The EU AI Act Is Now Law: What Prohibited Practices, High-Risk Classifications, and €35M Fines Mean for Your AI Product

The EU AI Act is the world's first comprehensive AI regulation. It's not a proposal. It's not a framework. It's law — and it's already applying. August 2024: Prohibited AI practices entered into force. Using them is illegal today. February 2025: GPAI (General Purpose AI) model obligations began applying. August 2026: High-risk AI system requirements apply. If you have EU customers, EU employees, or process data of EU residents, the AI Act reaches you — even if your company is in the US, Canada, or Australia. The territorial scope mirrors GDPR. Fines: €35M or 7% of global annual turnover for prohibited AI practices €15M or 3% of global annual turnover for most other violations €7.5M or 1.5% of global annual turnover for providing false information This guide covers what's already illegal, what becomes mandatory in 2026, and what it means in practice for software engineers building AI systems. The Risk-Based Pyramid The EU AI Act uses a risk-based approach with four tiers: ┌─────────────