EU AI Act

The EU AI Act, in plain English

A European law about how AI can be built and used, in force since August 2024 and phasing in through 2028. If you run a small business, your duties are almost certainly modest and manageable. Here is what it is, who it affects, and what to actually do.

Does it apply to you?

live
No read yet
Does your team use AI tools at work?
Do you run a customer-facing chatbot or publish AI-generated content?
Do you build or sell AI that screens CVs or scores creditworthiness?
Do you have customers or users in the EU?

What it is

A risk-based rulebook for AI

A single EU-wide rule for how AI is built, sold and used. It sorts AI by how risky the use is, not by the technology, so most everyday tools carry light obligations or none.

Who it affects

Almost any company that touches AI, from using ChatGPT at work to selling a product with AI inside. What changes is not whether it applies, but how much.

Like GDPR: one EU-wide, risk-based law that also reaches companies outside the EU when they serve people inside it.

The four risk levels

From minimal to banned

The Act sorts AI into four levels. Most everyday tools sit in the bottom two.

High riskReal obligations

A defined set of sensitive uses, such as AI that screens job applicants or scores creditworthiness. Real obligations apply, but they reach a small minority of businesses and are not due until December 2027 (pending official publication).

Screening job applicantsCredit scoring
See which level your AI falls into

What you have to do

For most SMEs, hours not months

For most small businesses that simply use AI tools, this is a short, achievable list, not a compliance programme.

  • Keep staff AI literateIf your team uses AI at work, you must make sure they have a basic working understanding of what the tools can and cannot do. This has been a live duty since February 2025, and for a small team a short internal guidance note usually covers it.in force
  • Be transparent about AIFrom August 2026, if you run a customer-facing chatbot or publish AI-generated content, you have to make that clear to the people who see it. Often this just means not hiding a disclosure your vendor already provides.confirmed
  • Heavier documentation, only if you build high-risk AIFormal risk management, technical documentation and independent checks apply only to the small number of businesses building high-risk AI products, and not until December 2027.pending publication
Get your obligations, not the general list

Where things stand

From 2024 to 2028, milestone by milestone

Updated July 2026

in forceconfirmedpending publication
  1. 1 August 2024in force

    The AI Act enters into force

    The regulation becomes EU law. The countdown to each set of duties starts here.

  2. 2 February 2025in force

    Banned AI practices and the AI literacy duty apply

    A short list of AI uses is prohibited outright, and any organisation whose staff use AI at work must keep them basically literate in how it works and where it fails.

  3. 2 August 2025in force

    Rules for general-purpose AI models, plus governance and penalties, apply

    Duties begin for the general-purpose models behind tools like ChatGPT, along with the EU bodies that oversee the Act and the framework for penalties.

  4. 2 August 2026confirmed

    Transparency duties apply (chatbots and AI-generated content)

    People must be told when they are dealing with AI or looking at AI-generated content. Confirmed, and not delayed by the Digital Omnibus reform.

  5. 2 December 2027pending publication

    Stand-alone high-risk systems (the eight high-risk categories) apply

    The core rules for high-risk AI, such as hiring or credit-scoring tools sold on their own, apply from this date. Moved from the original 2 August 2026 date by the reform, and pending official publication.

  6. 2 August 2028pending publication

    High-risk AI built into already-regulated products applies

    High-risk AI embedded in products that already carry EU safety rules, like medical devices or machinery, applies from this date. Pending official publication.

The Digital Omnibus package delays only the high-risk dates (to December 2027 and August 2028). The August 2026 transparency duties do not move, whatever happens.

See the full timeline and status

Frequently asked questions

  • Does the EU AI Act apply to my small business?

    Almost certainly, in some capacity. If your team uses AI tools at work, or you build or sell anything with AI in it, and you have customers or users in the EU, the Act applies. For most small businesses that only use AI tools, the duties are light. The Exposure Check tells you exactly which ones apply to you.

  • What happens if I do nothing about this?

    The duties that are already live, like AI literacy, are real legal obligations even though no fines have been issued for them so far. The bigger near-term item for most SMEs is the transparency duties from August 2026, and for a few, the high-risk rules later. Doing a little now, like a short internal AI-use note, is far cheaper than catching up under pressure.

  • Is this basically GDPR again, but for AI?

    The shape is similar: one EU-wide, risk-based law that also reaches companies outside the EU serving people inside it. But the AI Act is about how AI systems are built and used, not about personal data as such, and its duties scale with how risky the use is.

  • My company isn't based in the EU. Does it still apply to us?

    It can. The Act reaches you if you place an AI system on the EU market, or if the output of your AI is used by people in the EU, wherever your company is based. A UK or US company with EU customers is often in scope. If you have no EU link at all, treat this as good practice rather than a legal duty.

  • How long does it actually take to get compliant?

    For a small business that simply uses AI tools, the core steps are a matter of hours: write a short internal AI-use note and check that any customer-facing AI is clearly labelled. Building high-risk AI is a bigger project, but that affects very few SMEs. The Exposure Check gives you a realistic, personal list.

Let's talk

Thirty minutes. Zero commitment.

Tell us what you need and we'll say exactly how we can help. If it isn't a fit, we'll save you the time.

Book a consultation

Denise & Ricardo

Sekit team

  • 30 min · Google Meet
  • cal.com/denise-moreno-sekit

This page is general information, not legal advice. For an answer specific to your business, take the Exposure Check or book a call.