If you run a company in the EU, you have probably heard that there is now a law for artificial intelligence, that it carries big fines, and that a deadline is coming. All three are true. What gets lost in the headlines is the part that matters to you: for most normal businesses, the actual obligations are limited, and the scariest deadlines are being pushed back. Here is the whole thing in plain language.

What the AI Act is

The EU AI Act is the first comprehensive law on artificial intelligence anywhere in the world. It applies across all 27 member states, and it works on a simple idea: the more a given use of AI can harm people, the more rules apply to it. It is not a ban on AI, and it is not aimed at the technology itself. It regulates how AI is used, sorted by risk. One point worth knowing early: it also reaches beyond the EU's borders. A company based anywhere that puts an AI system on the EU market, or whose system produces output that is used in the EU, falls under it.

It entered into force on 1 August 2024 and applies in phases, so different obligations switch on at different dates rather than all at once.

The core idea: four levels of risk

Every AI system you build or use falls into one of four buckets, and your obligations depend entirely on which one. (General-purpose models, the large models behind chat tools, carry a separate set of obligations that fall on the model's provider, not on a business that merely uses the model through a product.)

  • Unacceptable risk — banned. A short list of practices is prohibited outright: social scoring, manipulative systems that exploit vulnerabilities, untargeted scraping of faces to build recognition databases, emotion recognition in workplaces and schools, and a few others. If you are reading this, you are almost certainly not doing any of them.
  • High risk — heavily regulated. A closed, specific list (Annex III of the Act): AI used in things like recruitment and HR decisions, credit scoring, access to education and essential services, and critical infrastructure, plus AI that is a safety component of products already covered by EU product law, such as medical devices (Annex I). These carry the heavy obligations: risk management, data governance, technical documentation, logging, human oversight, a conformity assessment and registration in the EU database.
  • Limited risk — transparency only. AI that interacts with people or generates content. The rule is simple: be honest about it. A chatbot must make clear it is a machine unless that is obvious from the context; AI-generated images, audio or video need to be identifiable as such, and deepfakes must be labelled.
  • Minimal risk — no extra rules. Everything else: spam filters, recommendation features, most everyday tools. This is the large majority of business AI.

The timeline (and the May 2026 changes)

The dates that have already taken effect:

  • 2 February 2025 — the banned practices became illegal, and companies that provide or use AI must ensure the staff operating it have a sufficient level of AI literacy.
  • 2 August 2025 — rules for general-purpose AI models (the large models behind tools like ChatGPT), the EU's governance bodies, and the penalty framework came into force.

The dates still ahead, as they stand now:

  • 2 August 2026 — most of the remaining rules apply, including the transparency obligations above. Every member state must also have an AI "regulatory sandbox" (a supervised space to test AI) running.
  • 2 December 2026 — the technical marking of AI-generated content (watermarking) applies for systems already on the market, and two new prohibitions take effect (AI used to create non-consensual intimate imagery or child sexual abuse material).

Here is the important update most coverage is behind on. In May 2026 the EU agreed to simplify the Act and delay its heaviest part. Under that agreement, the obligations for high-risk AI systems move from 2026/2027 to 2 December 2027 for standalone systems (Annex III) and 2 August 2028 for AI embedded in regulated products (Annex I). One honest caveat: as of mid-2026 this is a provisional political agreement awaiting formal adoption and publication, so until that is finalised the original August 2026 date technically still stands. In practice, the direction is clear: more time for the hard cases.

Does any of this actually apply to my business?

For most companies, the answer is reassuring. If you use AI to talk to customers, draft content, analyse your own data, or automate routine work, you are almost certainly in the limited or minimal risk bucket. That means the heavy high-risk machinery does not apply to you, your real obligation is transparency, and even that is light: a few clear disclosures where AI talks to people or produces public content.

You move closer to the high-risk line only when AI makes or strongly influences a consequential decision about a person: who gets hired, who gets credit, who gets access. That applies whether you build the system or buy it. A company that runs a vendor's CV-screening tool is a "deployer" of a high-risk system, with its own lighter but real duties: using the tool as the provider instructs, keeping a competent human in oversight, keeping the logs the system generates, and informing the workers and the people affected. If that describes what you are building or buying, the obligations are real and worth planning for.

The penalties

The fines are large, which is what makes headlines: up to €35 million or 7% of global annual turnover for using a banned practice, up to €15 million or 3% for breaching other obligations, and up to €7.5 million or 1% for giving authorities incorrect or misleading information. Two things temper this for smaller companies: national authorities must set fines in proportion to the breach and the size of the company, and for SMEs and start-ups the cap is the lower of the fixed amount or the percentage, not the higher.

The good news for smaller companies

The Act, and the May 2026 simplification, deliberately lighten the load for smaller players: simplified documentation, proportionate requirements, priority access to the regulatory sandboxes, and capped, proportionate fines. The law was not written to bankrupt a 20-person company for putting a support bot on its website.

How this sits next to GDPR

The AI Act does not replace GDPR. It sits alongside it. Wherever your AI touches personal data, both apply, and they overlap heavily: GDPR's rules on automated decision-making and the AI Act's high-risk category bite on the same use cases, so a consequential decision about a person usually triggers both. The good news is that clean, well-governed data handling covers most of what both regimes ask for. (We will cover the AI–GDPR overlap in its own guide.)

What to do now, and how we think about it

The practical first step is not legal panic; it is a short inventory: list where you actually use AI today, including third-party tools and AI features inside software you already pay for, note who provides each one and what data it sees, and for each one ask whether it makes or strongly influences a consequential decision about a person. That single question tells you, in five minutes, whether you are in the light-touch majority or the small high-risk minority.

When we build AI for a company, compliance is part of the design rather than a bolt-on: EU-region hosting, clear data flows, a human in the loop on decisions that matter, and honest disclosure where AI talks to people. That is not extra work done to satisfy a regulator; it is simply how trustworthy systems are built. If you are not sure where your use of AI sits on the risk scale, that is a short, free conversation, and exactly the kind of question we answer before any project begins.