EU AI Act Overview: The Complete 2026 Guide
This EU AI Act overview is the plain-English map of Regulation (EU) 2024/1689 — what the law is, who it binds, how its risk tiers work, when each obligation applies, and what the Digital Omnibus is changing right now. The AI Act is the world’s first comprehensive law on artificial intelligence, and it does not switch on all at once: its duties phase in over several years, and the rules that bind your organisation depend entirely on what kind of AI you build or use and how risky that use is. By the end of this guide you will know which category you fall into and what your next deadline actually is.
EU AI Act overview: what Regulation (EU) 2024/1689 actually is
The AI Act is a single, directly applicable EU regulation — it binds every Member State without national transposition. It entered into force on 1 August 2024 and applies in phases under Article 113. Rather than regulating the technology itself, it regulates uses of AI according to the risk they pose to health, safety and fundamental rights. That risk-based design is the key to the whole law: identical software can be lightly regulated in one context and heavily regulated in another, purely because of how and where it is deployed.
The regulation applies to AI systems and to general-purpose AI (GPAI) models placed on the EU market or whose output is used in the EU — which is why it reaches far beyond Europe’s borders. A provider in the United States, the United Kingdom or anywhere else falls within scope the moment its system is made available in the EU or its outputs are used there.
Who must comply
The Act assigns obligations by role, and one organisation can hold several roles at once:
- Providers — those who develop an AI system or GPAI model (or have one developed) and place it on the market under their own name. They carry the heaviest obligations.
- Deployers — those who use an AI system under their own authority in a professional capacity. Most businesses using AI are deployers.
- Importers and distributors — those who bring a third-country system into the EU or make it available down the chain; they must verify the provider did its job.
- Product manufacturers — who integrate AI as a safety component of a regulated product.
Crucially, the Act has extraterritorial reach. If you are a non-EU company selling into the EU, or your AI’s output is used inside the EU, you are in scope regardless of where you are established — a point covered in depth in our guide for companies outside the bloc.
Quick scope test. Answer yes to any of these and you are almost certainly in scope: do you build or badge an AI system offered in the EU? Do you use AI in your business in a way that affects people in the EU? Is your AI’s output — text, images, decisions — used inside the EU, even if you operate from outside it? Scope is broad by design; when in doubt, assume you are in and classify the use.
Article 4: the AI literacy duty already in force
One obligation is easy to overlook because it sounds soft and applies to almost everyone: the AI literacy duty in Article 4, in force since 2 February 2025. It requires providers and deployers to take measures ensuring their staff — and anyone operating AI on their behalf — have a sufficient level of AI literacy, taking into account their technical knowledge, experience and the context of use. There is no certificate to earn and no prescribed curriculum, but regulators expect you to show that the people building or operating your AI understand what it does, its limits and the risks it carries. For most organisations that means a documented internal training or awareness programme, scaled to how heavily you rely on AI. It is the cheapest part of the Act to satisfy and the easiest to forget.
The four risk tiers
Everything in the Act flows from which of four risk categories a given use falls into.
| Risk tier | What it means | Examples |
|---|---|---|
| Unacceptable (prohibited) | Banned outright under Article 5 | Social scoring, manipulative techniques, untargeted facial scraping, most workplace emotion recognition |
| High-risk | Permitted but heavily regulated (Annex III stand-alone; Annex I product-embedded) | AI in recruitment, credit scoring, education, critical infrastructure, medical devices |
| Limited / transparency | Allowed, with disclosure duties under Article 50 | Chatbots, deepfakes, AI-generated content |
| Minimal | No specific obligations | Spam filters, AI in video games, inventory tools |
Most organisations discover they sit in the transparency tier — and that is exactly why Article 50, with its 2 August 2026 deadline, is the obligation that touches the widest range of businesses.
The compliance timeline, in brief
The Act’s obligations arrived (and will arrive) on staggered dates:
- 1 Aug 2024 — entry into force.
- 2 Feb 2025 — prohibited practices (Article 5) and the AI literacy duty (Article 4) apply.
- 2 Aug 2025 — GPAI model obligations, governance bodies and the penalty framework apply.
- 2 Aug 2026 — Article 50 transparency obligations apply (the next live deadline).
- 2 Dec 2027 / 2 Aug 2028 — high-risk obligations, as deferred by the Digital Omnibus (pending publication).
For the full breakdown of every milestone and what to do before each one, see our dedicated AI Act compliance timeline.
Article 50 transparency — your next deadline
Article 50 is the heart of the transparency tier and the most broadly relevant part of the Act for ordinary businesses, because it is not limited to high-risk systems. From 2 August 2026 it imposes four duties: telling people when they are interacting with an AI (Art. 50(1)); marking AI-generated audio, image, video and text in a machine-readable format (Art. 50(2)); disclosing deepfakes (Art. 50(4)); and labelling AI-generated text published on matters of public interest. Our complete guide to Article 50 transparency obligations walks through each one, and we cover the two highest-traffic cases in detail — chatbot and AI-interaction disclosure and deepfake labelling.
High-risk AI obligations (and the Digital Omnibus deferrals)
High-risk is where the Act’s compliance burden is heaviest: risk management systems, data governance, technical documentation, human oversight, accuracy and cybersecurity, conformity assessment and registration. The Act splits high-risk into two groups — stand-alone systems listed in Annex III (recruitment, credit, education, law enforcement, migration and similar) and AI embedded as a safety component of products already regulated under Annex I (such as lifts, machinery and medical devices).
In practice, providers of high-risk systems must build and maintain a documented set of controls before the system reaches the market and across its whole life:
- a continuous risk management system spanning the system’s lifecycle;
- data governance ensuring training, validation and testing data are relevant, representative and as error-free as possible;
- technical documentation and automatic record-keeping (logging);
- transparency and clear instructions for use provided to deployers;
- human oversight designed into the system;
- appropriate accuracy, robustness and cybersecurity.
Before going to market the provider must complete a conformity assessment, draw up an EU declaration of conformity, affix the CE marking and register the system in the EU database. Deployers carry lighter but real duties of their own — operating the system according to instructions, ensuring human oversight and monitoring how it performs.
These obligations were originally due on 2 August 2026 (Annex III) and 2 August 2027 (Annex I). The Digital Omnibus defers them — to 2 December 2027 for Annex III stand-alone systems and 2 August 2028 for Annex I product-embedded systems — to give the market time to finish the harmonised standards and conformity-assessment tools that high-risk compliance depends on. As noted in the status box above, those new dates are not yet binding: until the Omnibus is published in the Official Journal, the original 2 August 2026 date remains the legal text, so high-risk operators should keep preparing against it.
General-purpose AI (GPAI) models
Providers of general-purpose AI models — the large foundation models that power many downstream applications — have had their own obligations since 2 August 2025: technical documentation, copyright policies, training-data transparency summaries, and, for models posing systemic risk, additional evaluation and incident-reporting duties. If you build applications on top of someone else’s model rather than training your own, these duties largely sit with the model provider, but you remain responsible for your own system’s classification and transparency.
The Commission has backed these duties with a GPAI Code of Practice that providers can sign up to as a way of demonstrating compliance, alongside a template for the public summary of training content. Models that cross the systemic-risk threshold face the heaviest scrutiny: model evaluations, adversarial testing, systemic-risk assessment and serious-incident reporting to the AI Office.
Who enforces the EU AI Act?
Enforcement is shared between EU and national bodies. At EU level, the AI Office inside the European Commission supervises general-purpose AI models and coordinates consistent application across the Union, while the European Artificial Intelligence Board brings Member States together to align practice. At national level, each Member State designates market surveillance authorities that police AI systems in their territory, investigate complaints and impose penalties. For businesses this means your day-to-day regulator is usually national, but the rules — and the reading of GPAI obligations — are steered centrally. The slow designation of those national authorities was one of the implementation bottlenecks that prompted the Digital Omnibus in the first place.
Penalties for non-compliance
The penalty framework in Chapter XII has applied since 2 August 2025. For undertakings, the fine is the higher of a fixed amount or a percentage of total worldwide annual turnover.
| Violation | Maximum fine |
|---|---|
| Prohibited practices (Art. 5) | €35,000,000 or 7% of worldwide annual turnover |
| Most operator obligations, incl. Article 50 (Art. 99(4)) | €15,000,000 or 3% of worldwide annual turnover |
| Incorrect info to authorities (Art. 99(5)) | €7,500,000 or 1% of worldwide annual turnover |
SME and start-up protection. For SMEs and start-ups the rule inverts: each fine is capped at the lower of the fixed amount or the percentage, not the higher. If you are a small operator, that single provision can be the difference between a survivable penalty and an existential one.
The Digital Omnibus: what is changing in 2026
The Digital Omnibus on AI is the first package of amendments to the Act since its adoption. The European Parliament gave it final approval on 16 June 2026; formal adoption by the Council and publication in the Official Journal are expected before 2 August 2026. Its headline effects are the staggered high-risk deferrals above; a shortened transparency grace period that gives legacy generative AI until 2 December 2026 to meet the Article 50(2) machine-readable marking duty; the postponement of the deadline for Member States to set up AI regulatory sandboxes to 2 August 2027; and a new Article 5 prohibition on AI systems that generate non-consensual intimate imagery (“nudifiers”) and child sexual abuse material. It is worth being clear about what the Omnibus does not do: it does not weaken the prohibited-practices list, alter the four-tier structure, or touch the Article 50 transparency deadline. It is a timing-and-targeting amendment, not a rollback of the Act’s core protections. The European Commission’s AI Act resource hub tracks the official implementation materials as they are released.
How the AI Act fits with other EU rules
The AI Act does not replace your other obligations — it sits on top of them. If your AI processes personal data, the GDPR still applies in full, and the two regimes overlap heavily around transparency, lawful basis and automated decision-making. If your AI is built into a physical product, EU product-safety law and CE marking — under instruments such as the Machinery Regulation, or the Construction Products Regulation for building products — continue to apply alongside the Act’s high-risk rules, and the General Product Safety Regulation governs consumer products more broadly. The practical lesson for any overview is that AI Act compliance is rarely a standalone project: it has to be mapped against the regulations you are already subject to, so you neither duplicate work nor leave a gap between regimes.
What your business should do now
- Inventory your AI. List every AI system you provide or deploy, and every output that reaches the EU.
- Classify each use against the four risk tiers — this determines everything else.
- Prioritise Article 50. It is the next binding deadline (2 August 2026) and it is not being deferred. Implement disclosure and content-marking now.
- Keep preparing for high-risk against the original dates until the Omnibus is published, then update your roadmap to the new 2027/2028 timeline.
- Document everything. Records of classification decisions and compliance measures are your defence in any enforcement action.
Frequently asked questions
When does the EU AI Act fully apply?
It applies in phases. Prohibitions and AI literacy applied from February 2025, GPAI and penalties from August 2025, Article 50 transparency from August 2026, and high-risk obligations from December 2027 / August 2028 once the Digital Omnibus is published.
Does the EU AI Act apply to companies outside the EU?
Yes. It applies to any provider or deployer placing an AI system on the EU market or whose system’s output is used in the EU, regardless of where the company is based.
What is the next AI Act deadline?
2 August 2026 — the Article 50 transparency obligations. It has not been deferred by the Digital Omnibus.
Has the high-risk deadline been postponed?
It is being postponed to 2 December 2027 (Annex III) and 2 August 2028 (Annex I), but only once the Digital Omnibus is published in the Official Journal. Until then the original August 2026 date legally stands.
What are the fines under the AI Act?
Up to €35M or 7% of worldwide turnover for prohibited practices, €15M or 3% for most operator obligations (including Article 50), and €7.5M or 1% for supplying incorrect information — with a lower cap for SMEs.
Key takeaways
- The EU AI Act (Regulation (EU) 2024/1689) is a risk-based law that regulates uses of AI, not the technology itself, and applies in phases under Article 113.
- Your obligations depend on your role (provider, deployer, importer) and on which of the four risk tiers your use falls into.
- The next binding deadline is Article 50 transparency on 2 August 2026 — broad in scope and not deferred.
- The Digital Omnibus, approved by Parliament on 16 June 2026, defers high-risk obligations to 2 December 2027 and 2 August 2028 — binding once published in the Official Journal.
- Fines reach €35M/7%, with a lower cap for SMEs; classify your AI and prioritise Article 50 now.
Use this EU AI Act overview as your starting point, then follow the linked guides for the obligation that applies to you — and bookmark it, because we revise it the moment the Digital Omnibus is published in the Official Journal.
📋 Article 50 Transparency Compliance Pack — €67
Every Article 50 obligation, checklist, template disclosures and documentation guide — ready for the 2 August 2026 deadline. 15 pages, built for teams who need to act.
