What is the EU AI Act and what does it mean for your company?
Status: 14 July 2026. Legal deadlines change; always verify important details against the original sources linked at the end of this article.
The EU AI Act is the first comprehensive AI law in the world. It already applies, but in stages: some obligations have been binding since 2025, the next major deadline is 2 August 2026, and the high-risk obligations were postponed to the end of 2027 in June 2026. Exactly this mixed picture causes confusion. This article explains what the AI Act is, which obligations hit your company and when, and where you can find the original sources.
This article is an editorial overview and not legal advice. It does not replace a legal assessment of your individual situation. For binding answers, please consult a law firm specialising in IT law and data protection.
- The AI Act already applies, but in stages: the bans and the AI literacy duty have been binding since February 2025.
- The next deadline is 2 August 2026: transparency obligations for chatbots, deepfakes and AI-generated content.
- The high-risk obligations (for example recruiting AI) were postponed to 2 December 2027 by the EU Digital Omnibus.
- Fines reach up to 35 million euros or 7 percent of worldwide annual turnover; SMEs pay the lower of the two amounts.
- Each member state designates its own supervisory authorities; the EU AI Act Service Desk offers guidance in all EU languages.
What is the EU AI Act?
The AI Act is Regulation (EU) 2024/1689. It was published in the Official Journal of the EU on 12 July 2024 and entered into force on 1 August 2024. As an EU regulation, it applies directly in every member state without any national transposition law. Only supervision is organised nationally; more on that below.
At its core is a risk-based approach: the greater the risk an AI system poses to health, safety or fundamental rights, the stricter the obligations. Some practices are banned outright, high-risk systems face strict requirements, certain systems carry transparency obligations, and the large remainder stays largely unregulated. The regulation also applies to providers outside the EU as soon as their systems are used within the EU.
Important: the timeline changed in 2026
If you read up on the AI Act in 2024 or 2025, you probably know the original timeline. It is no longer accurate. With the so-called Digital Omnibus on AI, an amendment that changes the AI Act after the fact (proposal COM(2025) 836 of 19 November 2025), the EU postponed the high-risk deadlines and softened individual obligations. The procedure is complete: political agreement between the Council and Parliament on 7 May 2026, approval by the European Parliament on 16 June 2026, final adoption by the Council on 29 June 2026. The amending regulation enters into force on the third day after its publication in the Official Journal of the EU; publication was expected for July 2026 and was still pending when this article was finalised.
The current timeline therefore looks like this:
| Deadline | What applies |
|---|---|
| 1 August 2024 | The AI Act enters into force. |
| 2 February 2025 | Prohibited practices (Article 5) and AI literacy (Article 4) apply. |
| 2 August 2025 | Obligations for providers of general-purpose AI models (GPAI), the governance structures and the penalty framework apply. |
| 2 August 2026 | The remaining provisions apply, in particular the transparency obligations (Article 50). The European Commission starts enforcing the GPAI obligations. |
| 2 December 2026 | End of the transition period for the machine-readable labelling of AI-generated content by existing systems. A new ban on AI systems that generate non-consensual intimate imagery and child sexual abuse material takes effect. |
| 2 December 2027 | High-risk obligations for standalone systems under Annex III, for example in human resources (originally 2 August 2026). |
| 2 August 2028 | High-risk obligations for AI in regulated products under Annex I (originally 2 August 2027). |
The new high-risk deadlines are fixed dates and are no longer tied to the availability of technical standards, as the Commission proposal had envisaged. And the substantive requirements for high-risk systems remain unchanged. Postponed does not mean cancelled.
The four risk classes
The AI Act sorts AI systems into four tiers, from banned outright to obligation-free:
Prohibited practices (Article 5)
Eight practices are banned in the EU, including social scoring, targeted manipulation, the exploitation of vulnerabilities, untargeted scraping of facial images and real-time remote biometric identification in public spaces.
Especially relevant for companies: emotion recognition in the workplace is prohibited, as it is in educational institutions. From 2 December 2026, a ban on systems that generate non-consensual intimate imagery or child sexual abuse material is added.
High-risk systems (Article 6)
Annex III lists eight areas of use, including biometrics, critical infrastructure, education, law enforcement and the judiciary. Decisive for most companies: employment (recruiting, application screening, promotion, termination) and creditworthiness assessment. Annex I covers AI in regulated products such as machinery or medical devices.
High risk does not mean prohibited. It means strict requirements for risk management, data quality, documentation, human oversight and robustness.
Transparency obligations (Article 50)
Anyone interacting with an AI system must be able to tell: chatbots have to identify themselves as AI, AI-generated content has to carry a machine-readable label, and deepfakes as well as AI-generated texts on matters of public interest have to be disclosed.
There are exceptions, for example for evidently artistic content and for texts published under human editorial responsibility.
Everything else
The vast majority of AI applications, such as spam filters or recommendation systems, face no specific obligations under the regulation.
Voluntary codes of conduct remain possible; nothing is mandatory here.
Cutting across these tiers are the GPAI models (general-purpose AI, meaning foundation models such as GPT, Claude or Gemini): since 2 August 2025 their providers must supply technical documentation, present a copyright policy and publish a summary of the training data. For particularly capable models with systemic risk, evaluation and reporting duties come on top. The GPAI Code of Practice of 10 July 2025 serves as guidance; its signatories include Amazon, Anthropic, Google, IBM, Microsoft, Mistral AI and OpenAI. If your company merely uses such models, these obligations do not hit you directly. Our AI glossary explains the terminology behind all of this.
Provider or deployer: which role does your company have?
The obligations depend on the role. Providers develop AI systems or have them developed and place them on the market under their own name; for high-risk systems they carry the main burden (conformity assessment, CE marking, quality management, registration). Deployers use AI systems under their own authority in a professional context. This is the role most companies find themselves in: if you use ChatGPT, Claude or Copilot in your daily work or embed a purchased chatbot on your website, you are a deployer.
Beware of the role switch under Article 25: a deployer legally becomes a provider if it offers a high-risk system under its own name or brand, substantially modifies it, or changes the intended purpose of a system in a way that turns it into a high-risk system. So if you fine-tune a foundation model for a high-risk purpose or resell a purchased tool under your own brand, you should examine the role question carefully.
What already applies to your company today?
First: do not use prohibited practices (since 2 February 2025). In practice this means above all: no emotion recognition directed at employees, no social scoring, no manipulative AI systems. Violations carry the highest fines in the regulation.
Second: AI literacy under Article 4 (also since 2 February 2025). Providers and deployers must see to it that the people working with AI systems have a sufficient level of AI literacy. That affects practically every company using AI, regardless of size. The omnibus rephrases the provision as a softer support duty (to “support” the development of AI literacy instead of to “ensure” it). In practical terms, little changes: if your staff work with AI, you should train them in a documented way. Market surveillance of this begins in August 2026.
What arrives on 2 August 2026?
With the next deadline, the transparency obligations under Article 50 become binding. Concretely, for deployers: a chatbot on your website must identify itself as AI (the duty to design it that way sits with the provider of the system; the duty to choose a compliant product sits with you). Anyone publishing deepfakes must disclose that they are artificially generated; the same applies to AI-generated texts that inform the public on matters of public interest, unless a human carries editorial responsibility. Providers of generative systems must label outputs in a machine-readable way; for systems placed on the market before 2 August 2026, a transition period runs until 2 December 2026. In addition, the European Commission starts enforcing the GPAI obligations against the model providers.
What comes later: the high-risk obligations
From 2 December 2027, the obligations for standalone high-risk systems under Annex III apply. For deployers, Article 26 means among other things: use the system in accordance with its instructions for use, ensure human oversight by competent and trained people, keep control over relevant input data, retain the automatically generated logs for at least six months, and inform employees and their representatives before a high-risk system is put to use in the workplace. So if you use AI in recruiting or for credit decisions (or plan to), now is the time to align your processes and contracts. From 2 August 2028, the product-integrated systems under Annex I follow.
Penalties: what violations can cost
The penalty framework (Article 99) has applied since 2 August 2025 and is staggered in three tiers:
- Up to 35 million euros or 7 percent of worldwide annual turnover: prohibited practices under Article 5.
- Up to 15 million euros or 3 percent: violations of central obligations, including provider, deployer and transparency obligations.
- Up to 7.5 million euros or 1 percent: supplying incorrect information to authorities.
For companies, the higher of the two amounts applies in each tier; for SMEs and start-ups, the lower one.
On top of that, SMEs get relief elsewhere: preferential access to AI regulatory sandboxes, simplified documentation forms, and further easing through the omnibus, including for so-called small mid-caps.
Supervision: national authorities plus an EU service desk
The AI Act itself is directly applicable EU law, but market surveillance is organised nationally: each member state designates its own competent authorities through a national implementing act, so who supervises you depends on where you operate. At the EU level, the AI Act Service Desk has been available since October 2025, including a compliance checker, in all official EU languages; it is a good first stop for orientation regardless of your member state.
One example: Germany. Its implementing act, the KI-MIG, passed the Bundestag on 11 June 2026 and was approved by the Bundesrat on 10 July 2026; it makes the Bundesnetzagentur (Federal Network Agency) the central market surveillance authority, with BaFin covering the financial sector and the data protection authorities keeping their remit. Check which authorities your own member state has designated.
First steps: how to approach it
- Build an AI inventory: which AI systems are in use in your company, including unofficial ones (shadow AI)? Without an inventory there is no classification.
- Determine the risk class per system: does a system touch prohibited practices? Does it fall under Annex III (above all HR and credit)? Do transparency obligations apply?
- Clarify your role: are you a deployer or (also) a provider? Watch out for the role switch under Article 25 in cases of own branding, substantial modification or a change of purpose.
- Train your staff: build documented AI literacy under Article 4; it is the foundation for meaningful AI use anyway.
- Prepare for transparency by 2 August 2026: settle chatbot labelling, the handling of AI-generated content and deepfake disclosure.
- Tackle high-risk cases early: if you use or plan recruiting or scoring AI, prepare deployer obligations, contracts with providers and employee information now, not at the end of 2027.
- Watch the developments: keep an eye on the Official Journal publication of the omnibus, Commission guidelines and the work of your national authorities.
Official sources and legal texts
- Regulation (EU) 2024/1689, full text (EUR-Lex)
- Digital Omnibus proposal on the AI Act, COM(2025) 836 (EUR-Lex)
- Council of the EU: press release on the final adoption of the AI omnibus (29 June 2026)
- European Commission: regulatory framework for AI with the current timeline
- European Commission: AI literacy questions and answers (Article 4)
- European Commission: GPAI Code of Practice
- AI Act Explorer (unofficial, convenient full-text navigation)
Conclusion
The AI Act is no reason to panic, but it is also nothing you should sit out. The bans and the AI literacy duty already apply, the transparency obligations arrive on 2 August 2026, and the postponement of the high-risk obligations to the end of 2027 buys you time, it does not grant a free pass. If you build your AI inventory now, clarify roles and train your staff, you can work through the requirements calmly instead of scrambling under pressure in 2027.
If you would like support along the way: with the EU AI Act compliance audit I review your AI systems in a structured way for risk classes, roles and obligations. And for your team’s AI literacy under Article 4, there is the AI literacy training in the academy.
Once more, the reminder: this article is not legal advice. It reflects the legal position as of 14 July 2026.
Further reading
- AI glossary – 129 AI terms explained in plain language, including the EU AI Act, GPAI and more
- EU AI Act compliance audit – a structured inventory of your AI systems
- AI literacy training – Article 4 AI literacy for your team
