The EU AI Act is not coming. It's here. Regulation (EU) 2024/1689, the world's first comprehensive AI regulation, entered into force on 1 August 2024, and its obligations are phasing in: several are already active and enforceable. If your AI agents are placed on the EU market, used by deployers in the EU, or produce outputs that are used in the EU, the Act applies to you regardless of where your company is headquartered (Article 2).

This article cuts through the legal complexity to explain what the Act actually requires for AI agents, who it applies to, and what you need to have in place right now.

The timeline — what's active now

August 2024 — In force
The Act officially entered into force on 1 August 2024. Obligations phase in from that date: most apply after 24 months (2 August 2026), with a 36-month transition for some high-risk categories.
February 2025 — Prohibited practices banned
The Article 5 practices (social scoring, manipulative or exploitative subliminal techniques, untargeted scraping of facial images, emotion recognition in workplaces and schools, certain biometric categorisation and real-time remote biometric identification uses) are now banned. The Article 4 AI-literacy duty for providers and deployers applies from the same date.
August 2025 — GPAI rules apply
Obligations for providers of general-purpose AI models (Chapter V) apply from 2 August 2025: technical documentation, information for downstream providers, a copyright policy and a public training-data summary for every GPAI model, plus model evaluation, adversarial testing, serious-incident reporting and cybersecurity measures for models designated as posing systemic risk. Models already on the market before that date have until 2 August 2027 to comply, and the Commission's fining powers for GPAI providers start on 2 August 2026.
August 2026 — High-risk AI requirements apply
The requirements for the high-risk AI systems listed in Annex III (Articles 9 to 15, together with the provider and deployer duties that attach to them) become enforceable on 2 August 2026. This is the deadline most enterprise AI agent deployments need to be ready for. High-risk systems that are safety components of products covered by the Annex I product legislation get until 2 August 2027.

Does your AI agent qualify as high-risk?

The EU AI Act takes a tiered approach to risk. Most AI systems fall into the minimal-risk category (no specific obligations) or the limited-risk category (Article 50 transparency duties, such as telling users they are interacting with an AI system). High-risk systems face the full weight of the compliance requirements.

An AI agent is likely to be classified as high-risk if it is intended to be used in one of the contexts listed in Annex III of the Act: biometrics, critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services (including credit scoring and insurance pricing), law enforcement, migration and border control, and the administration of justice and democratic processes.

The grey area: an AI agent that assists human decisions rather than taking them autonomously is still high-risk if it materially influences outcomes in the categories above. Article 6(3) exempts an Annex III system that only performs a narrow procedural task, improves the result of an already completed human activity, detects decision-making patterns, or does preparatory work, but never where the system profiles natural persons. "It's just a recommendation tool" is not a defence if the recommendation is consistently followed.

If you are not in one of these categories, your obligations are lighter, but you still need to meet the Article 50 transparency requirements (for example, disclosing that users are interacting with an AI system and marking AI-generated content). Note that the GPAI obligations attach to the model provider, not to you as a user of GPT-4 or Claude; your own duties depend on how the system you build on top of the model is classified and deployed, and under Article 25 you become the provider of a high-risk system if you put your name on it, substantially modify it, or change its intended purpose into a high-risk one.

What high-risk AI agents must do

For high-risk AI systems, Chapter III Section 2 of the Act (Articles 9 to 15) sets out the requirements: risk management, data governance, technical documentation, record-keeping, transparency and information for deployers, human oversight, and accuracy, robustness and cybersecurity. The table below groups them into five categories that map to how you govern your AI agents. Two caveats for anyone using it as a checklist: the Article 15 accuracy, robustness and cybersecurity requirements have no row and need their own evidence (test results, adversarial-robustness and security measures), and the Article 10 data-governance duties concern the training, validation and test datasets, which masking of operational logs alone does not address.

Requirement | What the Act says | TrustLoop coverage
Audit trail | Art. 12: automatic recording of events (logs) over the system's lifetime; Art. 19: deployers keep the logs for at least six months | Blockchain-anchored audit log, full call history
Human oversight | Art. 14: the system is designed so that natural persons can monitor it, interpret its output, and decide not to use it, override it, or stop it | Approval workflows, kill-switch, real-time alerts
Transparency | Art. 13: operation transparent enough for deployers to interpret the output, with instructions for use; Art. 11: technical documentation of how the system works and what data it uses | Plain-English rule engine, decision logging with context
Risk management | Art. 9: a continuous, iterative process to identify, analyse and mitigate risks throughout the lifecycle | Policy enforcement, PII masking, blocked tool tracking
Data governance | Art. 10: governance practices for training, validation and test data, including bias examination and safeguards for personal data | Automatic PII/secret masking before logs are stored
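As an added illustration of the audit-trail and data-governance rows (this is example code written for this article, not TrustLoop's code, and not a form the Act prescribes), here is a small Python audit log for agent tool calls. It masks personal data and secrets before a record is stored, hash-chains each record to its predecessor so that later edits to, or removal of, earlier records are detectable, and prunes only a retention-expired prefix while keeping the remainder verifiable. Articles 12 and 19 require automatic logging and six-month retention; the hash chain, the masking regexes, the event names and the timestamps are this example's own constructed choices.

```python
"""Tamper-evident, PII-masked audit log for AI agent tool calls.

Added example, not TrustLoop's code. Art. 12 of the EU AI Act requires
automatic event logging and Art. 19 requires deployers to retain logs for
at least six months; neither mandates a hash chain or a masking scheme.
Patterns, events and timestamps below are constructed for illustration.
"""
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed patterns for the kinds of secrets and personal data that must
# not reach stored logs; a real deployment would use a proper scanner.
_PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "<EMAIL>"),
    (re.compile(r"\b(?:sk|api)[-_][A-Za-z0-9]{8,}\b"), "<API_KEY>"),
    (re.compile(r"(?i)bearer\s+[A-Za-z0-9._-]+"), "Bearer <TOKEN>"),
    (re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b"), "<CARD>"),
]


def mask(value):
    """Recursively replace sensitive substrings inside nested dict/list payloads."""
    if isinstance(value, str):
        for pat, repl in _PATTERNS:
            value = pat.sub(repl, value)
        return value
    if isinstance(value, dict):
        return {k: mask(v) for k, v in value.items()}
    if isinstance(value, list):
        return [mask(v) for v in value]
    return value


def _digest(record):
    # Canonical JSON so the hash does not depend on key order or whitespace.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditLog:
    GENESIS = "0" * 64
    RETENTION = timedelta(days=183)  # at least six months (Art. 19)

    def __init__(self):
        self.records = []
        self.anchor = self.GENESIS  # hash the surviving chain starts from
        self.next_seq = 0

    def append(self, agent, tool, args, result, decision="allowed", ts=None):
        prev = self.records[-1]["hash"] if self.records else self.anchor
        rec = {
            "seq": self.next_seq,
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "agent": agent,
            "tool": tool,
            "args": mask(args),      # masked before anything is stored
            "result": mask(result),
            "decision": decision,    # e.g. allowed / blocked / escalated
            "prev_hash": prev,
        }
        rec["hash"] = _digest(rec)
        self.records.append(rec)
        self.next_seq += 1
        return rec

    def verify(self):
        """(True, None) if every record chains to its predecessor and its own
        hash, otherwise (False, seq of the first record that fails)."""
        prev = self.anchor
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev_hash"] != prev or _digest(body) != rec["hash"]:
                return False, rec["seq"]
            prev = rec["hash"]
        return True, None

    def prune(self, now):
        """Drop records older than the retention window. Only a prefix can go:
        the hash of the last dropped record becomes the new anchor, so the
        remaining records still verify. Returns the number dropped."""
        cutoff = now - self.RETENTION
        dropped = 0
        while self.records and datetime.fromisoformat(self.records[0]["ts"]) < cutoff:
            self.anchor = self.records.pop(0)["hash"]
            dropped += 1
        return dropped


def demo():
    """Constructed walkthrough: two events, a tamper attempt, then a prune."""
    log = AuditLog()
    t0 = datetime(2025, 1, 10, tzinfo=timezone.utc)
    log.append("support-agent", "send_email",
               {"to": "alice@example.org", "auth": "Bearer eyJabc.def"},
               "sent", ts=t0)
    log.append("support-agent", "refund",
               {"card": "4111 1111 1111 1111", "key": "sk-a1b2c3d4e5f6"},
               "blocked by policy: amount over limit", decision="blocked",
               ts=t0 + timedelta(days=200))
    masked_ok = (log.records[0]["args"]["to"] == "<EMAIL>"
                 and log.records[0]["args"]["auth"] == "Bearer <TOKEN>"
                 and log.records[1]["args"]["card"] == "<CARD>"
                 and log.records[1]["args"]["key"] == "<API_KEY>")
    intact = log.verify()
    log.records[1]["decision"] = "allowed"   # someone rewrites history
    tampered = log.verify()
    log.records[1]["decision"] = "blocked"   # restore the genuine value
    dropped = log.prune(now=t0 + timedelta(days=200))
    return {"masked_ok": masked_ok, "intact": intact, "tampered": tampered,
            "dropped": dropped, "after_prune": log.verify()}


if __name__ == "__main__":
    print(demo())
```

A hash chain detects modification or removal of earlier records, but not truncation of the newest ones: for that, the latest hash has to be copied somewhere the agent's operators cannot rewrite, which is what external or blockchain anchoring provides. Masking before hashing is deliberate; if raw values were hashed and then masked, the stored record could never be re-verified.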

The five-minute compliance checklist

If you need to get a handle on your current compliance position, run through these five checks:

Penalties — and why they matter even outside the EU

The EU AI Act carries fines of up to €35 million or 7% of global annual turnover, whichever is higher, for the most serious violations, exceeding even GDPR's €20 million or 4%. Prohibited AI practices carry that highest tier; breaches of the high-risk system obligations sit at €15 million or 3% of turnover, and supplying incorrect or misleading information to authorities at €7.5 million or 1% (Article 99). For SMEs and start-ups the lower of the two amounts applies.

More importantly for US-based companies: the Act applies extraterritorially. If your AI system produces outputs that are used in the EU, or if you provide AI systems to EU-based operators, you are in scope. This is the same market reach principle that made GDPR a global standard despite being EU regulation. Expect the EU AI Act to do the same.

The companies that treat EU AI Act compliance as a European problem will be surprised when their US enterprise customers start requiring AI governance documentation as part of vendor due diligence. This is already happening.

The bottom line

The EU AI Act is not a future regulatory risk. For many AI agent deployments, it is a present requirement. The organisations that are ahead of it are the ones that built governance infrastructure as a foundation rather than a retrofit — because when a regulator asks to see your audit trail, you want to be producing evidence, not building a system to generate it.

Compliance is not the end goal. It is the floor. The real advantage of governing your AI agents well is that you understand what they're doing, you can stop them when something goes wrong, and you can demonstrate that control to anyone who asks — customer, partner, regulator, or board.

EU AI Act compliant in under 5 minutes.

TrustLoop covers audit trail, human oversight, transparency, risk management and data governance — all five requirement categories in the table above — with a single integration and zero code changes to your existing agents.

Start free — no credit card