The EU AI Act is the European Union's law on artificial intelligence. It sorts AI systems into risk levels and sets rules for each: a few uses are banned outright, high-risk uses face strict requirements, and most everyday AI faces light transparency duties or none at all. Full enforcement of the main rules begins on August 2, 2026.
What Is the EU AI Act? A Plain-English Explanation
What Is the EU AI Act in One Paragraph
The EU AI Act, officially Regulation (EU) 2024/1689, is the world's first comprehensive law dedicated to artificial intelligence. It was adopted in 2024 and entered into force on August 1, 2024, with its obligations switching on in stages through 2027. The core idea is simple: the law does not regulate AI as a technology, it regulates what you do with it. The riskier the use, the stricter the rules. A spam filter faces essentially no new obligations. A hiring tool that screens job applicants faces a long list of requirements. A system that scores citizens based on their social behaviour is banned entirely.
Why Did the EU Create This Law
European lawmakers wanted two things at once: protection and predictability. On the protection side, the law aims to shield people from AI uses that can harm health, safety, or fundamental rights, such as manipulative systems, discriminatory hiring algorithms, or intrusive surveillance. On the predictability side, businesses across 27 member states previously faced a patchwork of national approaches. A single EU-wide rulebook means one set of requirements for the entire single market of roughly 450 million people. The EU also openly hopes the Act becomes a global reference point, the way its data protection law shaped privacy rules worldwide.
How the Risk-Based System Works
Every obligation in the Act flows from the risk category an AI system falls into. There are four levels for AI systems, plus a separate set of rules for general-purpose AI models such as the large models behind popular chatbots.
| Risk level | What it covers | What the law requires |
|---|---|---|
| Unacceptable risk | Practices listed in Article 5, such as social scoring and manipulative techniques that cause significant harm | Banned outright since February 2, 2025 |
| High risk | AI in sensitive areas such as hiring, credit scoring, education, medical devices, and critical infrastructure | Risk management, data quality controls, documentation, human oversight, registration, conformity assessment |
| Limited risk | AI that interacts with people or generates content, such as chatbots and image generators | Transparency: tell people they are dealing with AI or AI-generated content |
| Minimal risk | Everything else, such as spam filters, inventory forecasting, and recommendation engines in games | No new obligations; voluntary codes of conduct encouraged |
In practice, the overwhelming majority of AI used by ordinary businesses falls into the minimal or limited categories. The heavy compliance machinery applies to a defined list of high-risk uses, not to AI in general.
What Counts as an AI System
The Act defines an AI system as a machine-based system that operates with some degree of autonomy, may adapt after deployment, and infers from the input it receives how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. In plain terms: software that works things out from data rather than blindly following fixed rules written by a human. A traditional spreadsheet formula is not an AI system. A machine-learning model that predicts which customers will cancel their subscription is. The boundary cases sit in between, and the European Commission has published guidelines to help organisations decide.
Who Has to Comply
The Act assigns duties by role. Providers are the organisations that develop an AI system or have one developed and put it on the EU market under their own name. They carry the heaviest obligations. Deployers are organisations that use an AI system in their professional activities, for example a retailer using an AI scheduling tool for staff. They carry lighter but real duties, especially for high-risk systems. Importers and distributors have their own checks to perform. Crucially, the Act reaches beyond Europe: a company in the United States or Japan is covered if it places AI on the EU market or if the output of its system is used in the EU. Purely personal, non-professional use by individuals is out of scope, as are systems used solely for military purposes or scientific research.
Key Dates You Need to Know
| Date | What starts to apply |
|---|---|
| August 1, 2024 | The Act enters into force; the countdown begins |
| February 2, 2025 | Bans on prohibited practices and the AI literacy duty for staff |
| August 2, 2025 | Rules for general-purpose AI models and the governance framework |
| August 2, 2026 | The main body of the law, including most high-risk obligations and transparency rules |
| August 2, 2027 | Extended deadline for high-risk AI embedded in regulated products such as medical devices |
For most businesses, August 2, 2026 is the date that matters. That is when the obligations for high-risk systems listed in Annex III, the transparency duties for chatbots and generated content, and the enforcement apparatus all apply in full.
What Happens If You Ignore It
Penalties are tiered to match the seriousness of the breach. Using a prohibited practice can cost up to 35 million euros or 7 percent of worldwide annual turnover, whichever is higher. Breaching most other obligations, including the high-risk requirements, can cost up to 15 million euros or 3 percent. Supplying incorrect or misleading information to authorities can cost up to 7.5 million euros or 1 percent. For small and medium-sized enterprises, the law softens the blow: the applicable cap is whichever of the two amounts is lower. National market surveillance authorities in each member state handle enforcement for AI systems, while the European Commission's AI Office oversees general-purpose AI models.
Does It Apply to My Small Business
Almost certainly yes, in some form, if you operate in or sell into the EU and use AI in your business. The practical question is how much it applies. If your team uses a chatbot for customer questions, you mainly need to make sure people know they are talking to a machine. If you use AI to screen job applications or evaluate employees, you are deploying a high-risk system and have concrete duties around oversight, monitoring, and informing affected staff. If you only use AI for things like drafting marketing copy, summarising documents, or forecasting stock, your main obligation is the AI literacy duty: making sure staff who work with AI understand what it can and cannot do. The Act also includes support measures for smaller companies, including priority access to regulatory sandboxes and simplified documentation formats.
Where to Start
Start with an inventory. List every AI system your organisation builds, buys, or uses, including features hidden inside everyday software. For each one, ask three questions. First, does it touch a banned practice? For most ordinary businesses the answer is no, but check the list in Article 5. Second, does it fall into a high-risk category such as employment, credit, education, or essential services? Third, does it interact with people or generate content in a way that triggers transparency duties? Once each system has a category, the obligations and the timeline become clear, and most organisations discover that the work ahead is manageable, provided they begin before the August 2026 deadline rather than after it.
How the EU AI Act Compares to GDPR
People often describe the AI Act as GDPR for AI, and the comparison is half right. Both are EU regulations with global reach and turnover-based fines, and both demand documentation, risk assessment, and accountability. The difference lies in what they protect. GDPR governs personal data wherever it flows, AI or not. The AI Act governs AI systems as products, whether or not they process personal data. A factory robot guided by AI may involve no personal data at all and still be regulated; a paper filing cabinet of customer records involves no AI and is still covered by GDPR. In daily business the two laws frequently apply to the same project at the same time, so teams that built GDPR muscle after 2018 have a genuine head start: records of processing, vendor due diligence, and impact assessment habits all transfer directly to AI Act work.
Common Misconceptions Worth Clearing Up
Three misunderstandings come up constantly. The first is that the Act bans powerful AI. It does not; it bans specific practices, and capability alone is never the trigger. The second is that only tech companies are affected. In reality, the heaviest deployer duties land on ordinary employers using AI in hiring and management, and on banks and insurers using it in credit and pricing decisions. The third is that compliance can wait until enforcement begins. Several obligations, including the bans and the staff AI literacy duty, have applied since February 2025, and high-risk preparation realistically takes months. The businesses in the best position in August 2026 will be the ones that treated the Act as a routine operational project in 2025 and early 2026, not as a legal emergency in the final summer.
This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.