The EU AI Act Explained: What It Means for Your Business in 2026
A plain-English guide to the EU AI Act: risk tiers, the 2026–2028 compliance timeline, the Article 4 AI literacy duty, penalties, and the practical steps to take now.
If your organisation builds, buys, or even just uses AI (and it does), the EU AI Act now applies to you. It’s the first comprehensive AI law in the world, it reaches well beyond Europe’s borders, and after a major 2026 update its deadlines have shifted in ways most companies haven’t caught up with.
This is the plain-English version: what the law is, who it binds, the real timeline as it stands in 2026, what it costs to get wrong, and (the part that matters) what to actually do now. No legalese, no scaremongering.
I write this from the deployer’s side of the table. I spent two years building AI systems as an engineer before moving into advisory, and the questions leaders ask me about the Act are almost always the same five, so this is the briefing I wish more of them had read first.
The short version
- The EU AI Act is the world’s first comprehensive AI law. It’s risk-based, and it applies even to non-EU companies whose AI (or its output) is used in the EU.
- If your staff use AI at work, you are a deployer, and the AI literacy duty (Article 4) already applies to you, as of February 2025.
- A 2026 amendment package (the “Digital Omnibus”), agreed in principle but not yet formally adopted, defers the heavy high-risk obligations to late 2027–2028, while the bans and the literacy duty are in force now.
- Penalties run up to €35 million or 7% of global annual turnover.
- Your practical priority today: inventory your AI, classify it by risk, and close the AI literacy gap.
Quick note: this is an explainer for decision-makers, not legal advice. Where you need a compliance decision, confirm the current text with counsel, and see the moving-target warning at the end.
What the EU AI Act actually is
The EU AI Act is a risk-based regulation. Rather than policing the technology itself, it sorts AI systems by how much harm they could do and scales the obligations to match. There are four tiers:12
| Risk tier | Examples | What the law does |
|---|---|---|
| Unacceptable | Social scoring, manipulative or exploitative systems, most real-time public biometric identification | Banned outright |
| High-risk | AI in hiring, credit scoring, education, critical infrastructure, medical devices | Strict duties: risk management, data governance, human oversight, logging, conformity assessment |
| Limited | Chatbots, deepfakes, generated content | Transparency: disclose AI use and label AI-generated content |
| Minimal | Spam filters, recommendation engines, game AI | No obligations |
The vast majority of everyday AI lands in the bottom two tiers. The weight of the law falls on the high-risk category, and on the people who provide or deploy those systems.
Who it applies to (including you, probably)
The Act splits responsibility between two main roles:2
- Providers: those who develop an AI system and put it on the market or into service.
- Deployers: any organisation using an AI system under its own authority in a professional context.
That second word is the one most businesses miss. If your team uses an AI tool at work, you are a deployer, and a subset of the Act’s duties (including the AI literacy obligation) applies to you, even if you never build a thing.
And it doesn’t stop at the EU’s borders. Like the GDPR before it, the Act has extraterritorial reach: it applies to providers and deployers outside the EU whenever their AI system is used in the EU, or its output is used there.3 A company in London, New York, or Sydney serving EU customers is in scope.
The 2026 timeline: the big shift you need to know
The Act entered into force on 1 August 2024 and phases in over several years. In late 2025 the Commission tabled a major amendment package, the “Digital Omnibus”, which reached provisional political agreement in May 2026 and is expected to be formally adopted shortly after.45 Its headline effect: timeline relief on the heaviest obligations, because the supporting technical standards weren’t ready in time.
Here’s where things stand in 2026:
| Date | What applies | Status |
|---|---|---|
| 2 Feb 2025 | Banned practices + AI literacy (Article 4) | In force now |
| 2 Aug 2025 | Rules for general-purpose AI (GPAI) models + governance | In force now |
| 2 Aug 2026 | Most remaining rules; enforcement apparatus activates | In force |
| 2 Dec 2026 | New prohibitions (non-consensual intimate imagery, AI-generated CSAM); watermarking grace period ends for pre-existing systems | Agreed, pending adoption |
| 2 Dec 2027 | High-risk systems (Annex III: hiring, credit, etc.) | Deferred from Aug 2026 |
| 2 Aug 2028 | High-risk AI embedded in regulated products (Annex I: medical devices, machinery, vehicles) | Deferred |
The takeaway for decision-makers: the bans and the AI literacy duty are live today. The expensive, complex high-risk compliance work has been pushed to late 2027 and 2028, which is breathing room, not a reprieve. The smart move is to use that runway, not to forget the clock is running.
General-purpose AI (GPAI)
If you build on, fine-tune, or distribute large foundation models, a dedicated set of GPAI rules has applied since August 2025: transparency about training, technical documentation, and copyright compliance, with additional safety obligations for the most capable “systemic-risk” models. The Commission has published guidance and a voluntary Code of Practice to help providers comply.1 Most businesses consume GPAI rather than provide it, but if you’re wrapping a model into a product, check where you sit.
Article 4: the AI literacy duty (live right now)
Of all the Act’s provisions, Article 4 is the one that touches the most organisations the soonest, and it’s also the cheapest to address. It requires providers and deployers to take measures to support a sufficient level of AI literacy among staff and others operating AI on their behalf.6
Three things make it manageable:
- It’s proportionate and role-based. The required level scales with people’s technical knowledge, experience, and the context of use. The Commission has explicitly rejected one-size-fits-all training.7
- It’s an obligation of effort, not result. Even now the duty is to take measures to ensure, to your best extent, a sufficient level of literacy, not to guarantee it: you don’t have to prove everyone passed a test, you have to make a genuine, documented effort.6 The 2026 Digital Omnibus, agreed in principle but not yet adopted, would soften the wording further, from ensuring to supporting the development of AI literacy.4
- There’s no specific fine attached to it. Article 4 isn’t in the penalty schedule with its own figure. It’s supervised by national authorities and matters for diligence and reputation more than direct fines.
In other words, Article 4 is a low-cost, high-signal compliance win, and it happens to be the foundation of using AI well in the first place. We go deep on the substance in What is AI literacy?.
What it costs to get wrong
Penalties are tiered to match the risk, and they are serious at the top end:81
- Up to €35 million or 7% of global annual turnover for breaching the banned-practice rules.
- Up to €15 million or 3% of turnover for most other obligations (high-risk provider duties, transparency, value-chain information).
- Up to €7.5 million or 1% of turnover for supplying incorrect or misleading information.
Whichever figure is higher applies. For a mid-sized company, the percentage-of-turnover basis is what makes this a board-level issue rather than a line-item risk.
What to do now: a practical checklist
You don’t need a compliance department to make real progress. In order of priority:
- Inventory your AI. List every AI system your organisation builds or uses, and who uses it. You can’t classify or govern what you can’t see.
- Classify by risk tier. Most tools will be minimal or limited risk. Flag anything touching hiring, credit, education, biometrics, or safety: those are your high-risk exposures.
- Close the Article 4 gap now. Put proportionate, role-based AI literacy measures in place for your staff, and document them. This is due today and is the fastest win on the list.
- Check your GPAI position. If you’re fine-tuning or redistributing models, confirm which provider obligations attach.
- Map the 2027–2028 runway. If you have high-risk systems, start the governance work now: conformity assessment and documentation take time, and the deferred deadlines will arrive faster than they feel.
- Assign ownership. Name a person accountable for AI governance. Diffuse responsibility is how compliance gaps and bad AI decisions both happen.
What “good” looks like isn’t a binder of policies. It’s an organisation that knows what AI it uses, why, and who’s responsible, with people who have the judgment to use it well. That last part is not a compliance checkbox; it’s a competitive advantage.
Frequently asked questions
Does the EU AI Act apply to companies outside the EU?
Yes. It has extraterritorial reach: it applies to any provider or deployer whose AI system is used in the EU, or whose output is used there, regardless of where the company is based.
When does the EU AI Act take effect?
It entered into force on 1 August 2024 and phases in over years. Banned practices and the AI literacy duty have applied since 2 February 2025; GPAI rules since August 2025; and most remaining rules from 2 August 2026. After the 2026 Digital Omnibus, high-risk obligations were deferred to December 2027 (Annex III) and August 2028 (Annex I).
What are the penalties under the EU AI Act?
Up to €35 million or 7% of global annual turnover for banned practices; up to €15 million or 3% for most other breaches; and up to €7.5 million or 1% for supplying incorrect information, whichever amount is higher.
What is the Article 4 AI literacy requirement?
Article 4 requires organisations that provide or deploy AI to take proportionate, role-based measures to support AI literacy among their staff. It has applied since 2 February 2025 and is an obligation of effort rather than a guaranteed result; the 2026 Digital Omnibus, agreed but not yet adopted, would soften the wording further.
Is my company a “deployer” under the EU AI Act?
If your staff use an AI system under your authority in a professional context, yes, you’re a deployer, and the relevant deployer obligations (including AI literacy) apply, even if you never build AI yourself.
Want a clear, proportionate plan for the AI Act?
Navigating what this means for your specific business is exactly what we do at Elevia: translating the regulation into a clear, proportionate plan, and building the AI literacy your team needs to satisfy Article 4 and use AI well.
Moving-target warning: the Digital Omnibus was provisionally agreed in May 2026 but, at the time of writing, had not completed formal adoption and publication in the Official Journal. Dates and wording here reflect the agreed position; verify the final text before relying on it for a compliance decision.
Sources & further reading
Footnotes
-
EU Artificial Intelligence Act, “High-level summary”. Risk tiers, GPAI obligations, penalty structure, and implementation timeline. https://artificialintelligenceact.eu/high-level-summary/ ↩ ↩2 ↩3
-
European Commission, “Regulatory framework for AI”. Overview of the risk-based approach, provider/deployer roles, and scope. https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai ↩ ↩2
-
EU AI Act, Article 2 (Scope). The territorial reach: the Act binds providers placing AI on the EU market wherever they are established (Art. 2(1)(a)), and providers and deployers in third countries where the system’s output is used in the Union (Art. 2(1)(c)). https://artificialintelligenceact.eu/article/2/ ↩
-
Digital Omnibus on AI (European Commission). The 2026 amendment package: it would reword Article 4 to an obligation of effort, defer high-risk deadlines, and add new prohibitions. https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-ai-regulation-proposal ↩ ↩2
-
Gibson Dunn, “EU AI Act Omnibus Agreement: Postponed High-Risk Deadlines and Other Key Changes”. Analysis of the deferred timelines and penalty changes. https://www.gibsondunn.com/eu-ai-act-omnibus-agreement-postponed-high-risk-deadlines-and-other-key-changes/ ↩
-
EU AI Act, Article 4. The AI literacy obligation on providers and deployers. https://artificialintelligenceact.eu/article/4/ ↩ ↩2
-
European Commission, “AI Literacy: Questions & Answers”. Official guidance on the Article 4 timeline and the requirement for role-differentiated, proportionate training. https://digital-strategy.ec.europa.eu/en/faqs/ai-literacy-questions-answers ↩
-
EU AI Act, Article 99 (Penalties). The fine tiers: up to €35M or 7% of total worldwide annual turnover for prohibited practices, €15M or 3% for most other obligations, and €7.5M or 1% for incorrect or misleading information, whichever is higher (the lower of the two for SMEs). https://artificialintelligenceact.eu/article/99/ ↩