The EU AI Act in 2026: what Greek businesses actually need to do
Most of the rules apply from 2 August 2026, while the heaviest high-risk obligations were just delayed to 2027 and 2028. Here is what matters for a normal company using AI, minus the panic.
If your company uses AI in any form, a chatbot on your site, a tool that screens CVs, software that scores leads, you have probably seen headlines about the EU AI Act and an August 2026 deadline. Most of them are written to alarm. This one is not.
Here is the honest version: the AI Act is real, the dates are real, and for the large majority of Greek businesses the actual work is smaller than the headlines suggest. What follows is what matters, and what you can safely ignore for now. (For how the law works overall, see our plain-language guide to what the AI Act is.)
The dates that matter
The Act entered into force in 2024 and applies in phases. The prohibited practices, things like social scoring and manipulative systems, have been banned since February 2025; if you are reading this, you are almost certainly not doing any of them. The dates still ahead:
- 2 August 2026: most of the Act's remaining rules apply, including the transparency obligations below. This is the date behind most of the headlines.
- 2 December 2026: the technical marking of AI-generated content (watermarking) applies for systems already on the market, and two new prohibitions take effect (including AI used to generate non-consensual intimate imagery or child sexual abuse material).
- 2 December 2027 and 2 August 2028: the heavy obligations for high-risk AI. In May 2026 the EU agreed to simplify the Act and push these back, to 2 December 2027 for standalone high-risk systems (areas like biometrics, employment, education and critical infrastructure) and 2 August 2028 for AI built into regulated products (such as lifts or toys). One honest caveat: as of mid-2026 this is a provisional agreement awaiting formal adoption, which the institutions aim to complete before August 2026, so until it is finalised the original 2026 date technically still stands. The direction, though, is clearly more time.
Are you actually "high-risk"?
This is the question that decides how much you need to care. "High-risk" is a specific, narrow list: AI used in things like recruitment decisions, credit scoring, critical infrastructure, medical devices, and education access. A chatbot answering customer questions is not high-risk. A dashboard that forecasts your revenue is not high-risk. An AI that automatically rejects job applicants is closer to the line.
For most companies, the answer is: you are not building high-risk AI, so the heavy obligations (now delayed to 2027 and 2028 anyway) do not apply to you. What does apply is lighter.
The rule that touches almost everyone: transparency
If you use AI to interact with people, you have to tell them. A chatbot has to make clear that it is a machine, not a person. AI-generated images or text published to the public need to be identifiable as such. This is not a paperwork mountain, it is a few clear labels and a line of disclosure, and it applies from August 2026.
Good news for smaller companies
The EU has deliberately softened the rules for smaller players, and the May 2026 simplification went further: it extends the lighter treatment beyond SMEs to "small mid-caps", companies with up to 750 employees and up to €150 million in turnover. In practice that means simplified documentation templates, access to regulatory sandboxes, and proportionate, capped penalties. The Act was not written to bankrupt a 20-person company in Athens for putting a support bot on its website.
A practical checklist
- List where you actually use AI today, including third-party tools.
- For each one, ask: does it make or heavily influence a decision about a person (hiring, credit, access)? If no, you are almost certainly in the low-risk bucket.
- Where AI talks to customers or generates public content, add a clear disclosure.
- Keep your data flows GDPR-clean; the two regimes overlap, and good data governance covers most of both.
- Document, briefly, what each system does and what data it uses. Not a thesis, a page.
How we think about it
When we build AI for a company, compliance is part of the design, not a bolt-on at the end. EU-region hosting, clear data flows, human-in-the-loop on the decisions that matter, and honest disclosure where AI talks to people. That is not extra work bolted on for the regulator; it is how trustworthy systems are built anyway.
If you are not sure where your use of AI sits on the risk scale, that is a short, free conversation, and exactly the kind of question we answer before any project starts.