Industry
The EU AI Act: what it actually means for businesses shipping AI
Vincent Wahidi
If you build, buy, or deploy AI that touches people in the EU, the AI Act now sets the rules you answer to. Fines for prohibited practices have applied since February 2025, and the deadline that matters for most ordinary businesses, when high-risk obligations and their penalties switch on, lands on 2 August 2026. Most teams do not need to panic. They need to know which risk tier their system falls into, and to start the documentation that tier requires.
Four tiers, and only two that cost you real effort
The Act sorts every AI system into four risk tiers. Unacceptable risk is banned outright: government social scoring, most real-time biometric identification in public spaces, and manipulation that causes harm. Those practices have been prohibited since 2 February 2025. Minimal risk, which covers most software including spam filters and recommendation engines, carries no new obligations.
Between those two extremes sit the tiers that actually shape how you build. Limited risk brings a transparency duty: tell people when they are talking to a bot, and label synthetic media. High risk is where the heavy obligations live, and where most of the compliance work and budget will go. If you cannot yet rule out high risk for a system, assume it until you can. The cost of guessing wrong points in one direction only.
What actually counts as high-risk
This is the question that decides your workload, and it is narrower than the headlines suggest. A system is high-risk in two cases. First, if it is a safety component of an already regulated product, such as a medical device, machinery, or a vehicle. Second, if it operates in one of the areas the Act lists in Annex III: hiring and worker management, access to education, credit scoring and essential financial services, essential public services and benefits, law enforcement, migration, and the administration of justice.
The common thread is consequence. If your model helps decide who gets a job, a loan, a school place, or a benefit, it is probably high-risk, and the burden is on you to show otherwise. A chatbot that answers product questions is not high-risk. The same chatbot, repurposed to screen job applicants, is.
The dates that carry fines
The Act entered into force on 1 August 2024 and switches on in stages. Prohibited practices and the AI literacy duty have applied since 2 February 2025. Obligations for general-purpose AI models, the large language models most teams now build on, applied from 2 August 2025. The date that matters most for ordinary businesses is 2 August 2026, when the high-risk requirements and the financial penalties take effect. High-risk AI embedded in regulated products gets until 2 August 2027.
The penalties are sized to be felt. Using a prohibited system can cost up to 35 million euros or 7 percent of global annual turnover, whichever is higher. Breaching the high-risk obligations can reach 15 million euros or 3 percent of turnover. Supplying regulators with incorrect or misleading information can reach 7.5 million euros or 1 percent. These are ceilings, scaled to the violation, but they are large enough that "we will deal with it later" stops being a plan.
What high-risk obligations look like in practice
Strip away the legal language and the high-risk regime is mostly good engineering discipline, written down. You need a risk management process that runs across the system's life, not a one-time sign-off. You need data governance: knowing what your training and input data is, where it came from, and how it could bias an outcome. You need technical documentation and automatic logging, so that when a decision is challenged you can reconstruct how the system reached it. You need meaningful human oversight, a person who can understand, override, and stop the system, rather than a rubber stamp. And before it goes live, a high-risk system needs a conformity assessment and registration in the EU database.
None of this is exotic. It is the same discipline that separates a model that runs in production from a demo that happens to work once.
What to do now
A short, honest checklist beats a compliance binder no one reads.
- Inventory every AI system you build or buy, including features quietly powered by a vendor's model.
- Classify each one by tier, and be strict about the high-risk areas in Annex III.
- Give each high-risk system a named owner. Compliance with no owner does not happen.
- Start the technical documentation and logging now, while the system is small. Retrofitting it later costs far more.
- Build the human-oversight path into the product, not as a bolt-on at the end.
- Read your general-purpose AI vendor's terms. Their obligations do not erase yours.
Mapping your systems to the Act's risk tiers and building the documentation each one needs is part of our AI consulting work.
Takeaway
The AI Act is less about banning AI than about forcing you to document and supervise the AI that makes consequential decisions about people. For systems that are clearly minimal or limited risk, the work is small. For high-risk systems, the work is real, and 2 August 2026 is closer than it looks. Map your systems to the tiers first. Almost everything else follows from knowing where you stand.

Vincent Wahidi
Author
Vincent Wahidi is the director of Encelyte, a computer engineer who builds production AI, automation, and custom software for enterprises across Cyprus and the wider region. He writes the strategy, cost and decision-maker pieces himself; the practical how-to guides are curated under the five mission-cat bylines below.
Read next
AI for hotels and tourism operators: beyond the chatbot
Have a problem worth solving?
Tell us what you're building or fixing. We'll reply within one business day with a clear next step.
