Deadlines, Penalties, and Your Next Steps

The EU AI Act does not switch on all at once. Different obligations take effect on different dates:

FEBRUARY 2, 2025 — ALREADY ACTIVE: AI Literacy obligation (Article 4) — you must ensure your staff has sufficient AI literacy. Prohibited practices (Article 5) — the 8 banned AI practices are already illegal.

AUGUST 2, 2025: Rules for general-purpose AI models take effect — this covers foundation models like GPT, Claude, Gemini, and others. Codes of practice for general-purpose AI providers.

AUGUST 2, 2026 — THE BIG DATE: ALL main obligations take effect. High-risk AI requirements (risk management, documentation, conformity assessment, etc.). Transparency obligations. Deployer obligations. Penalties become fully enforceable. This is the date most companies need to be ready for.

AUGUST 2, 2027: Rules for high-risk AI systems embedded in products covered by existing EU safety legislation (Annex I products like medical devices, cars, toys, machinery).

The EU AI Act has three tiers of penalties (Article 99), and they are serious:

Tier 1 — Prohibited practices: Up to 35 million euros or 7% of global annual turnover, whichever is higher. This is the penalty for using any of the 8 banned AI practices from Article 5.

Tier 2 — Non-compliance with main obligations: Up to 15 million euros or 3% of global annual turnover. This covers failure to meet high-risk requirements, transparency obligations, and deployer obligations.

Tier 3 — Providing false information: Up to 7.5 million euros or 1% of global annual turnover. This is the penalty for giving incorrect, incomplete, or misleading information to authorities.

For SMEs and startups, the EU explicitly designed proportionate penalties: the cap is always the LOWER of the percentage amount or the fixed euro amount. So if you are a small company, you pay the percentage-based fine, not the fixed amount.

For context: the GDPR's maximum fine is 20 million euros or 4% of turnover. The EU AI Act goes significantly higher — up to 35 million euros or 7% of turnover. The EU is signaling that AI compliance is taken even more seriously than data protection.

Here is what you should do, starting today:

Step 1: Inventory your AI systems. Make a complete list of every AI system your company uses or develops. Include vendor tools — if you use AI-powered software from a third party, you are a deployer and have obligations.

Step 2: Classify each system. Use the Witness Classifier to determine the risk level of each AI system. Is it minimal, limited, high-risk, or potentially prohibited? This takes about 10 minutes per system.

Step 3: Determine your role. For each AI system, figure out whether you are the provider, the deployer, or both. Use the Witness Role Classifier for this. Remember that modifying or rebranding AI can shift your role to provider.

Step 4: Start documentation early. For high-risk systems, begin your technical documentation now. The Annex IV documentation requirements are extensive — it is much easier to build them gradually than to rush them before the deadline. The Witness Documentation Generator walks you through every required field.

Step 5: Train your people. AI literacy is already required since February 2025. Share this course with your colleagues. Document who was trained, when, and on what topics. The Witness AI Literacy tool helps you build a formal training program.

Witness provides a complete toolkit for EU AI Act compliance, designed for SMEs who need to comply without hiring expensive consultants:

Classifier: Determine the risk level of your AI system through a guided questionnaire. Takes about 10 minutes. Role Classifier: Figure out whether you are a Provider, Deployer, or both — including detection of role-shifting scenarios.

Obligation Tracker: See all your obligations in one place with status tracking and deadline monitoring. Technical Documentation Generator: Build Annex IV compliant documentation with 42 guided fields, legal references, and contextual help.

FRIA Generator: Create your Fundamental Rights Impact Assessment with a structured template, risk matrix, and integration with GDPR DPIA requirements. AI Literacy Module: Document your training program, define roles, and generate compliance evidence.

Conformity Assessment: Prepare for conformity assessment with a QMS checklist, declaration of conformity builder, and CE marking guidance. Risk Management System: Build and document your Article 9 Risk Management System.

And this Academy: The free educational course you just completed. It helps satisfy the AI literacy obligation from Article 4 — for you and your entire team.