ComplianceJuly 20268 min read
The EU AI Act for businesses: what actually applies to you
The EU AI Act looks scary from a distance and much less so up close. Here is what actually applies to you, what is already in force, what got pushed back, and where to start without hiring a law firm.
The EU AI Act in three sentences, no legal jargon
The EU AI Act is the European regulation that governs how AI is used, not the technology itself. Its logic fits in one idea: the more an AI use can harm people, the heavier the obligations. Everything else, the vast majority of business cases, is mostly common sense and transparency. I am not a lawyer and this is not legal advice: it is a field read to help you see where you stand and what to do first.
Are you concerned? User, deployer, provider
The regulation does not treat everyone the same. Your first question is not 'am I concerned' but 'in what capacity'. Three roles to tell apart, and you can hold several at once depending on the project.
- Plain user, in a personal capacity: you use ChatGPT or an assistant for yourself, outside work. You sit outside the scope of business obligations.
- Deployer: you run an AI system in your business (a support assistant, a CV screener, a decision aid). This is the case for the vast majority of companies, and it carries obligations, especially when the use is sensitive.
- Provider: you build an AI system, or put your brand on it, or modify it substantially. Here the obligations are the heaviest. Many companies become providers without realizing it, for instance by wrapping a model under their own product.
The risk-tier logic, without the jargon
The regulation sorts uses into four tiers. You do not need to know the articles, only which tier each of your cases lands on.
- Unacceptable risk: banned, full stop. Social scoring, manipulation, certain surveillance. If you are in there, it is not a compliance topic, it is a stop-doing-it topic.
- High risk: allowed but tightly framed. Hiring, credit, health, education, safety, HR. This is where the real obligations sit: documentation, human oversight, data quality, traceability.
- Limited risk: allowed with transparency. A chatbot, a generated image or text must be flagged as such. This is the most common business case.
- Minimal risk: allowed with no particular obligation. Most office and automation uses. Nothing special to do beyond common sense.
The real timeline: what applies, what is coming, what got pushed back
This is where you get sold the most panic. The reality: the regulation applies in waves spread over several years, and the schedule was even loosened in late 2025. These dates have already moved and may move again, so do not build your whole strategy around one specific day. The key point is that nothing lands on you all at once.
- Since February 2025: banned uses (unacceptable risk) already are banned, and an AI literacy duty (training your teams on the basics) is in force.
- Since August 2025: obligations on general-purpose models (the large models like GPT, Claude, Gemini) apply, mostly on the providers of those models.
- December 2026: transparency and content-marking duties (chatbots flagged, AI content identifiable). This is what touches the most companies day to day.
- December 2027: the bulk of high-risk obligations, pushed back from the original schedule. So you have time ahead of you, as long as you do not wait until the last minute.
The concrete obligations: transparency, marking, inventory
Behind the vocabulary, the obligations that will touch the most companies are fairly simple. Transparency: telling a user they are talking to an AI, not a human. Marking: flagging that a piece of content (text, image, voice) was generated or altered by AI. And, upstream of all that, the inventory: knowing which AI systems run in your business, for what, on which data. Many companies cannot answer any of those three questions today, and that is exactly where to start. An internal AI usage policy already settles a good part of the topic on the team side.
Penalties, to size up the stakes (without panicking)
The numbers make the headlines: up to 35 million euros or 7% of worldwide turnover for banned uses, up to 15 million or 3% for other breaches. These are ceilings, meant for serious and deliberate cases, with proportionality and adjusted thresholds for smaller organizations. The point is not to scare you: it is to remind you the topic deserves real attention, not a sleepless night.
The AI Act does not penalize using AI. It penalizes not knowing what your AI is doing.
Where to start: inventory first, then gap analysis
Two moves, in this order. First the inventory: list every AI use in the company, including the ones nobody made official (the tools teams already use on their own). For each: what it does, which data it touches, which risk tier it lands on, are you a deployer or a provider. Then the gap analysis: compare what you do to what the regulation asks for that tier, and list the gaps to close. This is work I often run as part of a compliance-and-cost oriented AI audit, because the two overlap: the same inventory serves to cut the bill and to frame the risk.
What it changes for your technical choices
The regulation rewards those who can show their working. Three technical choices put you ahead regardless of the dates. Traceability first: keeping a record of who asked what, what the model answered, from which sources, so you can explain a decision after the fact. That is the core of reliability in production. Sourcing next: knowing where your data and your models come from, and standing behind it. Sovereignty last: for sensitive data, a model hosted in the EU or run on your own infrastructure rather than a distant cloud makes compliance, and a leader's sleep, a lot easier. If you want an honest read of your exposure and a plan without the jargon, let's talk.