EU AI Act

The EU Artificial Intelligence Act (AI Act) is the world’s first comprehensive regulatory framework for artificial intelligence. It formally entered into force in August 2024 and is being phased in over several years. For Irish businesses, the timeline is accelerating, and national implementation guidance is expected in Q1 2026. This article sets out where things currently stand, what obligations already apply, and what is coming next.

Current Requirements in Force

The first provisions of the AI Act are already live. From February 2025, certain AI practices are prohibited across the EU. These include systems that manipulate behaviour, exploit vulnerabilities of specific groups, or conduct real-time biometric surveillance in public spaces. Irish organisations developing or deploying AI should have audited their systems to confirm they are not relying on any banned use cases.

The Act also requires that AI literacy be addressed. Providers and deployers must ensure that relevant staff and users understand the capabilities, risks, and limitations of AI systems. While precise expectations will be further clarified, businesses should begin integrating AI training into their compliance and risk management frameworks.

General-Purpose AI (GPAI)

From August 2025, obligations for general-purpose AI models (GPAI) began to take shape. Providers of these large-scale models must ensure transparency and robust documentation. This includes publishing summaries of training data sources, technical documentation, and clarifying whether copyright-protected materials were used.

To support this transition, the European Commission published a Code of Practice for GPAI in July 2025. Although voluntary, adherence provides legal clarity and is likely to be viewed favourably by regulators. Enforcement of GPAI obligations will begin in August 2026, with existing models given until August 2027 to comply fully.

High-Risk AI Systems

The most stringent obligations apply to high-risk AI systems, such as those used in credit scoring, employment recruitment, education, healthcare, or critical infrastructure. These systems will require:

• A quality management system

• Documented risk assessments and mitigation measures

• Human oversight mechanisms

• Transparency obligations for affected individuals

• In some cases, independent conformity assessments carried out by accredited bodies

These requirements begin applying from August 2026, with grace periods depending on whether systems were placed on the market before or after that date.

Enforcement and Penalties

The European AI Office is now operational, overseeing GPAI providers and coordinating enforcement across the EU. In parallel, Member States must designate national supervisory authorities.

Penalties for non-compliance are significant:

• Up to €35 million or 7% of global turnover for breaches of prohibitions

• Up to €15 million or 3% of global turnover for other violations

• Up to €7.5 million or 1.5% of global turnover for supplying incorrect or misleading information to authorities

For Irish organisations, this means that AI governance is no longer optional—regulators will expect clear documentation, accountability, and proactive compliance efforts.

Ireland’s Implementation Roadmap

Ireland has opted for a distributed enforcement model, with multiple regulators designated to oversee sector-specific AI obligations. These include the Data Protection Commission, Central Bank of Ireland, and Competition and Consumer Protection Commission, among others. A lead coordinating regulator will be announced in due course.

Irish oversight bodies responsible for fundamental rights have also been named, though many have yet to receive additional resources. Concerns remain that without sufficient investment, Ireland risks being underprepared for full enforcement.

The Irish Government has committed to issuing further national guidance in Q1 2026, providing businesses with clearer direction on how the AI Act will be applied domestically. There are also proposals for a National AI Office, which would operate in a similar way to the Data Protection Commission but with a focus on AI governance.

Preparing Your Business

Irish businesses should not wait until 2026. Now is the time to:

• Conduct an AI system inventory and assess whether any are prohibited or high-risk

• Begin developing AI literacy training programmes for staff

• If using or providing GPAI models, start preparing technical documentation and risk assessments

• Align AI governance with existing GDPR and ISO 27001/27701 practices

• Monitor Irish Government announcements closely in early 2026 for sector-specific rules and enforcement detail

Conclusion

The EU AI Act marks a fundamental shift in how AI systems must be designed, deployed, and monitored. For Irish businesses, the challenge is twofold: keeping pace with phased EU obligations while also preparing for national-level guidance expected in early 2026. Organisations that act now—by embedding governance, transparency, and literacy—will not only reduce compliance risk but also build trust and resilience in the age of regulated AI.