When does the EU AI Act fully apply?

The EU AI Act phases in between February 2025 and August 2027. Prohibited AI practices have been banned since February 2025. High-risk AI system obligations take full effect on 2 August 2026. General-purpose AI model obligations apply from August 2025. Full enforcement across all categories is complete by August 2027.

Does the EU AI Act apply to businesses outside the EU?

Yes. The Act applies to any business that places AI systems on the EU market or whose AI system outputs are used within the EU, regardless of where the business is established. This extraterritorial scope mirrors GDPR and means any business serving EU customers must comply.

What are the penalties for non-compliance?

Fines reach up to 7% of annual global turnover for deploying prohibited AI practices, 3% for violating high-risk system obligations, and 1.5% for providing incorrect information. For SMEs, fines are capped at the lower of the percentage or a fixed amount, but the reputational impact of enforcement action is often more damaging than the fine itself.

Do I need to comply if I use third-party AI tools rather than building my own?

Yes. The AI Act distinguishes between providers (who develop AI systems) and deployers (who use them). As a deployer, you have obligations including ensuring human oversight, informing affected individuals, monitoring system performance, and reporting serious incidents. You cannot outsource your compliance obligations to your AI vendor.

How does the AI Act interact with GDPR?

The two frameworks are complementary. GDPR governs personal data processing; the AI Act governs AI system design and deployment. An AI system processing personal data must comply with both. The AI Act's data governance requirements for training data align with but extend beyond GDPR's data quality principles. Businesses should integrate their AI Act and GDPR compliance efforts rather than treating them separately.

What constitutes a 'high-risk' AI system under the Act?

High-risk AI systems include those used in biometric identification, critical infrastructure management, education and vocational training assessment, employment and worker management, access to essential services (credit scoring, insurance), law enforcement, migration and border control, and administration of justice. The full list is in Annex III of the Act and may be updated by the European Commission.

May 5, 202611 min readRegulation & Compliance

The EU AI Act Hits Full Force in August: What Every Business Needs to Do Now

On 2 August 2026, the EU AI Act's high-risk provisions come into full effect. Combined with active DSA and DMA enforcement, Europe's regulatory framework for AI and digital services is now the most comprehensive in the world. Here is a practical compliance checklist for SMEs that cannot afford to get this wrong.

EU AI ActComplianceRegulationAI GovernanceDigital Services ActDigital Markets ActData ProtectionGDPR

Giovanni van Dam

IT & Business Development Consultant

The Regulatory Moment: Why August 2026 Matters

The EU AI Act is not new — it was adopted in 2024 and has been phasing in since February 2025. But 2 August 2026 is the date that most businesses need to circle in red. This is when the Act's high-risk AI system provisions come into full effect, covering AI used in employment, credit scoring, education, healthcare, law enforcement, and critical infrastructure.

For businesses deploying AI — whether customer-facing chatbots, automated hiring tools, credit assessment models, or diagnostic systems — the compliance window is closing. Fines for non-compliance reach up to 7% of annual global turnover for prohibited practices and 3% for other violations. These are not theoretical penalties; the European AI Office has been building enforcement capacity since mid-2025.

Combined with the already-active Digital Services Act (DSA) and Digital Markets Act (DMA), Europe now operates the world's most comprehensive regulatory framework for AI and digital services. For international businesses, EU compliance is effectively becoming the global baseline — just as GDPR did for data protection.

What the AI Act Actually Requires

The EU AI Act uses a risk-based classification system. Your obligations depend on where your AI systems fall:

Unacceptable risk (banned): Social scoring systems, real-time biometric identification in public spaces (with narrow exceptions), manipulative AI targeting vulnerable groups, and emotion recognition in workplaces and schools. These have been prohibited since February 2025.
High-risk (strict obligations): AI used in recruitment, credit decisions, education assessment, healthcare diagnostics, critical infrastructure management, and law enforcement. These require conformity assessments, risk management systems, data governance, human oversight, and detailed technical documentation.
Limited risk (transparency obligations): Chatbots, deepfake generators, and emotion recognition systems must disclose that users are interacting with AI. AI-generated content must be labelled.
Minimal risk (no specific obligations): Spam filters, AI in video games, and similar low-impact applications.

The critical question for most businesses is: does any AI system I use or deploy qualify as high-risk? The answer is often yes, particularly if you use AI in hiring, customer creditworthiness assessment, or automated decision-making that materially affects individuals.

A Practical SME Compliance Checklist

Compliance does not require a dedicated legal department or a seven-figure budget. It requires structured, documented effort. Here is a practical checklist for SMEs:

1. Inventory and Classify Your AI Systems

Create a register of every AI system you develop, deploy, or use as a service. For each, determine its risk classification under the Act. This includes third-party AI tools — if you use an AI-powered hiring platform, you share compliance obligations as a deployer even if you did not build the system.

2. Establish Documentation and Governance

For high-risk systems, you need: a risk management system (identifying and mitigating risks throughout the system lifecycle), data governance procedures (ensuring training data quality, relevance, and representativeness), technical documentation (system architecture, design choices, performance metrics), and logs that enable traceability of AI decisions.

3. Implement Human Oversight Mechanisms

High-risk AI systems must be designed to allow effective human oversight. This means a qualified person must be able to understand the system's capabilities and limitations, monitor its operation, intervene or override decisions, and activate a stop mechanism. Document who these oversight roles are assigned to and how they exercise their authority.

4. Meet Transparency Obligations

If you deploy chatbots, AI-generated content, or emotion recognition systems, ensure users are clearly informed they are interacting with AI. For high-risk systems, provide clear information about the system's purpose, accuracy levels, and limitations to affected individuals.

The DSA and DMA: The Broader Regulatory Context

The AI Act does not operate in isolation. The Digital Services Act (DSA) and Digital Markets Act (DMA) are already in active enforcement and create additional obligations:

DSA: If you operate an online platform with user-generated content, the DSA requires content moderation transparency, illegal content reporting mechanisms, and — for larger platforms — regular risk assessments of systemic risks including AI-amplified disinformation.
DMA: While primarily targeting large gatekeepers (Google, Apple, Meta, Amazon), the DMA's requirements for data portability, interoperability, and fair ranking practices affect any business that relies on these platforms for distribution.

The practical impact: if you use AI for content moderation (DSA), automated advertising (DSA + AI Act), or operate on gatekeeper platforms (DMA), you are likely subject to multiple overlapping regulatory frameworks. Mapping these overlaps is essential to avoid compliance gaps.

The Cost of Inaction vs. The Cost of Compliance

The compliance burden is real but manageable. For a typical SME with 2-5 AI systems, expect an initial investment of 40-80 hours for inventory, classification, and documentation, plus ongoing governance effort of 5-10 hours per month. This is a fraction of the cost of a single fine or the reputational damage of a public enforcement action.

More importantly, well-governed AI systems perform better. The discipline of documenting your AI's purpose, limitations, and oversight mechanisms forces clarity that improves both reliability and trust — with customers, partners, and regulators.

If you need help navigating the EU AI Act and building a compliance framework that is practical rather than bureaucratic, I work with businesses across Europe on exactly this challenge.