With Regulation (EU) 2024/1689 – better known as the EU AI Act – the European Union has created the world's first comprehensive rulebook for artificial intelligence. For companies that use AI software or build AI agents, it is no longer a distant prospect: the first obligations have applied since February 2025, and more take effect in a staggered way across 2026 and 2027. This article explains, in plain language, how the AI Act works, which obligations fall on whom – and what you should do right now.
Important note: This article offers general orientation and does not constitute legal advice. Whether and how the AI Act applies to your specific use case should be clarified with qualified legal counsel.
The risk-based approach: four tiers
The heart of the AI Act is a risk-based approach. Not every AI is treated the same – what matters is the risk a system poses to people's fundamental rights, safety and health. This results in four tiers, from prohibited to largely unregulated. The higher the risk, the stricter the requirements.
| Risk tier | Examples | Obligations | Applicability |
|---|---|---|---|
| Unacceptable risk (prohibited) | Social scoring by authorities, manipulative or exploitative systems, untargeted facial recognition | Fully banned | since February 2025 |
| High risk | AI in HR/recruiting, creditworthiness assessment, critical infrastructure, medical devices | Risk management, data quality, technical documentation, human oversight, transparency, conformity assessment | staggered until ~August 2026/2027 |
| Limited risk | Chatbots, AI-generated content, deepfakes | Transparency obligations under Art. 50 (labelling) | from August 2026 |
| Minimal risk | Spam filters, AI in video games, simple recommendation systems | No specific obligations (voluntary codes of conduct) | — |
Tier 1: Prohibited practices
Certain AI applications are considered so harmful to fundamental rights that they are simply banned. These include, among others, social scoring by authorities, AI systems that deliberately manipulate human behaviour or exploit the vulnerability of protected groups, and the untargeted scraping of facial images from the internet to build recognition databases. These prohibitions have applied since February 2025 – they are the first tier of the AI Act to take effect. Breaches are penalised especially harshly.
Tier 2: High-risk AI
Most of the regulatory requirements fall on high-risk AI. This covers systems that influence consequential decisions in sensitive areas – such as AI software in HR and recruiting (candidate selection), in creditworthiness assessment, in critical infrastructure (energy, transport), or as a safety component in regulated products. Strict obligations apply to these systems:
- Risk management system: risks must be identified, assessed and mitigated across the entire lifecycle.
- Data quality (data governance): training, validation and test data must be relevant, representative and as error-free as possible.
- Technical documentation: the design, functioning and limits of the system must be documented in a traceable way.
- Human oversight: people must be able to effectively monitor the system and intervene.
- Transparency, robustness and cybersecurity: accuracy and stability must be ensured.
The applicability of these obligations is staggered: a significant part takes effect around August 2026, while for high-risk AI that acts as a safety component already subject to other product rules, a longer deadline applies until August 2027.
Tier 3: Limited risk – transparency obligations
Many AI systems used in practice fall into the limited risk category. Here, Article 50 primarily requires transparency: people must know when they are dealing with machines rather than humans.
- Chatbots and AI agents: users must be able to recognise that they are interacting with AI software – not a human.
- AI-generated content: artificially created or modified text, images, audio and video must be labelled as such in a machine-readable way.
- Deepfakes: realistic but manipulated content must be clearly disclosed as artificially generated.
Tier 4: Minimal risk
The vast majority of AI in use today – spam filters, AI in video games, simple recommendations – falls into the minimal risk category. The AI Act provides no specific obligations here. Companies can voluntarily adhere to codes of conduct, but are not required to.
GPAI: obligations for foundation models
General-purpose AI models (GPAI) – the large foundation models on which many applications are built – form a category of their own. They have been subject to their own obligations since August 2025: technical documentation, information for downstream providers, compliance with copyright law and a summary of the training data. For particularly capable models with "systemic risk", additional requirements apply, such as model evaluations and the reporting of serious incidents.
Timeline at a glance
The AI Act does not enter into force all at once, but in stages:
- February 2025: prohibitions (unacceptable risk) and the AI literacy obligation (Art. 4).
- August 2025: obligations for GPAI / foundation models, governance structures.
- August 2026: the bulk of obligations, including transparency (Art. 50) and many high-risk requirements.
- August 2027: high-risk AI as a safety component of regulated products.
Roles: provider vs. deployer
Which obligations apply to you depends on your role. The AI Act distinguishes mainly between providers – those who develop an AI system or place it on the market under their own name – and deployers – those who use an AI system under their own authority in a professional context. Providers carry the bulk of the obligations (conformity, documentation, risk management). Deployers must use the system as intended, ensure human oversight and meet their transparency obligations. Note: anyone who substantially modifies a third-party system or markets it under their own name can themselves become a provider – with all the consequences.
Key takeaway: your obligations follow from the combination of risk class and role. A deployer using a simple chatbot mainly has transparency obligations; a provider of high-risk AI carries the full programme of duties. Clarifying both is the first step towards compliance.
Penalties and fines
The AI Act is backed by significant penalties. Breaches of the prohibited practices can result in fines of up to EUR 35 million or 7% of global annual turnover – whichever is higher. For breaches of high-risk obligations and other requirements, staggered but still substantial fines apply (up to EUR 15 million or 3% of turnover). Providing incorrect or incomplete information to authorities can be penalised with up to EUR 7.5 million or 1%.
Relationship to the GDPR
The AI Act does not replace the GDPR – both apply in parallel. As soon as an AI system processes personal data (which is the rule for HR, credit or service applications), the data-protection requirements remain fully in force: a legal basis, data minimisation, data-subject rights and, where relevant, a data protection impact assessment. The AI Act adds to this, imposing product-safety-style requirements on the AI system itself. In practice, you should consider both frameworks together.
AI literacy (Art. 4)
An often-overlooked obligation that has applied since February 2025 is AI literacy under Article 4. Providers and deployers must ensure that their staff – and other people handling AI systems on their behalf – have a sufficient level of understanding. What "sufficient" means depends on prior knowledge, context and area of use. In practice, this means: training and a basic understanding of the opportunities and risks of the AI software in use are no longer optional, but mandatory.
What companies should do now
Even though not every deadline has yet taken effect, it pays to become active early. These steps create clarity and certainty:
- Inventory your AI systems: get an overview of which AI software and AI agents are actually in use in your company.
- Determine the risk class: assign each system to one of the four tiers – prohibited, high, limited or minimal.
- Clarify your role: are you the provider or the deployer of the system in question?
- Ensure transparency and labelling: identify chatbots as AI, label AI-generated content and deepfakes.
- Build documentation: store technical files, risk assessments and evidence in a structured way.
- Train employees: build and document AI literacy under Art. 4.
Conclusion
The EU AI Act is not a ban on innovation, but a framework meant to make AI reliable and trustworthy. For most companies, the bulk of their AI software will fall into the lower risk tiers – the key task is to clarify this cleanly, establish transparency and take the few high-risk cases seriously. Anyone who now takes inventory, clarifies roles and trains their team will be well positioned when the deadlines in 2026 and 2027 arrive. This overview does not, however, replace a sound legal assessment of your specific case – seek qualified legal counsel for that.
Sources & further reading
- Regulation (EU) 2024/1689 (AI Act) – official full text, EUR-Lex
- European Commission – Regulatory framework for AI
- European AI Office
- Cogitavo magazine: AI & GDPR
Linked sources as of June 2026. This article is for general information and is not legal advice.