The European AI Office spent the better part of two years assembling its enforcement infrastructure — hiring technical experts, building out its audit protocols, and negotiating the boundaries of its jurisdiction with member state regulators who were reluctant to cede authority. On Tuesday, it used that infrastructure for the first time, sending formal notices to three companies that it alleges are operating high-risk AI systems in violation of the EU AI Act's Title III requirements.
The companies named — a Belgian retail analytics firm, a German airport security technology vendor, and a Dutch smart city contractor — are all deploying biometric identification or emotion inference systems in contexts that the Act categorizes as high-risk: public spaces, critical infrastructure, and employment-adjacent decision-making. None of the three had completed the mandatory conformity assessments required before deployment. None had registered their systems in the EU database of high-risk AI systems that the Act mandates. Two had not conducted the required fundamental rights impact assessments.
The formal notices are the first step in the Act's enforcement process — not yet financial penalties, but binding orders requiring the companies to suspend the relevant systems within 30 days and submit compliance documentation within 90 days. Failure to comply at either stage triggers escalating fines: up to 3% of global annual turnover for non-compliance with documentation requirements, and up to 6% for prohibited AI practices. For a company with €500 million in revenue, the ceiling is €30 million.
"The AI Office is making a deliberate choice with these first enforcement actions. They're targeting clear violations — systems that are obviously high-risk, with obviously absent compliance documentation — to establish the legal framework before going after more contested edge cases."
That strategic framing comes from Dr. Franziska Berger, head of AI policy at the Future of Life Institute's Brussels office, who has been tracking the AI Office's operations since its establishment in 2025. She notes that all three enforcement targets share a common characteristic: the companies involved were early adopters of biometric AI technology, deploying systems before the Act entered full force, and have been slow to adapt to the new compliance requirements. They are, in her assessment, "the easiest possible first cases" — which is precisely the point.
What the Industry Needs to Do Now
The enforcement actions are being watched closely by a much broader universe of companies than the three named in Tuesday's notices. Estimates from the European AI Alliance suggest that between 800 and 1,200 AI systems currently deployed across EU member states may fall into the high-risk category — and of those, fewer than 15% have completed the full compliance process the Act requires. The gap between what companies have deployed and what they've documented is enormous.
Legal teams at major technology companies and enterprise software vendors are now in triage mode. The compliance requirements for high-risk systems are substantial: technical documentation covering the system's purpose, architecture, training data, and performance characteristics; conformity assessment conducted by either internal or notified-body auditors; registration in the EU's high-risk AI database; and an ongoing monitoring and incident reporting obligation. For systems already deployed, there is a 24-month grace period from the Act's full entry into force — but that window closes in August 2026, and the AI Office's Tuesday action signals clearly that it intends to enforce before the deadline, not after.
The most significant precedent the Tuesday notices set may be procedural rather than substantive. By initiating enforcement under the high-risk classification provisions — rather than the Act's prohibited AI categories, which are legally cleaner but operationally rarer — the AI Office has established that the compliance framework applies immediately to deployed systems, not just to future deployments. That interpretation, if it holds through the inevitable legal challenges, will define the regulatory environment for AI in Europe for years to come.
