The AI Act uses a phased enforcement approach:
**February 2, 2025** — Prohibited AI practices ban takes effect. AI literacy obligation (Article 4) begins.
**August 2, 2025** — Governance structure established. Codes of practice for general-purpose AI apply.
**August 2, 2026** — FULL ENFORCEMENT. All remaining provisions apply, including high-risk system requirements, transparency obligations, and penalties.
**August 2, 2027** — Extended deadline for certain high-risk AI systems listed in Annex I (safety components of regulated products).
The AI Act has a three-tier penalty system:
**Tier 1 (Highest)**: Up to EUR 35 million or 7% of global annual turnover for using prohibited AI practices.
**Tier 2**: Up to EUR 15 million or 3% of global annual turnover for violating other AI Act requirements (e.g., high-risk system obligations).
**Tier 3**: Up to EUR 7.5 million or 1% of global annual turnover for providing incorrect or misleading information to authorities.
For SMBs, fines are proportional — but even the lowest tier can be devastating for a small business. The regulations explicitly state that fines should be "effective, proportionate, and dissuasive."
Each EU member state must designate at least one national competent authority to enforce the AI Act. Some countries have already started:
- Germany: BNetzA (Federal Network Agency) - France: CNIL (data protection authority, expanded role) - Italy: AgID and Garante (dual authority) - Spain: AESIA (new AI supervision agency)
These authorities have the power to conduct audits, issue fines, and even order AI systems to be withdrawn from the market.
When does full enforcement of the AI Act begin?