What the EU AI Act actually is
The EU AI Act is the world's first comprehensive law regulating artificial intelligence. It entered into force on 1 August 2024 and rolls out in stages between February 2025 and August 2027. It applies to any company that puts AI on the EU market — whether or not that company is headquartered in the EU. Selling an AI product to a single Berlin customer brings you into scope.
The Act is risk-based: AI systems are classified by what they do, not what model they're built on. Higher-risk uses get more regulation. A spam filter and a facial-recognition system are both AI, but only one of them is reshaping people's life chances.
Quick facts
- Adopted: EU Regulation 2024/1689
- In force since: 1 August 2024
- Applies to: Any AI system placed on the EU market or used in the EU, regardless of where the provider is based
- Key dates: Prohibitions from 2 February 2025. General-purpose AI rules from 2 August 2025. High-risk system obligations from 2 August 2026. Full application 2 August 2027.
- Maximum fines: €35M or 7% of global annual turnover (whichever is higher), for prohibited-AI violations
- Enforcement: National competent authorities + the new EU AI Office in Brussels
The four risk categories
The Act splits AI uses into four tiers. Where your product lands determines how much paperwork your engineering team is about to do.
1. Unacceptable risk — banned outright. Social scoring by public authorities. Real-time remote biometric identification in public spaces (with narrow exceptions for serious crime). Emotion recognition in workplaces and schools. Manipulative AI that exploits children or vulnerable groups. Untargeted scraping of facial images from the internet to build databases. These are gone from the EU as of February 2025.
2. High risk — heavily regulated. AI in medical devices, vehicles, recruitment, education admissions, credit scoring, law enforcement profiling, biometric ID, critical infrastructure. Providers must implement risk management systems, data governance, technical documentation, transparency, human oversight, and conformity assessments. Annex III of the Act lists the use cases.
3. Limited risk — transparency obligations. Chatbots must tell users they're talking to a machine. Deepfakes must be labelled. Emotion-recognition and biometric-categorisation systems must inform the affected person. Modest paperwork, but real.
4. Minimal risk — no obligations beyond existing law. Spam filters, recommender systems for low-stakes content, AI-enabled video games. Most consumer AI today falls here.
What businesses need to do
This depends entirely on whether you're a provider (you build the AI), a deployer (you use it in your operations), an importer, or a distributor. The heaviest obligations fall on providers of high-risk systems.
For most European SMBs the practical action items are:
- Inventory your AI uses. List every AI tool your business uses, including chatbots, recruiting AI, marketing AI, code assistants. For each, identify whether it's high-risk, limited-risk, or minimal-risk per Annex III. Most won't be high-risk.
- If you use general-purpose AI (GPAI) models like GPT-4, Claude, Mistral Large: the obligations are on the provider, not you. You don't need to file paperwork for using ChatGPT in your office. You do need to make sure your use isn't sliding into a high-risk category — for example, automatic CV screening for hiring.
- If you build or deploy a high-risk AI system: begin implementing the technical documentation, data-governance records, and human-oversight processes the Act requires. CE marking for high-risk AI systems is required by August 2026.
- For deployers of high-risk AI: assign human oversight, log usage, and inform the people about whom the AI makes decisions or who are otherwise affected by its output.
- For everyone: AI literacy. From February 2025, organisations using AI must ensure staff have appropriate AI literacy. The bar is reasonableness, not perfection — but document training.
General-purpose AI (GPAI) — the foundation models
The Act has a separate tier for foundation models like GPT-4, Claude, Mistral Large, Llama 3. The provider of the model (OpenAI, Anthropic, Mistral, Meta) carries the obligations, not the deployer.
For most GPAI models the obligations are: technical documentation, training-data summaries, copyright compliance, transparency to downstream developers. For "systemic risk" GPAI (models with greater than 10^25 FLOPS of training compute — currently GPT-4 class and above), there are additional obligations: model evaluation, adversarial testing, serious-incident reporting.
The voluntary GPAI Code of Practice published in July 2025 sets out how providers can meet these obligations. Mistral, OpenAI, Anthropic, and Google have signed up. Meta has not.
Penalties
The fines are designed to bite.
- Prohibited AI use: up to €35M or 7% of global annual turnover (whichever is higher).
- Non-compliance with most other obligations: up to €15M or 3% of turnover.
- Providing incorrect information to authorities: up to €7.5M or 1% of turnover.
- SMEs and startups: these caps are explicit upper bounds rather than mandatory floors — proportionality applies.
For comparison: GDPR maxes out at €20M or 4% of turnover. The EU is saying out loud that AI misuse can be more harmful than data misuse.
Worth knowing
Three things most quick summaries leave out.
The Act applies extraterritorially. A US-headquartered company that ships an AI product into the EU is in scope. So is a Japanese company using an EU recruitment AI. There's no "we're not in Europe" defence.
The Act overlaps but doesn't replace GDPR. If your AI processes personal data, GDPR still applies. The Act is additional. The combination is the most regulated environment for AI in the world.
Enforcement is still being built. National competent authorities are being designated through 2025-2026. The European AI Office in Brussels is staffing up. Real enforcement actions are likely to ramp up from late 2026. Don't take the absence of fines today as evidence that the law isn't real — it's just early.
What this means for European AI
The Act has been characterised by US AI companies as overreach. That framing is convenient but incomplete. The Act gives European AI providers — Mistral, Aleph Alpha, Black Forest Labs, Lovable, Helsing — a structural advantage: they're built from day one for EU compliance, while their US competitors have to retrofit. Mistral and Aleph Alpha both signed the GPAI Code of Practice early; OpenAI dragged for months. That gap matters when European public-sector and regulated-industry buyers are choosing AI vendors.
Combined with the European Sovereign AI initiatives (€800M+ in member-state funding, the AI Factories program, GAIA-X) the Act is one half of an industrial strategy to keep AI infrastructure under European control rather than depending on three US companies.
What to do this month
- Inventory the AI tools your business uses. A spreadsheet is fine.
- Classify each one (high-risk / limited / minimal). Most will be minimal.
- If anything is high-risk, identify who in your organisation is accountable for getting it compliant before August 2026.
- For everyone using AI day-to-day (which is everyone now): a 30-minute AI literacy session for your team. Document it.
- Bookmark the European AI Office page (digital-strategy.ec.europa.eu) for official guidance as it's published.
Further reading
The official EU AI Act text (Regulation EU 2024/1689), the European AI Office at the Commission's digital strategy portal, and the GPAI Code of Practice (July 2025).
This is an editorial summary. Get a qualified lawyer before treating any of it as compliance advice.