The EU AI Act’s First Compliance Deadline Hits August 2 — and 73% of Affected Companies Aren’t Ready
The clock is not paused. The EU AI Act’s first major compliance deadline arrives August 2, and according to a Forrester survey of 600 European and multinational firms, nearly three-quarters of affected organizations have not completed the AI system audits the regulation requires. For companies still treating this as a future problem, the future has arrived — with fines of up to €35 million or 7% of global annual turnover on the line.

What August 2 Actually Means
The EU AI Act follows a phased implementation structure, and August 2 marks the enforcement of its prohibited practices provisions — the regulation’s hardest line. These are not gray-area compliance questions. Prohibited practices represent AI applications that EU lawmakers determined pose unacceptable risks to fundamental rights, safety, and human dignity.
Systems falling under this ban include AI used for biometric categorization based on sensitive characteristics, social scoring by public or private entities, real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions), and AI that exploits psychological vulnerabilities to manipulate behavior. Organizations deploying any of these systems — or components that could plausibly be interpreted as performing these functions — must either have ceased operations or completed a defensible audit trail demonstrating they do not cross prohibited thresholds.
The compliance deadline is not a suggestion. It is the date on which enforcement authority becomes active.
Why 73% of Companies Are Still Exposed

The Forrester survey data reveals a compliance gap that is both wide and unevenly distributed. Larger multinationals with dedicated AI governance teams are closer to readiness, but mid-market firms and companies that embedded AI capabilities through third-party vendors are significantly behind. Several structural factors explain the shortfall.
First, many organizations underestimated the scope of what qualifies as an AI system under the regulation’s definition. The EU AI Act applies a broad technical definition that captures machine learning models, certain logic-based systems, and statistical approaches — meaning tools that legal and compliance teams did not initially flag as “AI” may fall within scope.
Second, the audit process itself is resource-intensive. Documenting system purpose, training data provenance, risk classification, and human oversight mechanisms requires cross-functional coordination across legal, engineering, data science, and procurement teams. Companies that delayed building AI governance structures are now attempting to compress months of work into weeks.
Third, vendor dependency has created accountability gaps. When an AI capability is delivered through a SaaS platform or API, the deploying organization still bears compliance responsibility under the Act — yet many have not obtained the technical documentation from vendors needed to complete their own assessments.
Regulators in Germany and France Are Moving First
Regulatory posture matters as much as the text of the law. National competent authorities in Germany and France have signaled that enforcement will not be passive. Both countries have indicated they intend to pursue enforcement actions within 90 days of the August 2 deadline, with biometric categorization and social scoring systems identified as initial priority targets.
This sequencing is deliberate. Biometric categorization and social scoring represent the clearest cases under the prohibited practices framework — systems where potential harm is most legible and the regulatory case is easiest to construct. Regulators building enforcement track records will pursue the highest-confidence cases first.
For compliance officers, this means organizations operating in Germany or France — or whose AI systems process data from residents of those countries — face the most immediate exposure. The 90-day window is not a grace period. It is the timeline within which first enforcement actions are expected to be filed.
What Legal Teams Must Do Before the Deadline
With August 2 only days away, the realistic compliance posture for most organizations is triage. Legal and AI product teams should focus immediate attention on three priorities.
**Inventory and classify.** Produce a complete inventory of AI systems in production, including those delivered through vendors. Apply the EU AI Act’s risk classification framework to each system. Any system that could plausibly touch prohibited practice categories requires immediate escalation.
**Document or decommission.** For systems that are not prohibited but require audit documentation, accelerate the documentation process. For any system that cannot be clearly distinguished from a prohibited practice, the risk calculus strongly favors suspension pending legal review. At penalties of up to €35 million or 7% of global annual turnover, continued operation of ambiguous systems represents an asymmetric risk that is difficult to justify.
**Engage regulators proactively.** National competent authorities have indicated openness to organizations demonstrating good-faith compliance efforts. Proactive outreach — particularly in Germany and France — can establish a documented record of intent that carries weight in enforcement proceedings.
The Broader Compliance Timeline Demands Immediate Foundation-Building
August 2 is the first deadline, not the last. The EU AI Act’s obligations for high-risk AI systems, transparency requirements, and governance mandates continue rolling out through 2026 and 2027. Organizations that treat the prohibited practices deadline as an isolated event will find themselves in the same position — or worse — at each subsequent milestone.
The compliance infrastructure required for August 2 — AI system inventories, risk classification processes, vendor documentation protocols, cross-functional governance structures — is the same infrastructure needed for every phase that follows. Companies that build it now, even under deadline pressure, will have a functional foundation. Companies that do not will face compounding exposure as AI regulation matures and enforcement capacity scales.
The Cost of Waiting Has Never Been Higher
The EU AI Act is the most consequential AI regulatory framework currently in force anywhere in the world. Its prohibited practices provisions are not aspirational policy — they are enforceable law, with penalties calibrated to create genuine deterrence for organizations of any size.
Seventy-three percent of affected companies are not ready. That number will not improve on its own before August 2. For compliance officers, legal teams, and AI product leaders, the question is no longer whether to act — it is whether the actions taken in the time remaining are sufficient to demonstrate the good-faith compliance posture that will matter when regulators begin building their first cases.
The deadline is August 2. Enforcement follows within 90 days. The window for preparation is now measured in hours, not months.


