On August 2, important new provisions of the EU AI Act will take effect. Contrary to what one might assume at first glance, these provisions do not affect only the industry giants behind the large language models. The EU defines deployers of AI systems much more broadly: "The notion of 'deployer' referred to in this regulation should be interpreted as any natural or legal person, including a public authority, agency or other body, using an AI system under its authority, except where the AI system is used in the course of a personal non-professional activity.”, AI Act, recital (13). So every business using AI should think twice about the new regulation and whether they might be affected – especially since fines of up to 35 million euros may be imposed.
We have compiled a few key takeaways on the new regulation.
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive AI legislation, aiming to balance innovation and regulation. European policymakers believe that the revolutionary technology creates new challenges that existing laws do not address, including negative effects on personal rights and security, as well as on public safety. To prevent such consequences, the EU has defined certain uses of AI as posing an unacceptable risk and has explicitly prohibited their use. In addition, the categories "High Risk", "Limited Risk", and "Minimal Risk" have been defined, each corresponding to tiers of compliance requirements. With the new fundamental regulation, trust in the technology shall be strengthened amongst citizens. Furthermore, a single EU market for AI products and services shall be established to ensure fair competition and compliance with applicable EU standards.
.
To determine whether at all or how a business is affected by the AI Act, it is helpful to look at the four risk categories first:
|
Description |
Examples |
|
| Unacceptable risk |
AI systems that pose an unacceptable threat to safety or fundamental rights. These are generally banned.
|
|
| High risk |
AI used in areas where errors or bias could significantly affect people's lives. These systems are allowed but must comply with strict requirements.
|
|
| Medium risk |
AI systems that mainly require transparency so users know they are interacting with AI.
|
|
| Limited risk |
AI applications with little or no impact on safety or fundamental rights. These face few, if any, additional obligations under the AI Act.
|
|
Companies whose offerings fall into the first two categories are either already affected by the AI Act – since restrictions on prohibited AI have been in effect since early 2025 – or they operate in industries that are already strictly regulated.
Most private-sector companies will likely fall into categories 3 and 4, with category 4 being the least problematic and imposing virtually no additional requirements (existing regulations, such as the GDPR or specific industry guidelines, will of course continue to apply).
At this time, a major challenge for many AI use cases is the transparency requirements for category 3 as laid out in Art. 50, AI Act. However, it is unclear how these are to be implemented in practice. For this reason, the EU AI Office has published a Code of Practice (CoP). This document was drafted by eligible stakeholders who replied to a public call and was published on June 10, 2026. Currently, the code is undergoing a final assessment by the EU Commission and the AI Board.
👉 Get a breakdown of the different transparency requirements here in our free whitepaper.
Non-compliance with the AI Act can result in severe fines. The regulation allows law enforcement agencies a margin of discretion of up to €35 million or 7% of global annual turnover for certain prohibited AI violations.