The EU AI Act is not a policy paper anymore. It is a live enforcement framework. The law entered into force on 1 August 2024. Some obligations have been binding since February 2025. And while the freshly negotiated Digital Omnibus—agreed by the EU institutions on 7 May 2026—has shuffled a few dates, it has not cancelled what matters: if your company places, deploys, imports, distributes, or uses AI systems affecting people in the EU, you need an inventory, a risk classification, and documentation that holds up under scrutiny.
Most companies start with a policy memo. Do not do that. Start with a list. Write down every AI tool your teams actually use—including the ones IT does not know about. Then classify them, assign an owner, and close the gaps before enforcement lands.
This guide is current as of 23 May 2026. It incorporates the Digital Omnibus provisional agreement and the latest Commission guidance. It is not legal advice. Use your own counsel for final classification decisions, especially for high-risk or cross-border systems.
The Timeline Has Shifted—Here Is What Actually Applies When
The Omnibus deal changed key dates. Several were pushed back. Some stayed. Here is the calendar now:
| Date | What applies |
|---|---|
| 2 February 2025 | General provisions, AI literacy duties (Article 4), and prohibited AI practices (Article 5) |
| 2 August 2025 | General-purpose AI model rules (Chapter V), GPAI Code of Practice, and EU governance provisions |
| 2 August 2026 | Article 50 transparency obligations apply (except synthetic content marking). Governance structure fully operational |
| 2 December 2026 | Synthetic content marking (Article 50(2)) applies. New prohibitions on CSAM and non-consensual intimate imagery (“nudifier” tools) apply |
| 2 August 2027 | National regulatory sandboxes must be operational. Original date for Annex I high-risk obligations (product-safety AI), now moved to 2 August 2028 |
| 2 December 2027 | Annex III high-risk AI obligations apply—the biggest milestone for most businesses |
| 2 August 2028 | Annex I high-risk obligations for AI covered by existing EU sectoral legislation (Machinery Regulation, Medical Device Regulation, etc.) |
December 2027 is the headline for most companies. That is when high-risk systems in employment, education, creditworthiness, insurance, essential services, law enforcement, migration, and critical infrastructure must have risk management, conformity assessment, technical documentation, logging, human oversight, and serious-incident reporting in place. But do not treat it as a distant deadline. The AI Office can already investigate, and transparency rules take effect in two months.
One caveat: the Omnibus is a provisional political agreement. Formal adoption and publication in the Official Journal must happen before 2 August 2026. But all three institutions are aligned. Plan as if these dates are final.
Risk Classes: What Your System Means for Your Obligations
The AI Act runs a risk-based pyramid. Obligations scale with your classification.
Prohibited AI
These are uses the Act treats as unacceptable. Examples include manipulative or exploitative AI practices, social scoring by public authorities, untargeted scraping of facial images, real-time remote biometric identification in public spaces for law enforcement (with narrow exceptions), and—under the Omnibus, effective 2 December 2026—AI systems that generate child sexual abuse material or non-consensual intimate imagery (“nudifier” tools).
If your system lands here, the answer is not “document it better.” It has to stop, be redesigned, or be removed from the EU market.
High-Risk AI
This is where compliance gets real. Two paths lead here. Annex I covers AI embedded as a safety component in regulated products—machinery, medical devices, toys, lifts. Annex III lists eight domains: biometrics, critical infrastructure, education, employment and worker management, access to essential private and public services, law enforcement, migration, and administration of justice.
High-risk obligations include risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy and robustness testing, cybersecurity, conformity assessment, post-market monitoring, and serious-incident reporting.
The Omnibus lets the Commission harmonize overlapping obligations where sectoral laws already impose equivalent AI-specific requirements, reducing duplication.
Limited-Risk AI
Transparency obligations under Article 50 only. Chatbots must disclose AI interaction. AI-generated synthetic audio, images, video, or text must be marked as artificially generated (from 2 December 2026). Emotion recognition and biometric categorization systems must inform exposed individuals.
Minimal-Risk AI
Spam filters, grammar checkers, and basic recommendation engines have no specific obligations. Still, keep them in the inventory. A system used for email today becomes high-risk tomorrow if wired into your hiring pipeline.
The GDPR Is Part of the Same Conversation
If you are already GDPR-compliant, roughly 20–30% of the documentation work carries over for high-risk AI. Both frameworks demand impact assessments, data governance, transparency, and accountability. The Omnibus also expanded Article 10(5) to extend the legal basis for processing special-category data for bias detection—subject to strict safeguards including pseudonymization, access controls, and timely deletion.
If your AI system processes personal data, start with existing GDPR records. Map what already covers AI Act documentation needs. Do not build parallel compliance stacks.
Who Enforces This, and What Happens If You Get It Wrong
Enforcement is a network, not a single agency. National market surveillance authorities operate in each Member State, coordinated by the European AI Office. The AI Office has direct supervisory competence over GPAI model providers and—under the Omnibus—over AI systems based on GPAI models from the same provider or group, plus AI systems integrated into very large online platforms under the Digital Services Act.
Member States designated their authorities by 2 August 2025. Regulatory sandboxes must be operational at national level by 2 August 2027, and an EU-level AI Office sandbox is being created with priority access for SMEs, startups, and small mid-caps.
Penalties follow a three-tier structure:
| Violation | Maximum fine |
|---|---|
| Prohibited AI practices (Article 5) | €35 million or 7% of worldwide annual turnover |
| Other operator obligations (high-risk, transparency, GPAI) | €15 million or 3% of worldwide annual turnover |
| Supplying incorrect, incomplete, or misleading information | €7.5 million or 1% of worldwide annual turnover |
The highest tier is always “whichever is greater.” For a company with €50 million global turnover, that is €3.5 million. Serious-incident reporting timelines are tight: 15 days for most incidents, 2 days for critical infrastructure cases. Build your reporting procedure now.
SMEs and Mid-Caps Get Targeted Relief
The Omnibus extends SME-friendly provisions to “small mid-cap” enterprises—businesses with fewer than 750 employees and under €150 million annual turnover (or €129 million balance sheet). These companies get simplified technical documentation templates, proportionate quality-management expectations, priority sandbox access, and tailored penalty caps.
Relief does not mean exemption. A small company deploying high-risk AI in hiring has the same classification obligations as a large enterprise. The templates are simpler; they still need to exist.
AI Literacy: Already in Force
Since 2 February 2025, Article 4 requires providers and deployers to ensure AI literacy among staff and anyone involved in AI operations. The Commission’s May 2025 Q&A clarified this applies broadly—not just to technical teams, but to anyone whose role touches AI systems.
This means training. Not a one-off webinar. A program that covers what AI your organization uses, what the risks are, what is prohibited, and how to escalate concerns.
The Compliance Checklist That Actually Works
Every AI system:
- Name, vendor, version, internal owner
- Intended purpose and affected people
- Risk class with rationale
- Whether personal data is processed (triggers GDPR)
- User-facing disclosures where required
- Staff training records
- Vendor model-change and update tracking
- Review date (quarterly for high-risk, biannual otherwise)
High-risk AI systems (from the applicable enforcement date):
- Documented and continuously updated risk management system
- Data governance records for training, validation, and testing—documented for bias and representativeness
- Technical documentation covering design, architecture, and intended performance
- Automated logging and audit trails
- Instructions for use with known limitations and accuracy metrics
- Defined human oversight roles and escalation paths
- Conformity assessment before market placement or service deployment
- Post-market monitoring plan
- Serious-incident reporting procedures documented and tested
General-purpose AI model use:
- Confirm your GPAI provider publishes required documentation and complies with the Code of Practice (published July 2025)
- Review contractual terms for data use, retention, and security
- Do not send sensitive data unless the contract and controls explicitly support it
- Keep prompts, outputs, and human review logs for high-impact workflows
AI Inventory Template
| Field | What to record |
|---|---|
| System name | Product, vendor, internal owner, version |
| Intended purpose | What decision, recommendation, or output it supports |
| Users | Employees, customers, contractors, public users |
| Affected people | Who experiences the impact of the system’s output |
| Data | Inputs, personal data categories, sensitive data, retention |
| Risk class | Prohibited, high-risk, limited-risk, minimal-risk |
| Rationale | Why that class was assigned—include Annex reference if applicable |
| Controls | Human review, access control, logging, monitoring |
| Documentation | Policies, testing reports, vendor docs, impact assessments |
| Review date | Next scheduled reassessment |
A Practical 45-Day Plan
Days 1–10: Inventory everything. Run discovery surveys across all departments. Include shadow AI, browser extensions with AI features, and third-party SaaS tools with AI modules.
Days 11–20: Classify each system. Flag anything touching hiring, performance management, credit, insurance, education, biometrics, legal decisions, health, or public services—those are your high-risk candidates.
Days 21–30: Collect vendor documentation: DPAs, model cards, security certifications, model-change policies. If your vendor cannot produce these, flag it.
Days 31–45: Close urgent gaps. Ensure Article 50 transparency disclosures for chatbots and AI interactions. Train staff on AI literacy. Define human oversight roles. Create logging, escalation paths, and incident-reporting procedures.
After day 45: Prioritize confirmed high-risk systems for deeper conformity assessment and post-market monitoring. December 2027 is your Annex III deadline. Use the time wisely.
FAQ
Does the AI Act apply outside the EU?
It can. If your AI system is placed on the EU market, put into service in the EU, or its output is used in the EU, you may have obligations regardless of where your company is based. US and APAC companies serving EU customers are not exempt.
Is every chatbot high-risk?
No. A chatbot answering FAQ questions on a retail site is limited-risk—just disclose it is AI. A chatbot screening loan applications or evaluating job candidates is a different story. Classification follows the use case, not the tool.
Do small businesses have to comply?
Yes, but with proportionality. The Omnibus extends simplified pathways to SMEs and small mid-caps. Lighter documentation templates. Priority sandbox access. But no blanket exemption. A five-person startup deploying AI in credit decisions still classifies, documents, and controls.
What should I do first?
Build the inventory. You cannot govern AI systems you have not found. If you do nothing else this quarter, find every AI system your organization touches.
Has the Digital Omnibus cancelled the high-risk deadline?
No. It postponed Annex III enforcement to 2 December 2027 and Annex I to 2 August 2028. Transparency rules still apply from 2 August 2026. The delay is a planning window, not permission to do nothing.
What is a regulatory sandbox?
A controlled environment where businesses test innovative AI under regulatory supervision before full market deployment. National sandboxes must exist by August 2027, and an EU-level sandbox run by the AI Office is being created. For novel or borderline AI, sandboxes reduce legal uncertainty.
Does the Act cover AI already in use?
Pre-existing high-risk systems are subject to post-market monitoring and incident-reporting obligations. Systems that undergo significant design modifications after enforcement dates must comply fully. Grandfathering is limited.
Verified Sources
- European Commission, “Regulatory Framework on AI,” accessed 23 May 2026: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
- European Commission AI Act Service Desk, “Timeline for the Implementation of the EU AI Act,” accessed 23 May 2026: https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act
- Council of the EU, “Council and Parliament agree to simplify and streamline rules,” 7 May 2026: https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/
- Orrick, “EU’s Digital Omnibus on AI: 7 Key Changes You Need to Know,” 7 May 2026: https://www.orrick.com/en/Insights/2026/05/EUs-Digital-Omnibus-on-AI-7-Key-Changes-You-Need-to-Know
- European Commission, “Draft guidelines on the classification of high-risk AI systems,” 19 May 2026: https://digital-strategy.ec.europa.eu/en/library/draft-commission-guidelines-classification-high-risk-ai-systems
- European Commission, “Consultation on the draft guidelines on transparency obligations,” 8 May 2026: https://digital-strategy.ec.europa.eu/en/consultations/consultation-draft-guidelines-transparency-obligations-under-ai-act
- European Commission, “The General-Purpose AI Code of Practice,” July 2025: https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai
- IAPP, “EU AI Act: Mapping the Interplays with the GDPR,” April 2026: https://iapp.org/resources/article/mapping-interplays-gdpr-eu-ai-act
- European Commission, “AI Literacy – Questions & Answers,” May 2025: https://digital-strategy.ec.europa.eu/en/faqs/ai-literacy-questions-answers
- EU AI Act, “Article 99: Penalties,” accessed 23 May 2026: https://artificialintelligenceact.eu/article/99/
- European Parliament, “Enforcement of the AI Act,” March 2026: https://epthinktank.eu/2026/03/18/enforcement-of-the-ai-act/
- DLA Piper, “Enforcement / fines in the European Union,” February 2026: https://intelligence.dlapiper.com/artificial-intelligence/?t=08-enforcement&c=EU
- NIST, “AI Risk Management Framework,” accessed 23 May 2026: https://www.nist.gov/itl/ai-risk-management-framework
- ISO, “ISO/IEC 42001 Artificial intelligence management system,” accessed 23 May 2026: https://www.iso.org/standard/42001