The EU AI Act has moved from a broad regulatory promise into its first active compliance phase. As of Sunday in the European Union, regulators can ban AI systems they judge to create “unacceptable risk” or harm.
The February 2 deadline is the first major checkpoint under the AI Act, a comprehensive framework approved by the European Parliament last March after years of development. The act officially went into force August 1, but its obligations are arriving in stages.
What the February 2 deadline changes
The new deadline centers on the most serious category in the EU’s AI risk framework. The specifics are set out in Article 5, but the larger goal is to regulate how AI systems interact with people across consumer products, services, and physical environments.
The EU’s approach divides AI systems into four broad risk levels. Minimal risk systems, such as email spam filters, face no regulatory oversight. Limited risk systems, including customer service chatbots, face light-touch oversight. High risk systems, with AI for healthcare recommendations given as one example, face heavy oversight. Unacceptable risk systems are prohibited entirely.
That final category is the focus of the February 2 compliance requirement. The practical effect is that companies using banned AI applications in the EU can be targeted by regulators, regardless of where those companies are headquartered.
The financial exposure is significant. Companies found using prohibited AI applications in the EU could face fines of up to €35 million (~$36 million), or 7% of their annual revenue from the prior fiscal year, whichever is greater.
Why enforcement is not immediate
The rules are now in force for compliance purposes, but penalties will not arrive at once. Rob Sumroy, head of technology at the British law firm Slaughter and May, told TechCrunch that the February 2 moment is important but not the only date companies should track.
“Organizations are expected to be fully compliant by February 2, but … the next big deadline that companies need to be aware of is in August,” Sumroy said. “By then, we’ll know who the competent authorities are, and the fines and enforcement provisions will take effect.”
That means companies are expected to align their AI systems with the ban now, while the enforcement machinery continues to take shape. For businesses, the main issue is not only whether a system falls into a prohibited category, but also how regulators will interpret the rules once enforcement begins.
Sumroy also pointed to a wider concern: organizations need clear guidelines, standards, and codes of conduct in time to make reliable compliance decisions. He said working groups are so far meeting their deadlines on the code of conduct for developers.
How companies prepared before the deadline
The February 2 deadline is partly a formal step because some companies had already agreed to start preparing. Last September, over 100 companies signed the EU AI Pact, a voluntary pledge to apply principles of the AI Act before its entry into application.
Signatories included Amazon, Google, and OpenAI. As part of the Pact, they committed to identifying AI systems likely to be categorized as high risk under the AI Act.
Not every major company joined. Meta and Apple skipped the Pact. Mistral, the French AI startup described as one of the AI Act’s harshest critics, also did not sign.
That decision does not necessarily mean those companies will fail to comply with the AI Act. Sumroy noted that, given the prohibited use cases, most companies are unlikely to be engaged in those practices anyway.
Where the rules allow exceptions
The AI Act includes exceptions to several prohibitions. Those exceptions matter because the law does not treat every sensitive AI use as automatically banned in every circumstance.
One example involves law enforcement and certain systems that collect biometrics in public places. The Act permits such systems in limited cases, including a “targeted search” for an abduction victim or efforts to prevent a “specific, substantial, and imminent” threat to life.
That exemption is not open-ended. It requires authorization from the appropriate governing body. The Act also stresses that law enforcement cannot make a decision that “produces an adverse legal effect” on a person solely based on the outputs of these systems.
There are also exceptions for systems that infer emotions in workplaces and schools when there is a “medical or safety” justification. The source gives systems designed for therapeutic use as an example.
What remains unclear
The European Commission said it would release additional guidelines in “early 2025,” after consulting stakeholders in November. Those guidelines have not yet been published, according to the source article.
That leaves companies with a compliance obligation but not yet a full view of how every detail will be applied. The uncertainty is especially important for organizations that operate across multiple regulated areas.
Sumroy warned that AI regulation must be understood alongside other legal frameworks. He specifically named GDPR, NIS2, and DORA as laws that may interact with the AI Act.
“It’s important for organizations to remember that AI regulation doesn’t exist in isolation,” Sumroy said. “Other legal frameworks, such as GDPR, NIS2, and DORA, will interact with the AI Act, creating potential challenges — particularly around overlapping incident notification requirements. Understanding how these laws fit together will be just as crucial as understanding the AI Act itself.”
For now, the key point is straightforward: the EU AI Act’s first compliance deadline has arrived, and the most severe category of AI use is no longer just a future concern. The ban on unacceptable risk systems is active, while the details of enforcement, authority, and guidance are still moving toward the next major deadline in August.