EU AI Act 2026: What Obligations Companies Using or Integrating AI Must Meet — A Practical Guide for Decision-Makers
The EU AI Act takes full effect on August 2, 2026. Fines of up to €35 million or 7% of global turnover. What you need to do concretely if your company uses or integrates AI.
August 2, 2026: the date no executive should ignore
On August 2, 2026, the European Artificial Intelligence Act enters full effect for the vast majority of AI systems used in business. This is not a symbolic date. It is the deadline from which regulatory authorities can impose concrete sanctions: fines of up to €35 million or 7% of global annual turnover.
If your company already uses AI — a website chatbot, a customer scoring system, an assisted recruitment tool, or any system that makes or influences decisions — there is a real probability you are subject to at least some provisions of this regulation.
What the AI Act is and why it matters
The AI Act (EU Regulation 2024/1689) is the world's first comprehensive legal framework dedicated to artificial intelligence. It entered into force in August 2024 and applies gradually, with different timelines for different categories of systems.
Unlike GDPR, which regulates personal data, the AI Act regulates AI systems and applications themselves — how they are designed, tested, documented and used.
The regulation applies to any company that develops AI systems for the European market, imports or distributes AI systems in the EU, or uses AI systems in its operations as a "deployer". This last category is most relevant for SMEs that don't produce AI but integrate it from external sources.
The regulation's logic: risk-based classification
Unacceptable risk — prohibited systems (since February 2025)
- Social scoring of citizens based on behaviour
- Subliminal manipulation of human behaviour without consent
- Real-time biometric identification in public spaces (with limited exceptions)
- Emotion inference systems in the workplace or educational institutions
Maximum penalties: up to €35 million or 7% of global turnover.
High risk — extensive obligations (from August 2, 2026)
High-risk systems include, under Annex III: recruitment and employee evaluation; credit and financial scoring; education and vocational training; essential services; administration of justice.
For these systems, deployers must: conduct a conformity assessment before deployment; maintain use logs for at least 6 months; inform employees; designate a person responsible for human oversight; notify national authorities of serious incidents.
Limited and minimal risk
Chatbots and virtual assistants are limited-risk: the main obligation is transparency. Spam filters and simple recommendations are minimal risk, with no specific obligations.
What to do concretely if your company uses AI
Step 1: Inventory existing AI systems
The first — and most urgent — step is knowing which AI systems you actually use. Many companies have adopted tools with AI components without centralised tracking: HR screening plug-ins, CRM scoring modules, departmental chatbots. Create an AI system register.
Step 2: Risk classification
Each system must be assessed: does it influence decisions affecting people's rights or opportunities? Does it process data about employees, candidates, customers? Is there automated decision-making without human intervention?
Step 3: Vendor verification
Vendors placing products on the European market have their own obligations. Request compliance documentation. Important: vendor compliance does not automatically exempt you as a deployer.
Step 4: Human oversight implementation
For high-risk systems, real (not merely formal) human oversight is mandated: define who monitors AI system decisions, how errors are managed, and how the system can be stopped if necessary.
Step 5: Documentation and logging
Implement audit logging for critical AI applications. Logs must be detailed enough to support incident investigation and accessible to authorities in case of audit.
The GDPR intersection: dual compliance framework
An AI system that processes personal data must simultaneously comply with GDPR (lawfulness of processing, data minimisation, right to erasure) and the AI Act (system transparency, technical documentation, human oversight, logging). A well-designed architecture can satisfy both sets of requirements without duplicated effort.
In November 2025, the European Commission included in the "Digital Omnibus" package a proposal to delay Annex III obligations to December 2027. On May 7, 2026, Parliament and Council reached a provisional agreement. However, this delay has not been definitively adopted. A company that has delayed preparation and finds itself without an official extension in August faces limited options and real exposure to sanctions.
How the AI Act influences AI integration decisions in 2026
- Vendor selection: prefer vendors who can document AI Act compliance
- Data architecture: clear separation between personal data and AI processes, with deletion mechanisms
- Documentation from the start: not optional for high-risk systems
- Human oversight integrated into the workflow — not a formal checkbox
The SME situation: proportional obligations
The AI Act recognises that SMEs don't have the same resources as large corporations: access to simplified technical documentation for high-risk systems; ability to use regulatory sandboxes provided by national authorities; lower fine caps for micro-enterprises.
Practical checklist before integrating any AI system
- What AI Act risk level does this system have, per the vendor's classification?
- Can the vendor provide technical documentation meeting AI Act requirements?
- Is my data processed within or outside the EU?
- Is there a zero data retention or on-premise option?
- What human oversight mechanisms are integrated into the system?
- Does the system generate audit logs accessible to me as deployer?
- How does the vendor handle security incidents and who is notified?
- Do the contractual terms explicitly mention AI Act responsibilities?
Conclusion: compliance is not a cost — it is an architecture decision
Viewed correctly, the AI Act is a set of design principles for responsible AI systems: transparency, real human oversight, documentation and logging, protection of the rights of people affected by algorithmic decisions.
At Visual AI Labs, we design AI integrations with compliance as a zero-level requirement — security architecture, logging, oversight mechanisms and documentation are part of the deliverable, not add-on options.