EU AI Act Compliance Guide for Business Leaders

Markus Schaumberger (Managing Director D/A/CH)

The EU AI Act Is Already in Force. Most Companies Are Not Ready. Here Is What That Means for You.

Most organisations I speak with have two reactions when the EU AI Act comes up. The first is “We know it is coming. We will deal with it properly before August 2026.” The second, once they realise parts of it are already in force, is something closer to: “So what do we actually do now?”

That second reaction is the more honest one. And it is the one I hear far more often than anyone admits publicly.

The problem is that parts of it are not coming. They arrived on 2 February 2025. The AI literacy obligation under Article 4 is already law. If your employees use ChatGPT, Microsoft Copilot, or any AI tool as part of their work, and you have not put a documented training or guidance programme in place, you are already in breach.

According to the IAPP EU Digital Laws Report 2025, nearly 7 in 10 businesses report difficulty understanding their obligations under the EU AI Act. That number is not a prediction about who might fall behind. It describes where I see most organisations sitting right now: aware that something is required, uncertain about what exactly, and unsure where to begin.

This article covers what the Act actually requires, which deadlines are real, and what getting ready looks like in practice.

Five things you need to know right now

If you only have two minutes, start here. The rest of the article gives you the context behind each point.

1. The AI literacy obligation (Article 4) has been in force since 2 February 2025. It is not upcoming. It applies now.

2. The regulation applies to any organisation using AI in its business processes. You do not need to build AI to be in scope.

3. Penalties reach up to 35 million EUR or 7% of global annual turnover for the most serious violations, and up to 15 million EUR or 3% for most deployer-level non-compliance.

4. Most organisations have four gaps right now: no AI inventory, no defined governance owner, no documentation structure, and no AI literacy programme for staff.

5. The window to August 2026 is shorter than most leadership calendars currently reflect.

Not sure where your organisation stands? We walk business leaders through the practical implications in a free 45-minute session every other Thursday.

What the EU AI Act Actually Is

The EU AI Act (Regulation (EU) 2024/1689) is the European Union’s primary legal framework for artificial intelligence. It uses a risk-based approach: the higher the potential harm of an AI system, the stricter the requirements.

Here is the part that surprises most organisations. This regulation does not only target the companies building AI. Providers of high-risk systems carry the heaviest obligations, but the Act also binds deployers: the organisations using AI in their business processes.

That is your HR team running CV screening software. Your customer service department using a chatbot. Your finance function relying on AI-assisted decision support. Your procurement team using a SaaS platform with embedded AI features they may not even know are there.

If your organisation uses AI in any of these areas, you are in scope:
  • Human resources and recruitment (CV screening, performance evaluation, workforce planning)
  • Customer interactions (chatbots, virtual assistants, automated eligibility checks)
  • Decision support (credit, risk, compliance, procurement)
  • Critical operations (logistics, safety, infrastructure)
  • Content generation (copilots, document assistants, synthetic outputs)

The Dates That Actually Matter

The timeline is not one deadline. It is a series of obligations that started at different points. Several have already begun.

Last updated: May 2026, reflecting the Digital Omnibus provisional agreement of 7 May 2026.

1 August 2024: The Act entered into force across all 27 EU Member States.

2 February 2025: Banned AI practices and the AI literacy obligation under Article 4 became applicable. Both are legally enforceable right now.

2 August 2026: Transparency rules under Article 50 apply from this date. Chatbots and AI tools that interact with people must clearly identify themselves as AI. National enforcement begins on this date.

2 December 2026: Providers of generative AI systems already on the market before August 2026 must have their content marking solutions in place. A new prohibition on AI systems generating non-consensual sexual imagery or child sexual abuse material also takes effect.

2 December 2027: The strictest obligations apply for high-risk AI systems. This covers AI used in hiring, education, credit scoring, law enforcement, and critical infrastructure. The original deadline was August 2026 and was extended following the Digital Omnibus agreement of 7 May 2026.

2 August 2028: Rules for high-risk AI built into regulated products such as medical devices, machinery, and toys apply from this date.

On 7 May 2026, the EU Council and European Parliament reached a provisional political agreement on the Digital Omnibus on AI. The agreement still requires formal adoption before it becomes law, but formal endorsement is expected before August 2026. For planning purposes, December 2027 is now the operative baseline for high-risk obligations.

Two things the Omnibus did not remove. Article 5 (prohibited practices) remains fully in force. Article 4 (AI literacy) also remains in force from 2 February 2025; what the Omnibus adjusts is how that obligation is framed, moving it closer to an obligation of means than of strict result, with the Commission and Member States providing supporting guidance. Organisations deploying high-risk AI systems still carry a direct training obligation for staff responsible for human oversight. When enforcement begins in August 2026, regulators will look for evidence of a proportionate, documented approach regardless of risk tier.

The most common misconception I encounter is this: organisations believe they have a full two-year grace period until August 2026. The February 2025 obligations are not a warm-up round. They are legally enforceable right now.

The Four Risk Categories Every Deployer Must Understand

A deployer is any organisation that uses an AI system built by someone else. If your teams use Microsoft Copilot, ChatGPT, or any AI-powered tool as part of their work, your organisation is a deployer under the EU AI Act.

The Act classifies AI systems into four categories. Your obligations depend on which category your specific use cases fall into, which is why mapping them is the essential first step.

Prohibited AI covers practices that are banned outright. These include social scoring systems, real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (permitted only under narrow, strictly defined exceptions), AI systems that manipulate people through subliminal or deceptive techniques, AI that exploits the vulnerabilities of specific groups, and emotion recognition in the workplace and in education, except for medical or safety reasons. A further prohibition on AI systems generating non-consensual sexual imagery or child sexual abuse material is expected to be formally adopted before August 2026, with a compliance deadline of 2 December 2026. The existing prohibitions have been enforceable since February 2025.

High-risk AI carries the strictest obligations. This category covers AI used in hiring decisions, CV screening, performance evaluation, credit scoring, access to essential services, law enforcement, and critical infrastructure. If your organisation uses AI in any of these areas, the deployer requirements under Article 26 are significant: the system must be used according to the provider’s instructions, human oversight must be assigned to staff with the competence and training to exercise it, operation must be monitored and serious incidents reported, and the logs the system generates must be retained. Certain deployers, including public bodies, private organisations providing public services, and organisations using AI for credit scoring or for life and health insurance risk assessment, must also complete a fundamental rights impact assessment under Article 27 before first use. The planning date for these obligations is 2 December 2027, following the Digital Omnibus provisional agreement.

Transparency-required AI covers systems that interact with people directly or generate synthetic content. From 2 August 2026, any chatbot or AI copilot must clearly tell users they are interacting with AI. If your organisation produces deepfakes or AI-generated content, that content must be labelled as artificially created. Most commercial GenAI tools fall into this category.

Minimal-risk AI covers the largest share of AI use cases and carries lighter obligations. One requirement still applies here regardless: the AI literacy obligation under Article 4, which has been in force since February 2025.

The first step is knowing which of your AI use cases fall into which category. A study by appliedAI covering 106 enterprise AI systems found that 40% could not be clearly classified. Most organisations have not done this mapping yet.

What the Penalties Look Like

The EU AI Act uses a three-tier penalty structure under Article 99.

Tier 1: fines of up to 35 million EUR or 7% of global annual turnover, for violations of the prohibited AI practices under Article 5. These prohibitions have been enforceable since February 2025.

Tier 2: fines of up to 15 million EUR or 3% of global annual turnover, for non-compliance with deployer obligations under Article 26, transparency requirements under Article 50, and a range of other provisions. This is the tier most private-sector organisations need to focus on.

Tier 3: fines of up to 7.5 million EUR or 1% of global annual turnover, for supplying incorrect, incomplete or misleading information to competent authorities.

For larger enterprises, the higher of the two amounts applies. For SMEs and startups, the lower of the two applies. For context: GDPR’s maximum sits at 4% of global annual turnover; the AI Act’s top tier is 7%. National authorities begin formal enforcement from 2 August 2026.

In my experience, the penalty numbers land differently on different executives. The CFO does the maths on 3% of turnover. The General Counsel thinks about documentation gaps. The CEO thinks about how a regulator inquiry looks in the press. They are all right to be concerned. The question is not whether the exposure is real. It is whether you have started addressing it.

Why Most Organisations Are Not Ready

In working with enterprises across the DACH region, the same four gaps appear consistently. They are not unique to any industry or company size.

The invisible AI problem. Nobody has a complete picture of where AI is actually being used inside their organisation. It is not just the tools IT approved. It is the SaaS platforms with AI features quietly embedded into products your teams have used for years, the vendor systems processing customer data, and the tools individual employees started using on their own last quarter.

One of our insurance clients began a compliance check expecting a handful of relevant systems. The inventory came back with over thirty. None of them were surprises to the individual teams using them. All of them were surprises to legal, risk, and compliance.

The ownership gap. The EU AI Act touches governance, procurement, HR, IT, security, risk, compliance, and every business function using AI tools. When a question like “are we compliant with the transparency requirements for our customer chatbot?” arrives on someone’s desk, there is often no single person or function who owns the answer. Everyone has a partial view. Nobody has the complete one.

The documentation deficit. High-risk AI use cases require evidence: logs, risk assessments, human oversight records, incident processes. Even organisations that have thought seriously about compliance often have no structured approach to creating or retaining this. The IAPP puts it plainly from their readiness work with deployers: the gap is rarely legal theory. It is missing operational proof. If regulators ask, the answer cannot be “we handled it appropriately.” The answer needs to be a file.

The literacy gap. Article 4 has been applicable since 2 February 2025. The majority of organisations have not yet run any structured AI literacy programme for their employees. Every employee using an AI tool as part of their job is part of the compliance picture. For most companies, that is the majority of their workforce.

If any of these four gaps sound familiar, our free EU AI Act webinar is the right next step. In 45 minutes, we walk through how to run the AI inventory that most organisations have been putting off for months, and what the first 30 days of a compliance programme actually looks like in practice. Next session: every other Thursday.

What Getting Ready Actually Looks Like

Compliance under the EU AI Act is an operational programme, not a legal opinion you commission and file. It requires execution across multiple functions simultaneously, and it takes time to build properly.

When I work through this with leadership teams, I always start in the same place. Not governance frameworks or legal analysis. Five concrete operational areas that everything else builds on.

1. Start with the inventory. Not a rough list your IT team pulls together in an afternoon. A structured mapping of every AI system, tool, and vendor in active use, including the AI embedded in SaaS platforms your teams have been using for two years without anyone formally logging it.

2. Classify each use case against the EU AI Act’s risk categories.

3. Assign ownership: one person or function with clear authority for AI governance decisions, not a committee where everyone has a view and nobody has accountability.

4. Build human oversight mechanisms for any AI system supporting important decisions.

5. Create documentation that will hold up if a regulator asks. The logs, records, and processes that demonstrate compliance when it counts.

None of this requires slowing down AI adoption. The organisations best positioned by August 2026 are those building governance alongside their AI work, not as a separate track that starts later. GDPR taught that lesson clearly: late adopters faced last-minute panic and paid for it.

What We See in Practice

One pattern we see consistently: organisations that treat compliance as a separate legal workstream end up with two parallel efforts that never properly connect. The ones that build governance into their operating model from the start move faster.

One insurance client approached us after their legal team flagged the EU AI Act as a material risk. Their assumption was that exposure would be limited to a handful of AI tools they knew about. When we conducted the use case inventory, the picture looked different.

AI and automation were already embedded across claims processing, customer service routing, underwriting support, and several internal workflows. None of it was rogue. All of it had been introduced thoughtfully by individual teams solving real problems. But none of it had been mapped against the Act’s requirements, classified by risk level, or documented with appropriate governance evidence.

The compliance check produced a risk heatmap, an initial use case classification, and a prioritised 30/60/90-day action plan. The conversation shifted from “we need to think about this” to “here is what we are doing and who owns it.”

The EU AI Act does not require perfection. It requires evidence of a considered, proportionate, and documented approach. That is achievable. But the window to August 2026 is shorter than most executive calendars currently reflect.

Three Questions for Your Next Leadership Meeting

Bring these three questions to your next leadership discussion. The answers will tell you where you actually stand.

  1. Can we produce a complete list of every AI system, tool, and vendor in use across the business today?
    Not a rough estimate. A complete list. If the answer is no, or “probably not,” you have an AI inventory gap at the foundation of every other compliance requirement. You cannot classify risk you have not found.

  2. Do we have a defined owner for AI governance and compliance decisions?
    One person or function with clear authority and accountability. If ownership is distributed across legal, IT, risk, and business with no central coordination, every decision will take longer than it needs to and evidence will end up in the wrong places.

  3. Have our employees received any structured guidance on responsible AI use since 2 February 2025?
    Article 4 has been in force since that date. If the answer is no, that is not a future risk. It is a compliance gap that exists right now.

Where to Go From Here

If your organisation is early in this process, the most useful next step is a clear picture of what the Act means for your specific situation, mapped to your actual AI use cases, business functions, and risk profile.

We run a free 45-minute session every other Thursday for business leaders working through exactly this. No technical or legal background required. The session covers the obligations that apply to most deployers, the gaps we see consistently, and how to build a compliance approach that does not get in the way of the AI work your teams are already doing.

Ready to move? Two options.

We train your teams, including a dedicated EU AI Act programme, so compliance is handled from within. Or we handle it for you entirely as an external partner: use case inventory, risk classification, governance setup. You focus on the business. We produce the deliverables.

Frequently Asked Questions

Does the EU AI Act apply to my organisation if we only use third-party AI tools?

Yes. The Act applies to deployers, meaning organisations that use AI systems in their business processes, regardless of whether those systems were built internally or licensed from a vendor. If your teams use Microsoft Copilot, ChatGPT, Salesforce Einstein, or any AI-enabled SaaS tool in ways that affect employees, customers, or business decisions, you have deployer obligations under the Act.

When did the EU AI Act come into force, and which dates matter?

The Act entered into force on 1 August 2024. The first obligations, covering banned AI practices and the AI literacy requirement under Article 4, became applicable on 2 February 2025. Transparency rules (Article 50) for new AI systems apply from 2 August 2026, which is also when national enforcement begins. Following the Digital Omnibus provisional agreement of 7 May 2026, high-risk AI obligations under Annex III now apply from 2 December 2027, and high-risk AI embedded in regulated products from 2 August 2028, pending formal adoption. Article 5 is not affected by the Omnibus. Article 4 remains in force from 2 February 2025, with the Omnibus adjusting its character toward an obligation of means, supported by Commission and Member State guidance.

What does the AI literacy obligation under Article 4 require?

Article 4 requires providers and deployers of AI systems to take measures to ensure, to their best extent, a sufficient level of AI literacy among their staff and other persons operating or using AI systems on their behalf. This applies to any employee using AI tools as part of their work. It became applicable on 2 February 2025 and covers all AI systems regardless of risk category. The Digital Omnibus provisional agreement adjusts the character of this obligation, moving it closer to an obligation of means than of strict result, and tasks the Commission and Member States with providing supporting guidance and resources. Organisations deploying high-risk AI systems retain a direct training obligation for staff responsible for human oversight. For all deployers, the practical expectation remains: a documented and proportionate approach to AI literacy, ready to demonstrate if asked.

What are the penalties for non-compliance?

The EU AI Act uses a three-tier structure under Article 99. Violations of prohibited AI practices carry fines of up to 35 million EUR or 7% of global annual turnover, whichever is greater. Non-compliance with deployer obligations and transparency requirements carries fines of up to 15 million EUR or 3% of global annual turnover, whichever is greater. Providing incorrect, incomplete or misleading information to authorities carries fines of up to 7.5 million EUR or 1% of global annual turnover, whichever is greater. Reduced caps apply for SMEs and startups, where the lower of the two amounts applies.

Where should we start?

Start with an AI inventory: a structured mapping of which AI systems, tools, and vendors are in use across your organisation. Without that foundation, risk classification and governance cannot be built accurately. From there, a risk classification exercise maps your use cases to the relevant EU AI Act categories and identifies where the most material obligations sit. A structured diagnostic typically completes this in 2-3 weeks and produces a prioritised action plan.

Does the EU AI Act only apply to high-risk AI?

No. The AI literacy obligation under Article 4 applies regardless of risk category and has been in force since February 2025. Transparency requirements apply to chatbots, copilots, and synthetic content tools from August 2026. The stricter documentation and oversight obligations apply to high-risk systems, but even organisations with only minimal-risk AI use are within scope of the regulation.

What is the most common misconception you hear from business leaders?

Based on conversations with business leaders across the DACH region, the most common one is this: we have time. First it was “we have until August 2026.” Now, with the Digital Omnibus provisional agreement shifting high-risk obligations to December 2027, I am already hearing “well, we have even more time now.” Both miss the point. The AI literacy obligation under Article 4 has been in force since February 2025, and the prohibitions on certain AI practices have been enforceable since then too. The Omnibus did not remove Article 4: it adjusted how the obligation is framed and who supports implementation. Organisations that have not addressed it were already behind before the Omnibus. The delay on high-risk obligations does not change that.

Markus Schaumberger brings 25+ years of experience in enterprise consulting and has built high-performing teams while leading major digital transformation programs.

Markus Schaumberger

Managing Director D/A/CH, Kibo AI

Markus Schaumberger is Managing Director D/A/CH at Kibo AI, based in Bavaria. He leads enterprise client relationships across Germany, Austria and Switzerland, with a focus on AI strategy, governance, and implementation for large organisations. Before joining Kibo AI, he spent 25+ years in enterprise consulting, leading major digital transformation programmes across the DACH region.

The team behind Kibo AI has delivered 4,000+ AI and automation projects for 2,000+ clients across EMEA, the US, and APAC, including work alongside McKinsey on AI design programmes for major European insurers. Kibo provides practical governance and readiness support and does not provide formal legal advice.

EU AI Act specialist, advising deployer organisations on governance strategy and practical compliance