EU AI Act: Complete Business Guide 2026
The world's first comprehensive AI law is now in force. Understand your obligations, key deadlines, and how to find compliant AI tools — all in one place.
The information on this page is of a general nature only and is not intended to address the specific circumstances of any particular individual or entity. It is not necessarily comprehensive, complete, accurate, or up to date. It does not constitute legal advice, legal opinion, regulatory guidance, or a legal interpretation of any legislation. No attorney-client relationship is created by accessing or relying on this content. GateOnAI is an independent AI tools directory — not a law firm, regulatory body, or compliance consultancy. For advice specific to your organisation's obligations under the EU AI Act or any other regulation, consult a qualified legal professional specialising in EU technology law or contact your national competent authority.
What is the EU AI Act?
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive, horizontal legal framework governing artificial intelligence. Adopted by the European Parliament and Council, it entered into force on 1 August 2024 and applies a risk-based approach: the stricter the potential harm of an AI system, the more stringent the obligations.
Unlike sector-specific regulations, the AI Act applies across all industries and use cases — from healthcare and hiring to marketing automation and customer service. Crucially, it has extraterritorial reach: any organisation providing or deploying AI systems that affect people in the EU must comply, regardless of where that organisation is headquartered.
Implementation Timeline
The AI Act follows a phased implementation schedule. Different obligations apply at different dates depending on the type of AI system and your role in the supply chain.
The regulation was published in the Official Journal and became binding EU law. The phased implementation timeline begins.
Article 5 prohibitions took effect. Unacceptable-risk AI systems — including social scoring, subliminal manipulation, and certain biometric surveillance — are now banned. Violations face fines of up to €35M or 7% of global turnover. AI literacy obligations (Article 4) also apply from this date.
General-Purpose AI (GPAI) model providers must comply with transparency requirements, technical documentation standards, and copyright policies. New GPAI models released after this date must comply immediately. Member States designate national competent authorities.
The most significant milestone for most businesses. High-risk AI systems must complete conformity assessments, establish risk management systems, maintain technical documentation, ensure human oversight, and register in the EU database. Each EU Member State must also have at least one AI regulatory sandbox operational.
Obligations extend to GPAI models placed on the market before August 2025, and to AI systems embedded in regulated products (medical devices, machinery, automotive systems). Legacy systems must be fully updated.
Risk Categories Explained
The AI Act classifies AI systems into four risk tiers. Your compliance obligations depend entirely on which tier your AI system falls into.
These AI systems are completely banned under Article 5. No compliance pathway exists — they must not be developed, deployed, or used.
- Social scoring systems by public authorities
- Real-time remote biometric identification in public spaces (with narrow exceptions)
- Subliminal manipulation causing harm
- Exploitation of vulnerability of persons (age, disability, social situation)
- Emotion recognition in workplace or education
- Predictive policing based solely on profiling
Permitted, but subject to extensive obligations before market placement. Deadline: 2 August 2026.
- Biometric identification and categorisation systems
- AI in recruitment, CV screening, interview assessment
- Credit scoring and insurance risk assessment
- AI in medical devices and clinical decision support
- Education: student assessment and performance evaluation
- Law enforcement: evidence evaluation, criminal risk profiling
- Migration and border control systems
- Critical infrastructure: water, gas, electricity, road traffic
Permitted with transparency requirements under Article 50. Users must be clearly informed they are interacting with an AI.
- Customer service chatbots and virtual assistants
- AI-generated content (text, images, audio, video)
- Deepfake generation tools
- Emotion recognition systems (limited contexts)
- Spam filters with direct user interaction
The vast majority of AI tools fall here. The European Commission estimates approximately 85% of AI systems in the EU market are minimal risk. No mandatory obligations apply, though voluntary codes of conduct are encouraged.
- AI-enabled video games
- Content recommendation systems
- Writing assistants and productivity tools
- Image generation for creative use
- SEO and marketing analytics tools
What Every Business Must Do Now
Regardless of your AI risk tier, Article 4 (AI literacy) applies to all organisations using AI as of February 2025. Here is a practical action plan:
Catalogue every AI system your organisation provides, deploys, or uses — including embedded AI in third-party tools (HR software, CRM, marketing platforms). Over 50% of enterprises lack a systematic AI inventory, creating immediate compliance risk.
Apply the four-tier classification to each system. Use the official AI Act Explorer or the EU Commission's compliance checker. Pay particular attention to HR, credit, medical, and education use cases — these are almost always high-risk under Annex III.
Article 5 prohibitions have been in force since February 2025. If any of your AI systems fall under unacceptable risk — emotion recognition in the workplace, social scoring, certain biometric surveillance — discontinue them without delay. Enforcement is active.
Article 4 requires that all staff using or overseeing AI systems have sufficient AI literacy. Document your training programme — without evidence of training, you cannot demonstrate compliance even if your systems are technically sound.
For each high-risk AI system, complete: risk management documentation, data governance assessment, technical documentation, conformity assessment, and EU database registration. Implementation typically takes 12–18 months for complex organisations. Start now.
For limited-risk systems (chatbots, AI-generated content), ensure users are clearly informed they are interacting with AI. Label all AI-generated content. This applies immediately.
Official Resources & Further Reading
GateOnAI Ecosystem
One platform. Every AI tool, workflow, and comparison you need — EU-hosted, independent, always free.
Frequently Asked Questions
What is the EU AI Act?
The EU AI Act (Regulation EU 2024/1689) is the world's first comprehensive legal framework for artificial intelligence. It entered into force on 1 August 2024 and establishes binding rules for AI systems placed on the EU market or used within the EU, regardless of where the provider is headquartered.
Who does the EU AI Act apply to?
The Act applies to any organisation — EU-based or not — that provides, deploys, or uses AI systems affecting people within the European Union. This includes software vendors, businesses using third-party AI tools, importers, and distributors. If your AI system touches EU users, you are in scope.
What are the key deadlines?
2 February 2025: Prohibited AI practices banned. 2 August 2025: GPAI model obligations and national authority designation. 2 August 2026: High-risk AI system obligations. 2 August 2027: Full compliance for GPAI models and AI in regulated products.
What are the penalties for non-compliance?
Fines reach up to EUR 35 million or 7% of global annual turnover for prohibited practices — exceeding GDPR levels. High-risk non-compliance: up to EUR 15 million or 3% of turnover. Providing incorrect information to authorities: up to EUR 7.5 million or 1% of turnover. SMEs and startups benefit from proportionate caps.
What is a high-risk AI system?
High-risk AI systems include those used in biometrics, recruitment and HR decisions, credit scoring, medical devices, education assessment, law enforcement, migration, and critical infrastructure. These systems must meet strict requirements including risk management, data governance, transparency, human oversight, and conformity assessment before August 2, 2026.
Does the EU AI Act apply to AI tools I use (not build)?
Yes. Businesses that deploy third-party AI tools — such as HR screening tools, customer service chatbots, or credit assessment software — are considered deployers and have obligations under the Act. This includes maintaining an inventory of AI systems, ensuring AI literacy among staff, and verifying that high-risk tools meet compliance requirements.
What should my business do right now?
Start with an AI inventory: catalogue every AI system you use or provide. Classify each by risk tier. For prohibited practices (already banned since February 2025), discontinue immediately. For high-risk systems, begin conformity assessment and documentation. Ensure AI literacy training for staff — Article 4 is already in force.
This page is provided for general informational and educational purposes only. GateOnAI makes no representations or warranties of any kind, express or implied, regarding the completeness, accuracy, reliability, or suitability of the information contained herein. GateOnAI accepts no responsibility or liability whatsoever with regard to any decisions made or actions taken in reliance on the information on this page. The binding interpretation of EU legislation is the exclusive competence of the Court of Justice of the European Union. Laws and regulations change frequently — always verify with official EU sources before making compliance decisions. External links are provided for convenience only; GateOnAI has no control over and assumes no responsibility for the content of external sites.
Sources: Regulation (EU) 2024/1689 (Official Journal, 13 June 2024) • artificialintelligenceact.eu • European AI Office • EUR-Lex