May 19, 2026

The EU AI Act: what your company actually has to do

A plain-language walkthrough of the EU AI Act for ordinary businesses: how to rule yourself out of the heavy categories, the transparency duties that probably apply to you, and the dates that matter.

The EU AI Act is law. It entered into force on 1 August 2024 as Regulation (EU) 2024/1689, and the first obligations have been live since 2 February 2025. If your business is established in the EU, or you put AI systems on the EU market or use their output there, you are inside its scope.

For most traditional companies, the work is smaller than the headlines suggest. The question is not "do we use AI." The question that matters is where you use it, who is affected, and whether it could influence a decision that touches a person's life.

Most ordinary businesses do not sit in the banned or high-risk categories. They sit in what the Commission's risk pyramid calls limited risk, better described as transparency risk: the part of the Act (Article 50) that says you have to tell people when they are talking to a machine, looking at AI-generated content, or otherwise interacting with a system that is not human. That changes what your to-do list looks like.

If you want to confirm where you land, the European Commission publishes a free self-assessment tool: the EU AI Act compliance checker. Use it.

In shape, the AI Act is GDPR-like: risk-based, documentation-led, supervised by regulators. The analogy stops there. GDPR governs personal data; the AI Act governs AI systems. Your GDPR work does not cover this, and this does not cover GDPR. Treat them as two related disciplines.

Rule yourself out first

Before you worry about transparency notices or training plans, check that you are not in the two heavy categories. For most readers this section will be a quick "not me" — that is the point.

Prohibited uses

The AI Act bans a specific list of practices. The Commission's plain-language summary covers eight: harmful manipulation, exploitation of vulnerable groups, social scoring, predicting an individual's criminal behaviour, untargeted scraping of faces from the web or CCTV to build recognition databases, emotion recognition in workplaces and schools, biometric categorisation to infer protected traits, and real-time remote biometric identification by law enforcement in public. These almost certainly do not describe an ordinary business. The warning signs are systems that score people, infer their emotions or protected traits at work, or try to steer their behaviour without them realising. If you recognise your stack in that list, stop and get legal advice. The prohibitions have applied since 2 February 2025.

High-risk uses

High-risk does not mean banned. It means heavily regulated. The kinds of uses the Act puts in this category include CV screening or candidate ranking, employee performance scoring, loan and credit decision support, access to essential public or private services, education admission or grading, biometric identification, automated decisions in public services, and AI used as a safety component in regulated products. If any of that is you, do not try to comply with high-risk obligations from a web article. Get specialist advice and budget for real documentation work.

Not sure?

If your stomach tightened reading the two paragraphs above, run the EU's free compliance checker. It is produced by the Commission, walks you through a short questionnaire, and tells you which category each system lands in. Use it before you start spending money on consultants.

The realistic situation: transparency risk

This is where most companies actually live. The AI Act does not want to stop you using AI here. It wants the people on the other end of it to know what is going on.

You run a chatbot or voice agent

Article 50(1) of the Regulation is short and direct: AI systems intended to interact directly with people must be designed and developed so that those people are informed they are interacting with an AI system, unless that is obvious to a reasonably well-informed, observant and circumspect person in the circumstances. The text of 50(1) is addressed to the provider, the company that builds the system, but the disclosure has to actually appear in front of your customers, on your widget and in your call flow.

In practice, "obvious" is doing less work than companies hope. A widget labelled "Chat with us" is not obviously a bot. A friendly first message that opens with "Hi, how can I help today?" is not obviously a bot either. If a customer could reasonably think they are talking to a person, you owe them a disclosure.

What that disclosure should look like:

A visible notice on the chat widget itself, written in plain language. Not buried in the terms and conditions. Not in a tooltip nobody opens. Something a person sees before they type their first question.

For a voice agent, the same rule applies on the phone. The agent should identify itself as an AI assistant at the start of the call, before it starts asking the caller questions. "Hi, this is the AI assistant for Acme Plumbing — I can book you an appointment or pass you to a human" is the kind of thing that works.

A few practical points. Article 50(1) is written for the provider, so the vendor whose chatbot you embed should have built the disclosure in. Do not rely on that split. You control the greeting, the branding and the widget copy, and if you rewrite the vendor's default opening line you can strip out the disclosure the vendor designed in. Treat it as yours to verify, and check what your contract says about who owns the user-facing text. The bar is low and the implementation cost is essentially zero, so be careful about chasing grey areas. A single sentence on first contact will usually do the job: "You're chatting with our AI assistant. Type 'human' any time to speak to a person."

You use AI to create public-facing content

If your marketing or communications team uses AI to produce anything that reaches the outside world, this section is for you. Article 50 of the Regulation handles AI-generated content in three layers, and they can overlap in ways that confuse a deployer.

The first layer is Article 50(2), the general marking duty. Providers of AI systems that generate synthetic audio, image, video, or text content must ensure the outputs are marked as artificially generated or manipulated in a machine-readable format. There is an exception for systems that only perform an assistive function for standard editing or do not substantially alter the input, so a spell-checker or a crop tool is not caught, but a generator is. The duty sits on the provider, meaning the company building the tool, not on you. But you still need to know it exists. When you pick a tool, ask the vendor what marking it applies and whether that marking survives the kinds of edits and exports your team does.

The second layer is the one that bites you directly. Article 50(4) says deployers using AI to generate or manipulate image, audio, or video content that constitutes a deep fake (content resembling real people, objects, places, or events that would falsely appear to a person to be authentic) must disclose that the content is artificially generated or manipulated. For an ordinary business, the obvious cases are AI-generated photos of people in marketing campaigns, voice clones used in ads, AI-edited product shots that look like real photography, and synthetic avatars in training videos. If a viewer could mistake the output for something real, you label it. Evidently artistic, satirical or fictional work gets a lighter regime (disclosure in a way that does not spoil the work), but a marketing photo is not that.

The third layer is the narrow text rule. AI-generated text published to inform the public on matters of public interest must be disclosed, unless a human has reviewed it and a person or organisation holds editorial responsibility. For most companies this almost never applies (you are not publishing news) and the editorial-review carve-out is wide. Note it and move on.

What "good enough" looks like: a visible label near the content. "AI-generated" or "Image generated with AI" on the asset itself, not tucked into image metadata, not in fine print three clicks away.
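The vendor question under Article 50(2), whether a machine-readable marking survives your export pipeline, is something you can test yourself rather than take on trust. The script below is an added example written for this article, not code from the Commission or from any vendor. It builds a minimal PNG that carries an assumed provenance marker in a tEXt chunk (the keyword `AIGenerated` is a placeholder; real schemes such as an IPTC Digital Source Type field or a C2PA manifest look different), then simulates an export step that keeps only the critical PNG chunks, which is what many image optimisers and CMS uploaders do, and checks whether the marker is still there afterwards. It needs only the Python standard library.

```python
"""Does a machine-readable "AI-generated" marker survive re-export?

Added example: builds a tiny PNG with an assumed tEXt provenance marker,
runs it through a simulated lossy export, and checks the marker on both sides.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Assumption: the marker is a PNG text chunk with this keyword. Real vendors
# use different schemes (IPTC Digital Source Type, C2PA manifests, ...);
# this keyword is a stand-in for the example only.
MARKER_KEYWORD = b"AIGenerated"
CRITICAL_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk, verifying signature and CRCs."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


def make_marked_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed sample: an RGB PNG of red pixels with the marker attached."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline: filter byte 0 followed by width red RGB pixels.
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    text = MARKER_KEYWORD + b"\x00" + b"true"
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", text)
            + _chunk(b"IDAT", zlib.compress(raw))
            + _chunk(b"IEND", b""))


def has_ai_marker(png: bytes) -> bool:
    """True if any text chunk (tEXt, iTXt, zTXt) carries the marker keyword."""
    for ctype, data in iter_chunks(png):
        if ctype in (b"tEXt", b"iTXt", b"zTXt"):
            keyword = data.split(b"\x00", 1)[0]
            if keyword == MARKER_KEYWORD:
                return True
    return False


def strip_reexport(png: bytes) -> bytes:
    """Simulated export that keeps only critical chunks, dropping all metadata."""
    out = PNG_SIGNATURE
    for ctype, data in iter_chunks(png):
        if ctype in CRITICAL_CHUNKS:
            out += _chunk(ctype, data)
    return out


def marker_survives(png: bytes, export) -> bool:
    """Run the asset through an export function and report whether the
    marker is present both before and after."""
    return has_ai_marker(png) and has_ai_marker(export(png))


if __name__ == "__main__":
    original = make_marked_png()
    print("marker in original:", has_ai_marker(original))
    print("marker after re-export:", has_ai_marker(strip_reexport(original)))
    print("survives this pipeline:", marker_survives(original, strip_reexport))
```

To use it against your own pipeline, replace `strip_reexport` with a function that runs a real asset through the same tools your team uses (resize, optimise, upload) and returns the bytes that end up on your site; if `marker_survives` comes back false, the vendor's marking is not the thing keeping you compliant and the visible label is.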

You use AI internally

Purely internal AI use does not directly trigger Article 50's public-facing disclosure duties. If your team uses a writing assistant to draft emails, AI to summarise a meeting, or an internal Copilot to query your own documents, you do not have to put up a sign saying "this team uses AI." The transparency duties target situations where AI touches a person outside your organisation.

Internal use is not a free pass, though. Two obligations still apply:

  1. AI literacy under Article 4. Staff using AI tools have to understand what each tool does and does not do, what data must not be entered, when human review is required, and how to spot a bad output. More on this in the next section.
  2. Data governance. The AI Act does not replace GDPR. If your internal tool processes personal data, whether employee, customer, or prospect, GDPR still applies in full. You still need a lawful basis, appropriate safeguards, and a clear answer on international transfers. Be especially careful with what staff paste into third-party AI tools that may train on inputs.

What "good enough" looks like for internal use: a short written policy that names the approved tools, the forbidden uses, and the data categories that must not be entered. Plus a named owner who can answer questions and update the policy when the tool or its scope changes. Keep it a bit boring. Boring is fine.

AI literacy is already live

Article 4 requires providers and deployers of AI systems to take measures to ensure, to their best extent, a sufficient level of AI literacy among staff and other people who operate or use AI systems on their behalf, taking into account their technical knowledge, experience, education and training, and the context the systems are used in. The duty has applied since 2 February 2025. If you have been waiting for August 2026 before doing anything, you are already behind on this one.

What Article 4 does not require: turning your employees into AI engineers. There is no obligation to put everyone through a machine-learning course, and the Commission has been clear that you do not have to measure staff knowledge with formal tests.

What it does require: role-specific understanding, calibrated to what each person actually does with AI. Different people need different things.

A general employee using an AI writing assistant needs to know what the tool is approved for, what data must not be entered, when a human should review the output, and how to escalate if something looks wrong. A short briefing and a one-page policy will usually cover them.

A manager using AI in any decision that affects people, even informally, needs more: how the tool reaches its output, what its known failure modes are, when a human must take the call, and how that human review is recorded.

A team owning a customer-facing AI system needs the deepest training, on incident response, escalation, and documentation.

What "good enough" looks like: a short, written training programme keyed to role, attendance records, and refreshers when the tool or its scope changes. Keep it practical and proportionate to the risk.

If your AI comes from a vendor

Most companies are deployers of third-party AI tools, not providers of general-purpose AI models. The heavy GPAI duties under the AI Act (technical documentation, copyright policy, public summary of training content, plus extras for models that pose systemic risk) sit on the model provider, not on you.

You still have a deployer-side duty to know what you are running. The starter questions to ask a vendor of any AI tool you rely on for anything important:

  • Which model powers the tool, and who is its provider?
  • Is the underlying model a general-purpose AI model under the Act, and is it classified as systemic-risk?
  • Can you share the technical documentation and intended-use guidance for this product?
  • What human oversight do you recommend on our side?
  • How are incidents detected, handled, and reported to us?
  • Where is AI-generated content marked or labelled, and what survives editing and export?

That is a starter list. The companion action guide (still in the works) goes further: a fuller vendor questionnaire, the kind of answers that should make you comfortable and the kind that should not, plus templates you can hand to a vendor.

Dates that matter

The AI Act applies in stages, not in one cliff edge. You have time to prepare, but the preparation starts now because some duties are already live.

The dates an ordinary business needs to know:

  • 2 February 2025 — Prohibited AI practices apply. AI literacy obligations apply.
  • 2 August 2025 — General-purpose AI model obligations enter into application.
  • 2 August 2026 — Most of the AI Act becomes broadly applicable. This is the big date for transparency duties, including the Article 50 obligations covered above.
  • 2 August 2027 — Later rules apply, including for certain high-risk AI systems embedded in regulated products, and transition periods for some GPAI models already on the market before August 2025.

If you only remember one of those, remember August 2026. That is when the transparency obligations bite.

Penalties, for context

The numbers in the Regulation are big. Up to 35 million euros or 7% of worldwide annual turnover for prohibited AI practices. Up to 15 million euros or 3% for many other infringements, including the Article 50 transparency duties. Up to 7.5 million euros or 1% for supplying incorrect, incomplete, or misleading information to authorities. For large companies the cap is whichever of the two figures is higher; for SMEs and start-ups it is whichever is lower. The high ceilings exist because the worst behaviour the Act catches is genuinely harmful, not because every chatbot is a 35-million-euro liability. A company that can show what it uses, why, and how it controls it sits in a very different position from one that cannot.

What to do this week

Adapting to regulation always takes time and effort, but here it all revolves around tools you are already using. If you can answer five questions about each AI system in your company, you are in a better place than most of your peers: what it does, who owns it, what it touches, what happens when it gets something wrong, and who checks the output.

Three concrete things you can do in the next seven days:

  1. Run the EU compliance checker on your most-used AI tools.
  2. Write down what AI you actually use. A spreadsheet is fine. If your company kept a GDPR data inventory back in 2018, this is the same shape of exercise: different list, same discipline. Doing the inventory does not satisfy GDPR, and GDPR does not satisfy this. They are parallel.
  3. Start AI training, role by role, even if it is one page per role.

Official sources and disclaimer

This article is general information, not legal advice. For high-risk or sensitive AI use, involve qualified legal counsel before you commit to a course of action.

The Commission publishes its own materials on the AI Act. These are the sources used in this article: