Analysis
If you run a business in Australia and you assumed Brussels was someone else's problem, this is the moment to look up. The European Union has spent years building the first real rulebook for artificial intelligence, and large parts of it are now live. The headline some outlets have run, that the law flipped to "full enforcement" on 2 June 2026, does not match the official record, and it is worth getting the dates right before you act on anything.
Here is the honest version. The bans on the most dangerous uses kicked in back in February 2025. The rules for big foundation models followed in August 2025. The heavy obligations for "high-risk" systems were pencilled in for 2 August 2026, then pushed back to December 2027 while regulators sorted out the detail. So nobody woke up on a single morning to a finished regime. It has been arriving in waves, and a couple of the biggest waves are still on the way.
The reason it matters to you: the law does not care where your company is based. If your AI touches users inside the EU, you are inside its scope. With a market of roughly 450 million people on the line and fines that scale to a slice of worldwide revenue, "we'll deal with it later" is an expensive position.
What follows is the substance: the tiers, the thresholds, the penalties, and the work that pays off now.
The Risk-Based Framework
The AI Act sorts systems into four risk tiers: minimal, limited, high, and unacceptable (EU AI Act high-level summary).
Minimal risk covers spam filters, recommendation systems users can override, and simple chatbots. These carry no specific obligations beyond general transparency. If you are running a basic FAQ bot or a content recommender with a clear opt-out, your burden is light.
Limited risk covers chatbots, emotion recognition, and biometric categorisation. Here you owe transparency: people must be told when they are dealing with an AI, and AI-generated content has to be labelled. These are procedural steps, not engineering projects, and most teams can handle them.
High risk is where it gets demanding. The category takes in AI used in critical infrastructure, education, employment, law enforcement, migration, and the administration of justice. High-risk systems have to meet a stack of requirements: a risk management system that runs across the whole lifecycle; data governance that keeps training data clean and checks for bias; technical documentation for conformity assessment; record-keeping and logging for audit trails; transparency and clear information for users; human oversight with a real ability to step in; and accuracy, robustness, and cybersecurity. Worth noting: the standalone version of these obligations was scheduled for 2 August 2026, then postponed to 2 December 2027, so the deadline pressure here is later than early reporting suggested.
Unacceptable risk covers government social scoring, real-time biometric identification in public spaces (with narrow law-enforcement carve-outs), and systems that prey on the vulnerabilities of specific groups. These uses are banned outright, and have been since 2 February 2025.

The Foundation Model Provisions
The Act sets specific rules for "general-purpose AI models", the foundation models such as GPT-5.5, Claude, and Llama that get adapted to all sorts of downstream jobs. Models trained on more than 10^25 FLOP of compute pick up extra duties: systemic risk evaluation and mitigation, adversarial testing and red-teaming, reporting of serious incidents to regulators, and adequate cybersecurity (Article 51).
Every general-purpose model, regardless of size, has to hand technical documentation to downstream deployers, comply with EU copyright law, and publish a sufficiently detailed summary of its training data, obligations that have applied since 2 August 2025. The training-data summary has been the sore point. Several major labs have pushed back hard against disclosing what went into their datasets.
Penalties and Enforcement
The fines are built to be noticed. Breaching the prohibited-practice rules can cost up to 35 million euros or 7% of global annual turnover, whichever is higher. Falling short on the obligations for high-risk systems or general-purpose models runs to 15 million euros or 3% of global turnover. Feeding regulators incorrect or misleading information can cost 7.5 million euros or 1% of turnover (Article 99).
Enforcement sits with national regulators in each member state, coordinated by the new European AI Office. Expect the first cases to go after the obvious stuff (companies running prohibited systems or skipping basic transparency) before regulators wade into the harder questions around high-risk compliance.
What Developers Should Do Now
If you are shipping AI systems today, here is the work worth doing.
Start with a risk classification audit. Work out which tier each of your systems lands in, and lean conservative. Regulators are likely to read "high risk" broadly in the early going, and you would rather over-prepare than get caught out.
Next, look hard at your data governance. The Act's bar for training-data quality, bias testing, and documentation is higher than most organisations clear today. You want documented processes for how data gets collected, cleaned, annotated, and checked for bias.
Then sort out logging and audit trails. High-risk systems have to keep records detailed enough to reconstruct how a decision was made and prove compliance. If your systems do not produce detailed, tamper-evident logs right now, fix that early rather than late.
Finally, build real human oversight. The Act wants high-risk systems to include meaningful human review with the power to intervene, not a checkbox. That means written procedures for review, override, and escalation.
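The tamper-evident logging step above, with the human override from the oversight step recorded in the same trail, as an added example (not taken from the Act or from any vendor's code): an HMAC-chained decision log in Python. The field names, sample records and key are constructed; the key and the latest head MAC are assumed to be stored outside the system that writes the log.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64                    # "prev" value for the first record
DEMO_KEY = b"constructed-demo-key"    # constructed; keep a real key off the log host


def record_mac(key, seq, prev, body):
    # Canonical JSON: the same record always serialises to the same bytes.
    msg = json.dumps({"seq": seq, "prev": prev, "body": body},
                     sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append(log, key, body):
    """Append a record whose MAC covers its position, body and the previous MAC."""
    seq = len(log)
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"seq": seq, "prev": prev, "body": body,
                "mac": record_mac(key, seq, prev, body)})
    return log[-1]["mac"]             # new head; store a copy off-host


def verify(log, key, head=None):
    """Return -1 if intact, else the index of the first bad record.
    A stored head MAC also catches truncation (returns len(log))."""
    prev = GENESIS
    for i, e in enumerate(log):
        good = record_mac(key, i, prev, e["body"])
        if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(e["mac"], good):
            return i
        prev = e["mac"]
    if head is not None and not hmac.compare_digest(prev, head):
        return len(log)
    return -1


def build_sample(key=DEMO_KEY):
    """Constructed records: two model decisions and one human override."""
    log = []
    append(log, key, {"event": "decision", "system": "cv-screen", "model": "v3",
                      "input_sha256": hashlib.sha256(b"applicant-1").hexdigest(),
                      "output": "reject"})
    append(log, key, {"event": "override", "reviewer": "hr-17",
                      "target_seq": 0, "output": "advance"})
    head = append(log, key, {"event": "decision", "system": "cv-screen", "model": "v3",
                             "input_sha256": hashlib.sha256(b"applicant-2").hexdigest(),
                             "output": "advance"})
    return log, head
```

Verification without a stored head passes on a log whose tail has been cut off, which is why the head returned by `append` needs to live somewhere the log writer cannot rewrite.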


