When does the EU AI Act take full effect?
The EU AI Act entered into force on August 1, 2024. Prohibited AI provisions (Article 5) applied first on February 2, 2025. The main high-risk AI system requirements — covering Annex III categories like employment, credit, healthcare, and education — become mandatory on August 2, 2026. Some Annex I systems (medical devices, machinery safety) have until August 2, 2027.
What makes an AI system "high-risk" under the EU AI Act?
Annex III of the EU AI Act defines eight high-risk categories: (1) biometric identification systems, (2) critical infrastructure management, (3) educational and vocational training systems, (4) employment and worker management, (5) essential private and public services (including credit scoring), (6) law enforcement systems, (7) migration and border control, and (8) administration of justice. If your AI meaningfully assists decisions in any of these areas, it likely qualifies as high-risk.
What are the EU AI Act obligations for high-risk systems?
High-risk AI operators must: register the system in the EU AI Act database (EUAIDB) before deployment; conduct a conformity assessment; implement a human oversight mechanism; maintain technical documentation per Annex IV; establish a data governance program (Article 10); keep logs for traceability (Article 12); apply CE marking where applicable; and appoint an EU authorized representative if based outside the EU.
Does the EU AI Act apply to companies outside the EU?
Yes. The EU AI Act applies to any provider placing an AI system on the EU market, or any deployer using an AI system that affects EU-based users — regardless of where the company is incorporated. US, UK, Canadian, and all other non-EU companies deploying AI systems used by EU residents must comply. Non-EU companies must appoint an EU authorized representative.
What AI systems are completely prohibited under the EU AI Act?
Article 5 prohibits: (1) AI that manipulates people using subliminal techniques; (2) AI that exploits vulnerabilities of specific groups; (3) social scoring by public authorities; (4) real-time remote biometric identification by law enforcement in public spaces (with narrow exceptions); (5) predictive policing based on profiling; (6) biometric categorization to infer sensitive characteristics (race, political opinions, religious beliefs); and (7) large-scale scraping of facial images to build recognition databases. Most of these prohibitions have been in effect since February 2025.
What is the Colorado AI Act (SB 205) and when does it apply?
Colorado SB 205 is the first major US state AI law covering "high-risk AI systems" that make consequential decisions affecting Colorado residents. It requires developers to publish model documentation, disclose AI use to affected consumers, conduct algorithmic impact assessments, and implement risk management programs. It applies to employment, education, financial services, housing, and healthcare decisions. Enforcement begins June 30, 2026 — making Colorado the first US state AI compliance deadline, 33 days before EU enforcement.