Thirty days. That’s roughly how long it’s taken the EU AI Act’s enforcement layer to go from a provisional text agreement to named experts sitting on an independent review panel.
The pace matters. Between May 1 and June 1, 2026, the EU finalized the Digital Omnibus amending text, published revised compliance deadlines, opened a consultation on high-risk classification under Article 6, and now staffed the Scientific Panel and Advisory Forum that will support the European AI Office in executing enforcement. That’s not the rhythm of a regulation still in setup mode. That’s an enforcement timeline moving.
The question this deep-dive answers isn’t what happened on June 1. The daily brief covers that. The question is what the 30-day pattern means for organizations that need to build compliance programs against a framework that was still forming when they started planning.
What’s now operational
Start with what the European Commission has confirmed as active.
The prohibited practices ban took effect in February 2025. AI systems that deploy subliminal manipulation, exploit vulnerabilities of specific groups, enable real-time remote biometric surveillance in public spaces (with narrow law enforcement exceptions), or use social scoring are banned outright across the EU. That’s not pending. That’s enforced.
GPAI model obligations took effect August 2, 2025. General-purpose AI model providers, any organization making a GPAI model available in the EU, must comply with transparency obligations, maintain technical documentation, and adhere to copyright policy requirements. Providers of GPAI models with systemic risk face additional obligations: adversarial testing, incident reporting to the AI Office, and cybersecurity measures. The Scientific Panel appointed June 1 is specifically structured to support AI Office enforcement of these systemic risk obligations.
The AI Office itself is operational. It has issued the GPAI Code of Practice, a voluntary framework that shapes how model providers demonstrate compliance with the Act’s GPAI obligations. Participation in the Code of Practice is voluntary; compliance with the underlying GPAI obligations is not.
Three enforcement bodies now have named members. The Scientific Panel brings independent technical experts to evaluate model compliance. The Advisory Forum, whose permanent seats are held by the Fundamental Rights Agency (FRA), the European Union Agency for Cybersecurity (ENISA), and standards bodies CEN, CENELEC, and ETSI, provides a multi-stakeholder advisory layer. Neither body issues fines. Both inform the enforcement decisions of the AI Office, which does.
What’s still forming
Two major enforcement layers remain incomplete.
The first is the Article 6 high-risk classification framework. The EU AI Act’s Annex III lists the use-case categories that trigger high-risk classification, employment screening, critical infrastructure management, law enforcement applications, access to essential services, and others. But the specific criteria for classifying AI systems within those categories are still being developed through guidance. The public consultation on Article 6 guidelines closes June 23. What comes out of that consultation will determine the scope of high-risk compliance obligations for a wide range of AI deployments.
Before June 23: Article 6 Consultation Action Items
- Confirm whether any deployed AI systems fall within Annex III use-case categories
- Assess current classification assumption (high-risk vs. general-purpose) against draft Article 6 criteria
- Prepare and submit technically grounded feedback to EU AI Office consultation
- Document classification rationale for audit trail regardless of submission decision
EU AI Act Scientific Panel and Advisory Forum, Who Holds Seats
Don’t underestimate the stakes of that consultation. High-risk classification under Article 6 triggers a specific compliance pathway: conformity assessments, technical documentation under Annex IV, human oversight measures, registration in the EU AI database, and, for providers placing systems on the market, third-party conformity assessment in many cases. Organizations whose AI systems sit near the boundary of Annex III categories have real incentive to submit technically grounded feedback before June 23. The Scientific Panel will review those submissions. The panel that was hypothetical two weeks ago now has faces.
The second incomplete layer is Annex III full compliance itself. Thanks to the Digital Omnibus provisional agreement, which the May 28 deadline map brief covers in full, the full compliance deadline for use-based high-risk AI systems shifted 16 months, from August 2, 2026 to December 2, 2027. That’s a meaningful extension. It’s also a bounded one.
The June 23 action window
Compliance teams have 22 days as of this publication to submit feedback to the EU AI Office consultation on Article 6 high-risk classification guidelines.
Three questions are worth tracking as you consider whether to submit:
*First:* Does your organization deploy AI systems in any Annex III use case category, employment screening, critical infrastructure, biometric categorization, access to education or essential services, law enforcement, border management, administration of justice, or democratic processes? If so, the Article 6 guidelines being finalized through this consultation will govern your classification status.
*Second:* Are you building compliance programs now, before the December 2027 deadline, on an assumption about whether your systems are high-risk? If the consultation results in narrowed criteria, some systems you’re treating as high-risk may fall out of scope. If they expand, systems you’ve scoped as general-purpose may be pulled in. Either outcome is disruptive to a compliance program already under construction.
*Third:* The prior TJS coverage of this consultation, the June 23 deadline brief from May 29, details what compliance teams should actually submit. The practical guidance from that brief applies directly to the consultation window that closes in 22 days.
The enforcement timeline, what’s active vs. pending
The sequence matters for compliance planning. Here’s where each layer sits:
EU AI Act Enforcement Capacity, Before and After June 1
Warning
Organizations building Annex III compliance programs on pre-consultation assumptions about Article 6 classification criteria carry scope risk in both directions. If the June 23 consultation results narrow the high-risk definition, resources allocated to out-of-scope systems are wasted. If the criteria expand, programs scoped as general-purpose face sudden high-risk compliance burdens. The consultation window is the last formal input channel before criteria are set.
| Date | Milestone | Status |
|—|—|—|
| February 2025 | Prohibited practices ban | Active, enforced |
| August 2, 2025 | GPAI model obligations | Active, enforced |
| June 1, 2026 | Scientific Panel + Advisory Forum appointed | Active, operational |
| June 23, 2026 | Article 6 high-risk classification consultation closes | Pending, 22 days |
| December 2, 2026 | Article 50(2) synthetic content transparency obligations | Pending |
| December 2, 2027 | Annex III high-risk AI system full compliance | Pending, Digital Omnibus deferred |
That timeline has a specific shape. The obligations that have been active longest, prohibited practices and GPAI model requirements, are also the ones where enforcement infrastructure is now most complete. The obligations still forming, high-risk classification criteria and Annex III full compliance, are the ones where organizations have the most ability to influence the outcome, but only for another 22 days on Article 6.
What the pattern means
The May 21 brief on compliance machinery activation framed the broader story: the EU AI Act’s infrastructure has been coming online in sequence, not all at once. Each activation step has reduced the distance between policy text and enforcement action.
The Scientific Panel appointment closes that distance further. Before June 1, the AI Office had legal authority to enforce GPAI obligations. After June 1, it has named technical experts to support those enforcement evaluations. That’s the difference between a regulator with a mandate and a regulator with capacity.
The real question is timing of first enforcement action. The AI Office has been deliberately methodical, consulting extensively, publishing codes of practice, allowing market participants to adapt. That approach won’t last indefinitely. The enforcement infrastructure is now operational enough to act. The question for compliance teams isn’t whether enforcement is coming. It’s whether the programs they’re building now will hold up when it does.
The June 23 consultation window is the last formal input channel before the Article 6 criteria that will govern enforcement are set. Organizations that participate shape the framework. Organizations that don’t get the framework as others designed it.