EU AI Act Published in the Official Journal

The European Union published the Artificial Intelligence Act in the Official Journal of the European Union on July 12, 2024 as Regulation (EU) 2024/1689. The law enters into force on August 1, 2024 and sets up a staged, risk-based compliance schedule: unacceptable-risk systems must cease within six months, general-purpose AI (GPAI) providers face transparency duties after 12 months, and high-risk deployments must meet conformity assessment, quality management, and fundamental rights obligations within 24 months.

Key provisions now in force

• Risk-tiered obligations. Providers of high-risk AI systems must implement documented quality management, post-market monitoring, incident reporting, and human oversight controls aligned with Annex IV technical documentation requirements.
• General-purpose AI governance. GPAI providers must publish detailed training data summaries, technical documentation, and usage instructions, with additional model evaluation duties when the European Commission designates a systemic-risk model.
• AI Office and national regulators. The Act creates an EU-level AI Office to coordinate enforcement and requires Member States to designate market surveillance authorities and notified bodies for conformity assessments.
• Fundamental rights impact assessments. Public sector deployers of high-risk systems must complete impact assessments before use, documenting mitigation for fundamental rights, health, and safety risks.

Guidance for teams

• Map deadlines. Track the 6-month (February 2025) bans on unacceptable-risk uses, 12-month (August 2025) GPAI transparency requirements, and 24-month (August 2026) high-risk system obligations; some product safety integrations extend to August 2027.
• Update product development lifecycles. Embed Annex IV documentation, logging, and human-in-the-loop checkpoints into software development and ML Ops pipelines now to avoid remediation crunches.
• Coordinate with EU economic operators. Clarify responsibilities between providers, deployers, importers, and distributors so supply-chain partners understand conformity assessment ownership and reporting duties.

Next steps for compliance leaders

• Launch cross-functional readiness sprints with legal, product, and privacy teams to draft fundamental rights impact assessment templates and GPAI transparency disclosures.
• prioritize inventory of AI systems deployed in the EU, tagging risk tiers, affected business processes, and dependencies on third-party GPAI services.
• Engage notified bodies early for high-risk systems that rely on existing CE marking frameworks to confirm testing, documentation, and surveillance expectations.

References

• Official Journal of the European Union: Regulation (EU) 2024/1689 (July 12, 2024)
• Council of the EU press release: Council gives final green light to the AI Act (May 21, 2024)
• European Commission: European approach to artificial intelligence (accessed July 2024)

This brief guides compliance, product, and assurance teams through EU AI Act readiness—from risk tiering and Annex IV documentation to GPAI supplier audits.

Implementation detail

Successful implementation requires a structured approach that addresses technical, operational, and organizational considerations. Organizations should establish dedicated implementation teams with clear responsibilities and sufficient authority to drive necessary changes across the enterprise.

Project governance should include regular status reviews, risk assessments, and stakeholder communications. Executive sponsorship is essential for securing resources and removing organizational barriers that might impede progress.

Change management practices help ensure smooth transitions and stakeholder acceptance. Training programs, communication plans, and feedback mechanisms all contribute to effective change management outcomes.

Compliance checking

Compliance verification involves systematic evaluation of implemented controls against applicable requirements. Organizations should establish verification procedures that provide objective evidence of compliance status and identify areas requiring remediation.

Internal audit functions play an important role in providing independent assurance over compliance activities. Audit plans should incorporate risk-based prioritization and coordination with external audit requirements where applicable.

Continuous compliance monitoring capabilities enable early detection of control failures or compliance drift. Automated monitoring tools can provide real-time visibility into compliance status across multiple control domains.

Third-party factors

Third-party relationships require careful management to ensure compliance obligations are properly addressed throughout the vendor ecosystem. Due diligence procedures should evaluate vendor compliance capabilities before engagement.

Contractual provisions should clearly allocate compliance responsibilities and establish appropriate oversight mechanisms. Service level agreements should address compliance-relevant performance metrics and reporting requirements.

Ongoing vendor monitoring ensures continued compliance throughout the relationship lifecycle. Periodic assessments, audit rights, and incident response procedures all contribute to effective third-party risk management.

Strategic factors

Strategic alignment ensures that compliance initiatives support broader organizational objectives while addressing regulatory requirements. Leadership should evaluate how this development affects competitive positioning, operational efficiency, and stakeholder relationships.

Resource planning should account for both immediate implementation needs and ongoing operational requirements. Organizations should develop realistic timelines that balance urgency with practical constraints on resource availability and organizational capacity for change.

Key metrics

Effective monitoring programs provide visibility into compliance status and control effectiveness. Key performance indicators should be established for critical control areas, with regular reporting to appropriate stakeholders.

Metrics should address both compliance outcomes and process efficiency, enabling continuous improvement of compliance operations. Trend analysis helps identify emerging issues and evaluate the impact of improvement initiatives.

What this means for business

This development carries significant strategic implications for organizations across multiple sectors. Business leaders should evaluate how these changes affect their competitive positioning, operational models, and stakeholder relationships. Early adopters who address emerging requirements often gain advantages over competitors who delay action until compliance becomes mandatory.

Strategic planning should incorporate scenario analysis that considers various implementation approaches and their associated costs, benefits, and risks. Organizations should also consider how their response to this development affects relationships with customers, partners, regulators, and other key stakeholders.

Operational approach

Achieving operational excellence in response to this development requires systematic attention to process design, technology enablement, and workforce capabilities. Organizations should establish clear operational metrics that track both compliance outcomes and process efficiency, enabling continuous improvement over time.

Operational processes should be designed with appropriate controls, checkpoints, and escalation procedures to ensure consistent execution and timely issue resolution. Automation opportunities should be evaluated and prioritized based on their potential to improve accuracy, reduce costs, and enhance scalability.

Oversight approach

Effective governance ensures appropriate oversight of compliance activities and timely escalation of significant issues. Organizations should establish clear roles, responsibilities, and accountability structures that align with their compliance objectives and risk appetite.

Regular reporting to senior leadership and board-level committees provides visibility into compliance status and supports informed decision-making about resource allocation and risk management priorities.

Adapting over time

Compliance programs should incorporate mechanisms for continuous improvement based on lessons learned, emerging best practices, and evolving requirements. Regular program assessments help identify enhancement opportunities and ensure sustained effectiveness over time.

Organizations that approach this development strategically, with appropriate attention to governance, risk management, and operational excellence, will be well-positioned to achieve compliance objectives while supporting broader business goals.

Related articles

Curated signals from the same pillar or overlapping topics.

AI · Credibility 90/100 · January 24, 2024

European AI Office Establishment

European Commission stands up the European AI Office, centralising enforcement of the EU AI Act and coordinating global safety partnerships ahead of the regulation’s phased obligations.

AI · Credibility 94/100 · April 7, 2025

EU AI Act

The EU AI Act's GPAI model transparency requirements are approaching enforcement. Model providers need to document training data sources, known limitations, and intended uses. Technical documentation is not optional—it…

AI · Credibility 93/100 · April 14, 2025

EU AI Act

EU AI Act GPAI codes of practice deadlines are approaching. Model providers need documented compliance with transparency, safety, and risk management requirements. The codes translate high-level AI Act requirements into…

AI · Credibility 94/100 · April 21, 2025

EU AI Act

EU AI Act GPAI safety testing requirements demand rigorous evaluation of general-purpose AI models against systemic risk criteria. Providers must stress test models using adversarial techniques, red team exercises, and…

AI · Credibility 93/100 · May 2, 2025

EU AI Act

The deadline for GPAI providers to submit to EU AI Act codes of practice was May 2025. If you are offering general-purpose AI models in the EU, you should already have your transparency commitments and code of practice…

Continue in the AI pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• AI Procurement Governance Guide

  Structure AI procurement pipelines with risk-tier screening, contract controls, supplier monitoring, and EU-U.S.-UK compliance evidence.

• AI Workforce Enablement and Safeguards Guide

  Equip employees for AI adoption with skills pathways, worker protections, and transparency controls aligned to U.S. Department of Labor principles, ISO/IEC 42001, and EU AI Act…

• AI Model Evaluation Operations Guide

  Build traceable AI evaluation programmes that satisfy EU AI Act Annex VIII controls, OMB M-24-10 Appendix C evidence, and AISIC benchmarking requirements.

References

1. Official Journal of the European Union: Regulation (EU) 2024/1689 (July 12, 2024) — eur-lex.europa.eu
2. Council of the EU press release: Council gives final green light to the AI Act (May 21, 2024) — www.consilium.europa.eu
3. European Commission: European approach to artificial intelligence (accessed July 2024) — digital-strategy.ec.europa.eu