EU AI Act enforcement: what the May 2026 milestone means for Cyprus

The European Union's AI Act entered its first enforceable phase in May 2026. From this month, providers of general-purpose AI models and high-risk systems operating in the EU — including in Cyprus — must meet specific transparency, risk-management and post-market monitoring obligations.

For most BINA Cyinnovation Hub readers, three changes matter:

1. Transparency for general-purpose models

Foundation-model providers must publish a "sufficiently detailed summary" of training data sources, alongside a copyright-compliance policy. The European AI Office has released a templated form; Cypriot SMEs deploying these models bear no direct duty, but should request the same documentation from upstream providers.

2. High-risk system registration

If your organisation operates an AI system in any of the Annex III domains — biometric identification, critical infrastructure, employment, education, essential services — it must now appear on the EU's AI System Register before being put on the market.

3. Right to explanation

End-users affected by a high-risk system's decision have a right to a "meaningful explanation" of how the system reached its conclusion. This is not a right to the model weights; it is a right to the reasoning chain in terms a layperson can act on.

What's next

The next milestone — August 2026 — extends obligations to most general-purpose models. We will publish a follow-up brief mid-July with checklists for Cypriot non-profits and public-sector bodies.

In the meantime, the Cyprus Digital Security Authority has published Greek-language guidance at csa.gov.cy/ai-act; the AI Office's official documentation is at digital-strategy.ec.europa.eu.