AI News for Business

EU AI Act 2026: AI Requirements for Businesses in the EU

Views: 510 Published: 29.04.2026
🇺🇦 UK 🇺🇸 EN 🇩🇪 DE 🇪🇸 ES
EU AI Act 2026: AI Requirements for Businesses in the EU

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive law regulating artificial intelligence. It came into effect on August 1, 2024, and is being implemented in phases. Transparency requirements for AI chatbots will apply from August 2, 2026; requirements for high-risk AI systems (credit scoring, HR recruitment, medical triage) are postponed until December 2, 2027, according to the preliminary Digital Omnibus agreement (May 2026). For companies in Germany and Austria, this means: if you have an AI chatbot on your website, prepare for August 2026; if you have a high-risk system, the deadline is December 2027, but preparation takes 12–18 months.

Most business owners in the EU have heard of the EU AI Act, but few understand what specifically becomes mandatory and when. A medical center in Vienna using an AI chatbot to answer patient questions, a law firm in Frankfurt with an AI assistant for contract work, a distributor in Munich with an AI tool for managers – they all fall under the AI Act. The only question is which risk category their system falls into and what specific obligations that entails.

This article provides a clear timeline, four risk levels with specific examples, requirements for medicine and law professionals in DE/AT, and an explanation of why your AI system's architecture – whether self-hosted or cloud-based – directly impacts legal compliance.

What is the EU AI Act and Why It Matters to Your Business Now

The EU AI Act is Regulation (EU) 2024/1689, adopted on May 21, 2024, and published on July 12, 2024. It legally took effect on August 1, 2024. Its logic is similar to the GDPR – it regulates not specific technologies, but the risks associated with their use, has extraterritorial application, and imposes significant penalties for non-compliance.

The key difference from GDPR: while GDPR governs *how* you process personal data, the AI Act governs *which AI systems* you use and for what purpose. These two regulations do not replace each other but complement one another. If your AI system processes personal data of clients or patients, it falls under both GDPR and the AI Act simultaneously.

Why it matters to your business right now. The AI Act applies to any organization that places AI systems on the EU market or uses them in its activities within the EU – regardless of the system developer's location. This means if you are a medical center in Vienna that has integrated an American AI chatbot to answer patient queries, you, as the deployer, are subject to the AI Act's obligations. The same applies if you are a law firm in Berlin using a SaaS AI service for contract analysis.

The law distinguishes between two types of operators: provider (a developer who creates or commissions an AI system and brings it to market) and deployer (an organization that uses an existing AI system in its operations). Most businesses – medical centers, law firms, distributors – are deployers. Deployers have fewer obligations than providers, but these obligations are real and mandatory.

Implementation Timeline: What's Effective Now and What's Coming in August 2026

The AI Act is being implemented in phases – not all at once. Here is the exact timeline:

Date What Becomes Effective Who It Concerns
August 1, 2024 AI Act legally entered into force as Regulation (EU) 2024/1689 All operators in the EU
February 2, 2025 Prohibitions on unacceptable AI practices (Art. 5) + AI literacy requirements for personnel (Art. 4) All companies using AI in the EU
August 2, 2025 Rules for GPAI models (GPT-4, Claude, Gemini, etc.): documentation, transparency, copyright Providers of GPAI models
August 2, 2026 Full application of the AI Act: all requirements for high-risk AI systems (Annex III), transparency requirements (Art. 50), registration in the EU database All operators of high-risk AI systems
August 2, 2027 Requirements for high-risk AI integrated into regulated products (Annex I): medical devices, aviation, vehicles Manufacturers of regulated products with AI

What has already happened and what it means for businesses. Since February 2, 2025, 8 categories of AI practices are prohibited – including social scoring, emotion recognition systems in workplaces and educational institutions, and mass collection of biometric data. The penalty for violating these prohibitions is up to €35 million or 7% of annual global turnover – whichever is higher (Art. 99 of the AI Act).

From August 2, 2025, providers of GPAI models (OpenAI, Google, Anthropic, Mistral) are required to provide technical documentation, comply with copyright, and publish summaries of training data. OpenAI, Google, Mistral, and Microsoft have already signed a relevant Code of Practice. Meta has refused and is currently in regulatory uncertainty.

The key date for most businesses is August 2, 2026. From this date, the requirements for high-risk AI systems under Annex III will fully apply. This concerns AI in medicine, law, finance, education, employment, and critical infrastructure. As of today (April 2026), there are fewer than 100 days left.

Note: In November 2025, the European Commission proposed the Digital Omnibus – a package of simplifications that could adjust the application date for high-risk rules. At the time of writing, this proposal has not yet been adopted and is under discussion in the European Parliament. Until adoption, the official date remains August 2, 2026.

Four Risk Levels: Which Category Does Your AI System Fall Into

The AI Act does not regulate all AI systems equally. The law's logic is that the greater the potential risk to health, safety, or fundamental human rights, the stricter the obligations. The classification system is four-tiered: from a complete ban to no requirements at all. The extent of compliance – from zero additional obligations to full technical documentation, independent audits, and registration in the EU database – depends on which category your AI system falls into.

Before reading further: if you are unsure which category your system belongs to, use the free Compliance Checker from the Future of Life Institute. The tool asks 10–15 questions and provides a preliminary classification.

Level 1: Unacceptable Risk — Prohibited from February 2, 2025

These are AI systems that pose a direct threat to fundamental rights, safety, or human dignity. They are completely prohibited within the EU – not regulated, but outright banned. Article 5 of the AI Act contains an exhaustive list of 8 categories. These prohibitions took effect on February 2, 2025.

What specifically is prohibited:

Penalty for violation: up to €35,000,000 or 7% of global annual turnover – whichever is higher (Art. 99 of the AI Act). For a company with €10 million in turnover, the maximum is €700,000. For a company with €1 billion in turnover, it's €70,000,000.

What this means practically for SMEs: If your HR department is considering an AI tool that "analyzes micro-expressions during interviews" or "assesses staff emotional states," this is a direct violation of Art. 5 of the AI Act, which is already in effect. Such tools should be avoided, regardless of how the vendor positions them.

Level 2: High Risk — Strict Requirements from August 2, 2026

This is the broadest and most significant category in terms of business compliance. High-risk AI systems are not prohibited but are subject to detailed regulation. The complete list is in Annex III of the AI Act and covers eight areas where AI can significantly impact people's rights, health, or well-being.

Eight areas of high-risk AI:

Obligations for high-risk systems (Articles 9–15 of the AI Act):

Penalty for non-compliance: up to €15,000,000 or 3% of global annual turnover – whichever is higher.

What this means practically for SMEs: If your company in DE/AT uses an AI tool for resume screening, automated candidate assessment, or customer credit scoring, these systems are high-risk. By August 2, 2026, you will need technical documentation, a documented oversight system, and – if the provider does not ensure compliance – either migration to a compliant system or discontinuation of the functionality.

Level 3: Limited Risk — Transparency Requirements from August 2, 2026

These are AI systems that directly interact with people or generate content – but do not make decisions that significantly affect rights or well-being. The obligations here are much fewer than for high-risk systems: the main requirement is transparency. People must know they are interacting with AI.

What falls under limited risk (Art. 50 of the AI Act):

Penalty for violation of Art. 50: up to €15,000,000 or 3% of global annual turnover.

What this means practically for SMEs: If you have an AI chatbot on your medical center, law firm, or distributor website, you must add a clear notification at the start of the chat by August 2, 2026. This is technically simple but legally mandatory. Non-compliance carries a penalty at the same level as for high-risk systems for violating Art. 13.

Level 4: Minimal or No Risk — No Additional Regulation

The vast majority of AI tools that businesses use daily fall into this category. The AI Act explicitly states that it does not impose requirements for minimal risk systems. Examples include spam filters in email, AI content recommendations on streaming platforms, AI for video games, text autocorrection systems, and basic automation and scheduling tools.

There are no additional obligations under the AI Act for this category. However, the general requirements of GDPR regarding personal data processing remain in force regardless of the AI Act's risk category.

Where Does an AI Assistant for Documents Fit in This Classification?

This is the question our clients – medical centers, law firms, and distributors – ask most frequently. The answer depends on *exactly what* the system does and *what decisions* it supports.

Use Case AI Act Category Key Obligation
AI answers patient questions about procedure preparation based on clinic protocols ⚠️ Level 3 — Limited Risk Explicit notification "You are interacting with AI" from 08/02/2026
AI helps a lawyer find a specific clause in 300 contracts ✅ Level 4 — Minimal Risk No additional AI Act requirements (but GDPR applies)
AI helps a manager find product technical specifications during a client call ✅ Level 4 — Minimal Risk No additional AI Act requirements
AI assesses a client's creditworthiness or insurance risk 🔴 Level 2 — High-Risk (Annex III) Full compliance: documentation, audit, registration, human oversight
AI ranks candidate resumes for an HR manager 🔴 Level 2 — High-Risk (Annex III) Full compliance: documentation, audit, registration
AI assists a judge in analyzing case facts 🔴 Level 2 — High-Risk (Annex III) Full compliance + independent conformity assessment
AI analyzes employee emotions during meetings 🚫 Level 1 — Prohibited Prohibited from 02/02/2025. Penalty up to €35 million

Practical takeaway: An AI assistant that answers questions exclusively from your uploaded documents and does not make decisions that significantly affect rights or well-being most often falls into the limited or minimal risk category. This implies a relatively small scope of obligations: an explicit AI notification and GDPR compliance for data storage. However, if the same tool starts being used for candidate assessment, credit scoring, or medical triage, the category changes to high-risk, and the requirements increase dramatically.


Specific Business Requirements in DE/AT: Healthcare, Legal, Finance

The AI Act is a pan-European regulation, but it doesn't operate in a vacuum. In Germany and Austria, it interacts with their own GDPR implementations, sector-specific legislation, and professional codes of conduct. For healthcare centers, law firms, and financial companies in DE/AT, this translates to a double or even triple layer of requirements – and ignoring any of them creates legal risk. For more on the specifics of GDPR in DE/AT, see the article AI and GDPR in Germany and Austria: Requirements for Corporate Systems.

Healthcare Centers in Austria and Germany

Healthcare is the most regulated sector concerning AI in the EU. AI systems in medicine fall under four layers of legislation simultaneously: the EU AI Act, GDPR (Article 9 – special categories of data), the EU Medical Device Regulation (MDR 2017/745), and national medical legislation. All four layers are in effect concurrently and do not supersede each other.

What is considered high-risk in healthcare under the AI Act (Annex III):

What is not high-risk but falls under Level 3 (limited risk): An AI assistant that answers patient questions based on clinic protocols – such as "How do I prepare for a gastroscopy?", "What should I bring to my appointment?", "How long does an MRI take?" – is not high-risk according to the AI Act. However, it is subject to Article 50 (transparency requirements) and GDPR if it collects any patient personal data during interaction.

Practical Requirements for a Healthcare Center in Austria or Germany:

For more details on processing medical data via AI and GDPR, see the article AI in Medicine: How to Process Medical Data Without Violating the Law.

Law Firms in Austria and Germany

Law firms find themselves in a particularly complex position: the AI Act, GDPR, and attorney-client privilege (a constitutionally protected principle) all demand that client data remains within a controlled environment. Yet, most popular AI tools for lawyers are cloud-based services of US origin.

What is considered high-risk for law firms under the AI Act: AI that assists judicial bodies in analyzing case facts or interpreting the law is high-risk under Annex III, point 8. AI that helps a lawyer find relevant clauses in contracts or formulate arguments is *not* high-risk but is subject to transparency requirements if it interacts directly with the client.

Specifics for DE/AT for Law Firms:

Financial Companies and Insurance in Austria and Germany

The financial sector is a primary focus area for the AI Act. Annex III explicitly classifies two key use cases, standard for banks and insurance companies, as high-risk: assessing the creditworthiness of individuals and risk scoring in insurance. Alongside the AI Act, financial companies in DE/AT are subject to prudential regulation by BaFin and FMA, which already have their own requirements for algorithmic decisions.

What is considered high-risk for financial companies under the AI Act (Annex III):

Obligations for Financial Companies from August 2, 2026:

What is not high-risk for financial companies: An internal AI assistant that helps managers find information within internal regulations and product descriptions is not high-risk; it falls under Level 4 (minimal risk). AI that answers customer questions about bank products via a website chat is Level 3 (limited risk, transparency requirement). The distinction is fundamental: the same bank can simultaneously operate a high-risk system (credit scoring) and a minimal-risk system (internal staff directory).


Why Cloud AI Creates AI Act Challenges — and Where Self-Hosted Wins

The AI Act and GDPR together create a compliance landscape where the architectural decision — where your AI system is physically deployed and who acts as the data controller — has direct legal significance. This isn't a matter of preference or convenience. It's about whether you can meet the specific requirements of Articles 9–15 of the AI Act and Articles 5, 24, and 28 of GDPR when using a cloud service of American origin. For most businesses in DE/AT processing sensitive data, the answer is complicated by three systemic issues.

For more details on where your data is physically stored across different AI services, read the article Self-hosted AI vs. Cloud: Where Your Data Resides.

Issue 1: US CLOUD Act vs. GDPR and the AI Act

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, USA, 2018) allows US law enforcement agencies to compel US companies to provide data stored on their servers, regardless of where those servers are physically located. OpenAI, Google, Microsoft, Amazon, Notion, and Salesforce are all US companies and are subject to the CLOUD Act. This means that even if your OpenAI-based AI assistant is deployed on servers in Frankfurt, under a US court order, OpenAI could be compelled to grant US authorities access to this data.

GDPR and the AI Act do not supersede or block the CLOUD Act; they regulate different jurisdictions. A Data Processing Agreement (DPA) with a US provider and a Transfer Impact Assessment (TIA) are mandatory documents, but they reduce the risk for most data rather than eliminating it for the most sensitive categories. For patient medical data (Article 9 GDPR — special categories), legal case materials subject to attorney-client privilege, or client financial data protected by banking secrecy requirements, even a signed DPA offers insufficient protection. The Austrian Bar Association (ÖRAK) and several German state bar associations explicitly recommend against using US cloud AI services for processing case materials precisely because of the CLOUD Act risk.

What this means in practice: If you are a medical center in Vienna or a law firm in Munich and use the ChatGPT API or Notion AI to handle sensitive client data, you have an open legal vulnerability that no provider contract can close. A self-hosted system on a Hetzner server in Nuremberg or Helsinki, managed by a German or Finnish company, eliminates this risk architecturally: US law enforcement agencies have no jurisdiction over data that has never been in the possession of a US company.

Issue 2: Transparency, Documentation, and System Control

The AI Act requires deployers — meaning you as a business using AI — to have specific capabilities: explaining how the system makes decisions (Art. 13), demonstrating control over it (Art. 14), possessing technical documentation for the system (Art. 11), and maintaining an operational log (Art. 12).

A cloud SaaS provider offers documentation for *their* system, but not for your specific instance. OpenAI publishes the system card for GPT-4, and Microsoft publishes Copilot documentation, but this documentation describes the base model, not how your company specifically configured it, which documents were uploaded, or what system prompt is being used. For AI Act compliance, documentation of *your specific system* is needed — one that you configured and deployed yourself.

There's another issue: cloud providers update their models, often without notice and without the option to remain on a previous version. GPT-4o in February 2026 and GPT-4o in August 2026 will be different versions with different behaviors. If your high-risk system passed its conformity assessment in February, and the provider updated the model in April without your knowledge, your documentation is technically outdated, and the system requires re-assessment. A self-hosted system where you control which model version you use avoids this problem.

What this means in practice: For the "limited risk" tier, cloud AI is entirely acceptable if a DPA is in place and users are clearly informed. For the "high-risk" tier, cloud AI demands significantly more effort for documentation and compliance proof: you are essentially forced to document someone else's system, which you do not control and which can change without your knowledge. Read more in the article Self-hosted AI vs. SaaS: What to Choose for Corporate Documents.

Issue 3: Human Oversight and Real System Control

Article 14 of the AI Act requires that for high-risk systems, a human must be able to effectively monitor the system, understand its decisions, and have the ability to pause or override them. This isn't just an interface requirement; it's an architectural demand: the system must be designed so that human oversight is genuinely possible, not merely formal.

Cloud SaaS provides control within the limits of what the API provider allows. You can configure the system prompt, set limits through API parameters, or disable certain features, but you cannot control the base model, you don't know precisely how it interprets your prompt after another update, and you cannot guarantee its behavior won't change. If the system suddenly starts giving unexpected responses after a provider update, your intervention options are limited by what the API permits.

A self-hosted system offers a different level of control: you decide which model to use (Llama, Mistral, Qwen, or GPT via OpenRouter), you configure the system prompt and limits, and you control when and which version is updated. If a model behaves unexpectedly, you can roll back to a previous version, change the configuration, or completely replace the LLM provider without altering the rest of the system. This is what constitutes real human oversight under Article 14 of the AI Act.

Issue 4: Responsibility and the Operator Chain

The AI Act clearly distinguishes between the provider (system developer) and the deployer (the business using it) and allocates obligations between them. However, when you use cloud SaaS, the responsibility chain becomes complicated: there's the developer of the base model (e.g., OpenAI), the SaaS provider building a product on top of that model, and you as the end deployer. If something goes wrong, the regulator will come to you as the deployer, and your response "the provider is to blame" does not absolve you of responsibility under Article 26 of the AI Act.

A self-hosted system where you are both the deployer and the actual operator simplifies this chain. You know what you are using, you document your system, and you are responsible for your own deployment — not for someone else's platform that you don't control.

Where Self-Hosted Wins in Terms of the AI Act and GDPR

Requirement Cloud SaaS (US Provider) Self-hosted (AskYourDocs, EU Server)
Data Location — EU Server ⚠️ Server may be in the EU, but the provider is a US company subject to the CLOUD Act ✅ Hetzner (Nuremberg/Helsinki) or OVH (Strasbourg) — non-US provider, CLOUD Act does not apply
Technical Documentation of Your System (Art. 11) ⚠️ Provider documentation exists for the base model, but not for your specific instance and configuration ✅ You document your system: which model, which version, which configuration, which documents were uploaded
Transparency of Processing for Deployers (Art. 13) ⚠️ Provider offers general instructions; processing details at your use case level are not disclosed ✅ Full control and visibility: what happens with each request from receipt to response
Human Oversight (Art. 14) ⚠️ Limited by API capabilities — the provider can change model behavior without your knowledge ✅ Full control: model version, system prompt, limits — all in your hands
Request Logging (Art. 12) ⚠️ Provider maintains logs, but access is restricted, and retention periods are determined by the provider ✅ All logs on your server: full access, you determine retention period
System Stability for Auditing ⚠️ Provider may update the model without notice, rendering documentation obsolete ✅ You control the model version — the system remains static until your decision to update
GDPR Art. 9 — Special Categories of Data (Medical, Legal) ❌ CLOUD Act risk is not eliminated by DPA — for medical and legal data, this is a legal vulnerability ✅ Data never leaves your EU server — CLOUD Act is architecturally inapplicable
Responsibility Chain (Art. 26) ⚠️ Complex: Model Developer → SaaS Provider → You as Deployer ✅ Simple: You as Deployer and Operator of Your Own System

Full disclosure: Self-hosted does not automatically mean AI Act compliance. You must still: explicitly inform users about interacting with AI (Art. 50), maintain a request log, document your system, and — if your use case is high-risk — fulfill the complete requirements of Arts. 9–15. Self-hosted provides you with the *tools* to meet these requirements and removes the structural barriers encountered when working with cloud providers. However, architecture alone is insufficient; documented processes, designated responsibilities, and regular system review are necessary.

For more on the risks of data leaks through AI services and how to check for them, read the article 6 Risks of Data Leakage Through AI in Business.

Checklist: What to Verify in Your AI System Before August 2026

There are fewer than 100 days left until August 2, 2026. Here's what you need to check now, regardless of which AI system you are using.

Question If "Yes" If "No" — Action
Do you know which AI Act risk category your system falls under? ✅ Proceed Complete the Compliance Checker on artificialintelligenceact.eu
Does your AI chatbot inform users that they are interacting with an AI? ✅ Art. 50 fulfilled Add an explicit notification by 08/02/2026
Do you know where the data processed by your AI service is physically stored? ✅ Document this Request confirmation of server location and a DPA from your provider
Do you have a Data Processing Agreement (DPA) with your AI provider? ✅ Keep it up-to-date Sign a DPA — processing data without one is illegal under GDPR
Have your employees who use AI undergone basic AI literacy training? ✅ Art. 4 fulfilled Mandatory from 02/02/2025 — conduct training and document it
Do you maintain a log (audit trail) of AI requests? ✅ Retain for at least 6 months Set up logging — it's mandatory for high-risk systems (Art. 12)
If you have a high-risk system, is there technical documentation for it? ✅ Art. 11 fulfilled Prepare the documentation by 08/02/2026 — the system cannot operate legally without it
If you have a high-risk system, is there a human oversight procedure? ✅ Art. 14 fulfilled Document who supervises AI decisions and how they can be overridden or canceled

For information on preparing documents for an AI system, read the article How to Prepare Documents for an AI Assistant: What to Upload and What Not To.

Frequently Asked Questions

Does the AI Act apply to small businesses or SMEs?

Yes, but with a proportional approach to fines. For SMEs and startups, the penalty is calculated as the lesser of two amounts (a fixed sum or a percentage of turnover). So, for a company with €500,000 in annual turnover, the maximum Level 1 fine is €35,000 (7% of turnover), not €35 million. However, transparency (Art. 50) and prohibition (Art. 5) obligations are the same for everyone, regardless of size.

Does an AI chatbot on a clinic's website fall under the AI Act?

Yes — at a minimum, under the transparency requirements of Level 3 (Art. 50). From August 2, 2026, the chatbot must explicitly inform patients they are communicating with an AI. If the chatbot only answers informational questions from clinic protocols, it's considered "limited risk." If it assists with diagnostics or triage, it's potentially "high-risk" with the full set of requirements.

Is signing a DPA with an AI provider sufficient for AI Act compliance?

A Data Processing Agreement (DPA) is mandatory for GDPR but is not sufficient for full AI Act compliance. The AI Act additionally requires system transparency, logging, human oversight, and — for high-risk systems — technical documentation and registration. A DPA addresses the "where and how data is stored" question but does not resolve issues of control over the AI system and auditability.

What is a Transfer Impact Assessment (TIA) and when is it needed?

A TIA is an assessment of the impact of data transfers to a third country (e.g., the US) required by GDPR following the Schrems II ruling (2020). If your AI provider is a US company and processes your clients' or patients' data on servers outside the EU, a TIA is mandatory. Even if servers are physically in the EU but the provider is US-based, a TIA is recommended due to the CLOUD Act risk.

Want to Check if Your AI System Meets AI Act Requirements?

At AskYourDocs, we build self-hosted AI assistants based on documents for SMEs, medical centers, and law firms — deployed on servers within the EU (Hetzner DE/FI or OVH FR) with an architecture compliant with GDPR and AI Act requirements.

Send us 2–3 of your actual work documents. In 30 minutes, we'll provide a live demonstration, discuss which AI Act risk category your use case falls into, and outline exactly what's needed for compliance.

Write us on Telegram →

Full implementation in 5–7 days. Starting from $500 one-time fee. EU-based servers. No IT team required from your side.


Sources: