Does the EU AI Act apply to my company?

Most companies aren't AI providers but AI users - with lighter obligations. We explain who the EU AI Act covers, what's already in force, what got postponed and what to do now.

In short: most likely yes - but usually as a deployer of AI (its user), not a provider, and that means much lighter obligations. Some rules are already in force: the ban on certain uses and the AI literacy duty have applied since February 2025. The hardest deadlines (“high-risk” systems) are being pushed back - new dates have been agreed: December 2027 and August 2028, though as of June 2026 they still await formal adoption (Council and Parliament agreement). Most ordinary uses (like ChatGPT for text) are minimal risk with light requirements. Panic isn’t warranted, and neither is ignoring it. (As of June 2026; this is not legal advice.)

Does the AI Act apply to my company at all?

Most likely yes, but in a role that carries fewer obligations than you fear. The regulation distinguishes mainly two roles: the provider (who builds an AI system and puts it on the market under their own brand) and the deployer - the company that uses a ready-made system in its operations. If you use ChatGPT, a vendor’s tool or an app built on someone else’s model, you’re a deployer - and most of the compliance burden sits with the provider.

One thing is worth knowing: the AI Act has extraterritorial reach, much like the GDPR. It also covers companies outside the EU if the output of their AI system is used within the Union. For your company that means you can’t “escape” the rules by picking a vendor on another continent.

What decides your obligations - risk categories

Not the tool, but the way you use it. The AI Act sorts uses into four risk categories: unacceptable (banned), high, limited (transparency duty) and minimal. The higher the risk, the more obligations - but the vast majority of typical business uses fall into the two lightest buckets.

The key trap is that the same tool can land in different categories depending on use. ChatGPT for drafting text is minimal risk. The same ChatGPT used to automatically screen candidates’ CVs is already a high-risk use, because it concerns decisions about people. So what decides the classification is the specific use, not the mere fact of owning the tool.

Not sure which category your AI uses fall into? We’ll help you review and sort them in a free consultation - in plain language, no legal jargon.

What’s already in force, and what’s still coming?

Some rules have applied for a while, and the most serious deadlines have been postponed. It’s easiest to see in a table:

Date            | What starts applying                              | Status
----------------|---------------------------------------------------|-----------------------------------------------------------------
1 August 2024   | Regulation enters into force                      | In force
2 February 2025 | Ban on certain practices + AI literacy duty       | In force
2 August 2025   | Obligations for general-purpose AI models (GPAI)  | In force
2 August 2026   | Penalties (Art. 99) and full enforcement apply    | Comes into effect August 2026
2 December 2027 | High-risk systems (Annex III)                     | Postponement from August 2026 - agreed, awaiting formal adoption
2 August 2028   | High-risk embedded in products                    | Postponement from August 2027 - agreed, awaiting formal adoption

The postponement isn’t a rumour - the European Parliament adopted its position in March 2026, and in May the Council and Parliament agreed a joint position (part of the wider “Digital Omnibus” package). As of June 2026 the direction is settled, but the package still awaits formal adoption - it’s worth planning for the new dates without treating them as finally enacted. The practical takeaway: you have more time for the hardest part (high risk), but you aren’t off the hook for what already applies today.

What is the AI literacy duty, and why does it apply to you now?

It’s a requirement that people operating AI know what they’re doing - and it has applied since February 2025. The AI Act obliges providers and deployers to ensure a sufficient level of AI literacy among the staff using these systems. It’s not a certificate or an exam - it’s about genuine understanding of the capabilities, limits and risks of the tools your people use.

In practice this duty comes down to training the team - the same training that decides whether an AI rollout returns anything at all. It’s a rare case where a regulatory requirement and the company’s own interest line up completely: by teaching people to use AI sensibly, you meet the rule and reduce Shadow AI risk at the same time.

When does my company use “high-risk” AI?

Only in narrowly defined uses listed in the regulation - and they’re worth knowing, because they touch typical business processes. Annex III lists as high risk, among others:

  • Recruitment and HR decisions - screening candidates, filtering applications, decisions on promotion or dismissal. The most common touchpoint for an ordinary company.
  • Creditworthiness assessment of individuals - except detecting financial fraud.
  • Safety components of critical infrastructure - e.g. in managing energy or water supply or traffic.

If you use AI in one of these areas, heavier obligations apply (human oversight, documentation, data quality). If not - you most likely stay in the light categories, and common sense plus a competent team is enough.

What are the penalties?

The fines are high, but their design protects smaller companies. The AI Act sets three thresholds: up to EUR 35 million or 7% of global turnover for banned practices, up to EUR 15 million or 3% for most other breaches, and up to EUR 7.5 million or 1% for giving authorities incorrect information. For large companies, the higher of the two applies.

Here’s an important detail for smaller firms: for SMEs and startups, the lower of the two amounts applies, not the higher. And the real risk for a typical company isn’t the maximum fine for banned practices - which you probably don’t use - but small lapses in obligations that are easy to prevent early.

What should you do now?

No panic and no costly project - just a few orderly steps:

  1. Establish your role - you’re almost certainly a deployer, not a provider.
  2. Inventory your AI uses and assign each a risk category - separately, because the same tool gets classified differently.
  3. Ensure your team’s AI literacy - this applies now and is the easiest to meet.
  4. Check the high-risk areas - especially recruitment and scoring, if you use AI there.
  5. Write a short AI policy - who uses what and how. The same tool that organises compliance also organises data security.

The first step is the same as in any sensible rollout: one area, done well, before you take on the whole. We covered it in our post on where to start.

Frequently asked questions

Do I need to fear the AI Act if we only use AI for text? No. Such uses are minimal risk - without heavy obligations. What applies to you is mainly your team’s literacy and good sense with data, not procedures for high-risk systems.

Does the postponement mean I can do nothing? No. Only the obligations for high-risk systems are being postponed. Banned practices and the AI literacy duty have applied since February 2025 - regardless of the new dates.

Does the AI Act apply to a company outside the EU? Yes, if the output of its AI system is used in the Union. Being based outside the EU doesn’t exempt you - it’s the same extraterritorial mechanism as the GDPR.

Key takeaways

  • You’re most likely a user, not a provider - and that means much lighter obligations.
  • Your obligations depend on the use, not the tool - the same AI can be minimal or high risk.
  • Some rules already apply - bans and AI literacy since February 2025, regardless of postponements.
  • The hardest deadlines are being pushed back - high risk to December 2027 and August 2028 (agreed, before formal adoption) - that buys time, not exemption.
  • Penalties protect smaller firms - for SMEs the lower amount applies, not the higher.
  • Act now, without panic - establish your role, inventory your uses, train the team, write a policy.