EU AI Act 2026: A Practical Business Compliance Guide
On 2 August 2026, the core obligations of the EU AI Act (Regulation EU 2024/1689) — the world's first comprehensive AI legislation — come into force. For businesses already using or planning to deploy artificial intelligence systems, compliance moves from a recommendation to a legal obligation, with fines of up to €35 million or 7% of global turnover.
Yet the majority of SMBs and mid-sized businesses still have no clear picture of which obligations apply to them, what deadlines they must meet, or how to prepare. This guide translates the Regulation into practical language and provides a concrete action plan.
What Is the EU AI Act and Why Does It Affect Your Business?
The EU Artificial Intelligence Act (Regulation EU 2024/1689), commonly known as the EU AI Act, is the legal framework governing the development, commercialization, and use of AI systems in the European Union. It was adopted in June 2024 and applies progressively between 2025 and 2027.
Who it applies to:
- AI providers: Businesses that develop or market AI systems.
- AI users (deployers): Businesses that use AI systems in their operations (most SMBs using ChatGPT, AI agents, etc.).
- Importers and distributors: Businesses that place on the EU market AI systems developed outside Europe.
If your business uses ChatGPT, a customer service chatbot, a candidate scoring system, or any AI-based tool, the EU AI Act applies to you as an AI user. It is not only for technology companies.
The 4 Risk Levels of the EU AI Act
The EU AI Act classifies AI systems into four risk levels, each with increasing obligations:
Unacceptable Risk (Prohibited)
Systems prohibited since February 2025:
- Social scoring by governments or companies.
- Subliminal manipulation causing harm.
- Exploitation of vulnerabilities (age, disability).
- Real-time remote biometric identification in public spaces (with limited security exceptions).
- Biometric categorization based on sensitive data (race, political orientation).
High Risk
Systems with significant obligations from August 2026:
| Area | Examples |
|---|---|
| Recruitment | CV screening with AI, candidate scoring |
| Credit scoring | Automated creditworthiness assessment |
| Education | Automated evaluation systems, admissions |
| Critical infrastructure | Network, transport, energy management |
| Access to public services | Service prioritization, benefits |
| Law enforcement | Risk assessment, crime detection |
Obligations for high-risk systems:
- Documented risk management system.
- Data governance (quality, representativeness, bias minimisation).
- Complete technical documentation.
- Activity logging.
- Transparency and information provision to users.
- Effective human oversight.
- Accuracy, robustness, and cybersecurity.
- Post-market monitoring.
Limited Risk
Systems with transparency obligations:
- Chatbots and virtual assistants: Users must know they are interacting with an AI.
- Deepfakes and AI-generated content: Must be labelled as artificially generated.
- Emotion recognition systems: Must inform the user.
Most business uses of generative AI (ChatGPT, Claude, chatbots) fall into this category. The primary obligation is transparency: informing the user that they are interacting with an AI system.
Minimal Risk
The vast majority of AI systems:
- Spam filters.
- Content recommenders.
- AI-powered productivity tools.
- Internal content generation.
No specific obligations, though best practices and voluntary codes of conduct are encouraged.
What Obligations Does Your Business Have? A Practical Checklist
Most SMBs using generative AI will fall into the limited or minimal risk categories. This checklist helps you determine your obligations:
If You Use Chatbots or AI Assistants for Customers (Limited Risk)
- Inform the user that they are interacting with an AI system.
- Label AI-generated content published as public-interest information.
- Document usage internally (which system, for what purpose, who supervises it).
If You Use AI for Recruitment (High Risk)
- Conduct a fundamental rights impact assessment.
- Document the risk management system.
- Ensure human oversight in all automated decisions.
- Audit for bias on a periodic basis.
- Maintain activity logs for at least 6 months.
- Inform candidates that AI is used in the process.
If You Use Generative AI Internally (Minimal Risk)
- Establish an internal AI usage policy.
- Train your team on responsible use.
- Do not share confidential data with tools that do not guarantee your data will not be used for training.
- Verify generated content before publishing or sending to clients.
For a detailed analysis of GDPR compliance specific to AI agents, see our security and GDPR guide for enterprise AI agents.
EU AI Act Application Timeline
| Date | What comes into force |
|---|---|
| February 2025 | Prohibitions (unacceptable risk) |
| August 2025 | Obligations for general-purpose AI (GPAI) |
| August 2026 | Core obligations: high risk, transparency, governance |
| August 2027 | Obligations for high-risk systems embedded in regulated products |
August 2026 is the critical deadline for most businesses. Transparency obligations (chatbots, generated content) and high-risk obligations (recruitment, scoring) come into force on that date.
Penalties: What Non-Compliance Can Cost
The EU AI Act sets proportionate but significant penalties:
| Infringement | Maximum penalty |
|---|---|
| Using a prohibited system | €35M or 7% of global turnover |
| Breaching high-risk obligations | €15M or 3% of global turnover |
| Providing incorrect information | €7.5M or 1% of global turnover |
For SMBs, penalties are adjusted proportionally: the lesser of the two amounts (fixed or percentage of turnover) applies. But even a 1% penalty can be significant.
AESIA: Spain's AI Supervisory Authority
Spain has established AESIA (Agencia Española de Supervisión de la Inteligencia Artificial) — Spain's AI supervisory authority — based in A Coruña, as the national supervisory body for the EU AI Act. AESIA has already published 16 practical compliance guides for businesses.
AESIA resources for businesses:
- Risk assessment guides.
- Technical documentation templates.
- Regulatory sandbox to test AI systems in a controlled environment.
- Business enquiry channel.
Access the resources at aesia.digital.gob.es.
Action Plan: How to Prepare Your Business for August 2026
Phase 1: Audit (June 2026)
- AI systems inventory: List all AI systems your business uses (ChatGPT, chatbots, scoring, automations).
- Risk classification: Determine which category each system falls into using the EU AI Act table.
- Gap identification: Compare your current situation against your category's obligations.
Phase 2: Implementation (June–July 2026)
- Transparency: Add AI disclosures to all chatbots and customer-facing systems.
- Internal policy: Draft an AI usage policy for your organisation.
- Training: Train relevant teams (HR, customer service, marketing).
- Documentation: For high-risk systems, prepare technical documentation and the risk management system.
Phase 3: Monitoring (From August 2026)
- Periodic review: Review compliance quarterly.
- Updates: Keep documentation current with every system change.
- Continuous training: The EU AI Act and AESIA guidelines will evolve — keep your team informed.
The Relationship Between the EU AI Act and GDPR
The EU AI Act does not replace the GDPR: both regulations coexist and complement each other. If your AI system processes personal data (practically all of them do), you must comply with both:
| Aspect | GDPR | EU AI Act |
|---|---|---|
| Focus | Personal data protection | Safety and rights with AI |
| Applies to | Any data processing | Specific AI systems |
| Impact assessment | Mandatory for high data risk | Fundamental rights impact assessment |
| Transparency | Information about data processing | Information about AI use |
| Oversight | DPO (Data Protection Officer) | Human oversight of AI decisions |
The good news: if you already comply with the GDPR, you have a solid foundation for the EU AI Act. Data governance processes, documentation, and impact assessments are all reusable.
Conclusion: Compliance Is a Competitive Advantage, Not a Cost
Businesses that prepare proactively for the EU AI Act will gain a double advantage: they will avoid penalties and build trust with clients and partners who value responsible AI. In a market where 49% of Spanish businesses identify regulation as the primary barrier to AI adoption, demonstrating compliance is a genuine commercial differentiator.
Three immediate steps:
- Conduct an AI systems inventory this week. You cannot comply with what you have not identified.
- Classify each system by risk level. Most business uses will be limited or minimal risk.
- Add transparency notices to all chatbots and customer-facing systems before August 2026.
Need help preparing your business for the EU AI Act? At Technova Partners we advise SMBs on AI regulatory compliance and design AI implementation strategies that conform to the European Regulation. Request a consultation.