
European AI Act: full application and lessons from the first cycle

Updated: 2026-05-03

The European AI Act entered into force in August 2024 with a staggered application calendar. The first parts—absolute prohibitions and basic transparency obligations—started applying in February 2025. General-purpose model obligations arrived in August 2025. And in August 2026, seven months ago, the Act entered full application for high-risk systems. The first complete compliance cycle ends now, and with it come the first practical conclusions without the institutional narrative.

Key takeaways

  • Transparency obligations on AI-generated content were absorbed at low cost because the technical work already existed.
  • Identifying which systems qualify as “high risk” has been the main operational bottleneck.
  • Effective human supervision and incident logs are the most unexpected costs.
  • The most widespread non-compliance: notification of users affected by automated decisions.
  • First-cycle sanctions are pedagogical, not punitive; real pressure will start from 2027.

What’s complied with effortlessly

Some Act obligations have been absorbed easily because they matched practices serious companies already had. Transparency about AI-generated content, mandatory since 2025, has been integrated into most products without issue:

  • Visible notices on generated images and videos.
  • Watermarks when technically feasible.
  • Labeling in automated conversations.

Prohibition of unacceptable uses—generalized social scoring, biometric identification in public spaces without judicial authorization—also caused no serious problems because no serious European company planned them.

Risk-management and impact-assessment documentation has been more laborious but manageable for companies with mature GDPR processes. Companies with established DPO processes have incorporated AI Act obligations as an additional layer without disrupting existing structures.

What hurt most

The highest cost in the first cycle isn’t the new obligations but identifying which systems qualify as “high risk”. The definition includes eight concrete categories plus criteria leaving significant gray zones. Companies using AI to filter CVs, decide educational admission, evaluate credit, or prioritize medical emergencies have found their systems fall under high risk even when the assisted function seemed minor.

The classification process required coordinated legal and technical work that many companies didn’t have the budget to do properly. The practical result: some over-classified to avoid regulatory risk, taking on unnecessary compliance load; others under-classified out of interpretive optimism, risking sanctions if audited.

The second high cost was effective human supervision: you can’t just put a human in front rubber-stamping everything, but detailed review of every decision isn’t realistic for systems processing thousands daily. Companies have had to design flows with sampling, deviation alerts, and real ability to override individual decisions.

The third cost is incident log management: detected biases, significant errors, security failures. Setting up this infrastructure with integrity and adequate retention isn’t trivial for companies whose internal telemetry wasn’t designed for external audit.

What’s de facto ignored

Three non-compliance patterns repeat frequently in the first cycle:

  1. User notification for automated decisions: the Act requires clearly informing users when a decision significantly affecting them was made with an AI system. In practice, many companies notify only when explicitly demanded and avoid doing so in gray zones.

  2. Training-data documentation quality: for systems using proprietary third-party models, documentation depends on what the provider publishes, and many providers publish less than the Act would require. The European Commission has started pressing large providers, but timelines are long.

  3. Compliance as a continuous process: many companies treated the compliance exercise as static documentation once a year instead of an ongoing process. The Act implicitly expects risk analysis to update when the system changes; in practice many organizations produce the initial report, file it, and keep modifying the system without revisiting compliance.

Real sanctions in the first cycle

Sanctions applied have been few but visible:

  • October 2026: two-million-euro fine on a French employment platform for a CV-filtering system without adequate human supervision.
  • January 2026: sanction against a German bank for credit scoring without complete training-data documentation.

Both fell well below the regulation’s theoretical maximum, signaling that regulators are in a pedagogical rather than punitive phase. The expectation is that truly high fines will come from 2027 onward once doctrine is established.

What seems to have worked

Two things deserve positive mention:

  • The European AI Office has acted with more pragmatism than many feared. Its guidance documents published during 2025 and 2026 have clarified unclear points without hardening interpretations beyond what is reasonable.
  • The Act has pushed many companies to professionalize AI governance that used to be ad-hoc or nonexistent: internal committees, specific compliance roles, structured system review before deployment.

What’s missing

Two pending points set the agenda for the next cycle:

  • Real harmonization across national authorities: interpretive divergences between Spain, France, Germany, and Italy create uncertainty for multinational operations.
  • Treatment of general-purpose models: the “systemic risk” definition remains ambiguous for concrete cases, and entry and exit criteria for the list aren’t fully transparent.

My reading

The first full-application cycle ends with a more nuanced balance than either enthusiasts or detractors expected. The Act hasn’t destroyed European innovation nor solved all the transparency and bias problems that motivated it.

For companies, the practical lesson is that Act compliance is manageable when treated as a continuous process integrated with risk management and data protection, and is expensive and risky when treated as a one-off annual report. Those who got this in the first cycle are well-positioned for the next; those who didn’t will probably hear from the regulator before next August.


Written by

CEO - Jacar Systems

Passionate about technology, cloud infrastructure and artificial intelligence. Writes about DevOps, AI, platforms and software from Madrid.