The Regulation (EU) 2024/1689 on Artificial Intelligence, known as the AI Act, is the world's first comprehensive AI legislation and applies directly in all EU member states without national transposition. It is not a directive that each country adapts; it is a regulation of direct and mandatory application. If your business uses, develops, imports or distributes AI systems in the European market, it already has active obligations. What remains to be activated, according to the deadlines in force as of June 2026, are the most demanding rules for high-risk systems. But that does not mean waiting: the time to prepare is now.
This guide explains, in concrete and jargon-free terms, what the AI Act requires of a business in 2026, what the real deadlines are following the latest reform (the Digital Omnibus of May 2026), what penalties you risk if you fail to act, and how to structure compliance from a compliance department or from the board level.
What is the AI Act and why does it affect you even if you are not a technology company?
The AI Act does not only regulate companies that develop artificial intelligence software. It regulates any organisation that deploys or uses an AI system in the European Union, regardless of whether that system was purchased from an external supplier or built internally. A law firm that uses an automated system to review contracts, a manufacturing company that applies computer vision on its production line, an HR department that uses candidate scoring software: all of them fall within the scope of the regulation.
The regulation classifies AI systems into four categories based on the level of risk they pose to fundamental rights and people's safety. This classification determines which specific obligations apply to each operator.
The four risk categories of the AI Act
| Category | Description | Examples | Applicable regime |
|---|---|---|---|
| Unacceptable risk (prohibited) | Systems that undermine fundamental rights or manipulate people without their knowledge | Social scoring by public authorities; subliminal manipulation; real-time remote biometrics in public spaces (with exceptions); systems exploiting vulnerabilities of protected groups; nudifiers without consent (prohibition extended Dec. 2026) | Absolute prohibition since 2 February 2025 |
| High risk (Annex III) | Systems with significant impact on rights, safety or access to essential services | Automated HR candidate scoring software; credit scoring; biometric categorisation systems; educational assessment tools; critical infrastructure management; decision-making systems in migration and asylum | Full obligations from 2 December 2027 (deadline postponed by Digital Omnibus) |
| High risk (Annex I) | AI embedded in products regulated by sectoral legislation (machinery, medical devices, vehicles, toys…) | AI-assisted medical diagnosis; industrial machinery control systems; AI in autonomous vehicles | Full obligations from 2 August 2028 |
| Limited risk | Systems with transparency risks that can be managed by informing the user | Chatbots; image or text generators; recommendation systems | Transparency obligations (inform the user they are interacting with AI) |
| Minimal risk | Systems with no significant impact on people | Anti-spam filters; internal search assistants; basic productivity tools | No specific AI Act obligations (voluntary best practices) |
Real deadlines in June 2026: what is already in force and what is coming
One of the most confusing aspects of the AI Act is its phased timeline. Below we detail the milestones already in force and those ahead, incorporating the changes introduced by the Digital Omnibus (provisional agreement of 7 May 2026, which postpones deadlines for Annex III high-risk systems and extends certain prohibitions).
February 2025 — Absolute prohibitions in force
Since 2 February 2025, AI practices deemed to present unacceptable risk (Article 5 of the Regulation) have been prohibited: subliminal manipulation, social scoring by public bodies, real-time remote biometrics in public spaces (except strictly defined national security exceptions), systems that exploit vulnerabilities of specially protected groups, and systems inferring emotions in workplaces or educational centres for purposes other than safety. If your business was using any of these systems, it should have retired or adapted them before that date.
August 2025 — AI literacy and GPAI models
Since 2 August 2025, two blocks of obligations relevant to virtually any business have been in force:
- Article 4 — AI literacy: every organisation that uses AI systems must ensure that its staff have a sufficient level of understanding of how AI works, what its limitations are, and how to interpret its outputs. The Regulation does not prescribe a specific number of training hours, but it does require documenting that an awareness plan has been put in place. The AESIA (Spanish Agency for the Supervision of Artificial Intelligence) may request evidence during an inspection.
- Articles 51-55 — General-purpose AI models (GPAI): companies that develop or adapt large-scale language models (such as GPT, Claude, Llama) for distribution in the EU have documentation, systemic risk assessment and registration obligations. This primarily affects technology providers, but also companies that fine-tune models for large-scale internal use.
August 2026 — Full application and full enforcement capacity of AESIA
2 August 2026 is the date on which the AI Act reaches full application for the bulk of its general obligations. From this point, AESIA has full capacity to inspect, request documentation and impose sanctions. Although the deadlines for high-risk systems have been postponed by the Digital Omnibus, the rest of the Regulation — including governance, transparency and literacy obligations — is fully enforceable and subject to penalties.
December 2027 — Full obligations for high-risk systems (Annex III)
Following the Digital Omnibus of May 2026, systems classified as high risk under Annex III (biometrics, HR, credit, critical infrastructures, education, migration, justice) must comply with the full AI Act regime from 2 December 2027. This sixteen-month postponement from the original plan (August 2026) was negotiated by the European Commission to give companies and public administrations more time. However, preparation must begin now: the requirements are substantial (see the following section).
August 2028 — High-risk systems embedded in products (Annex I)
AI systems integrated into products subject to sectoral safety legislation (Machinery Directive, Medical Devices Regulation, etc.) have until 2 August 2028 to comply.
What specific obligations does your business have if it uses high-risk systems?
If your business operates systems classified as high risk (a candidate scoring module in HR, a scoring system for internal credit approval, a video surveillance platform with facial recognition…), the AI Act obligations are the most demanding in the Regulation. Here is the core of what you will need to have documented and operational before 2 December 2027:
1. AI-specific risk management system
You must establish, document, apply and maintain a risk management system throughout the entire lifecycle of the AI system. A clause in the supplier contract is not sufficient: you must identify the reasonably foreseeable risks of the system, estimate them, assess them and adopt proportionate management measures. This process must be reviewed periodically and whenever there is a material change to the system.
2. Data governance and training data quality
If you develop or adapt the model, you must document your data governance practices: data origin, cleansing procedures, identified biases and corrective measures. Even as a deployer (a company that purchases and uses the system without developing it), you are obliged to monitor that the system operates in accordance with its intended purpose and to document incidents.
3. Technical documentation and activity logs
The AI Act requires detailed technical documentation for each high-risk system: system description, intended purpose, data used, performance metrics, known limitations and human oversight measures. In addition, high-risk systems must generate automatic logs that allow tracing of their operation for a minimum period of six months from use.
4. Transparency and information to users
People affected by a high-risk system (evaluated candidates, credit applicants, people in video surveillance zones) must receive clear information about the existence of the system, its purpose and the rights available to them. This integrates with GDPR rights (Articles 13 and 14) when the system processes personal data.
5. Human oversight
High-risk systems must be designed so that natural persons can oversee, interrupt or override their operation. In practice, this means that no high-impact decision — selecting a candidate, denying credit, restricting access to an essential service — can be made in a fully automated manner without the possibility of human review.
6. Conformity assessment and registration
Before putting a high-risk system into service, a conformity assessment must be carried out. For most Annex III systems, this assessment can be performed by the provider itself through self-assessment, provided the required documentation is in place. The system must be registered in the European AI database (managed by the European Commission) before it is put into service.
Obligations applicable to all businesses (not only high-risk)
Even if your business does not use high-risk systems, the AI Act imposes horizontal obligations that are already in force or will enter into force in August 2026:
- AI literacy (Art. 4): active since August 2025. You must be able to demonstrate that the employees who use AI have basic training on its capabilities, limitations and risks.
- Transparency in conversational and generative systems (Art. 50): if you use a customer-service chatbot, you must inform users that they are interacting with an AI system, unless this is obvious from the context.
- Labelling of AI-generated content: video, image or audio content that is generated or significantly manipulated by AI (including deepfakes) must be labelled in a machine-readable format. This affects marketing campaigns using synthetic images or videos.
- Review of your AI tools inventory: while not an express formal requirement of the Regulation, AESIA recommends — and it is standard compliance practice — that every business carries out an inventory of the AI systems it uses or markets, with an initial risk classification.
Penalties: how much can you lose by failing to comply with the AI Act?
The AI Act's penalty regime is the highest in all European digital regulation, surpassing even the GDPR in the most serious cases:
| Type of infringement | Maximum penalty |
|---|---|
| Use of prohibited AI practices (Art. 5) | 35 million euros or 7% of total worldwide annual turnover (whichever is higher) |
| Non-compliance with obligations for providers or deployers of high-risk AI | 15 million euros or 3% of total worldwide annual turnover |
| Supply of incorrect or misleading information to supervisory authorities | 7.5 million euros or 1% of total worldwide annual turnover |
For SMEs and natural persons, the Regulation states that penalties will be proportionate to the size and resources of the organisation, but does not exempt them from liability. AESIA, operational since March 2025, has published its supervision plan for the second half of 2026, focusing first on the highest-impact sectors (HR, financial services, public administration) and on compliance with the AI literacy obligation.
How to structure AI Act compliance in your business: a five-step roadmap
In our AI Act consulting service we work with a structured approach that allows a business to move from zero to an auditable compliance file within a reasonable timeframe. These are the five essential steps:
Step 1 — Inventory and classification of AI systems
The starting point is knowing which AI systems your business uses: SaaS tools with AI components, internal developments, automations using language models, computer vision systems, conversational assistants… For each system, its risk category is determined according to the criteria of the Regulation. This inventory is the foundation of any compliance programme and allows efforts to be prioritised.
Step 2 — Gap analysis
With the inventory in hand, the gap between the current situation and the AI Act requirements for each system is analysed. For low- or minimal-risk systems, the gap is usually small (updating legal texts, adding user information). For high-risk systems, the gap may be significant: lack of technical documentation, absence of logs, need to redesign human oversight processes.
Step 3 — Action plan and roadmap
Based on the gap analysis, an action plan is defined with responsible parties, deadlines and resources. The plan must distinguish between immediate actions (complying with obligations already active, such as AI literacy) and medium-term actions (preparing technical documentation for high-risk systems before the December 2027 deadline).
Step 4 — Implementation: documentation, processes and training
This phase includes drafting the required technical documentation, implementing logging and monitoring systems, updating transparency notices to affected users (integrating with GDPR privacy policies), and running AI literacy training programmes for relevant staff.
Step 5 — Ongoing review and maintenance
The AI Act is a lifecycle regulation: obligations are not met once and filed away. The inventory must be reviewed whenever a new AI system is adopted, documentation must be updated when there are material changes to existing systems, and activity logs must be kept active. Additionally, the Regulation itself and the harmonised technical standards that will be published periodically may require regular adjustments.
The AI Act and its relationship with GDPR, NIS2 and ISO 42001
The AI Act does not operate in a vacuum: it interacts with other regulations that your business may already be complying with or that also affect you. Understanding these intersections avoids duplicated work and ensures coherent digital governance.
- GDPR: AI systems that process personal data — that is, virtually all those with an impact on people — must simultaneously comply with the AI Act and the GDPR. The GDPR impact assessments (DPIA) and the AI Act risk assessments can and should be coordinated to avoid duplicating effort. The legal basis for automated data processing remains the GDPR; the AI Act adds the system governance framework.
- NIS2: if your business operates critical infrastructures or essential services and uses AI systems in those environments, the cybersecurity obligations of the NIS2 Directive (pending transposition in Spain as of June 2026) overlap with the security and robustness requirements of the AI Act for high-risk systems.
- ISO 42001: this international standard for AI management systems can act as an implementation framework for AI Act obligations. Having a system certified under ISO 42001 makes it easier to demonstrate conformity with the Regulation, although ISO certification does not by itself constitute legal compliance with the AI Act.
If your business is already working on NIS2 compliance, we recommend coordinating both initiatives. You can learn more about our NIS2 and DORA consulting for businesses with regulatory exposure in cybersecurity.
Frequently asked questions
Does the AI Act affect me if I only use third-party SaaS tools with AI, such as ChatGPT or Copilot?
Yes, although with fewer obligations than if you were the system's developer. As a deployer (a business that uses an AI system developed by a third party), you have specific obligations: ensuring the system is used for its intended purpose, monitoring its operation, informing users when required and, if the system is high-risk, documenting its use and maintaining the required logs. The provider (Microsoft, OpenAI, etc.) assumes the obligations specific to providers, but that does not exempt you from your own obligations as a deployer.
What exactly is the «AI literacy» required by Article 4 and how do I demonstrate it?
Article 4 of the AI Act requires providers and deployers of AI systems to take measures to ensure a sufficient level of AI literacy in their staff. The Regulation does not set a number of training hours or prescribed content. In practice, AESIA recommends that businesses develop a training plan proportionate to their use of AI, document who has received what training, and be able to present that documentation to an inspection. The level required varies by role: the expectation is not the same for an operator who uses an AI-powered system without making decisions about it as for a manager who approves the deployment of a high-risk system.
What changed with the Digital Omnibus of May 2026 and is it still binding?
The Digital Omnibus is a provisional agreement reached on 7 May 2026 between the European Commission, the European Parliament and the Council of the EU. Its most relevant changes for businesses are: (1) postponement of the full obligations for Annex III high-risk systems from 2 August 2026 to 2 December 2027; (2) extension of the prohibition on unacceptable-risk AI to include nudifiers without consent, with effect from December 2026. As of June 2026, the agreement was in the process of formal adoption, but the provisional text is what guides compliance planning. The obligations already in force (prohibitions since February 2025, AI literacy and GPAI models since August 2025) have not been modified.
Who is the supervisory authority for the AI Act in Spain and what can it do?
The Spanish Agency for the Supervision of Artificial Intelligence (AESIA), headquartered in A Coruña, is the designated national competent authority in Spain for AI Act supervision. It has been operational since March 2025. From 2 August 2026, it has full capacity to carry out inspections, request technical documentation, impose precautionary measures (including market withdrawal of a system) and propose sanctions. It can act on its own initiative or in response to a complaint. AESIA publishes guides and orientations on aesia.gob.es which, while not legally binding, serve as a reference for best practices recognised by the supervisory authority.