Back to Journal
EU AI Act for Businesses: Obligations, Deadlines, and What to Do Now
Compliance6/29/2026

EU AI Act for Businesses: Obligations, Deadlines, and What to Do Now

MH

Marius Huinink

Author

The EU AI Act is the EU's first comprehensive AI regulation and will become binding in stages. For businesses, one thing is paramount: what obligations apply from when, and what exactly needs to be done? This article categorizes risk classes, deadlines, and measures, including the latest postponement by the Digital Omnibus.

What the Digital Omnibus Has Changed

In May 2026, the Parliament and Council agreed on the "Digital Omnibus on AI" and staggered the most demanding obligations.2 The most important points at a glance:

  • High-risk obligations postponed. Stand-alone high-risk systems under Annex III (e.g., recruiting, creditworthiness, education) will apply only from December 2, 2027, and high-risk AI embedded in products under Annex I from August 2, 2028.3
  • Transparency obligations remain. The obligations from Article 50 will apply unchanged from August 2, 2026.
  • Facilitations for smaller businesses. A new category "Small Mid-Caps" (fewer than 750 employees, maximum €150 million turnover) will receive simplified documentation, capped fines, and preferred sandbox access.3
  • The new dates will become legally binding only upon publication in the Official Journal, expected before August 2, 2026.

In short: The postponement shifts effort; it does not eliminate it. Those operating high-risk systems gain preparation time. The August 2026 deadline for transparency remains sharp for almost everyone.

What to Do from August 2, 2026

From this date, transparency obligations apply, regardless of whether you develop or merely use AI.5 Specifically:

  1. Label chatbots. Users must be able to recognize that they are speaking with AI, not with a human.
  2. Mark AI content. AI-generated or manipulated texts, images, audio, and video must be recognizable as such. Deepfakes are particularly included.
  3. Retrofit existing systems. For systems placed on the market before August 2, 2026, a grace period for machine-readable labeling applies until December 2, 2026.
  4. Define responsibilities. These points are technically manageable but require clear accountability within the organization.

Important for practice: Machine-readable labeling (watermarks, metadata) is primarily the obligation of the AI provider, not the user. As an operator, your main responsibility is visible disclosure to your users.

Understanding the Four Risk Classes

The EU AI Act regulates AI by risk, not by technology. What matters is what a system is used for and what consequences that has for people.1

  • Unacceptable Risk: prohibited practices such as social scoring. Not permissible in the EU.
  • High Risk: Systems impacting fundamental rights or safety, such as personnel selection, credit scoring, or critical infrastructure. Documentation and audit-intensive.
  • Limited Risk: Transparency obligations, such as labeling chatbots and AI content.
  • Minimal Risk: the majority of operational applications, with low requirements.

Most companies primarily operate in the minimal and limited risk categories. As soon as an application co-decides over people, for example in the application process, it moves into the high-risk class. The initial classification is therefore the most important step.

Key Deadlines at a Glance

  • Prohibited practices: since February 2025
  • Obligations for General Purpose AI Models (GPAI): since August 2025
  • Transparency obligations (Article 50): from August 2, 2026
  • High-risk systems under Annex III: from December 2, 2027
  • High-risk AI embedded in products (Annex I): from August 2, 2028

The pressure to act increases with each stage. Those who start only shortly before a deadline will face time pressure, as inventory-taking, risk assessment, and documentation require lead time.

How Strictly Is It Already Being Enforced?

An honest assessment is in order: Prohibited practices and GPAI obligations are already enforceable, and the EU Commission initiated initial checks on impermissible AI practices in early 2026.1 A wave of fines or warnings has so far failed to materialize, partly because high-risk obligations do not yet apply and authorities are still building their structures.

However, this is no reason to wait. The transparency obligations from August 2026 are real, and the foundational work (inventory, risk classes, responsibilities) cannot be caught up in a few days if an emergency arises.

Why Compliance Doesn't Work Without Governance

Compliance is the goal; governance is the path there. You need an inventory of your AI systems, a risk classification per system, a responsible person, and a process that reviews new applications before deployment. Without this structure, AI compliance remains a sporadic reaction to individual cases. The article Governance and Law in AI elaborates on how to embed this organizationally.

Implementing the EU AI Act: Five Steps to Get Started

  1. AI Inventory. Document all AI systems and tools, both internal and external. For each system, record which department it runs in, what data it processes, and who is responsible for it.
  2. Risk Classification. Assign each system to one of the four classes. Pay particular attention to applications involving personal data and those that prepare decisions about individuals.
  3. Derive Obligations. For each class, determine the specific requirements, such as transparency notices for limited risk or documentation and human oversight for high risk.
  4. Measures and Documentation. Close the gaps between the current state and obligations. Document technical specifications, risk assessments, and responsibilities in writing.
  5. Ongoing Control. Establish an approval gate for new tools and a regular audit rhythm.

What Threatens in Case of Violations

The EU AI Act provides for staggered sanctions.4 For prohibited practices, fines of up to 35 million euros or 7 percent of global annual turnover are threatened, whichever amount is higher. For violations of high-risk obligations, the range is up to 15 million euros or 3 percent. For medium-sized enterprises, the practical risk is more relevant than the maximum amount: missing documentation, unclear responsibilities, and systems whose risk class nobody has determined.

When External Consulting Is Worthwhile

Not every need requires comprehensive consulting. An honest assessment helps:

  • Pure tool training is usually best handled directly by the provider.
  • Technical integration belongs to the system integrator or IT consultant.
  • An isolated data protection or legal question is clarified by a specialized data protection officer or a law firm with AI expertise.
  • Comprehensive EU AI Act consulting is worthwhile when AI is used strategically and across departments, and strategy, governance, technology, and data protection need to be brought together.

Mini-FAQ on the EU AI Act

Does the EU AI Act also affect small businesses? Yes. The type of AI used is decisive. Even small businesses with high-risk applications fall under the stricter obligations.

Has the postponement abolished the obligations? No. Only the start of applicability for high-risk obligations has been postponed. The transparency obligations from August 2026 remain unchanged.

What is the first concrete step? An AI inventory. Without an overview of all systems, no risk class can be determined.

Do we necessarily need external consulting? Not in every case. Many steps can be completed internally. External support is particularly worthwhile for high-risk systems and cross-cutting implementation.

What You Should Do Specifically

  1. Start an AI inventory across all departments this week.
  2. Assign each system to a risk class and mark high-risk applications.
  3. Implement the transparency obligations for chatbots and AI content by August 2026.
  4. Document risk assessments, measures, and responsibilities in writing.
  5. Establish an approval gate and an audit rhythm for new systems.

Where does your company stand with the EU AI Act?

In a 30-minute AI check, we categorize your applications by risk and show which transparency and governance steps are truly necessary by August 2026. No sales pitch, no slides.

Sources & References

  1. European Commission, AI Act – Regulatory Framework (Risk Classes, Timeline, Enforcement): digital-strategy.ec.europa.eu
  2. Gibson Dunn, EU AI Act Omnibus Agreement — Postponed High-Risk Deadlines and Other Key Changes, 27.05.2026: gibsondunn.com
  3. Council of the EU (Consilium), Artificial Intelligence: Council and Parliament agree to simplify and streamline rules, 07.05.2026: consilium.europa.eu
  4. Regulation (EU) 2024/1689 (AI Act), Sanction Framework Art. 99, via EUR-Lex: eur-lex.europa.eu
  5. EU AI Act, Article 50 (Transparency Obligations for Providers and Operators): artificialintelligenceact.eu
Let's talk

Are you ready for true AI sovereignty?

Let us find out how 6Rocks can support your company.