What does the EU AI Act require of businesses in 2027?
Published Jun 14, 2026 · Updated Jun 14, 2026
Direct Answer
By 2027 the EU AI Act is largely in force on a risk-based model: prohibited uses have been banned since February 2025, general-purpose AI (GPAI) obligations have applied since August 2025, and the main high-risk system obligations since August 2026. Penalties run up to €35 million or 7% of worldwide annual turnover for the most serious breaches, which makes the Act the AI counterpart of GDPR for any business serving the EU market. The Act entered into force in August 2024 and phases in through August 2027, classifying AI by risk tier and attaching heavier duties to riskier uses.
Prohibited practices applied from 2 February 2025; GPAI obligations from 2 August 2025; high-risk system obligations from 2 August 2026; and full application from 2 August 2027. High-risk AI embedded in products already covered by EU product-safety legislation (Annex I systems) received an extended transition to 2 August 2028 under the AI omnibus agreement.
Providers of high-risk systems must maintain detailed technical documentation, run a documented risk management system, design the system for human oversight, and complete a conformity assessment, then affix CE marking before placing it on the market; deployers must operate the system as instructed, assign trained human oversight, monitor it, and keep its logs. The penalties are severe and tiered: engaging in a prohibited practice draws up to €35 million or 7% of worldwide annual turnover; breaches of most other obligations, including GPAI provider duties, up to €15 million or 3%; supplying incorrect or misleading information to authorities up to €7.5 million or 1%. For companies that are not SMEs the higher of the two figures applies, and the percentage is of worldwide revenue, not EU revenue.
GPAI providers must also produce technical documentation, give downstream providers the information they need to integrate the model, publish a summary of the training content, and follow a copyright-compliance policy; providers of GPAI models with systemic risk must additionally evaluate the model, assess and mitigate systemic risks, report serious incidents, and secure the model against attack.
For operators, the EU AI Act is a clean lesson in why AI now carries GDPR-scale compliance — classify your systems by risk, build the documentation and human oversight early, and remember the fine is a slice of your global revenue.
1. The Risk-Based Structure
Duties scale with risk
The Act's core design is risk-based: AI is sorted into tiers, and the obligations scale with the risk of the use. Unacceptable uses are banned outright; high-risk uses carry heavy compliance duties; limited-risk uses (for example chatbots and AI-generated or manipulated content) carry transparency duties; minimal-risk uses carry no new obligations.
The framework targets the highest-risk uses rather than regulating all AI equally.
A phased rollout
The rules phase in between August 2024 and August 2027 (with some extensions), so the obligations arrived in waves rather than all at once. That staging gave businesses time to prepare for each tier — but by 2027, the prohibited, GPAI, and high-risk layers are all live.
2. The Compliance Timeline
Key dates
The dates matter for planning: prohibited practices applied from 2 February 2025; GPAI obligations from 2 August 2025; high-risk system obligations from 2 August 2026; and full application from 2 August 2027. Each date turned a future requirement into a live one.
The omnibus extension
One important adjustment: under the AI omnibus political agreement (reached late 2025 into 2026), high-risk AI embedded into regulated products received an extended transition until 2 August 2028. The core high-risk and GPAI duties still apply on the original schedule — the extension covers a specific category, not the whole Act.
Operators should not assume a blanket delay.
3. What High-Risk Providers and Deployers Must Do
Documentation, risk management, oversight
The Act splits the high-risk duties between providers, who develop a system or place it on the market under their own name, and deployers, who use it under their authority. Providers must maintain detailed technical documentation, run a risk management system across the system's lifecycle, govern their training and test data, log events, and design the system so that humans can oversee it. Deployers must use the system according to its instructions, assign human oversight to people with the competence and authority to intervene, keep the logs the system generates, monitor its operation, and in some cases carry out a fundamental rights impact assessment. A deployer that substantially modifies a system or rebrands it takes on the provider's obligations. None of this is a box-check: it means building processes that govern how the AI is developed, monitored, and supervised by humans throughout its use.
Conformity assessment and CE marking
Before a high-risk system can be placed on the market, its provider must complete a conformity assessment, draw up an EU declaration of conformity, and affix the CE marking; standalone high-risk systems (Annex III) are also registered in the EU database. This mirrors how the EU regulates physical products, but the assessment route depends on the system: for most Annex III systems the provider assesses itself against the requirements under internal control, while an independent Notified Body is required mainly for high-risk AI embedded in products that already need third-party assessment under EU product law (Annex I), and for certain biometric systems. Either way, a high-risk system cannot simply ship; it must be assessed and marked first.
4. The Penalties
A slice of global turnover
The enforcement teeth are large, and tiered by breach. Engaging in a prohibited practice draws fines up to €35 million or 7% of worldwide annual turnover; breaches of most other obligations, including those on GPAI providers and on high-risk providers and deployers, up to €15 million or 3%; supplying incorrect, incomplete, or misleading information to authorities up to €7.5 million or 1%. For companies that are not SMEs the higher amount applies (for SMEs and start-ups, the lower). The critical detail is worldwide turnover: the percentage applies to worldwide revenue, not EU revenue, so a violation can cost a meaningful share of a company's entire business, the same structure that made GDPR fines so feared.
What gets enforced
Enforcement targets include non-compliance with the transparency and documentation duties, refusing or obstructing the Commission's requests for access to a GPAI model, and deployment in prohibited AI practices. GPAI providers carry specific duties: technical documentation, information for downstream providers, a copyright-compliance policy, and a public summary of training content. Providers of models with systemic risk must additionally run model evaluations including adversarial testing, assess and mitigate systemic risks, report serious incidents to the AI Office, and protect the model with adequate cybersecurity.
The obligations continue after deployment: high-risk providers must run post-market monitoring, and systemic-risk GPAI providers must track and report incidents, so compliance is ongoing, not a one-time gate.
5. The Operator and Compliance Lessons
Classify your AI by risk first
The clearest lesson is to classify your AI systems by risk tier first, because the obligations, and the fines, flow from the classification. Operators should inventory every AI use, map it to unacceptable, high-risk, limited, or minimal, and record whether they are the provider or the deployer of each system, since a single high-risk system pulls in documentation, oversight, and conformity duties the rest do not.
You cannot comply with what you have not classified.
Build documentation and oversight early
High-risk duties — documentation, risk management, human oversight, conformity assessment — take months to stand up, not days. Operators should build these ahead of need, because retrofitting governance onto a deployed system under enforcement pressure is far harder. The teams that treated AI governance like GDPR readiness are the ones that met the August 2026 high-risk deadline calmly.
The fine is global — size it accordingly
Because penalties reach 7% of worldwide turnover, operators must size the risk against worldwide revenue, not EU sales. A modest EU footprint does not cap the fine: the caps are ceilings, and the actual fine is set by national authorities in proportion to the nature, gravity, and duration of the breach, but the ceiling scales with the whole company. Operators serving the EU at all should treat AI compliance as a material, board-level risk, exactly as they treat data-privacy exposure under GDPR.
FAQ
When does the EU AI Act take effect? It phases in between August 2024 and August 2027. Prohibited practices applied from February 2025, GPAI obligations from August 2025, high-risk obligations from August 2026, and full application from August 2027 — with high-risk AI in regulated products extended to August 2028.
What must high-risk AI deployers do? Use the system according to the provider's instructions, assign human oversight to competent people, monitor its operation, keep the logs it generates, and in some cases carry out a fundamental rights impact assessment. Technical documentation, risk management, conformity assessment, and CE marking fall on the provider, and a deployer that substantially modifies or rebrands a system becomes its provider.
What are the penalties under the EU AI Act? Up to €35 million or 7% of worldwide annual turnover for prohibited practices; up to €15 million or 3% for most other breaches, including GPAI provider duties; up to €7.5 million or 1% for supplying incorrect information to authorities. For non-SMEs the higher figure applies, and the percentage is of worldwide revenue, not just EU revenue.
What are GPAI providers required to do? Provide technical documentation and integration information for downstream providers, publish a training-content summary, and maintain a copyright-compliance policy; providers of models with systemic risk must also evaluate the model, mitigate systemic risks, report serious incidents, and secure the model. The obligations continue after release, making compliance ongoing rather than one-time.
What can operators learn from the EU AI Act? Classify AI by risk tier first, build documentation and oversight early because they take months, and size the fine against global turnover — treating AI compliance as a material, GDPR-scale, board-level risk.
Bottom Line
By 2027 the EU AI Act is largely in force on a risk-based model, with prohibited uses banned since February 2025, GPAI duties since August 2025, and high-risk obligations since August 2026, backed by conformity assessment, CE marking, and fines up to €35 million or 7% of worldwide turnover for the most serious breaches.
It is GDPR-scale compliance for AI, reaching any business serving the EU. For operators, the lessons are exact: classify your AI by risk first, build documentation and human oversight early, and size the fine against your global revenue, not just EU sales.