
Law, society & ethics · Explained

EU AI Act: What businesses actually need to know

The EU AI Act is in full effect from 2026. What it means for your business, risk classes, obligations, deadlines, penalties. Plain English, no legalese.

Marco Esposito 10 min read

The EU AI Act (Regulation (EU) 2024/1689) is the first comprehensive AI regulation in the world. It entered into force in August 2024 and is being phased in step by step: the bans came first, then the rules for general-purpose models, and most remaining obligations apply from 2 August 2026. One exception: high-risk AI that is built into products already covered by EU product-safety law (medical devices, machinery, vehicles) follows in August 2027. Anyone who uses AI, whether as a provider or as a deployer, needs to know which risk class their own system falls into.

The four risk classes

The regulation sorts AI applications into four risk levels. Obligations and penalties rise with the level.

Prohibited

Banned outright. This includes:

  • Social scoring that leads to detrimental or disproportionate treatment (the ban is not limited to public authorities; a system like the one in China is the textbook case)
  • Manipulative or deceptive AI, and AI that exploits vulnerabilities due to age, disability or social or economic situation
  • Real-time remote biometric identification (e.g. facial recognition) in publicly accessible spaces for law-enforcement purposes (with narrowly defined exceptions)
  • Emotion recognition in the workplace and in educational institutions (except for medical or safety reasons)
  • Biometric categorization to infer sensitive characteristics such as race, political opinions, religion or sexual orientation
  • Untargeted scraping of facial images from the internet or CCTV to build facial-recognition databases
  • Predicting that a person will commit a crime based solely on profiling or personality traits

These bans have applied since 2 February 2025.

High-risk

Permitted, but heavily regulated. Examples:

  • AI as a safety component in critical infrastructure (energy, water, transport)
  • Education and employment: AI that decides on study places, exams, promotions
  • HR: AI for candidate selection, performance evaluation, task allocation
  • Access to essential services: credit scoring, insurance pricing, decisions on public benefits
  • Law enforcement, migration, justice
  • Medical devices and other regulated products with AI

Obligations: risk management system, data governance for training and test data, technical documentation, automatic logging, instructions for deployers, human oversight, accuracy/robustness/cybersecurity requirements, conformity assessment and EU declaration of conformity.

Limited

Transparency obligation. People have to be told that they are dealing with AI or AI-generated content.

  • Chatbots: notice required, unless it is obvious from the context
  • Deepfakes / AI-generated content: labeling obligation (machine-readable marking for generated output, visible labeling for deepfakes and for AI-written text published on matters of public interest)
  • Emotion recognition or biometric categorization systems (outside the prohibited use cases): the persons concerned must be informed

Minimal

No specific obligations. This covers most everyday applications: spam filters, recommendation algorithms, AI-powered games.

Special rule: Foundation Models / GPAI

General-purpose AI models (the models behind GPT-4, Claude, Gemini, etc.) get their own obligations, regardless of the use case. Providers must:

  • Maintain technical documentation of the model, including the training and testing process and its known or estimated energy consumption, for the AI Office and national authorities on request
  • Give downstream providers who build on the model the information they need to integrate it and meet their own obligations
  • Have a policy for complying with EU copyright law and publish a summary of the content used for training
  • For models with systemic risk (presumed above 10^25 FLOP of training compute): model evaluation including adversarial testing, assessment and mitigation of systemic risks, serious-incident reporting to the AI Office, and adequate cybersecurity

These obligations have applied since 2 August 2025; models that were already on the market before that date have until August 2027 to comply.

What does this mean for your business?

If you use AI (deployer)

  1. Take inventory of all AI systems that are in use or being planned. SaaS tools with AI features count too.
  2. Classify them by the four risk levels.
  3. Document human oversight, staff training (AI literacy for everyone operating the systems has been required since February 2025), and logging, especially for high-risk systems, which must be used according to the provider's instructions and whose automatically generated logs you have to retain.
  4. Review contracts with AI providers: the supply chain has to be EU AI Act compliant, and you need the provider's documentation to meet your own obligations.

If you develop AI yourself (provider)

  1. Complete technical documentation
  2. Risk management system
  3. For high-risk: conformity assessment, CE marking, EU database entry
  4. For GPAI: additional obligations (see above)

Penalties

  • Up to € 35 million or 7 % of global annual turnover for prohibited practices
  • Up to € 15 million or 3 % for breaches of other obligations
  • Up to € 7.5 million or 1 % for supplying incorrect, incomplete or misleading information to authorities

For large companies the higher of the two amounts applies; for SMEs and start-ups, the lower.

Practical steps for the next 90 days

  • Week 1–2: Set up an AI inventory, list use cases
  • Week 3–4: Risk classification per system
  • Week 5–8: Gap analysis: what's missing for high-risk conformity?
  • Week 9–12: Review contracts with providers, renegotiate if needed

What the EU AI Act does not regulate

  • Data protection, that stays with the GDPR (the AI Act applies in addition to it, not instead of it)
  • Copyright, that stays with national copyright laws + EU directives (the AI Act only requires GPAI providers to have a policy for respecting them)
  • Product liability, which is handled by separate EU legislation, the revised Product Liability Directive, which explicitly covers software including AI

Common misconceptions

“Using ChatGPT in the office falls under the AI Act.” Only partly. If you use ChatGPT for high-risk use cases (HR, education decisions), the high-risk rules apply, and by putting a general-purpose system to a high-risk purpose you can end up with provider obligations of your own. For normal office use it is minimal risk, although the general duty to ensure AI literacy among staff still applies to every deployer.

“We're a small company, this doesn't apply to us.” It does. The regulation has no SME exemption when it comes to risk classification and the bans. There are, however, easements: simplified technical documentation for high-risk systems, lower fine caps, and priority access to regulatory sandboxes.

“US providers don't have to comply with this.” They do. Anyone who places AI systems on the EU market, or whose system's output is used in the EU, falls under the AI Act, even without an EU establishment; providers outside the EU must appoint an authorised representative in the EU for high-risk systems and GPAI models.


Disclaimer: This article is no substitute for legal advice. For specific questions about applying it within your own company: bring in a lawyer.
