What the EU AI Act is and how to use it operationally

The EU AI Act is a risk-based EU regulation that applies different rules to AI systems and general-purpose AI (GPAI) models depending on the potential harm to people’s safety, rights, or the market. It bans a short list of unacceptable-risk practices, sets strict requirements for high-risk AI systems, requires transparency for chatbots, deepfakes and certain generative content, imposes technical documentation and copyright obligations on GPAI model providers, and requires providers and deployers to ensure appropriate AI literacy among staff.

Most organisations will interact with several “lanes” at once. The law already applies to prohibitions, definitions and AI literacy (since 2 February 2025). GPAI rules begin 2 August 2025. Transparency obligations and most high-risk rules begin 2 August 2026. Rules for high-risk AI embedded in regulated products follow in 2027. Non-EU companies are in scope if they place AI on the EU market or whose systems are used in the EU.

This guide translates the legal text into an operational workflow so you can inventory uses, determine your role, identify applicable lanes, collect evidence, and monitor changes—without drowning in the full regulation.

Current law status (May 2026)

• In force: prohibitions, AI literacy (Article 4), definitions, and the first set of GPAI obligations (from 2 August 2025).
• Next: transparency obligations (Article 50) and high-risk rules for Annex III systems on 2 August 2026; high-risk rules for products under sectoral legislation on 2 August 2027.
• Proposal: The European Commission’s Digital Omnibus package (under negotiation as of March 2026) proposes linking some high-risk application dates to the availability of harmonised standards, extending certain SME simplifications to small mid-caps, and other adjustments. These changes are not yet law and do not alter obligations currently in force. Always check the official AI Act Service Desk timeline for the latest confirmed dates.