The EU AI Act is no longer a thing builders can ignore. The rules are in force, in phases, and the first enforcement actions have started. The good news: most teams are not building "high-risk" systems and the practical compliance work is mostly documentation. The bad news: a lot of vendors are selling expensive compliance solutions to problems most teams do not have.
This guide is what a normal AI-using company actually needs to do in 2026, separated from the panic.
What changed in 2026
- The high-risk system rules are live. Anything in employment, credit, education, critical infrastructure, or law enforcement now has full obligations.
- General-purpose AI model rules phase in over 2026 and 2027. Foundation model providers face most of the burden; most app builders are downstream.
- Enforcement is beginning. A handful of public investigations have started; large fines are not yet common but will be.
How the Act is structured
- Four risk tiers. Unacceptable (banned), high-risk (heavy obligations), limited-risk (transparency), minimal-risk (almost nothing).
- GPAI rules sit on top. Foundation models above certain compute thresholds have separate obligations.
- Most consumer apps are limited or minimal-risk. A chatbot is "limited" — disclose it is AI.
- High-risk is narrow but expensive. Credit scoring, hiring, school admissions, biometric ID.
- Documentation, not just behavior. A lot of the burden is paperwork.
1. Are you actually high-risk?
The Act lists eight high-risk categories. If you are not in one, the obligations are mostly transparency: tell users when they are talking to an AI, label generated content, basic disclosures.
If you are in one — hiring tools, credit scoring, education, healthcare, certain biometric systems — you have a much heavier checklist: risk management system, data governance, technical documentation, human oversight, accuracy testing, post-market monitoring.
Read the actual annex before you decide. Most "AI for X" startups are not high-risk.
2. The documentation burden
Even for limited-risk systems, documentation is the practical work. You need:
- A model card or system card describing what the AI does.
- A training data summary (what data, what sources, what filtering).
- An intended use statement and known limitations.
- A complaint and redress mechanism for users.
For high-risk systems, multiply that by 5x and add audit logs. This is where most of the compliance budget actually goes.
3. What about general-purpose AI models?
If you train and release foundation models (or fine-tune above certain thresholds), GPAI obligations apply. For most app builders, you are using someone else's foundation model — your obligation is mostly transparency to users plus passing through the provider's documentation.
OpenAI, Anthropic, Google, and Meta all publish increasingly detailed compliance docs. Use them.
Comparison: EU AI Act obligations by category in April 2026
| Category |
Examples |
Main obligations |
Cost |
| Unacceptable |
Social scoring, manipulative AI |
Banned |
— |
| High-risk |
Hiring, credit, biometrics |
Full risk mgmt, docs, oversight |
High |
| Limited-risk |
Chatbots, deepfakes |
Transparency, labelling |
Low-medium |
| Minimal-risk |
Spam filters, recommender |
Voluntary codes |
Very low |
| GPAI (foundation models) |
LLMs, large image models |
Documentation, training data summary |
High |
| GPAI with systemic risk |
Frontier models |
Add safety evals, incident reporting |
Very high |
Common mistakes to avoid
Buying a "compliance platform" before reading the Act. Most teams need a checklist and a quarterly review. Compliance SaaS is for high-risk systems and large enterprises.
Treating the Act as US-irrelevant. If you serve EU users, it applies. Geographic scope is broad.
Ignoring the GDPR overlap. Training data and user data still fall under GDPR. The AI Act is on top, not instead of.
FAQ
Does the Act apply to my US-only SaaS?
If you have any EU users, yes. If you actively block EU traffic, no — but blocking is operationally hard.
What is the worst-case fine?
Up to 7% of global annual turnover for unacceptable-tier violations. Lower tiers cap at 3% or fixed amounts. Real fines so far have been smaller while enforcement scales up.
Should I hire a compliance lead?
Only if you are high-risk or large. For most teams, a quarterly review with outside counsel is enough.
Where to go next
For related guides see AI privacy guide: protect your data, How AI companies actually make money in 2026, and How regulatory reform actually happens in 2026.