A plain-English, interactive guide to the world's first comprehensive AI law: what it regulates, who it applies to, when the obligations bite, and where organisations will need help to be ready.
Most leaders assume the EU AI Act is a problem for big technology companies, or that the recent delay means there is nothing to do yet. Both are mistaken, and both positions carry real cost. The Act is now law, it reaches far beyond Europe, and the delay is breathing space, not a reprieve.
It applies wherever your AI is placed on the EU market, used in the EU, or where its output is used there. This extraterritorial reach works like GDPR's: the Act follows the output, not your address. If an AI decision affects someone in the EU, the Act can apply even if your organisation has no EU presence at all. A firm in London, New York, or Sydney screening EU applicants is in scope.
The Act regulates what AI is used to do, not the industry you sit in. The same model is unregulated drafting an email and high-risk screening a CV.
Much regulated AI arrives embedded in software you already own: recruitment ranking, credit scoring, staff monitoring, chatbots. The list is longer than most teams expect.
Fines reach GDPR scale and above. The harder costs are often reputational: a hiring tool that discriminates, or an enquiry that freezes a launch.
The reframe. The Act is not only a compliance burden. It is a forcing function that pushes organisations to do what good AI adoption requires anyway: know where AI is used, decide who is accountable, and put guardrails around the decisions that matter. Treat it as governance, not paperwork.
Rather than treating all AI the same, the Act sorts uses by the risk they pose to people's safety, rights, and livelihoods. The greater the potential harm, the heavier the duties. Each tier below sets out what it covers and what it means for you.
A small number of AI uses are judged so harmful that they are banned across the EU. This prohibition has applied since 2 February 2025 and carries the highest penalties in the Act. Most organisations will not do these deliberately; the risk is doing one unknowingly through a purchased tool.
Subliminal or deceptive techniques that distort behaviour and cause significant harm.
Targeting age, disability, or economic circumstance to distort behaviour and cause harm.
Classifying people over time in ways that lead to detrimental or disproportionate treatment.
Building facial-recognition databases by scraping images from the internet or CCTV.
Inferring emotions in the workplace or in education, outside narrow medical or safety uses.
Categorising people by biometrics to infer race, beliefs, sex life, or sexual orientation.
New from December 2026. The Digital Omnibus added a prohibition on AI that generates or manipulates non-consensual intimate imagery, including "nudifier" apps, and abuse material. The banned list is not closed; it will grow as new harms emerge.
Most of the Act's substantive obligations sit here, and so does most organisations' real work. Crucially, many high-risk categories are ordinary business activities, not exotic technology. The two that most organisations meet are employment and essential services.
CV screening and ranking, promotion and termination decisions, and performance monitoring.
Credit scoring, insurance risk and pricing, and eligibility for public benefits.
Admissions, assessment, exam scoring, and monitoring during tests.
Remote identification, biometric categorisation, and emotion recognition where not banned.
Safety management of utilities, digital infrastructure, and traffic.
Use by courts and in democratic processes, law enforcement, and border control.
You are a deployer, and you carry your own duties: use the system as instructed, assign competent human oversight, monitor performance and report serious incidents, keep the logs, and often inform the people affected. Public bodies and some private deployers must also complete a fundamental rights impact assessment before use.
Where help is usually needed. Few organisations have the inventory, classification, and working governance to know which systems are high-risk, let alone the documentation and oversight to satisfy the obligations. This is the largest single readiness gap we see, and it is rarely a technology problem. It is a question of organisational logic.
The transparency duties are lighter than the high-risk regime, but they touch a very large number of everyday systems. People have a right to know when AI is involved.
The Omnibus cut the grace period for marking AI-generated content from six months to three, with marking for in-market generative systems from 2 December 2026. Chatbot and deepfake disclosure still applies from August 2026.
The large foundation models behind most AI tools carry their own duties: technical documentation, information to downstream businesses, an EU copyright policy, and a public summary of training data. The most capable models, judged to pose systemic risk, face extra testing and reporting.
Foundation model. A large, general-purpose AI model trained on broad data that can be adapted to many tasks. These are the engines behind well-known chatbots and assistants, which most other AI tools are built on top of.
Systemic risk. The threshold for the most powerful models, based on their scale and reach. These face extra duties: adversarial testing, risk mitigation, incident reporting, and stronger cybersecurity.
If you only buy AI: ask vendors which models they use, whether those providers meet the obligations, and what documentation they can pass on. A vendor who cannot answer is a risk indicator.
The same AI model is minimal-risk when it drafts an email and high-risk when it screens a job application. The Act regulates the decision, not the software.
By late 2025 the high-risk timetable was running ahead of the technical standards needed to comply. The Digital Omnibus, agreed 7 May 2026, deferred the heaviest deadlines. Here is the position as at June 2026.
The Digital Omnibus. A package of amendments to the AI Act proposed by the Commission in November 2025 to simplify the rules and ease the timetable. Political agreement was reached on 7 May 2026, with formal adoption expected around July 2026.
Read the delay as time to prepare, not permission to wait. Three things have not moved: the prohibitions, the general-purpose AI rules, and the literacy duty are all live now. And the high-risk work takes many months done well. The Omnibus also extended SME relief to a new small mid-cap category: fewer than 750 employees and turnover not exceeding €150m. All Omnibus dates are subject to formal adoption, expected July 2026.
The Act backs its obligations with penalties on a par with, and in places exceeding, GDPR. Fines are tiered by seriousness, capped at the higher of a fixed sum or a percentage of worldwide annual turnover. For SMEs and small mid-caps, the lower of the two applies.
Worldwide turnover. The percentage cap is based on the whole group's total global revenue, not just EU or AI-related income. For a large group, the percentage can far exceed the fixed-euro figure.
SMEs and small mid-caps. Smaller organisations pay the lower of the fixed sum or the percentage, not the higher. The Omnibus widened this relief to firms with fewer than 750 staff and turnover up to €150m.
The real exposure is rarely the headline fine. For most organisations the likelier costs are an investigation that stalls a product, a contractual dispute when a tool fails to meet the Act, or reputational damage when a decision is challenged. Good governance is cheaper than all three, and it is the same governance that makes AI deliver value.
Duties follow the role you play for each system. Most organisations are deployers, and assume the vendor carries the responsibility. It does not all sit there, and there is a trap: significantly modify a high-risk system, rebadge it, or use it in a way that makes it high-risk, and you can become a provider, with the heavier duties that follow.
Deployer. An organisation that uses an AI system in its activities. The role most organisations occupy, and it carries real duties of its own, not just the vendor's.
Becoming a provider. Fine-tuning a model, putting your own name on a tool, or repurposing it for a high-risk use can make you the "provider" in the eyes of the Act, inheriting the much heavier obligations.
Provider. You develop a system and place it on the market under your name. The heaviest duties.
Deployer. You use a system in your activities. The role most organisations occupy, with real duties of its own.
Importer. You bring a non-EU provider's system to the EU market. Verify their compliance first.
Distributor. You make a system available without being provider or importer. Check markings and documentation.
Of every obligation in the Act, this is the one that already applies, to nearly every organisation, and it is the most sensible place to start. Article 4 requires organisations to make sure the people who use AI on their behalf actually understand it. It is not limited to high-risk systems: if your staff use AI, this duty is yours today.
Article 4. The AI Act's AI-literacy provision. It requires providers and deployers to ensure their people have the understanding to use AI systems appropriately. In force since 2 February 2025.
Who. Both providers and deployers, which means nearly everyone. Unlike the high-risk regime, it applies whatever risk tier your AI sits in.
What. A sufficient level of AI literacy, proportionate to people's roles and the systems they use. "Sufficient" is deliberately contextual: it scales with a person's role, the systems they use, and who is affected. A board member, a recruiter and a frontline user each need different literacy. There is no single syllabus.
Since when. 2 February 2025, alongside the prohibitions. The Digital Omnibus softened "ensure" to "support the development of" literacy, but the expectation, and the exposure, remain.
Literacy is the foundation the rest of the Act stands on. The human oversight that high-risk systems demand is only real if the people doing it understand the systems: you cannot challenge or override what you do not understand. It is also the practical defence against the risks that land first, before any high-risk deadline: misuse, over-reliance, leaking data into public tools, and the shadow AI that staff adopt without sign-off. Done well, it is role-tailored, tied to your real AI uses and policies, and refreshed as tools change, not a single e-learning module sent to everyone.
Enough to ask the right governance questions, set risk appetite, and own accountability.
Enough to oversee AI-assisted decisions, see when to intervene, and apply policy.
Enough to use tools safely, spot errors and bias, handle data well, and avoid shadow AI.
Enough to evaluate vendors, models, and data, and document the decisions behind them.
Why start here. Literacy is the lowest-cost, highest-leverage move on the Act: it satisfies a duty that is already live, cuts the risks that surface first, and builds the shared understanding every later step depends on. It is where most organisations should begin, and where we most often start with clients, through our AI Foundations and AI Training & Enablement programmes, tailored to your actual AI estate and obligations.
The path is not complicated, but it has an order. Start now and finish well within the revised timeline. Most failed efforts start in the wrong place, by writing a policy before anyone knows what is in use. Inventory first, then classify, then govern.
List every AI system in use, including embedded and informally adopted tools.
Confirm in writing that nothing falls into the prohibited list. Removes your top exposure fast.
Decide each system's tier and your role. This sets the size of the task.
Map the gap for high-risk systems; plan disclosure for customer-facing generative AI.
Named owners, a sign-off route, real oversight, incident reporting, board visibility.
Equip people to oversee the AI they use. Tailor training to roles, not one generic course.
Make AI Act assurances a standard part of buying any AI-enabled tool.
Inventory and classification are living documents. Refresh them on a cadence.
We help organisations move from scattered, informal AI use to a governed, intentional approach that is both compliant and genuinely valuable. Independent and vendor-neutral, governance-led, and human-centred, we start from organisational logic, not technology. Our services map directly onto the readiness gaps.
An independent review of your AI estate, governance, and capability, including the inventory and risk classification that readiness depends on.
A purpose-led strategy and roadmap that build compliance into how AI delivers value.
Translating classification into working governance: owners, oversight, sign-off, incident reporting.
Independent, vendor-neutral assessment of tools and the assurances their providers can give.
Role-tailored AI literacy for board, managers, and frontline staff that satisfies the Article 4 duty already in force. For most organisations, the natural first step.
Ongoing oversight and continuous improvement as your AI use, and the rules, keep changing.
The organisations that treat the Act as a forcing function, and do the foundational work now, will be both compliant and ahead. We would welcome a conversation about where your organisation stands and what a sensible first step looks like.