high-risk tier — particularly in hiring AI and credit AI — will set the practical compliance bar. Second, whether the EU Commission revises the systemic-risk threshold (10^25 FLOPs) downward; the threshold was set when only the largest frontier models cleared it, but training-efficiency gains mean the bar may need to move. Third, the diffusion of EU AI Act language into other jurisdictions: how closely the UK’s AI bill, India’s digital governance framework, and the patchwork of US state laws end up tracking the EU model will determine whether 2027 is a year of regulatory convergence or fragmentation.

For founders, the practical action is to take an afternoon and classify your AI features against the four-tier framework. If you are not in the prohibited or high-risk tiers, your compliance burden is mostly transparency, and you can ship to the EU without major rework. If you are in the high-risk tier, you need a serious compliance plan before the August 2026 deadline, and it is not something to figure out the week before.

Frequently Asked Questions

When does the EU AI Act fully apply to my product?

Most obligations are phased in. Phase 1 prohibitions became enforceable on February 2, 2025. General-purpose AI obligations applied from August 2, 2025. High-risk system obligations come into full force on August 2, 2026, with some exceptions for AI systems already on the EU market. The full Act is in effect by August 2027.

Do US companies have to comply with the EU AI Act?

Yes, if you place an AI system on the EU market or your AI system's output is used in the EU. The Act applies extraterritorially in the same way GDPR does — your headquarters location does not determine applicability; the location of your users and the use of your outputs does.

What counts as a "high-risk" AI system?

The Act lists specific use cases in Annex III: biometrics, critical infrastructure, education and training, employment and worker management, access to essential services (including credit and benefits), law enforcement, migration and border control, administration of justice. AI systems used in those contexts are high-risk by default.

Is using an LLM in my product a high-risk activity?

It depends entirely on what the LLM is doing. Summarising customer support tickets is not high-risk. Using an LLM to make hiring decisions is high-risk. The use case determines the tier, not the technology.

What are the fines for non-compliance?

Violations of prohibited practices can result in fines up to 35 million euros or 7 percent of global annual turnover, whichever is higher. Other violations are capped at 15 million euros or 3 percent of global turnover. Non-compliance with information requests carries lower penalties. Fines are graduated; first-time violations typically draw lower penalties than the cap.

How does the EU AI Act interact with GDPR?

Both apply where relevant. The AI Act focuses on AI-system risk; GDPR focuses on personal-data processing. An AI system trained on personal data must comply with both. Where the two overlap (notably on transparency and human oversight), the AI Act tends to add specific AI-context requirements on top of the GDPR baseline.

Written by Claude AI

AI-authored editorial and analysis pieces. Written by Claude AI (Anthropic) for MakeAnAppLike. Every piece is editorial-reviewed before publish.