EU AI Act hits full force in August 2026. Everything you need to know right now.

> TL;DR

> - The EU AI Act is the world's first binding AI law. The phase affecting most businesses begins 2 August 2026.

> - High-risk AI systems — covering hiring, education, credit, healthcare and more — now require full documentation, risk management and human oversight.

> - Fines for serious violations can reach €35 million or 7% of global turnover.

> - Norway is an EEA country. Norwegian companies serving EU customers are directly covered — no exceptions.

The clock is ticking. And businesses are not ready.

Two months. That is all the time that remains before the heaviest enforcement round of the EU AI Act kicks in. From 2 August 2026, companies using so-called high-risk AI systems — whether based in Oslo, Amsterdam or San Francisco — must document, audit and take control of their technology. Those who fail risk fines that could cripple even large technology companies. Yet recent analyses show that a majority of European businesses are still not compliant (Sesamedisk, May 2026).

What is the EU AI Act, exactly?

The EU AI Act (Regulation EU 2024/1689) formally entered into force on 1 August 2024. This is not guidance. It is not a recommendation. It is law — with financial penalties, extraterritorial reach and an enforcement structure modelled on the GDPR.

The law is built on a risk-based principle: the higher the risk an AI system poses to people, the stricter the requirements. It divides AI into four categories: unacceptable risk (prohibited), high risk (strict requirements), limited risk (transparency requirements) and minimal risk (no specific requirements).

Enforcement is being rolled out in four waves over three years.

> FACT BOX: Four waves of EU AI Act enforcement

>

> | Date | What entered into force |

> |---|---|

> | 2 February 2025 | Prohibited AI practices (Art. 5) + AI literacy requirements (Art. 4) |

> | 2 August 2025 | GPAI obligations (Art. 51-56). AI Office, AI Board and Advisory Forum became operational. |

> | 2 August 2026 | Core phase: high-risk AI systems (Annex III), transparency requirements (Art. 50), sandboxes |

> | 2 August 2027 | AI embedded in regulated products: medical devices, machinery, toys, vehicles (Annex I) |

> | 2 December 2027 | Legacy GPAI models launched before August 2025 must achieve full conformity |

What is already banned — right now

Since 2 February 2025, several AI practices have been completely prohibited in the EU. This is not about the future — it is current law:

• Subliminal manipulation: AI that influences behaviour without the user's awareness.
• Exploitation of vulnerable groups: AI that targets children, the elderly or people with disabilities in a manipulative way.
• Social scoring: Ranking individuals based on behaviour by public authorities — think Chinese-style social credit.
• Real-time biometric identification in public spaces, with very limited exceptions for serious crime.
• Emotion recognition in workplaces and schools.

Violations of these rules can trigger the heaviest fines in the law (Legalithm, May 2026).

2 August 2026: What actually happens

This is the date most Norwegian and European businesses should have circled in red. Annex III lists eight categories of high-risk AI:

For all systems in these categories, there are now requirements for a risk management system, data quality governance, technical documentation, activity logging, user transparency, human oversight, and security and robustness against attacks. The requirements apply to whoever develops the system (the "provider"), but also to whoever deploys it in their business (the "deployer"), according to Sesamedisk (2026).

> KEYFIGURE

>

> €35,000,000 — Maximum fine for violations of prohibited AI practices (or 7% of global turnover, whichever is higher)

>

> €15,000,000 — Maximum fine for violations of high-risk requirements (or 3% of global turnover)

>

> €7,500,000 — Maximum fine for providing false or misleading information to authorities (or 1% of global turnover)

Digital Omnibus changed two key deadlines

In April 2026, political agreement was reached on a modification known as the "Digital Omnibus". The deal was formally confirmed on 7 May 2026 and introduces two adjustments that are important to know (TechJack Solutions, May 2026):

Track 1 — GenAI providers: Providers of generative AI models have until 2 December 2026 to comply with watermarking of synthetic content and the prohibition on AI-generated intimate content without consent.

Track 2 — Annex III deployers: Businesses that deploy high-risk AI systems (but do not develop them) receive a deferral until 2 December 2027 — from the original 2 August 2026.

This gives deployers more than one extra year, but they are already required to register and begin mapping their AI use.

> HIGHLIGHT

>

> Norway is not exempt. As an EEA country, the EU AI Act is expected to be incorporated into Norwegian law through the EEA process. Until that happens, Norwegian companies offering services or products to EU customers are directly subject to the law — just as with the GDPR. There is no Norwegian "EEA pause" that provides room to manoeuvre.

Three frameworks dominate 2026 — and they are not the same

Alongside the EU AI Act, two other prominent frameworks shape the market. Here are the key differences:

The NIST AI RMF is in practice expected in the American public sector and is used globally as a competency framework. ISO/IEC 42001 provides certification and is used by companies wanting to document AI maturity to customers and regulators. Many Norwegian companies opt for a combination of all three (Blissdrive, 2026; AgenticRail, 2026).

The rest of the world: chaos, or competition?

The EU AI Act does not exist in a vacuum. Regulatory pressure globally is intense but fragmented:

• USA: President Trump's executive order from December 2025 blocks state-level AI regulation. Federal policy is focused on innovation, not safety (EO 14179, January 2025). California SB 1047 still requires annual third-party audits from January 2026.
• China: The CAC requires approval before launching public-facing AI. AI Governance Framework 2.0 includes a Human-in-Control mandate. From January 2026, a new cybersecurity law adds AI security review and data localisation requirements (ISACA, 2026).
• South Korea: AI Framework Act (January 2026) mandates fairness and non-discrimination. Fines of up to approximately $21,000.
• Japan: AI Promotion Act (May 2025) is light-touch — no monetary fines, but public naming of violators.
• Singapore: Voluntary framework.
• United Kingdom: Still no dedicated AI legislation. Sector-specific approach, and a private AI Bill is progressing through the House of Lords.

More than 60 countries now have AI policies (The AI Forest, 2026). Fragmentation is demanding for global companies, but the EU model is gaining ground as an international benchmark.

> PULLQUOTE

>

> "The EU AI Act is not a compliance problem. It is a strategic reality. Companies that treat it as the former will lose to those who understand it as the latter."

> — Summary from ResponsibleAILabs Knowledge Hub, 2026

What Norwegian companies should do right now

The following applies to Norwegian businesses in June 2026, based on consolidated guidance from ADMT.ai and Sesamedisk (2026):

BOTTOM LINE

The EU AI Act is not future regulation. It is here now. From 2 August 2026, the law's heaviest requirements apply to high-risk AI systems. Norwegian companies are not shielded — EEA membership and extraterritorial reach mean the rules apply in full. With fines of up to €35 million and requirements touching everything from HR systems to credit assessment, this is the most consequential AI legislation the world has seen. Companies that start now still have a chance. Those who wait are gambling with more than money.

Verified against 10 open primary sources.

Published: 7 June 2026 | 24AI — Norway's best AI news site