EU AI Act 2026: What Your Company Must Do Now

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive legal regulation of AI systems. Entering into force in August 2024, its effects roll out in stages until 2027 — but many companies underestimate the action required. This article clarifies what you specifically need to know and do.

🚨 Deadline: 2 August 2026 – fewer than 60 days remaining

From 2 August 2026, high-risk AI systems (Annex III: HR-AI, credit AI, biometric systems, etc.) must be fully documented, assessed and compliant. Fines of up to €35m or 7% of annual turnover are possible. Anyone without an AI inventory yet should act now — not in July.

What Exactly is the EU AI Act?

The EU AI Act regulates AI systems according to their risk potential — just as the GDPR protects personal data, the AI Act protects against harm from AI. The law applies to:

Providers of AI systems (developers who market AI)
Deployers of AI systems (companies that use AI tools in their operations)
Importers and distributors of AI products

A "AI system" means any system that generates outputs such as predictions, recommendations, decisions or content based on inputs — from chatbots and recruitment software to production optimisation.

The Four Risk Classes at a Glance

The core principle of the AI Act is a risk-based approach. The higher the risk, the stricter the requirements:

Risk Class	Examples	Legal Consequence
Unacceptable	Social scoring by authorities, real-time biometric surveillance in public spaces, manipulative AI	Prohibited — no exceptions possible
High Risk	AI in HR/Recruiting, credit scoring, critical infrastructure, medical devices, judiciary	Extensive obligations: risk management system, data governance, transparency, human oversight, conformity assessment
Limited Risk	Chatbots, deepfakes, emotion-recognition AI	Transparency obligations: users must know they are interacting with AI
Minimal Risk	Spam filters, AI-assisted search, game characters	No specific obligations — voluntary codes of conduct recommended

🛡️ Is your company affected?

I check free of charge which risk class applies to your AI systems and what specific measures are required.

🛡️ Request AI Audit → 📅 Free Initial Consultation

💡 Practical Note: GPAI Models

AI models with general-purpose use (General Purpose AI, e.g. GPT-4, Claude, Llama) are subject to their own rules. Models with systemic risks (training compute > 10²⁵ FLOPs) have particularly strict obligations.

The Timeline: What Applies When?

Aug. 2024

Entry into force

The EU AI Act formally enters into force. 24-month transition period begins.

Feb. 2025

Prohibitions for unacceptable risks

Systems with unacceptable risk potential must be switched off. Fines up to €35m or 7% of annual turnover.

Aug. 2025

GPAI obligations

Rules for general-purpose AI models become applicable.

2. Aug. 2026 ⚠

High-Risk AI (Annex III) – Act now

Full obligations for HR-AI, credit AI, biometric systems, AI in critical infrastructure. Conformity assessment, documentation, EU register entry. Fewer than 60 days remaining.

Aug. 2027

High-Risk AI (Annex I) – Product Law

AI systems in physical products (medical devices, vehicles, machinery) — transition period for existing CE-marked products.

Which Companies Are Particularly Affected?

Many SMEs believe the EU AI Act is primarily a topic for tech giants. This is a dangerous misconception. As a deployer, you are affected if you:

Use AI-supported applicant management systems (e.g. automated CV analysis)
Conduct creditworthiness checks via AI
Use chatbots in customer service without disclosure
Use AI to monitor employee performance
Operate predictive maintenance systems in critical infrastructure

🚨 Common Misconception: "We only use it internally"

The EU AI Act does not distinguish between internal and external use. AI systems used only internally for employee decisions (HR, performance assessment) can also be subject to high-risk requirements.

Obligations for High-Risk Deployers

If you deploy high-risk AI systems, you must specifically:

Ensure the system has a declaration of conformity (CE marking) from the provider
Implement and document a risk management system
Train employees in the use of the system and maintain qualification records
Ensure human oversight — AI decisions must be reviewable and correctable
Retain logs of system operation for at least 6 months
Conduct a fundamental rights impact assessment (mandatory for public authorities, recommended for private entities)

Transparency Obligations: This Affects Almost Everyone

Even if your AI is not classified as high risk, many systems are subject to transparency obligations:

Chatbots and virtual assistants: users must know they are interacting with an AI
Deepfakes and synthetic content: must be labelled as AI-generated
Emotion recognition: users must be informed when their emotions are being analysed

How to Start: 5-Step Immediate Action Plan

Given the deadlines already running, I recommend the following approach:

Step 1: Create an AI Inventory

Document all AI systems in your company — including those perceived as "normal software". Microsoft 365 Copilot, ChatGPT integrations, and automated decision systems in ERP or CRM all count.

Step 2: Conduct Risk Classification

Assign each system to a risk class. The EU AI Act defines high-risk application areas in Annexes II and III. Ask critically: which decisions are supported or automated by AI?

Step 3: Review Provider Documentation

Request conformity documentation from your AI system providers. EU providers must be able to supply this; for non-EU providers, check whether an EU authorised representative exists.

Step 4: Clarify Internal Responsibilities

Appoint an AI Act compliance officer — similar to a data protection officer. Embed AI governance into existing compliance structures.

Step 5: Conduct Training

Employees using high-risk AI must demonstrably be trained. Document training sessions and update them when systems change.

Your Immediate Checklist

AI inventory of all AI systems in use created and documented
Risk classification carried out for each system
Systems with "unacceptable risk" identified and decommissioned (mandatory since Feb. 2025)
Conformity documentation requested from providers of all high-risk systems
Transparency notices implemented for chatbots and AI-generated content
Internal AI governance structure and responsible persons designated
Training measures for employees using AI systems planned/implemented
Logging and retention processes for AI operational data established

✅ Good to know: Proportionality

The EU AI Act provides for a risk-proportionate approach. Small and medium-sized enterprises that exclusively use minimal-risk AI face virtually no additional bureaucratic burden. The effort scales with the actual risk potential of your AI use.

Sanctions: What Penalties Apply for Violations?

The EU AI Act provides for graduated fines:

Up to €35m or 7% of annual turnover for violations of the prohibitions (unacceptable risks)
Up to €15m or 3% of annual turnover for violations of other obligations
Bis 7,5 Mio. € oder 1,5% des Jahresumsatzes bei falschen Angaben gegenüber Behörden

For SMEs, the lower value from each pair applies. Oversight is handled by national market surveillance authorities — in Germany, expected to be the Federal Network Agency.

Are You Compliant by 2 August 2026?

Structured AI audit in half a day: inventory, risk classification, written report with action plan.

🛡️ KI-Audit anfragen 📅 Free Initial Consultation 📄 PDF-Leitfaden herunterladen