EU AI Act Compliance Guide for Companies: What You Must Do Before August 2, 2026

2026-06-12 · 12 min read

Practical EU AI Act compliance guide for companies: who is covered, the real obligation timeline (August 2, 2026; December 2, 2026; December 2, 2027), a role-based checklist (provider vs. deployer), and the mistakes that cost up to €35M or 7% of global turnover.

Company	Visual-AI-Labs
Headquarters	Sibiu, Romania (EU)
Founded	2004 (22+ years)
Services	AI Integration, AI Automations, CRM, ERP, SaaS, Custom Software
Industries	Legal, Insurance, Healthcare, Automotive, E-commerce, Hospitality, Sports, Real Estate
Languages	English / Deutsch / Română
Delivery	World-wide architecture & engineering, delivered from Europe

On August 2, 2026, the EU AI Act becomes generally applicable. If your company runs a chatbot on its website, an AI scoring system, LLM-powered automations, or any AI integration that touches customers or employees in the EU, you will have concrete legal obligations from that date — whether you built the system yourself or merely use it.

The good news: for most companies, compliance is not a year-long legal project but a handful of clear actions that can be completed in the weeks remaining. The bad news: fines go up to €35 million or 7% of global turnover, and "we didn't know it applied to us" is not a defense.

This guide shows you exactly: whether you're covered, in which role, what obligations apply at each deadline, and what to start with today.

What the EU AI Act Is, in Short

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive law regulating artificial intelligence. It is a regulation, not a directive — it applies directly in every member state, with no national transposition needed.

The logic of the law is simple: obligations scale with risk. AI systems fall into four categories:

Unacceptable risk — banned outright (since February 2025): subliminal manipulation, social scoring, emotion recognition in the workplace, untargeted scraping of facial images.
High risk — allowed, but under strict obligations: AI used in recruitment and employee evaluation, credit scoring, education, critical infrastructure, medical devices, biometric identification.
Limited risk — transparency obligations: chatbots must disclose they are AI, generated content must be labeled.
Minimal risk — no specific obligations: spam filters, product recommendations, most internal automations.

The Real Application Timeline (2026 Update)

The timeline was recently amended through the Digital Omnibus package, so many articles from 2024–2025 are outdated. Here is the current state:

February 2, 2025 (already in force) — Bans on unacceptable-risk practices + the AI literacy obligation for staff (Art. 4).
August 2, 2025 (already in force) — Obligations for general-purpose AI models (GPAI) + governance structure and penalties.
August 2, 2026 — General applicability: transparency obligations for chatbots and systems interacting with people (Art. 50), provider obligations (Art. 9–17) and deployer obligations (Art. 26) for high-risk systems.
December 2, 2026 — Mandatory labeling of AI-generated content (deferred by 4 months from the original deadline).
December 2, 2027 — Obligations for certain high-risk categories under Annex III (biometrics, critical infrastructure, education, employment, migration) — extended from the original August 2026 deadline.

Are You Covered? The 3-Question Test

1. Do you use any AI system?

A website chatbot, an internal document assistant, customer scoring, GPT/Claude/Gemini automations, AI in recruitment, intelligent invoice OCR — they all count. If the answer is yes, the law concerns you.

2. Are you a provider or a deployer?

This is the law's central distinction, and the place where most companies misclassify themselves:

Provider — develops an AI system and places it on the market under its own name. The heavy obligations (technical documentation, risk management, CE marking for high-risk) sit here.
Deployer — uses an AI system in a professional capacity. Lighter obligations, but real ones: use according to instructions, human oversight, informing affected persons.

Watch the trap: if you take an existing model and integrate it into a product you sell under your own brand, or substantially modify it, you can become a provider without realizing it — with the full obligation package attached.

3. Do you reach people in the EU?

The law applies extraterritorially: what matters is where the system's outputs are used, not where your company or your servers are located.

Typical SME situation: chatbot for customer support + internal document assistant + automated onboarding scoring. Classification: deployer for all three. Obligations before August 2, 2026: chatbot must disclose it is AI, scoring (if it affects access to services) must be checked as potentially high-risk, and staff working with these systems must be trained. Realistic effort: 2–4 weeks.

Compliance Checklist Before August 2, 2026

Step 1: AI Inventory (Week 1)

List every AI system in the company — including those "hidden" inside the SaaS tools you use (CRM with scoring, HR tech with CV filtering, marketing automation with content generation). For each: what it does, who supplies it, what data it processes, who is affected by its outputs.

Step 2: Risk Classification (Weeks 1–2)

Classify each system: banned / high-risk / limited risk / minimal. The sensitive areas that quickly become high-risk: recruitment and employee evaluation, access to credit or insurance, education, healthcare. Chatbots and content generation are usually "limited risk" — transparency obligations, not certification.

Step 3: Role Determination (Week 2)

For each system: are you the provider or the deployer? Document the decision. If you developed — or commissioned the development of — your own AI system, analyze carefully: this is where most surprises live.

Step 4: Transparency (Weeks 2–3)

Chatbots and AI assistants must inform users they are interacting with an AI system — clearly, at first contact.
Prepare AI-generated content labeling (mandatory from December 2, 2026) — it is cheaper to build it into your workflows now than to retrofit it later.

Step 5: Minimal Governance (Weeks 3–4)

Appoint an internal AI owner (this doesn't have to be a new role — extending the DPO's remit often works).
Train the staff who use AI systems (this obligation has applied since February 2025).
Request compliance documentation from your AI vendors — you are required to use their systems according to their instructions.
For high-risk systems: ensure genuine human oversight over decisions and retain the logs.

Step 6: Technical Verification

Paper compliance doesn't survive without compliance in code: where data is hosted, who can access prompts and logs, how customer data is isolated, what happens to data sent to external AI APIs. This is where a technical AI security audit shortens the path considerably — it checks AI Act requirements and GDPR alignment in one pass, since both apply in parallel.

The Mistakes That Cost

"We just use ChatGPT, it doesn't apply to us." Professional use makes you a deployer — with transparency and training obligations already in force.
"We're a small company, this law is for corporations." Fine ceilings are lower for SMEs, but the obligations are identical. There is no size exemption.
Provider/deployer confusion. Selling a product with embedded AI under your own brand? You're probably a provider.
Ignoring the AI inside your SaaS stack. The HR system filtering CVs with AI belongs in your compliance inventory.
Postponing because "the law keeps changing." Transparency and the general framework take effect on August 2, 2026 — firmly.
Treating compliance as a purely legal project. Half the requirements are technical: logging, human oversight, data isolation, content labeling.

The Fines, Concretely

up to €35M or 7% of global turnover — for prohibited practices;
up to €15M or 3% — for violating most obligations (including transparency and high-risk obligations);
up to €7.5M or 1% — for supplying incorrect information to authorities.

The higher of the two amounts applies. For SMEs the lower amount applies — but these are still figures that can shut a company down.

How Visual-AI-Labs Helps

We build AI systems that are compliant by design — EU hosting, private models, data isolation, and built-in logging from day one, not bolted on afterwards. For existing systems, our AI security audit verifies in a single pass: your AI Act risk classification, transparency requirements, data flows to external models, and GDPR alignment — and delivers a technically prioritized remediation list, not an abstract legal memo.

Book an AI audit before August 2 →

FAQ

Does the EU AI Act apply to companies outside the EU?

Yes, if their AI systems are used in the EU or their outputs affect people in the EU. The law applies extraterritorially — company headquarters and server location are irrelevant.

What exactly happens on August 2, 2026?

The regulation becomes generally applicable: transparency obligations for chatbots and systems interacting with people, plus provider and deployer obligations for high-risk systems (except the categories deferred to December 2027).

We only use ChatGPT/Claude/Gemini via subscription. Do we have obligations?

Yes. Professional use classifies you as a deployer: staff must be trained (in force since February 2025), and if the AI interacts with customers or generates public content, transparency obligations apply.

Does our chatbot have to say it is AI?

Yes, from August 2, 2026. The disclosure must be clear and at first contact — not buried in terms and conditions. Exception: situations where it is obvious from context that the counterpart is an AI system.

Are we a deployer or a provider if we commissioned a custom AI application?

It depends on who places it on the market and under whose name. If the application runs internally or is offered to your customers under your brand, there is a real risk you will be classified as a provider. Put this analysis in writing before August.

Is our AI-powered recruitment system high-risk?

Almost certainly yes — recruitment, promotion and employee evaluation are explicitly listed in Annex III. The specific obligations for this category were extended to December 2, 2027, but preparation (inventory, vendor documentation, human oversight) is worth starting now.

What does the "AI literacy" obligation mean?

Staff who operate or use AI systems must have a sufficient level of understanding: what the system can and cannot do, how to verify outputs, what the risks are. The obligation has applied since February 2025 and is typically covered by documented internal training.

Does AI-generated content have to be labeled?

Yes, from December 2, 2026 (deferred from August). Text, images, audio and video generated or substantially modified by AI must be labeled as such, in a technically detectable format.

How does the AI Act interact with GDPR?

They apply in parallel; neither replaces the other. GDPR governs the personal data processed by AI systems; the AI Act governs the system itself. A serious audit checks both together.

How long does compliance realistically take for an SME?

For a deployer-only company (the typical case): 2–6 weeks — inventory, classification, chatbot transparency, training, vendor documentation. For companies with proprietary AI products or high-risk systems: 2–4 months.