Brussels sets hard deadlines for AI transparency requirements. What your team needs to know.
The countdown is over. The European Commission has published the final implementation timeline for the EU AI Act, and the first enforcement wave is now live as of June 1, 2026. For every organisation deploying AI systems within the European Economic Area — from a Munich-based fintech using credit-scoring algorithms to a Warsaw logistics company running route-optimisation software — the rules are no longer theoretical.
Who Gets Hit First and How Hard
The Act draws a hard distinction between risk tiers, and the consequences scale steeply. Providers of high-risk AI systems — defined to include applications in employment screening, credit assessment, biometric identification, critical infrastructure management, and law enforcement — must submit technical documentation proving compliance with transparency, data-governance, and human-oversight requirements. Non-compliance carries fines of up to seven percent of global annual turnover. For a mid-sized enterprise with 500 million euros in revenue, that exposure reaches 35 million euros.
High-risk classification is not self-assessed. The Act specifies product categories and sectors in its Annex III, and companies have limited discretion to argue themselves out of the high-risk bucket. If your AI system is used in recruitment — including CV screening tools — it is high-risk by definition. If it informs lending decisions, it is high-risk. Legal teams across Europe have spent the past 18 months mapping their AI deployments against this taxonomy, and many have discovered that tools they classified as low-risk advisory software actually fall into regulated categories.
General-Purpose Models Under the Microscope
For the large language model providers serving European customers, the Act introduces a separate and technically demanding compliance regime. Models trained using more than 10^25 floating-point operations — a threshold that encompasses GPT-5.2, Claude Opus 4.5, Gemini 3 Pro, Grok-4, and likely Llama 4 in its largest variants — are classified as systemic risk models. They face obligations that go well beyond standard transparency requirements: adversarial testing against a standardised battery of red-team evaluations, incident reporting to the AI Office within 72 hours of detecting serious misuse, and energy-consumption disclosure in a standardised format attached to every model card.
Below the systemic risk threshold, general-purpose AI models still face tiered obligations. Providers must publish model summaries, disclose training data sources at a high level, and maintain technical documentation that regulators can audit on request. The Act's drafters were deliberate here: the obligations scale with capability, so a smaller open-source model serving a narrow use case faces lighter requirements than a frontier system deployed to millions of European users.
The Watermarking Deadline
One provision that will touch virtually every AI product serving European consumers is the synthetic-content labelling requirement. By December 2026, any AI system generating text, images, audio, or video must label its outputs as AI-generated using what the Act describes as sufficiently reliable methods. The practical implementation debate has centred on two approaches: cryptographic watermarking embedded in model outputs at inference time, and visible disclosure through interface design. Both approaches are permissible under the Act, but cryptographic watermarking is the preferred technical standard because it survives copying and reposting in ways that interface-level labels do not.
The December deadline is tighter than many product teams anticipated. Adding watermarking retroactively to production systems requires model-level changes for text and code generators, and metadata pipeline changes for image and video tools. Companies that deferred this work are now accelerating.
Building Compliance Infrastructure
The practical challenge for most organisations is not understanding the rules but instrumenting their AI stack to prove compliance continuously. The Act requires not just initial documentation but ongoing monitoring: data-governance logs showing that training data was lawfully sourced, human-oversight records demonstrating that automated decisions in high-risk contexts were reviewed, and incident logs capturing any cases where the system behaved unexpectedly. This is operational infrastructure, not a one-time legal filing.
For teams building or extending AI-powered products for European markets, tools that ship with compliance metadata built in significantly reduce the documentation burden. Vincony.com's Sentiment Analyzer, for instance, already includes EU-regulated use-case metadata, which simplifies audit trails for teams using it within high-risk sentiment-analysis workflows. Building compliance as a layer on top of an existing stack is hard; working with tools that were designed for compliance from the start is considerably easier.