EU AI Office Enforcement: Understanding Timelines and Penalty Exposure

By May 2026, the EU AI Act is no longer a distant framework. Regulation (EU) 2024/1689 entered into force on 1 August 2024. The prohibitions and AI literacy requirements became applicable on 2 February 2025. General-purpose AI model obligations started applying on 2 August 2025. Most of the broader regime arrives on 2 August 2026, with some product-related high-risk obligations later. That means many teams are now in the gap between early obligations and the main applicability date. This is also the period when the EU AI Office matters most as a source of coordination, guidance, and, for general-purpose AI models, direct supervisory relevance. Keeptrusts helps in that window by turning legal preparation into route-level controls and evidence rather than leaving readiness as a slide deck.

Use this page when

  • You need a clear operational view of EU AI Act milestones as of mid-2026.
  • You are preparing for August 2026 applicability and want to reduce uncertainty around evidence and control ownership.
  • You need to explain what the EU AI Office does versus what national authorities will do.

Primary audience

  • Primary: Compliance officers, product counsel, platform owners
  • Secondary: Security leaders, engineering managers, audit teams

The problem

The hardest part of AI Act enforcement prep is not reading the dates. It is deciding what each date should change in the actual system. Many organizations know the headline timeline but still do not have a route inventory, a control map, or an evidence package for sensitive AI workflows. They talk about preparedness at the policy level while leaving the runtime path mostly untouched.

The second problem is authority confusion. The EU AI Office is central to GPAI oversight and coordination, but many deployer and provider obligations will still be enforced through national market surveillance and sector-specific structures. If teams assume the AI Office is the only audience, they may miss the practical evidence they will need for product, sector, or national reviews. If they assume only national enforcement matters, they may underestimate the significance of EU-level guidance and expectations around general-purpose AI models.

Penalty language adds a third source of confusion. Article 99 sets upper bands that can reach EUR 35 million or 7% of worldwide annual turnover for prohibited practices, EUR 15 million or 3% for certain other breaches, and EUR 7.5 million or 1.5% for supplying incorrect, incomplete, or misleading information. SMEs and startups have more proportionate caps. Those are ceilings, not automatic outcomes. But teams often jump straight to penalty headlines without doing the more useful work of proving what controls exist today.

The solution

The practical answer is to organize readiness by enforcement horizon.

For obligations already in force, verify whether the relevant routes even exist in a controlled form. For obligations coming into broader applicability on 2 August 2026, map each production AI route to a control tier and identify which ones require stronger evidence, grounding, or review. For any workflow tied to general-purpose AI model governance, keep documentation precise about which obligations fall on the model provider, which fall on the deployer, and where your organization acts as an intermediary or integrator.

Keeptrusts is helpful because it gives you a technical control story that can be shown before a regulator or auditor asks for it. Policies overview frames how the chain works. Data Routing Policy constrains providers by declared handling guarantees. Citation Verifier is useful when a route must stay grounded in approved context. Human Oversight forces a review stop for outputs that should not be delivered directly. Audit Logger marks audit logging as part of the active route. That is not the whole compliance program, but it is the part you can prove concretely.

Implementation

The example below shows a strict review route for an AI workflow that is being prepared for August 2026 governance expectations. It is designed to create strong evidence and prevent uncontrolled outputs.

pack:
  name: ai-act-enforcement-readiness-route
  version: "1.0.0"
  enabled: true

providers:
  targets:
    - id: reviewed-provider
      provider: openai
      model: gpt-5.4-mini-mini
      secret_key_ref:
        env: OPENAI_API_KEY
      data_policy:
        zero_data_retention: true
        training_opt_out: true
        retention_days: 0

policies:
  chain:
    - data-routing-policy
    - citation-verifier
    - human-oversight
    - audit-logger

  policy:
    data-routing-policy:
      require_zero_data_retention: true
      require_no_training: true
      max_retention_days: 0
      on_no_compliant_provider: block
      log_provider_selection: true

    citation-verifier:
      require_sources: true
      require_source_match: true
      extract_patterns:
        - regulatory
        - url
        - quote
      rag_context:
        verify_against_context: true
        min_context_overlap: 0.7
      output_action:
        unverified_action: block

    human-oversight:
      action: escalate

    audit-logger: {}

This route is useful because it answers questions enforcement teams actually ask. Was provider handling constrained? Could the route return unsupported content directly? Was a review stop in place? Is there a route-specific evidence trail? Those are practical, defensible questions. They are also easier to answer than abstract claims about organizational readiness.
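To make those four questions checkable rather than rhetorical, here is an added example (not Keeptrusts' own code): a Python check that takes the pack above as a plain dict and answers each question from the declared keys, so a weakened copy of the route shows up as a named gap. The key-to-question mapping and the nesting of `policy` under `policies` are this example's assumptions.

```python
# Constructed for this example: the page's pack above, loaded as a dict so it runs without PyYAML.
READINESS_PACK = {
    "providers": {"targets": [{"id": "reviewed-provider", "data_policy": {
        "zero_data_retention": True, "training_opt_out": True, "retention_days": 0}}]},
    "policies": {
        "chain": ["data-routing-policy", "citation-verifier", "human-oversight", "audit-logger"],
        "policy": {
            "data-routing-policy": {"require_zero_data_retention": True, "require_no_training": True,
                                    "max_retention_days": 0, "on_no_compliant_provider": "block"},
            "citation-verifier": {"require_sources": True, "output_action": {"unverified_action": "block"}},
            "human-oversight": {"action": "escalate"},
            "audit-logger": {},
        },
    },
}

def _target_constrained(target: dict) -> bool:
    # A provider target counts as constrained only if it declares zero retention and no training.
    dp = target.get("data_policy", {})
    return dp.get("zero_data_retention") is True and dp.get("training_opt_out") is True and dp.get("retention_days") == 0

def check_route_readiness(pack: dict) -> dict[str, bool]:
    """Answer the four evidence questions for one pack; True means the control is present.
    Mapping YAML keys to questions is this example's own reading of the page, not a Keeptrusts API."""
    policies = pack.get("policies", {})
    chain, policy = policies.get("chain", []), policies.get("policy", {})
    routing, citation = policy.get("data-routing-policy", {}), policy.get("citation-verifier", {})
    targets = pack.get("providers", {}).get("targets", [])
    return {
        # Was provider handling constrained? The policy must demand ZDR and no training, block when
        # no provider qualifies, and every declared target must actually meet that bar.
        "provider_handling_constrained": "data-routing-policy" in chain
        and routing.get("require_zero_data_retention") is True
        and routing.get("require_no_training") is True
        and routing.get("on_no_compliant_provider") == "block"
        and bool(targets) and all(_target_constrained(t) for t in targets),
        # Could the route return unsupported content directly? Not if unverified output is blocked.
        "unsupported_output_blocked": "citation-verifier" in chain
        and citation.get("require_sources") is True
        and citation.get("output_action", {}).get("unverified_action") == "block",
        # Was a review stop in place? Human oversight must be chained and set to escalate.
        "review_stop_in_place": "human-oversight" in chain
        and policy.get("human-oversight", {}).get("action") == "escalate",
        # Is there a route-specific evidence trail?
        "evidence_trail": "audit-logger" in chain and "audit-logger" in policy,
    }

def readiness_gaps(pack: dict) -> list[str]:
    """Questions this pack cannot answer yes to; an empty list means all four controls are present."""
    return [question for question, ok in check_route_readiness(pack).items() if not ok]
```

Run it against each production route's pack before an evidence export; any non-empty gap list is a route that should not be described as controlled.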

Results and impact

Teams that prepare this way usually get better risk conversations internally. Instead of asking whether the company is generically ready for EU AI Act enforcement, they can show which routes are already controlled, which ones still need review, and which ones should not be in production at all.

That improves executive communication too. Penalty exposure stops being a vague scare number and becomes a reason to prioritize concrete work: route separation, provider governance, evidence export, and documented review behavior. It is a better use of time because it produces artifacts that still matter even if regulatory guidance evolves.

Key takeaways

  • The AI Act timeline is already operationally relevant in mid-2026.
  • The EU AI Office matters, especially for GPAI, but many obligations will still be enforced through national structures.
  • Penalty ceilings are real, but they are not a substitute for route-level control analysis.
  • Evidence readiness is a better short-term priority than generic policy statements.
  • Keeptrusts helps organizations convert compliance preparation into concrete runtime controls and exports.

Next steps