When does the EU AI Act take full effect?

The EU AI Act's general application date is August 2, 2026, exactly 24 months after the regulation entered into force on August 1, 2024. Most provisions become legally binding across all 27 EU member states on this date. High-risk AI system obligations under Annex III have an extended deadline of August 2, 2027, but preparatory compliance requirements begin in 2026.

What are the maximum fines under the EU AI Act?

The EU AI Act imposes fines of up to €35 million or 7% of worldwide annual turnover for prohibited AI practices, and up to €15 million or 3% of worldwide annual turnover for other violations. Recidivism doubles fines. For context, 7% of Alphabet's annual revenue would be approximately $24.5 billion.

78% of Enterprises Aren't Ready for the EU AI Act. In 107 Days, the Fines Start at 7% of Global Revenue.

One hundred and seven days. That is how long companies selling AI products into the European Union have before Regulation (EU) 2024/1689, the EU AI Act, reaches its general application date on August 2, 2026, triggering enforcement powers, transparency mandates, and a penalty framework that makes GDPR fines look like parking tickets.

A 2026 readiness report from Vision Compliance found that 78% of enterprises are unprepared for their obligations. Not underprepared, not slowly getting around to it, not hampered by ambiguous guidance while making a good-faith effort to comply. Unprepared.

Every American tech executive should read that number twice, because the EU AI Act is not a domestic European regulation that stops at the continent's borders. It applies to any company that places an AI system on the EU market, or whose AI system's output is used in the EU, regardless of where the company is headquartered. Microsoft's Copilot, Google's Gemini, Amazon's Alexa, Meta's recommendation algorithms, Salesforce's Einstein, Oracle's AI suite: every one of these products touches EU users, and every one of their parent companies faces a maximum fine of 7% of worldwide annual turnover for prohibited practices under Article 101.

Seven percent of worldwide annual turnover. Run those numbers.

Fine Exposure Nobody Is Talking About

Here is the original calculation. Take the five largest U.S. tech companies by revenue and apply the EU AI Act's two penalty tiers: 7% of global turnover for prohibited AI practices including manipulative systems, social scoring, and unauthorized biometric surveillance, and 3% for other violations such as failing transparency, logging, or conformity requirements.

Company	2025 Revenue	Max Fine (7%)	Max Fine (3%)
Amazon	$638B	$44.7B	$19.1B
Apple	$395B	$27.7B	$11.9B
Alphabet	$350B	$24.5B	$10.5B
Microsoft	$245B	$17.2B	$7.4B
Meta	$161B	$11.3B	$4.8B

Amazon's theoretical maximum penalty is $44.7 billion, a figure that exceeds the GDP of more than 70 countries and illustrates the sheer mathematical absurdity of what is technically possible under the statute's ceiling provisions. No regulator has ever levied a fine approaching that magnitude, and Article 99 requires penalties to be "proportionate" and "dissuasive," which means actual fines will be smaller. But the ceilings define the negotiating range, and they have a way of becoming less theoretical than skeptics expect. When GDPR was enacted, critics called the 4%-of-turnover cap performative. Then Luxembourg's data protection authority fined Amazon €746 million in 2021, and Ireland fined Meta €1.2 billion in 2023. Cumulative GDPR fines have reached €7.1 billion. Ceiling numbers stop being theoretical when regulators have institutional motivation to use them.

What Changes on August 2

The EU AI Act entered into force on August 1, 2024. Its provisions phase in over three years, not all at once, and the August 2, 2026 date triggers the broadest tranche. Here is what activates:

Transparency obligations for generative AI. Every chatbot, image generator, and AI-synthesized audio or video system must disclose to users that content is AI-generated, and providers must implement technical solutions like metadata tagging or watermarks under Article 50. A marketing firm using AI voiceovers must add "AI-generated audio" labels; a news outlet running AI-written summaries must say so; a social media platform displaying AI-modified images must watermark them.

Full enforcement powers. National market surveillance authorities and the EU AI Office gain authority to investigate, seize non-compliant systems, and impose remedies, deploying the same institutional enforcement infrastructure that produced GDPR's €7.1 billion in cumulative penalties across thousands of cases since 2018, now pointed squarely at artificial intelligence.

Automatic logging requirements. High-risk AI systems must "technically allow for the automatic recording of events over the lifetime of the system," per Article 12, and no manual documentation substitute is acceptable. Logs must cover situations where the system might present a risk, data for post-market monitoring, and data for operational oversight, with a six-month minimum retention period that applies regardless of business model, data volume, or storage cost constraints. Here is the catch: no finalized technical standard exists yet. Both relevant drafts, prEN 18229-1 and ISO/IEC DIS 24970, remain incomplete, meaning companies are building to a regulation that defines outcomes without specifying how to achieve them.

Mandatory preparatory compliance for high-risk systems. Full obligations for Annex III high-risk systems covering recruitment algorithms, credit scoring, biometric identification, and educational assessment tools do not activate until August 2, 2027, but August 2, 2026 initiates the mandatory preparation phase: fundamental rights impact assessments, technical documentation, quality management systems, and notifications to the EU database. If your HR software screens resumes, your insurance model prices risk, or your educational platform grades exams, the compliance clock is already running and every month of delay compounds the scramble that August 2027 will bring.

Brussels Effect, Again

Critics frame the EU AI Act as European overregulation, a brake on innovation that will kneecap the continent's AI sector while Silicon Valley races ahead unencumbered. Evidence tells a more complicated story. A survey by ACT | The App Association of more than 1,000 technology companies across the EU, UK, and U.S. found that 60% of EU and UK small-to-mid tech companies face delayed access to frontier AI models, with 58% of developers reporting regulation-driven launch delays, more than a third stripping or downgrading features to comply, and annual cost per affected firm ranging from $186,000 to $528,000 in lost revenue and foregone savings.

And yet. GDPR did not merely regulate Europe. It rewrote global privacy law. Researchers at CEPA have documented the "Brussels Effect," in which the EU's regulatory standards propagate worldwide because multinational companies find it cheaper to adopt one global standard than to maintain parallel compliance regimes. More than 160 countries now have data protection laws modeled on or influenced by GDPR: California's CCPA, Brazil's LGPD, Japan's revised APPI. Brussels did not conquer the world's privacy law by force; it did it by market gravity.

That dynamic is virtually certain to repeat with AI regulation, because companies that sell into the EU will build to the AI Act's requirements and those requirements will become the global floor, just as GDPR's requirements became the global floor for data privacy within five years of enforcement. What remains uncertain is not whether the Brussels Effect applies but whether it takes hold before or after a wave of enforcement actions concentrates minds.

GDPR's Enforcement Timeline Predicts What Comes Next

GDPR took effect on May 25, 2018. France's CNIL fined Google €50 million in January 2019, roughly seven months later. Ireland's DPC fined WhatsApp €225 million in September 2021, about 40 months in. Amazon's €746 million fine from Luxembourg in July 2021 marked the first billion-euro-scale penalty. By January 2026, cumulative fines had reached €7.1 billion, a sum that makes clear the EU's enforcement apparatus is not decorative.

GDPR's early years were slow because enforcement was novel, with regulators building institutional capacity from scratch, hiring specialists, developing investigation procedures, negotiating cross-border jurisdiction through untested legal channels that sometimes took years to resolve. Those institutions now exist. Those same data protection authorities, those same procedural playbooks, that same political constituency that rewards visible enforcement of consumer protections. Created specifically for AI Act oversight, the EU AI Office has been operational since early 2024 and will not face the same cold-start problem that characterized GDPR's first year.

A reasonable prediction: the first significant AI Act fine will arrive within 12 months of the August 2026 enforcement date, measured from a baseline of far more sophisticated enforcement machinery than GDPR had at birth, with investigators who have spent eight years learning how to build cases against American technology companies operating in European markets. A nine-figure fine is plausible within 18 to 24 months.

Strongest Case Against Panic

Three arguments push back against the "compliance cliff" framing, and they deserve full consideration because dismissing legitimate counterarguments is how AI policy discourse degenerates into advocacy dressed up as analysis.

First, the European Commission's Digital Omnibus package, proposed in November 2025, includes a potential delay of Annex III high-risk obligations to December 2027. Both the Council and Parliament adopted negotiating positions in March 2026, and trilogues are underway. If this passes, it grants an additional 16 months for the most burdensome requirements, which would constitute a meaningful reprieve for companies building complex conformity assessment processes. But nothing has been enacted into law, and the general provisions, transparency mandates, enforcement powers, and penalty framework that activate on August 2, 2026, are not part of the proposed delay.

Second, the Act's risk-based framework means most AI systems fall into the "minimal risk" or "limited risk" categories and face lighter obligations. A spam filter is not treated the same as a credit scoring model. That 78% unpreparedness figure applies to enterprises broadly, but many of those enterprises may deploy only low-risk systems, and panic is not warranted for every company using AI to generate email subject lines or sort customer support tickets into priority queues.

Third, Article 99 mandates that penalties be "proportionate" and account for company size and economic viability. Maximum fines are ceilings, not floors. GDPR's enforcement record shows actual penalties ranging from €5,000 for small violations to €1.2 billion for systematic abuse by the world's largest companies, with most fines landing in the six- to eight-figure range that is painful but survivable for the companies that receive them.

These arguments are valid. They are also precisely the arguments companies used to justify GDPR inaction in 2017 and 2018, before the enforcement wave arrived and the comfortable assumption that regulators would not actually use their powers collided with the reality that political incentives reward enforcement.

Limitations

Revenue figures used in the fine exposure table are approximate 2025 estimates based on public financial filings and analyst consensus. Actual fines will be proportionate to the severity of violation, not automatically calculated at the maximum rate. Vision Compliance's 78% unpreparedness figure has not been independently verified by this publication, and the survey methodology has not been publicly disclosed in sufficient detail to assess sampling bias or response rates. ACT's survey was commissioned by an industry trade group that has an institutional position opposing EU AI regulation, which may influence framing though the underlying data points appear methodologically sound when compared against independent surveys from Deloitte and McKinsey that found similar compliance gaps. Digital Omnibus trilogues are ongoing and could materially change the compliance timeline for high-risk systems. This analysis does not constitute legal advice.

What You Can Do

If you lead a tech company selling AI products into Europe: Conduct an AI system inventory before June 2026. Map every product to the Act's risk tiers, designate an EU representative under Article 25 if you have no EU establishment, and for generative AI systems, implement content labeling and watermarking before August 2. Transparency obligations are not debatable, delayed, or ambiguous.

If you work in HR, finance, or insurance: Your AI recruitment screens, credit scoring models, and risk pricing algorithms are explicitly classified as high-risk under Annex III. Full compliance is not required until August 2027, but the preparatory phase begins now, which means starting fundamental rights impact assessments, documenting your training data governance, and building audit trails that will satisfy regulators who have spent eight years learning what inadequate documentation looks like from GDPR cases. Companies that start in mid-2026 will find consultants booked, standards still unfinalized, and competitors who began earlier already through their first compliance cycle.

If you build AI agents or deploy autonomous systems: Article 12's logging requirements are mandatory for high-risk systems, and the standard has not been finalized, but that uncertainty is not an excuse for inaction. Build tamper-evident logging now. Sign each action cryptographically, chain receipts, and ensure six-month retention regardless of what the final technical standard specifies. Whether the standard adopts NIST FIPS 204 post-quantum signatures or another scheme, any implementation that ensures automatic recording, tamper evidence, and durable retention will satisfy the regulation's intent.

If you invest in AI companies: Add EU AI Act compliance status to your due diligence checklist, because the Act creates a new category of regulatory risk for any AI company with European revenue exposure, and the difference between a portfolio company that invested in compliance early and one that treated it as a future problem will become financially material the moment enforcement begins. Companies that are compliant early gain a competitive moat; those that wait face enforcement risk and lost market access in a region representing $18 trillion in GDP.

Bottom Line

What the EU built with GDPR, it is now doing to artificial intelligence, except the penalties are larger, the enforcement infrastructure is more mature, and the regulated technology touches more of the economy than personal data ever did. In 107 days, transparency obligations for every generative AI system operating in Europe become legally enforceable, backed by fines that scale to 7% of worldwide revenue. Three-quarters of enterprises are not ready. Brussels Effect dynamics all but guarantee that what Europe mandates today, the rest of the world will adopt within five years, because multinational companies will do what they always do when faced with the choice between maintaining parallel compliance regimes and adopting one global standard: they will choose the standard that is already written. Companies that build to the AI Act's requirements now will own the compliance moat. Those that wait are betting that the EU will be more lenient with AI than it was with data privacy. GDPR's €7.1 billion in fines says that is a bad bet.