🧠 AI & Agents

The EU AI Act in 2026: What Actually Applies to Companies and Users

AI system supervision screens in a professional environment

The AI Act does not ban “artificial intelligence.” It classifies uses by risk and assigns duties to providers, importers, distributors and organisations deploying a system. The right question is therefore not “do we use AI?” but “for what purpose, in which role and with what impact?”

What already applies

The regulation entered into force on 1 August 2024. Prohibited practices and AI-literacy duties have applied since 2 February 2025. Governance rules and obligations for general-purpose AI models have applied since 2 August 2025.

Prohibited practices include certain harmful manipulation, social scoring, indiscriminate facial-recognition database building and emotion recognition at work or school, subject to the text's definitions and exceptions.

2 August 2026 is not one date for everything

A large part of the regulation becomes applicable on 2 August 2026, including transparency obligations. A person must be told when interacting with certain automated systems. Synthetic material, including some deepfakes and public-interest text, must be machine-identifiable or disclosed depending on the case.

The timetable for high-risk systems has, however, been moved under the simplification political agreement described by the Commission. Its official page now points to December 2027 for several standalone high-risk uses and August 2028 for systems embedded in regulated products. Companies should check consolidated and final legal texts because this timetable has changed.

The four risk levels

Unacceptable risk leads to prohibition. High risk includes certain uses in recruitment, education, critical infrastructure, essential services and safety components. Duties include risk management, data governance, documentation, logging, human oversight, robustness and post-market monitoring.

Transparency risk covers situations where people need to know that they are interacting with a machine or seeing artificial content. Minimal risk covers most ordinary systems, including spam filters and some games.

General-purpose models are not applications

A large model may become the base of thousands of products. The Act requires general-purpose model providers to provide documentation, a copyright policy and a public summary of training content. Models that may pose systemic risk have extra evaluation and mitigation duties.

A company integrating a model does not automatically inherit every provider obligation, but it must determine its own role. A substantial modification, changed purpose or high-risk use can shift responsibilities.

What a small company should do

Start with a simple register: system, supplier, data, purpose, users, decisions influenced and internal owner. Then classify risk, check contracts, document testing and create an incident process. An internal writing tool is not treated like a recruitment filter.

AI literacy does not mean training every employee to code. It means giving relevant people enough skill to understand limits, verify outputs and use the system safely.

What users will notice

The most visible changes will be notices that an automated system is involved, markings on synthetic content and more information about oversight. A label is not proof that content is true; it describes origin or process.

The verdict: the AI Act is a use-based accountability framework, not a “safe” sticker for every product. To evaluate the technology behind the word agent, begin with our complete definition of an AI agent.

✔ How we checked this

The timeline is checked against the Commission page updated 7 July 2026 and the official regulation; this article is not legal advice.

Sources

  1. AI Act — regulatory framework and application timelineEuropean Commission
  2. Regulation (EU) 2024/1689 — Artificial Intelligence ActEUR-Lex
  3. AI Act Service DeskEuropean Commission

Related reading