The EU AI Act has already become law, and its regulations are being implemented gradually. Miss one of them and your company would incur a penalty of up to $ 35 million or seven percent of the worldwide turnover, a stiff punishment indeed. These are the five milestones that you should pin on your roadmap today.
1. Act in Force 1 August 2024
The clock starts the day the regulation comes into force. Since that time, all AI products targeting users in the EU have been questioned. If you have not conducted a full gap analysis yet, meaning you have not compiled a list of models or data sources or assessed your level of risk, then do it this week. Such inventory becomes the foundation for any subsequent compliance work.
2. Unacceptable-risk Systems Ban – 2 February 2025
In six months’ time, the strictest ban under the Act takes effect. Social scoring, predictive policing, or un-targeted facial scraping systems should be closed down or re-designed. Audit your marketing, hiring and security pipelines now; no one at the regulators will countenance ignorance once the fines begin to be collected.
3. Practices Codes Payable- 02 May 2025
Voluntary codes of practice are to be published by the providers of general-purpose AI (GPAI) and their largest customers nine months after they come into force. A startup that merely calls an external API and a small one at that, will be questioned by investors about its place. Write a two-page note about data governance, red-team testing, and incident response so that you will be able to share it on demand.
4. Internal Audit & Budget Lock 30 June 2025
This time is not mentioned in the legal document; consider it an internal solid deadline. Your compliance budget, vendor contract, and board-level risk report should be in place by the end of June. Waiting to holiday to recruit auditors or book additional GPU may put you in scramble mode when you can no longer get the specialists you need.
5. GPAI Transparency requirements – 2 August 2025
The transparency requirements were made mandatory one year after the Act was enforced. When creating a large model or fine-tuning one, you must publish model cards that detail the training data, capabilities, limitations, and a record of any serious incidents. Startups that are not doing coupling within their organization only need to ensure that their providers are providing compliant documentation. Write skeleton model cards now that you are ready when your next release goes out.
To the bottom line: EU AI Act is not a future concern, but a chronometer. Meet these five dates and move compliance to a more strategic advantage with customers, investors and regulators alike.
