The EU AI Act is the first comprehensive law governing how organisations build and deploy artificial intelligence. It applies to any organisation that places an AI system on the EU market or whose AI output reaches a European user, no matter where that organisation is based. From 2 August 2026 most of its rules are in force. If your AI touches a European citizen, this law touches you.
The fines are not symbolic. Breaking the ban on prohibited systems can cost up to 35 million euros or 7 percent of worldwide turnover, whichever is larger. This is a board-level number, which is exactly why AI governance has moved from a legal footnote to a strategy meeting.
What does the EU AI Act actually regulate?
The Act sorts AI by risk, not by industry. The same face-matching model is light-touch in a photo app and high-risk at a border. What matters is where the system is used and who it can harm. Get the classification right and the rest of the law falls into place. Get it wrong and you either over-spend on safe tools or under-protect the dangerous ones.
The four EU AI Act risk tiers, from banned to unrestricted
Every AI system lands in one of four buckets, and the bucket decides the workload.
- Unacceptable risk. Banned outright since February 2025. This covers social scoring by governments and systems built to manipulate people against their own interest.
- High risk. The heavy tier. AI used in hiring, credit scoring, education, biometrics, critical infrastructure, and essential public services. These systems carry the full weight of the law.
- Limited risk. Chatbots and generated media. The duty here is honesty: tell people when they are talking to a machine or looking at AI-made content.
- Minimal risk. Spam filters, game engines, recommendation toys. No new duties at all.
Most enterprise AI sits in the limited and minimal tiers. The work concentrates on the high-risk handful, so finding that handful is the first job.
What counts as high-risk AI under the EU AI Act?
High-risk AI systems are those deployed in eight domains where an error could damage the rights, safety, or access to services of the people affected: biometric identification, critical infrastructure, education, employment, access to essential services, law enforcement, migration, and the administration of justice. Classification depends on where the system is used, not on the technology inside it. The same computer vision model is low-risk in a photo editing tool and high-risk at a job interview. The full compliance burden of risk management, data governance, technical documentation, human oversight, and logging applies only to systems in these eight domains.
The 2026 timeline, and the deferral nobody expected
The Act arrives in waves, not all at once. Bans and staff AI literacy duties landed in February 2025. Rules for general-purpose models followed in August 2025. Most remaining rules, including the transparency duties, apply from 2 August 2026.
Then came the twist. In June 2026 the European Union agreed a simplification package known as the Digital Omnibus, which pushed the heaviest high-risk obligations under Annex III from August 2026 out to December 2027. That is relief, not reprieve. The extra sixteen months are for building real controls, not for looking away.
What must a high-risk system do?
If a system lands in the high-risk tier, the obligations are concrete and testable. Plan for all of them.
- Risk management. A living process that finds and reduces harms across the whole life of the system.
- Data governance. Training data that is relevant, representative, and checked for bias.
- Technical documentation. A written record complete enough for a regulator to understand how the system works.
- Logging. Automatic records of what the system did, so events can be traced after the fact.
- Human oversight. A person who can understand, override, and switch off the system.
- Accuracy, robustness, and cybersecurity. Proof the system performs and resists tampering.
None of this is exotic. It is ordinary engineering discipline written into law, and teams that already build carefully are halfway there.
The penalties, and who pays them
The fines climb with the severity of the breach. Prohibited practices reach 35 million euros or 7 percent of global turnover. Other breaches of the high-risk rules reach 15 million euros or 3 percent. Giving a regulator wrong or misleading information reaches 7.5 million euros or 1 percent. In every case the larger figure applies.
One point catches companies off guard. Any company that integrates a third-party AI tool into a consequential decision about a person is a deployer under the Act and must verify that the vendor has met the provider obligations before the system goes live.
Provider or deployer: who carries the obligation?
The law draws a firm line between two parties. The provider is the company that builds or places a system on the market. The deployer is the company that puts it to work for a specific use case. A procurement team that licenses an AI screening tool from a vendor is a deployer, not a provider, yet it still carries documentation, human oversight, and logging duties under Annex III. Sourcing a tool from a certified provider does not transfer the deployer obligation away, which is the single most expensive assumption a compliance team can make.
What about general-purpose AI models?
General-purpose AI models, the foundation models that sit under most enterprise AI tools, carry their own obligation tier that has applied since August 2025. Providers of models judged to pose systemic risk must run adversarial testing, report serious incidents to the EU AI Office, and publish a model evaluation. If your product is built on one of those foundation models, your due diligence starts with demanding that documentation from the vendor before a single line of your own code runs on top of it. This is where the general-purpose AI model rules and your own deployer duties meet.
A practical readiness checklist
You do not need a legal department to start. You need an honest inventory and an owner.
- List every AI system in the business, including the ones hidden inside vendor tools.
- Classify each one by risk tier, and write down why.
- Name an owner for every high-risk system.
- Write the documentation now, while the build is fresh, not the week before an audit.
- Add human oversight to anything that decides about a person.
- Check your vendors, because their gaps become your gaps.
How AiLeap makes the AI Act practical
We map your full AI estate, classify every system by risk, and close the gaps that matter before the deadline rather than after it. The output is not a binder that sits on a shelf. It is a working set of controls, documentation, and oversight that lets you keep shipping AI with confidence. Our secure AI deployment practice was built for exactly this.
Want to know where your AI sits against the Act? Talk to AiLeap for a governance review, or start with our AI Kickstart program and build compliant AI from the first line.
Ready to make the leap to AI?
Book a free 30-minute discovery call — we will pinpoint your best first AI use case.
Book a discovery call
