EU AI Act

The EU AI Act, in plain English

A European law about how AI can be built and used, in force since August 2024 and phasing in through 2028. If you run a small business, your duties are almost certainly modest and manageable. Here is what it is, who it affects, and what to actually do.

What it is

A risk-based rulebook for AI

The EU AI Act is a single European regulation that governs how AI systems can be built, sold and used across the EU. Because it is a regulation and not a directive, it applies directly in every member state, with no separate national laws needed to bring it in.

It sorts AI by how risky the use is, not by the technology itself. Most everyday tools carry light duties or none, a small number of sensitive uses carry real obligations, and a short list is banned outright. The heavier the potential impact on people, the heavier the rules.

If it helps, think of how the GDPR worked for personal data: one EU-wide, risk-based framework that also reaches companies outside the EU when they serve people inside it. The AI Act follows the same logic for AI.

Who it affects

Almost any business that touches AI

If your company builds or sells an AI product, or simply uses AI tools at work, you are almost certainly in scope in some way. That includes ChatGPT or Copilot on your team's laptops, an AI feature inside a vendor's tool, or a hiring or support tool with AI under the hood.

It applies regardless of where your company is based. If you have customers or users in the EU, the Act can reach you even with no EU office. What changes from business to business is not whether it applies, but how much it asks of you.

The four risk levels

From minimal to banned

The Act sorts AI into four levels. Most day-to-day tools sit in the bottom two. The top two are narrow and mostly do not apply to small businesses.

  • Prohibited

    A short list banned outright, including social scoring by any organisation (public or private) and emotion recognition in the workplace. Not a compliance question: you simply do not do these.

  • High risk

    A defined set of sensitive uses, such as AI that screens job applicants or scores creditworthiness. Real obligations apply, but they reach a small minority of businesses and are not due until December 2027 (pending official publication).

  • Limited risk

    Tools that interact with people or generate content, like chatbots and AI-written text or images. These carry one duty, transparency, so people are told they are dealing with AI. It applies from August 2026.

  • Minimal risk

    Most everyday AI tools: spam filters, autocomplete, analytics. Effectively unregulated beyond the product-safety rules that already apply to any software.

Not sure where you stand?

Answer 12 short questions and get an instant, plain-language read on your exposure, your obligations, and your single biggest gap. Free, about five minutes, no account needed.

What you have to do

For most SMEs, hours not months

  • Keep staff AI literate

    If your team uses AI at work, you must make sure they have a basic working understanding of what the tools can and cannot do. This has been a live duty since February 2025, and for a small team a short internal guidance note usually covers it.

  • Be transparent about AI

    From August 2026, if you run a customer-facing chatbot or publish AI-generated content, you have to make that clear to the people who see it. Often this just means not hiding a disclosure your vendor already provides.

  • Heavier documentation, only if you build high-risk AI

    Formal risk management, technical documentation and independent checks apply only to the small number of businesses building high-risk AI products, and not until December 2027.

For most small businesses that simply use AI tools, this is a short, achievable list, not a compliance programme.

Where things stand

Some of it is already law, some is still moving

Parts of the Act are already in force and enforceable today, including the banned practices and the rules for general-purpose AI models. One major piece, the timeline for high-risk AI, is being pushed back by an EU reform package known as the Digital Omnibus, which the EU Parliament and Council confirmed in June 2026, with only formal publication still pending.

We keep this page current as the picture changes. For exact dates and the full status of the reform, the key dates page is the source of truth.

  1. 1 August 2024 (in force)

    The AI Act enters into force

  2. 2 February 2025 (in force)

    Banned AI practices and the AI literacy duty apply

  3. 2 August 2026 (confirmed)

    Transparency duties apply (chatbots and AI-generated content)

  4. 2 December 2027 (pending publication)

    Stand-alone high-risk systems (the eight high-risk categories) apply

Keeping it in proportion

This does not need to be a fire drill

The Act deliberately goes easier on smaller companies. EU law builds in simplified documentation templates, reduced fees, and priority access to regulatory sandboxes for SMEs and start-ups.

Penalties are scaled too. For a small business, a fine is calculated using the lower of the fixed-euro amount or the percentage-of-turnover figure, the opposite of the rule applied to large companies.

The goal is not to convince you this is nothing. It is to show you it is knowable and doable. Start by finding out where you stand.

Frequently asked questions

  • Does the EU AI Act apply to my small business?

    Almost certainly, in some capacity. If your team uses AI tools at work, or you build or sell anything with AI in it, and you have customers or users in the EU, the Act applies. For most small businesses that only use AI tools, the duties are light. The Exposure Check tells you exactly which ones apply to you.

  • What happens if I do nothing about this?

    The duties that are already live, like AI literacy, are real legal obligations even though no fines have been issued for them so far. The bigger near-term item for most SMEs is the transparency duties from August 2026, and for a few, the high-risk rules later. Doing a little now, like a short internal AI-use note, is far cheaper than catching up under pressure.

  • Is this basically GDPR again, but for AI?

    The shape is similar: one EU-wide, risk-based law that also reaches companies outside the EU serving people inside it. But the AI Act is about how AI systems are built and used, not about personal data as such, and its duties scale with how risky the use is.

  • My company isn't based in the EU. Does it still apply to us?

    It can. The Act reaches you if you place an AI system on the EU market, or if the output of your AI is used by people in the EU, wherever your company is based. A UK or US company with EU customers is often in scope. If you have no EU link at all, treat this as good practice rather than a legal duty.

  • How long does it actually take to get compliant?

    For a small business that simply uses AI tools, the core steps are a matter of hours: write a short internal AI-use note and check that any customer-facing AI is clearly labelled. Building high-risk AI is a bigger project, but that affects very few SMEs. The Exposure Check gives you a realistic, personal list.

Let's talk

Thirty minutes. Zero commitment.

Tell us what you need and we'll say exactly how we can help. If it isn't a fit, we'll save you the time.

Book a consultation

Denise & Ricardo

Sekit team

  • 30 min · Google Meet
  • cal.com/denise-moreno-sekit

This page is general information, not legal advice. For an answer specific to your business, take the Exposure Check or book a call.