The EU AI Act was always described as a tsunami on the horizon. As of April 2026, the wave has made landfall — and it’s catching a surprising number of major corporations completely off guard.
The Deadlines Are Real
The EU Artificial Intelligence Act, which entered into force in August 2024, is rolling out in phases. The first major enforcement milestone — prohibitions on unacceptable-risk AI systems — took effect in February 2025. But the heavier obligations targeting high-risk AI systems are now activating throughout 2026, with full compliance required for most enterprise AI deployments by August 2026.
High-risk categories under the Act include AI used in employment screening, credit scoring, biometric identification, educational assessment, and critical infrastructure management. These aren’t niche applications: they cover the bread-and-butter automation that thousands of European companies — and non-EU companies doing business in Europe — have been quietly running for years.
The fines are not symbolic. Non-compliance can trigger penalties of up to €35 million or 7% of global annual turnover, whichever is higher. For a multinational with €10 billion in revenue, that’s a potential €700 million liability.
Most Companies Are Not Ready
A survey conducted by law firm Linklaters in Q1 2026 found that only 23% of European enterprises have completed AI system inventories — the foundational first step required for compliance. Without knowing which systems they operate and how those systems are classified under the Act, companies cannot begin the conformity assessments, technical documentation, or human oversight mechanisms the regulation demands.
The compliance gap is particularly acute in financial services. Banks and insurers have deployed AI-driven credit and insurance underwriting tools for years, often without the rigorous documentation and audit trails the Act now mandates. Industry groups including the European Banking Federation have lobbied for phased enforcement leniency, with limited success.
“The challenge isn’t that companies disagree with the regulation,” noted one senior compliance officer at a Frankfurt-based financial institution, speaking on background. “It’s that building the documentation infrastructure required to prove compliance is a 12–18 month project, and the clock started ticking faster than anyone expected.”
The Vendor Scramble
The Act is reshaping the AI vendor market in real time. Established cloud providers — Microsoft, Google, and Amazon — have each launched dedicated EU AI Act compliance toolkits in the past six months, offering audit trail generation, risk classification dashboards, and automated documentation pipelines as premium add-ons.
Startups are also moving fast. Companies like Credo AI, Holistic AI, and DataRobot have repositioned themselves as AI governance platforms, offering compliance-as-a-service packages priced between €50,000 and €500,000 annually depending on the number of AI systems in scope.
Consulting firms are the clear near-term winners. McKinsey, Deloitte, and PwC have each stood up dedicated EU AI Act practices, with billable hours running at rates that would make a securities lawyer blush.
Enforcement Signals Are Emerging
National market surveillance authorities across EU member states are beginning to signal their enforcement postures. Germany’s Federal Network Agency and France’s CNIL have both announced dedicated AI Act enforcement units. Italy’s Garante, which made headlines in 2023 for temporarily banning ChatGPT, has been particularly aggressive in signaling intent.
The first enforcement actions — likely targeting lower-hanging fruit such as prohibited AI practices or obvious documentation failures — are expected before year-end 2026. Observers expect these early cases to be selected for maximum deterrent effect, targeting recognizable brands in sensitive sectors.
The Broader Stakes
Beyond corporate compliance headaches, the EU AI Act represents the world’s most ambitious attempt to create a comprehensive legal framework for AI governance. Its influence is already spreading: Canada’s Artificial Intelligence and Data Act (AIDA) draws heavily from it, and US Congressional staffers have cited it as a template in ongoing domestic AI regulation discussions.
For technology companies operating globally, the Act is rapidly becoming a de facto international standard — like GDPR was for data protection. The companies that treat compliance as a strategic investment rather than a checkbox exercise will likely emerge with durable competitive advantages in regulated markets.
The wave is here. Whether companies are ready for it is another matter entirely.
Sources: EU AI Act Official Journal, Linklaters Q1 2026 Enterprise Survey, European Banking Federation submissions, national regulatory authority public statements.
Discussion
Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.