
Introduction
The EU AI Act is no longer a horizon risk. It entered into force in August 2024, prohibited AI practices became enforceable in February 2025, and a cluster of high-risk system obligations lands in August 2026. Boards that haven't started asking hard questions about their AI exposure are already behind.
The active consultation cycle makes this moment consequential. The European Commission is currently finalizing guidance that will determine exactly how obligations are interpreted and enforced. Organizations that engage during this window shape the rules they'll later be required to follow. Organizations that don't will comply with whatever was decided without their input.
This guide is written for boards, C-suite executives, and legal and risk leaders — particularly at US-based enterprises with EU market exposure, EU customers, or AI systems that touch EU residents. It covers:
- How the consultation process works and who can participate
- Which organizations fall within scope
- Which consultations are currently active and their deadlines
- The governance steps executive teams should take before August 2026
TLDR
- The EU AI Act applies to US companies whose AI systems are used by EU residents or sold into EU markets
- Four risk tiers determine your compliance burden: unacceptable, high, limited, and minimal
- August 2, 2026 is the critical deadline—high-risk AI obligations and serious incident reporting both apply from that date
- Consultations on high-risk classification and Article 50 transparency are open now—outputs will set enforcement expectations
- Boards need an AI system inventory, clear accountability structures, and oversight frameworks in place before obligations kick in
What Is the EU AI Act Consultation Process?
The EU uses formal stakeholder consultation as a structured part of how law gets operationalized. The European Commission publishes draft guidance, implementing acts, or technical frameworks—then invites written feedback before those documents are finalized. Unlike lobbying, this is an official mechanism where submissions directly influence the final text.
The Commission's Have Your Say portal is the primary access point for open consultations. AI Act-specific consultations are also published on the Shaping Europe's Digital Future site. The Future of Life Institute maintains a widely used non-official tracker at artificialintelligenceact.eu.
Why Participation Matters
Consultation outputs—guidance documents, codes of practice, implementing acts—don't change the core Regulation text. But they interpret and operationalize it, which makes them highly consequential for compliance decisions.
Organizations that engage during consultations often face fewer compliance surprises than those that wait for final rules. Feedback submitted on draft guidance can shift:
- Classification thresholds and system categorization
- Definition language that determines scope of obligations
- Enforcement priorities that shape where regulators focus first
These shifts can materially affect compliance costs before rules are ever finalized.
The Commission's official language opens participation to "citizens and stakeholders." Major US industry associations and global companies have participated in prior rounds without restriction, and no primary source expressly limits participation to EU entities.
The EU AI Act's Risk-Based Approach and Who It Applies To
The Four-Tier Framework
The Act categorizes every AI system into one of four risk levels. That classification determines nearly everything about compliance burden:
| Risk Tier | Example Systems | Compliance Requirement |
|---|---|---|
| Unacceptable | Social scoring, real-time biometric surveillance in public spaces | Banned outright |
| High | HR screening tools, credit scoring, medical devices, critical infrastructure | Strict pre-market and ongoing obligations |
| Limited | Chatbots, deepfake generators, emotion recognition | Transparency disclosures only |
| Minimal | Spam filters, AI in video games | No specific obligations |
High-risk systems fall into two buckets under the Act: AI embedded in products covered by EU product safety legislation (medical devices, machinery), and standalone AI systems listed in Annex III—covering employment decisions, credit scoring, critical infrastructure, law enforcement, education, and migration.

Territorial Scope: Why US Companies Are In Scope
Article 2 of Regulation 2024/1689 applies the Act to:
- Providers placing AI systems on the EU market, regardless of where they're established
- Deployers located or established in the EU
- Providers and deployers in third countries where AI output is used in the EU
- Importers, distributors, and authorized representatives of non-EU providers
A US company selling an AI-powered HR tool to European enterprises is a provider within scope. A US parent whose European subsidiary deploys AI tools is within scope through its deployer entity. The extraterritorial reach is comparable to GDPR.
Provider vs. Deployer—Get This Right First
The Act assigns different obligation sets to providers (those who develop or place AI systems on the market) and deployers (those who use AI systems in a professional context). A US company can be a provider, a deployer, or both — determined by whether it develops and places the system on the market or simply uses it.
Getting this classification right early matters: providers carry the heavier technical and documentation burden, while deployers face obligations around use-case transparency, human oversight, and fundamental rights impact assessments.
General Purpose AI (GPAI) Models
GPAI providers—foundation model developers—face a separate obligation set under Chapter V. All GPAI providers must publish training data summaries and comply with copyright law, including text and data mining (TDM) reservations.
Providers of GPAI models with systemic risk face additional duties:
- Model evaluations and adversarial testing before deployment
- Incident reporting to the AI Office
- Ongoing cybersecurity measures
Systemic risk is presumed when training compute exceeds 10²⁵ FLOPs under Article 51. Notably, the European AI Office—not national authorities—enforces GPAI obligations.

Active EU AI Act Consultations: What's Open and Why They Matter
Several consultations have recently closed or are currently active. Each one will produce guidance that defines how the Act is applied in practice.
High-Risk AI Classification Guidelines (Active Through June 23, 2026)
The Commission opened a targeted consultation on draft classification guidelines on May 19, 2026, closing June 23, 2026 at 22:00 CET. This follows an earlier public consultation that closed July 18, 2025.
These guidelines will directly affect how enterprises classify AI systems used in HR, credit decisioning, and health applications. Organizations deploying AI in Annex III categories should review the draft guidelines before the deadline—classification decisions determine which obligations apply, which don't, and how much compliance infrastructure you actually need to build.
Article 50 Transparency Guidelines (Active Through June 3, 2026)
A consultation on draft transparency guidelines opened May 8, 2026, and closes June 3, 2026. It covers:
- AI systems that interact with humans (chatbots)
- AI-generated and manipulated content, including deepfakes
- Emotion recognition and biometric categorization systems
- Machine-readable marking requirements
These transparency obligations apply broadly—including to organizations that don't deploy high-risk systems. Any company using AI-powered customer-facing tools should understand what this guidance requires.
Article 73 Serious Incident Reporting (Closed November 2025)
The Commission published draft guidance and a reporting template for serious incident reporting in September 2025; the consultation closed November 7, 2025. Starting August 2, 2026, providers of high-risk AI systems must notify national authorities when serious incidents occur. The draft addresses:
- Incident definitions and what triggers a notification
- Reporting timelines and actor obligations
- Interaction with other regulatory reporting regimes
GPAI Copyright/TDM Protocols (Closed January 2026)
A December 2025 consultation addressed technical protocols for how content rights holders can reserve their material from AI training data. The outcome directly affects what GPAI providers must do to comply with Article 53 copyright obligations. If your organization builds on or deploys foundation models, watch the GPAI Code of Practice closely—it will translate these protocol decisions into specific compliance requirements.
AI Regulatory Sandboxes (Closed January 2026)
The Commission consulted on a draft implementing act for AI regulatory sandboxes—controlled environments for testing AI systems under regulatory supervision. Member States must have at least one national sandbox operational by August 2, 2026. For organizations building novel AI systems, sandboxes offer a way to develop compliance relationships with regulators before full enforcement begins.
EU AI Act Implementation Timeline: Critical Deadlines
The Act's obligations apply in phases. Missing the phased structure is a common source of planning errors.
| Date | Milestone |
|---|---|
| August 1, 2024 | Act entered into force |
| February 2, 2025 | Prohibited AI practices (Title II) became enforceable |
| August 2, 2025 | GPAI obligations applied |
| August 2, 2026 | High-risk Annex III systems, serious incident reporting, national sandbox requirements |
| August 2, 2027 | High-risk rules for AI embedded in Annex I products |

The official implementation timeline is maintained by the Commission's AI Act Service Desk.
August 2026 is where the compliance burden concentrates. High-risk system conformity assessments, EU database registration, serious incident reporting infrastructure, and deployer human oversight requirements all land simultaneously. Conformity assessments alone typically require 12–18 months of documentation and internal review — organizations that defer planning past mid-2025 will run out of time.
Compliance doesn't end at that date either. The Act requires continuous obligations: annual conformity reassessments for some high-risk systems, GPAI Code of Practice reviews at least every two years, and ongoing post-market performance monitoring. Boards and audit committees should expect standing agenda items — not a single sign-off.
What Boards and Executive Teams Should Do Before Obligations Kick In
Start with an AI System Inventory
Boards cannot govern what they cannot see. The first step is a structured inventory of all AI systems in use or under development, mapped against the EU AI Act's risk categories.
The inventory needs to answer:
- Which systems qualify as high-risk under Annex III or Annex I product categories?
- Which systems trigger transparency obligations under Article 50?
- What role does the organization play—provider, deployer, or both—for each system?
- Which systems involve GPAI models, and who is the model provider?
This is not an IT task. It requires executive ownership because the classification decisions have material compliance and liability implications.
Assign Accountability and Build Oversight Structure
Once the inventory is complete, the governance question becomes ownership. The Act's human oversight requirements and incident reporting obligations don't work without named accountability — and before August 2026, organizations need clear answers to:
- Who is accountable for AI risk governance at the executive level?
- Who approves deployment of high-risk AI systems?
- What are the escalation thresholds and paths to the board?
- How will the organization satisfy mandatory human oversight requirements in practice?

For organizations moving quickly from zero formal AI governance to a defensible posture, Tyson Martin's 30-day AI Governance Starter Pack delivers an AI risk assessment, decision-rights map, board-level AI policy, and a facilitated director briefing. Ongoing governance support — including an AI risk register, board-ready oversight reporting, and quarterly reviews — gives directors a credible answer to regulators and auditors.
Track Consultations and Engage Regulatory Outputs
Guidance emerging from current consultations will define enforcement expectations. Waiting for final rules is a higher-risk posture than engaging during the drafting phase.
Organizations with EU market exposure should designate someone responsible for:
- Monitoring the Commission's digital strategy portal for new consultations
- Reviewing draft guidance documents when published
- Submitting comments when the organization has relevant operational experience
Organizations that engage only with final text — skipping the guidance developed through this process — often discover they've misread their actual obligations after enforcement expectations are already set.
Frequently Asked Questions
What is the consultation procedure in EU law?
The EU consultation process is a formal mechanism where the European Commission publishes draft guidance, implementing acts, or frameworks and invites written feedback from stakeholders before those documents are finalized. Submissions directly shape the final text of guidance documents and codes of practice that determine how the law applies in practice.
What approach does the EU AI Act take?
The Act takes a risk-based approach, categorizing AI systems into four tiers—unacceptable, high, limited, and minimal risk—and calibrating compliance obligations based on the potential harm a system could cause to health, safety, or fundamental rights. Higher-risk systems face significantly more demanding requirements.
Who is in scope for the EU AI Act?
Any provider, importer, distributor, or deployer of AI systems that places products on the EU market—or whose systems affect people within the EU—is in scope. This includes non-EU companies: US businesses that sell or operate AI-enabled products or services in European markets fall within scope as providers, or through their EU-based importers and distributors.
Does the EU AI Act apply to US companies?
Yes. The Act has extraterritorial reach similar to GDPR. If a US company's AI system is used by EU residents or sold into the EU market, the company falls within scope as a provider—or through its EU-based importers, distributors, or subsidiary deployers.
What are the penalties for non-compliance?
Article 99 sets three penalty tiers: up to €35 million or 7% of global annual turnover for prohibited AI practice violations; up to €15 million or 3% for other Act obligations; and up to €7.5 million or 1% for providing incorrect information to authorities. SMEs and startups pay the lower of the fixed amount or the percentage figure. National market surveillance authorities handle most enforcement; the EU AI Office enforces GPAI rules.
When do EU AI Act compliance obligations take effect?
Prohibitions on unacceptable-risk AI applied from February 2025. GPAI obligations applied from August 2025. High-risk Annex III system obligations and serious incident reporting requirements apply from August 2, 2026. Governance preparation should begin now—building conformity assessment processes, oversight structures, and incident reporting infrastructure takes months, not weeks.


