What is the EU AI Act? A plain English guide for 2026
If you sell to anyone in Europe, this law affects you. Here is what it actually says, why it exists, and what to do before August 2, 2026.
The one paragraph summary
The EU AI Act is the first comprehensive law on artificial intelligence anywhere in the world. It applies to anyone who builds, sells, imports, distributes, or uses an AI system inside the European Union, or whose AI system reaches people inside the EU. It sorts AI uses into four risk tiers (prohibited, high, limited, minimal), and then attaches obligations to each tier. The most important deadline for most small businesses is August 2, 2026, when Article 50 transparency rules become enforceable. Fines reach €15 million or 3 percent of global annual turnover, whichever is greater.
Why the EU created this law
Three drivers came together at the same time. First, the rapid mainstream adoption of generative AI from late 2022 created visible new risks (deepfakes, fake reviews, synthetic media in elections, automated hiring decisions, AI in critical infrastructure). Second, the EU had a working template for cross-border digital regulation in GDPR. Third, the European Commission wanted to set the global standard, the same way GDPR set the standard for privacy law. The Act was first proposed in April 2021, agreed in December 2023, and published in the Official Journal in July 2024. It entered into force on August 1, 2024.
The four risk tiers in plain language
The Act splits every AI use into one of four tiers. The tier decides what you need to do.
1. Prohibited (Article 5)
Some uses are banned outright. Examples: social scoring of natural persons by public authorities, untargeted scraping of facial images to build recognition databases, real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions), emotion recognition in the workplace or in schools, biometric categorisation by sensitive characteristics like race or religion. If you do any of these in the EU, the only answer is to stop. These bans have been in force since February 2, 2025.
2. High risk (Article 6 and Annex III)
This tier covers AI systems used in safety-critical contexts. Examples: AI in critical infrastructure (energy grids, water, traffic), AI used to decide who gets hired or fired or promoted, AI used in education to grade students or decide admissions, AI in essential public services (credit scoring, social benefits, insurance), AI in law enforcement, AI in border control, AI in administration of justice. If your AI sits here, you face the full set of obligations: written risk management system, dataset governance, technical documentation, transparency, human oversight, accuracy and robustness, and EU-database registration before placing the system on the market.
3. Limited risk (Article 50)
This is where most small business AI sits. The tier covers AI systems that interact with humans (chatbots, voice agents), AI that generates content shown to the public (text, image, audio, video), deepfakes, and emotion or biometric categorisation outside the prohibited contexts. The obligation is simple in principle: you must clearly disclose that AI is involved, at the right moment, in a way the user cannot miss. Fines for failing this can still reach €15 million or 3 percent of global turnover.
4. Minimal risk
Everything else. Spam filters, recommender systems behind the scenes, video game AI, internal productivity AI that does not interact with the public. No specific obligation, although the Act encourages voluntary best practices under Article 95.
Who is in scope
The Act uses five role labels for the same AI system, and the obligations differ slightly depending on which one applies to you.
- Provider. The party that develops the AI system and puts it on the market. Most obligations sit here.
- Deployer. The party that uses the AI system under its own authority. Most small businesses fall here. Article 26 spells out deployer duties.
- Distributor. The party that makes the system available without changing it.
- Importer. The party that brings an AI system into the EU from a third country.
- Authorised representative. The EU-based natural or legal person designated by a non-EU provider.
Most readers of this guide are deployers. You bought a chatbot from a vendor, you use ChatGPT to draft posts, you embed Midjourney images on your website. You are using AI systems that someone else built, and that puts you in the deployer column. Your duties are smaller than the providers' duties, but they are real and they are enforceable.
The deadlines that matter
| Date | What changes |
|---|---|
| August 1, 2024 | Act enters into force. |
| February 2, 2025 | Prohibited practices (Article 5) start to apply. |
| August 2, 2025 | General Purpose AI rules apply. The European AI Office is operational. |
| August 2, 2026 | Article 50 transparency obligations apply. High risk system obligations apply, except for the Annex III deferred categories which may move to December 2027 under the Digital Omnibus. |
| August 2, 2027 | High risk obligations for AI built into products already covered by EU safety legislation start to apply. |
What this means for your business this year
If you are a small business, an agency, or an indie SaaS founder, your priority list looks like this.
- Build an AI inventory. List every AI tool used by you and your team. Vendor, purpose, who owns it inside the business, what data it touches. A spreadsheet works. Use our inventory template to start.
- Classify each entry. Prohibited, high, limited, or minimal. Most entries will be limited or minimal.
- Add disclosure. Where your AI interacts with users or publishes content, add the visible AI disclosure now. Do not wait for August 2.
- Train your team. Article 4 introduces an "AI literacy" obligation for staff working with AI systems. A one hour internal session covering your inventory plus the disclosure rules is the minimum.
- Publish a transparency page. A short public page that lists your AI tools and links to your contact. Customers and procurement teams will start asking.
- Save evidence. Screenshots of every live disclosure, signed copies of your policy, a dated dossier. If you ever get a complaint, the dossier is what you hand over.
The questions everyone asks first
"My chatbot is just a Messenger auto reply. Am I in scope?"
Yes. Any system that uses AI to interact with humans is in scope under Article 50. The form factor (web widget, Messenger, WhatsApp, SMS, phone) does not matter. The fact that the system replies automatically using AI is what triggers the disclosure obligation.
"What if I am based in the United States?"
If your AI system is used in the EU, you are in scope. A non-EU provider often needs to appoint an EU-based authorised representative. Many SaaS companies already do this for GDPR. The same person can usually serve under the AI Act too.
"How much will it cost me?"
For limited risk systems, the marginal cost is small. The disclosure widget, the transparency page, and the dossier are mostly time, not money. For high risk systems, the cost is real (legal review, risk management system, dataset documentation, technical file, EU-database registration). If your business runs high risk AI, budget for a lawyer.
FAQ
When does the EU AI Act take effect?
The Act entered into force on August 1, 2024. Different obligations apply on different dates: prohibited practices from February 2, 2025; General Purpose AI rules from August 2, 2025; transparency obligations under Article 50 from August 2, 2026; and most other rules, including high risk system obligations, from August 2, 2026, with a possible extension to December 2, 2027 for certain Annex III systems under the Digital Omnibus proposal.
Does it apply to non-EU businesses?
Yes, if your AI system is placed on the EU market or its output is used in the EU. The reach is extraterritorial, similar to GDPR.
Who is the regulator?
Each EU member state designates a national competent authority. The European AI Office at the European Commission coordinates enforcement for General Purpose AI models and cross-border issues.
This article is for general information only and is not legal advice. For binding opinions, especially on high risk systems, consult a qualified lawyer.