The EU AI Act enters its enforcement phase: what you need to know

We’ve been hearing about the EU AI Act for years as something that would “eventually arrive”. Well, it’s here: August 2, 2026 was marked from the start as the day of full application of the regulation, and although the timeline has shifted over the past few months (we’ll get to that in the timeline below), it remains a turning point for any company using AI in Europe, or offering its services to European users.
I’ve talked to quite a few companies over the past months and I keep running into two extremes: those who believe this doesn’t apply to them because “we don’t do AI”, and those who are freezing initiatives out of fear of the regulation. I think both positions stem from not fully understanding the regulation, so this post is meant as an introduction to the key ideas, without going into legal detail.
Before anything else, two details that are often overlooked. The AI Act (Regulation (EU) 2024/1689) is a regulation, not a directive: it applies directly across all Member States without waiting for national laws. And it has extraterritorial scope: if your company is based outside the EU but your AI systems are used within European territory, it applies to you too. It’s the same Brussels effect we already saw with the GDPR.
How it rolls out: the updated timeline
The regulation doesn’t take effect all at once, it rolls out in phases. And here’s where most of the confusion comes from: in May 2026, the political agreement on the “Digital Omnibus” postponed the high-risk obligations. A lot of content published before that date says “all high-risk obligations” take effect in August 2026, and that’s no longer correct. This is the updated timeline:
The four risk levels
This is the first thing to internalize: the AI Act doesn’t regulate “AI” in the abstract, it regulates the uses we put it to. The same model can carry no obligations at all, or plenty, depending on what you use it for.
The table follows the European Commission’s official classification (note that the Commission calls the third tier “transparency risk”, not “limited risk”):
| Categoría | Unacceptable risk | High risk | Transparency risk | Minimal or no risk |
|---|---|---|---|---|
| Status | Prohibited | Strict obligations | Disclosure obligations | No obligations |
| What it is | A clear threat to people's safety, livelihoods, or rights | Uses that can pose serious risks to health, safety, or fundamental rights | Uses where people must know an AI is involved, to preserve trust | The vast majority of AI systems in use today across the EU |
| Examples | The regulation bans 8 practices:
|
|
|
|
| Obligations | None: they are directly banned |
|
| None. Voluntary codes of conduct |
| Applies from | February 2025 | December 2027 (Annex III) and August 2028 (AI embedded in products) | August 2026 | — |
Based on the European Commission’s official classification: digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
On top of this there’s a separate regime for general-purpose models (GPAI). If you’re a company that only uses these models via an API, those obligations aren’t yours, they belong to the provider. Yours depend on how you use them.
What takes effect on August 2, 2026
What takes effect now, and hasn’t been postponed, are the transparency obligations under Article 50:
- AI interaction: if your system interacts with people (a chatbot, for example), they must know they’re talking to an AI, unless it’s obvious from the context.
- Synthetic content: if you generate or manipulate images, video, or audio with AI that could appear authentic (deepfakes), you must label them as such.
- Public-interest texts: AI-generated texts published to inform the public about matters of public interest must be identified, unless there is human editorial review and responsibility.
- Technical marking: providers of generative AI must technically mark their outputs as artificially generated, in a machine-readable format.
This affects far more companies than it seems. You don’t need to train models or do credit scoring: having a customer-support chatbot or publishing AI-generated content is enough.
Penalties
The penalty regime is one of the toughest in European digital law. Fines are calculated on the fixed amount or the percentage of global annual turnover, whichever is higher:
FAQ
Does the AI Act apply to me if I only use third-party AI?
What exactly changes on August 2, 2026?
Wasn't everything postponed by the Digital Omnibus?
What happens if I use a customer-support chatbot?
Is it forbidden to use models hosted outside the EU?
The AI Act is about to enter its enforcement phase, so it’s not advisable to keep delaying work on making sure you comply with the regulation.
For most companies, the first step is simple and doesn’t require lawyers: take stock of the AI systems in use (your own and third-party), classify them by risk level, and from there work out which obligations apply and when.
–
This post is an informational introduction, not legal advice. To classify your systems and understand your specific obligations, consult specialized legal counsel.