
The EU AI Act in Practice — What Your Company Must Do in 2026 (No Panic, No Legalese)

The EU AI Act regulates AI systems by their level of risk, not by the underlying technology. For most small and medium businesses the practical takeaway is reassuring: typical automation — an email assistant, invoice OCR, a chatbot, an internal RAG — falls into the "minimal" or "limited" risk category and requires no audits or certification. The obligations that actually touch you right now are: ensuring your staff have basic AI knowledge (AI literacy — since February 2025) and transparency (a chatbot must disclose it is a bot, AI-generated content must be labelled — from December 2026). "High risk" — with the full obligation package — appears mainly in recruitment, credit scoring, and biometrics. Fines reach €35M or 7% of global turnover, so the topic is worth understanding, but panic is a poor advisor.

The AI Act sounds scary, but 90% of SMB automation is "minimal risk" with no extra obligations. I explain the four risk tiers, the provider vs deployer distinction, what applies right now (AI literacy, chatbot transparency), when you fall into "high risk", and what a realistic compliance checklist looks like. With an up-to-date timeline after the May 2026 Digital Omnibus package.

Every other entrepreneur I talk to about deploying AI in 2026 asks the same question, with a hint of anxiety: "Won't this whole AI Act ban what I want to do? Won't I get hit with some massive fine?". It's a fair question. The bad news: the internet is flooded with clickbait headlines about "million-euro fines", making decision paralysis easy. The good news: once you break the regulation down, it turns out far more common-sense than the panicked LinkedIn posts suggest.

I'm not a lawyer — I'm an engineer who deploys these systems in real companies. This article is a practical map: where the risk actually is, and where it's just media noise. Always consult a lawyer specialising in new technologies for specific legal decisions.

First, the reassurance: 90% of SMB automation is NOT "high risk"

The biggest misconception around the AI Act goes: "if I use AI, I'm subject to strict regulation". False. The AI Act classifies systems by what you use them for, not by the fact that there's a language model inside.

If your system:

  • summarises emails and suggests replies,
  • reads invoices and writes data into your ERP,
  • answers customer questions from your knowledge base (RAG),
  • drafts proposals or marketing content,
  • categorises documents on Google Drive,

then as far as the AI Act is concerned you are in the minimal risk category. No audits, no certification, no registration in any database. The only thing that applies to you is the general obligations I'll cover in a moment.

This is a crucial shift in perspective. The regulation wasn't written to block automation in a bakery or an accounting office. It was written to control systems that genuinely decide human fates: who gets a loan, who gets hired, who gets identified by a camera on the street.

The four risk tiers — where does your system sit?

The AI Act sorts every AI system into four buckets. The higher up the pyramid, the more obligations — and the fewer companies actually land there.

/// AI ACT: PYRAMID OF RISK TIERS

UNACCEPTABLE: outright banned
Social scoring, subliminal manipulation, untargeted face scraping

HIGH RISK: strict obligations + audit
Recruitment & CV screening, credit scoring, biometrics, worker evaluation

LIMITED RISK: transparency obligation
Chatbots, content generators, deepfakes — you must inform the user

MINIMAL RISK: no extra obligations
Most SMB automation: assistants, invoice OCR, summaries, internal RAG

* The higher up the pyramid, the more obligations. Classification depends on the USE CASE, not the technology.

Unacceptable risk (banned). Practices deemed contrary to EU values — and simply illegal. Citizen social scoring, subliminal manipulation, mass scraping of facial images from the internet to build biometric databases, emotion recognition at work and school. These bans have applied since February 2025. If you're building normal business automation, you have nothing to do with them.

High risk. Systems that genuinely affect people's rights and safety. This is where the full obligation package kicks in: conformity assessment, technical documentation, human oversight, logging, data quality management. For a regular company the realistic scenarios are: automated CV screening in recruitment, creditworthiness scoring, biometric systems. If you're planning anything on this list — read on carefully.

Limited risk. This is where most human-facing systems sit: chatbots, content generators, deepfakes. There's one obligation, but it matters: transparency. The user must know they're talking to a machine, and AI-generated content must be labelled as such.

Minimal risk. Everything else — and this is where 90% of SMB automation lives. No extra legal obligations beyond the general rules (AI literacy). Deploy freely.

Provider or "deployer"? Everything hinges on this role

This distinction confuses the most people, yet it's fundamental. The AI Act imposes different obligations depending on your place in the chain.

| Role | Who it is | Your obligations | Example |
|---|---|---|---|
| Provider | Builds an AI system or places it on the market under its own brand | Full responsibility: conformity assessment, documentation, CE marking (for high risk) | OpenAI, Anthropic, a company selling its own AI product |
| Deployer | Uses an AI system in its own professional activity | Lighter: use per instructions, ensure human oversight, monitor | Your company using a chatbot or a recruitment tool |
| Importer / Distributor | Brings in a non-EU system or passes it on | Verify the provider met its obligations | An intermediary reselling a foreign AI tool |

In 99% of cases your company is a deployer — you use GPT-4o, Claude, or an off-the-shelf tool. The compliance burden for the model itself sits with the provider (OpenAI, Anthropic), not with you.

Watch out — a trap: you can unknowingly become a "provider". If you take someone else's high-risk system, put your own brand on it, or substantially change its intended purpose — legally you become the provider and inherit its obligations. That's why deployment architecture is worth thinking through from the start.

What applies RIGHT NOW: AI literacy and prohibited practices

Here's the part many companies miss: parts of the AI Act are already in force, regardless of your system's risk level.

1. AI literacy (Art. 4). Since February 2025 every organisation using AI must ensure that the people operating these systems have a "sufficient level of AI knowledge" — understanding how the tool works, its limitations, and the risks it carries. It sounds intimidating; in practice it means a short team training and a simple AI usage policy. For a one-person company or a small team that's an hour of training and a one-page document, not a costly project.

2. Ban on unacceptable practices. Also since February 2025. If you're not building social-scoring or manipulation systems — you're done here.

That's everything that genuinely applies to most companies in mid-2026. The rest is either transparency obligations (December 2026) or the world of high risk, which you have to step into deliberately.

Transparency: your chatbot must introduce itself

If you deploy a chatbot, a voice agent, or generate content with AI — this is the one part of the regulation that genuinely applies to you in practice. The rule is common sense:

  • A chatbot must disclose it is a machine. The user must not be misled into thinking they're chatting with a human. A clear message is enough: "Hi, I'm company X's AI assistant".
  • AI-generated content must be labelled — especially images, audio, and video (deepfakes). From December 2026 there's an added requirement to mark synthetic content in a machine-readable format.
  • Emotion recognition and biometric categorisation systems must inform the people subjected to them.

In my chatbot deployments, disclosing the AI's identity is a standard element of the first message — and, interestingly, it doesn't hurt conversion. Customers prefer to know what they're dealing with. Transparency builds trust rather than destroying it.

When you actually fall into "high risk"

This is where the comfort zone ends. If your system belongs to one of the Annex III areas, the obligations rise dramatically. The most common business scenarios:

  • Recruitment and HR — automated CV screening, candidate ranking, tools deciding on promotion or dismissal. This is the most common trap: a company rolls out "AI to review CVs" and unknowingly lands in the high-risk category.
  • Credit scoring and assessment of natural persons' financial standing.
  • Biometric systems — identification, categorisation.
  • Access to public and essential services (e.g. automated benefit eligibility).
  • Education — exam grading, university admissions.

What does it mean in practice if you land there? As a deployer of a high-risk system you must, among other things: ensure human oversight of decisions, keep operation logs, monitor the system for errors, inform employees that such a system is in use, and use it according to the provider's instructions. The provider, in turn, must pass a conformity assessment.

My practical habit: if automation so much as touches recruitment, employee evaluation, or creditworthiness, I design it on the assumption that it's high risk — with a human making the final decision and a full audit trail. That's not just legal compliance; it's simply good engineering.

The AI Act implementation timeline — what and when

The regulation didn't take effect all at once. It applies in stages, and in May 2026 the EU provisionally agreed the Digital Omnibus package, which pushes back the toughest high-risk deadlines. Here's the current state as of mid-2026:

/// AI ACT IMPLEMENTATION TIMELINE

02.2025  Prohibited practices + AI literacy (in force)
08.2025  Rules for GPAI models (in force)
08.2026  Full GPAI enforcement (fines)
12.2026  Labelling of AI-generated content
12.2027  High risk — Annex III (post-Omnibus)
08.2028  High risk embedded in products — Annex I

* High-risk deadlines deferred by the Digital Omnibus package (provisional agreement May 2026). Dates may still change.

  • August 2024 — the regulation enters into force.
  • February 2025 — bans on unacceptable practices and the AI literacy obligation start to apply.
  • August 2025 — rules for general-purpose AI models (GPAI) kick in — they apply to model providers, not to you.
  • August 2026 — the AI Office gains full powers to enforce the GPAI rules (fines for model providers up to €15M / 3% of turnover).
  • December 2026 — full transparency obligations, including marking synthetic content in a machine-readable format.
  • December 2027 — obligations for high-risk Annex III systems (deferred from August 2026 by the Omnibus).
  • August 2028 — high risk embedded in regulated products (Annex I).

Important caveat: as of June 2026 the Digital Omnibus package is at the provisional agreement stage; formal adoption by Parliament and Council is expected before August 2026. The dates may still shift slightly — follow official announcements before basing your rollout plan on them.

Fines — how much can you really pay

Headlines threaten "millions". Yes, the maximum rates are high, but they scale to the severity of the breach and the size of the company:

| Type of breach | Maximum fine | What it covers |
|---|---|---|
| Using prohibited practices | €35M or 7% of global turnover | Social scoring, manipulation, banned biometrics |
| Breach of obligations (e.g. high risk, transparency) | €15M or 3% of turnover | No oversight, documentation, or labelling |
| Supplying false information to authorities | €7.5M or 1% of turnover | Misleading the regulator |

For SMBs there are proportionate caps — the lower of the two amounts is taken. The key takeaway: maximum fines target companies knowingly using prohibited practices, not a bakery with a chatbot that forgot one sentence in its policy. But that's no reason to ignore the topic — because the simple obligations (transparency, AI literacy) are cheap to meet.

The AI Act is not GDPR — though they play on the same team

A common question: "if I'm GDPR-compliant, is the AI Act handled?". No. These are two different regulations that complement each other.

  • GDPR protects personal data — *what data* you process and on what basis.
  • The AI Act regulates the *AI system* — how it works, how risky it is, whether it's transparent.

You can be 100% GDPR-compliant (you mask PII, you have a DPA with the provider) and still breach the AI Act (e.g. hiding that the chatbot is a bot). And vice versa. In practice I design deployments to satisfy both at once — because good data-security architecture handles most AI Act requirements "along the way" anyway.

A practical compliance checklist for your company

What exactly should you do in 2026 to sleep soundly? Here's the order I use with clients:

  1. Inventory your AI. List every place you use AI — chatbots, automations, assistants, tools with AI inside. Without a list you can't assess risk.
  2. Classify each system against the four risk tiers. In most cases everything lands in "minimal".
  3. Mark the roles. For each system, determine whether you're a deployer or (rarely) a provider.
  4. Roll out AI literacy. A short team training + a one-page AI usage policy (what's allowed, what not to paste, who's responsible).
  5. Add transparency. Every chatbot discloses it's AI. AI-generated content — labelled.
  6. For high-risk systems (if you have any) — design human oversight, logging, and monitoring; consult a lawyer on the conformity assessment.
  7. Document it. A simple register: which system, what risk, what role, what safeguards. One table is enough to start.

For a one-person company or a small team, this whole checklist is a few hours of work — not a costly compliance project.

A real case study: a chatbot and recruitment automation

Last quarter I spoke with a recruitment company that wanted two things: a website chatbot for initial candidate qualification, and "AI that would reject weak CVs on its own".

The first part — the chatbot — is limited risk. We added a clear AI identity disclosure in the first message and that was that. The second part — automatically rejecting CVs — is a classic high-risk system (Annex III, recruitment). Here we changed the architecture: the AI doesn't *reject* candidates, it pre-sorts and suggests to the recruiter, who makes the final decision. We added logging of every recommendation and a notice to candidates that an AI system takes part in the process.

Result: application review time dropped by about 60%, and the company stayed on the safe side of the AI Act — because a human still decides, and the system is transparent and auditable. That's exactly the kind of architectural decision that separates "deploying AI" from "deploying AI that won't blow up in a year".

What NOT to do — common mistakes

  • Decision paralysis. The most common and most expensive mistake: a company deploys nothing "because of the AI Act", while competitors automate and cut costs. Most of your ideas are minimal risk.
  • Hiding that the chatbot is a bot. Cheap to fix, yet it exposes you to a transparency complaint.
  • Throwing recruitment/scoring at AI without human oversight. A straight path into the high-risk category without meeting the obligations.
  • Assuming GDPR covers the AI Act. They're separate regimes.
  • Taking the provider's declarations on faith. If you buy an AI tool, check whether the provider declares AI Act compliance — especially for higher-risk systems.

Disclaimer: I'm an engineer, not a lawyer

An important honesty note: this article is a practical map of the terrain from someone who designs and deploys AI systems compliant with these requirements — not legal advice. The AI Act is complex and interpretations are still forming (the Omnibus package is the best proof that the rules are in motion). For high-risk systems and specific legal decisions, always work with a lawyer specialising in new technologies. My role is to design an architecture that meets these requirements technically — human oversight, logging, transparency, data masking.

How I can help

I run wiszniewsky.pl under my own name — as an engineer, not a middleman. When I deploy automation, I design it compliant with the AI Act and GDPR from the start: chatbots disclose they're AI; systems touching people keep a human in the decision loop; everything is logged and auditable. Compliance isn't bolted on at the end — it's part of the architecture from day one.

Not sure which risk bucket your AI systems fall into? I invite you to an AI compliance audit — I'll inventory your deployments, classify the risk, point out the real obligations, and design an architecture that meets the AI Act without blocking growth. No scaremongering, no overpaying.

Summary

The AI Act isn't there to block automation in your company — it's there to keep in check the systems that genuinely decide human fates. For most SMBs the practice comes down to three things: train your team (AI literacy), be transparent (the chatbot says it's a bot), and treat recruitment, scoring, and biometrics with due care. The rest is minimal risk, where you can automate without the brakes on.

The biggest risk in 2026 isn't an AI Act fine. It's inaction while competitors automate and cut costs — while you wait for a certainty that will never come.

/// AUTHOR
Paweł Wiszniewski – AI & Web Engineer

SEO & GEO Specialist & AI Engineer

SEO/GEO specialist (10 years) and AI engineer (3 years). I build search visibility, AI systems and automations that reduce costs and improve operational efficiency.
