EU AI Act: What Entrepreneurs Really Need to Know in 2026
Last updated: May 2026
The EU AI Act (Regulation EU 2024/1689) is the world's first comprehensive AI law. It has applied since 1 August 2024 in all 27 EU member states and divides AI systems into four risk classes: prohibited, high-risk, limited risk and minimal risk. The main deadline for high-risk AI is 2 August 2026. Companies face fines of up to 35 million euros or 7 percent of annual turnover for violations.
In early August 2024, Regulation (EU) 2024/1689 came into force. Nobody read it. No politician talked about it. But since 2 February 2025, the first part of the EU AI Act has teeth - with fines that are very real. By 2 August 2026 the main wave arrives. Entrepreneurs who keep waiting will find themselves under serious time pressure.
Here is what you as an entrepreneur need to know. No legal jargon. No panic. But no sugarcoating either.
What Is the EU AI Act?
The EU AI Act is the world's first comprehensive regulation of artificial intelligence by a union of states. The formal title is Regulation (EU) 2024/1689. It entered into force on 1 August 2024 and applies directly in all 27 EU member states - without national parliaments needing to transpose it into domestic law first.
The comparison with the GDPR is not an exaggeration: just as the GDPR catches everyone who processes personal data of EU citizens - whether the company sits in Berlin or San Francisco - the EU AI Act applies to anyone who deploys or provides AI systems for EU users. My company headquarters in Cyprus changes nothing about that. I have EU clients, so I am in.
The core idea: the higher the risk a given AI system poses to people, the stricter the regulation. That sounds reasonable. And in large parts it is - if you ignore the bureaucratic overhead, which is extreme in some places.
Why now? Why this article?
Because in 10 weeks - on 2 August 2026 - the main deadline for high-risk AI systems arrives. Anyone who still does not know whether they are affected and what they need to do has a serious problem. The EU Parliament does not wait for your feeling that someone will surely push this back.
Three numbers worth remembering: 35 million euros (maximum fine for prohibited systems), 7 percent (share of annual turnover as the fine ceiling) and 2 August 2026 (main deadline). Everything else is details.
The four risk classes at a glance
| Risk class | Examples | Status | Obligations |
|---|---|---|---|
| Prohibited (Class 1) | Social scoring, emotion recognition at work, biometric mass surveillance | Since 2 Feb. 2025 | Prohibited systems may not be developed or deployed |
| High-risk (Class 2) | HR tools, credit assessment, medicine, law enforcement, education | Deadline: 2 Aug. 2026 | Risk analysis, documentation, human oversight, registration |
| Limited risk (Class 3) | Chatbots, AI-generated text and images, deepfakes | From 2 Aug. 2026 | Transparency obligation: users must know they are interacting with AI |
| Minimal risk (Class 4) | Spam filters, spell-checkers, video-game AI | Hardly any obligations | Voluntary codes of conduct recommended, no statutory obligation |
The Four Risk Classes of the EU AI Act
At the heart of the EU AI Act is a risk-based classification. The greater the potential harm a given AI system can cause, the stricter the regulation. That sounds logical. And at its core it is.
The decisive question for you as an entrepreneur: into which class do the AI tools you currently use - or want to use - fall? That determines what you need to do.
Where most entrepreneurs actually land
The honest answer: most SME owners and freelancers I know use AI as a writing aid, for marketing copy, for research, for summaries. That is Class 3 or Class 4. Little to no regulation. Anyone using AI for recruitment screening, credit decisions or in medical contexts, however, is in an entirely different universe.
Prohibited AI Systems - What Has Applied Since February 2025?
Since 2 February 2025, Article 5 of the EU AI Act has been fully active. These are the absolute prohibitions - no grey areas, no transition periods, no proportionality. Anyone deploying these systems risks the harshest fines.
What is concretely prohibited
Social scoring: AI systems that evaluate people's behaviour over time and use that score to impose disadvantages. The classic example is China's social credit system. Prohibited in the EU - whether state-run or private.
Emotion recognition at workplaces and educational institutions: Cameras or other systems that detect and evaluate the emotions of employees or pupils. Anyone who gets the idea to monitor the mood of their workforce via AI has a serious problem.
Real-time biometric mass surveillance: Facial recognition and similar technologies in public spaces in real time by authorities - with very narrow exceptions for law enforcement under judicial oversight.
Manipulative AI: Systems that exploit psychological weaknesses or vulnerabilities to influence people's behaviour against their own will - without them knowing that an AI is influencing them.
Practical check: As a regular entrepreneur you will not come into contact with any of these prohibited categories. Most concern state actors or highly specialised system providers. Anyone who gets the idea of introducing AI for 'mood analysis' of their staff should stop immediately.
High-Risk AI - Who Is Affected and What Must They Do?
This is the part that becomes relevant for most entrepreneurs by August 2026. High-risk AI systems are defined in Annex III of the EU AI Act. The list is concrete and exhaustive - no room for interpretation.
Which areas count as high-risk
- HR and personnel: AI systems for applicant screening, CV screening, employee performance evaluation, dismissal decisions.
- Credit and financial services: AI-driven creditworthiness checks, automated credit decisions.
- Medicine: Diagnostic AI systems, triage systems, AI in medical devices.
- Education: Systems that evaluate exam results, control access to educational institutions or assess learners.
- Law enforcement: AI for evaluating recidivism risk, analysing suspects.
- Border control and migration: Systems for risk assessment at border crossings.
- Critical infrastructure: AI in energy, water, transport, financial systems.
- Administration of justice: AI systems that assist judges or prosecutors in decisions.
What providers of high-risk AI must do
The obligation list for providers (i.e. those who develop and market such systems) is extensive. Articles 9 through 17 and Article 43 of the EU AI Act specify:
- Risk management system (Art. 9) - ongoing, not a one-off
- Data governance and training data quality (Art. 10)
- Technical documentation per Annex IV (Art. 11)
- Record-keeping / logging obligations (Art. 12)
- Human oversight - the system must be overridable (Art. 14)
- Quality management system (Art. 17)
- Conformity assessment (Art. 43)
- Registration in the EU database (Art. 71)
Deployers - those who use finished high-risk AI systems without developing them - have their own, narrower obligations under Article 26. In certain cases this includes a fundamental rights impact assessment (Art. 27).
Limited Risk: Chatbots and the Transparency Obligation
Class 3 is the category that affects most entrepreneurs directly. Everything related to user-AI interaction belongs here: chatbots on your website, AI-generated text and images, synthetic speech.
What Article 50 concretely requires
From 2 August 2026, Article 50 applies. The core obligation is straightforward: anyone operating a chatbot must ensure users know they are interacting with an AI - not a human. That sounds trivial, but it is not if you take the wording seriously.
On top of that comes the obligation to label AI-generated content in machine-readable form. Images, videos and audio produced by AI must carry a machine-readable watermark - unless they are obvious satire or works of art. This also applies in principle to AI-generated marketing images.
In practice: if your website has an AI chatbot, the user must know it is AI. If you use AI-generated images in your advertising, they need a label.
Provider
Develops and markets AI systems. Greatest obligation burden. Examples: OpenAI, Anthropic, a startup with its own AI product.
- Full high-risk obligations
- Conformity assessment
- EU database registration
- CE marking for high-risk
Deployer
Uses ready-made AI tools in their business operations. Fewer obligations. This is most companies - including you.
- Art. 26 deployer obligations
- Transparency obligations (chatbots)
- Impact assessment in certain cases
- No CE obligation
Who Is a Provider, Who Is a Deployer?
This distinction is the most important thing for your concrete action needs. The EU AI Act clearly distinguishes between two main roles.
Providers are those who develop an AI system and bring it to market under their own name or brand. OpenAI is a provider. Anthropic is a provider. A startup that develops and sells its own AI software for credit scoring is a provider. Providers carry the greatest obligation burden.
Deployers use finished AI systems in the course of their own business activities. You use ChatGPT for your marketing? Deployer. You have a third-party chatbot on your website? Deployer. You use an AI tool for recruitment? Deployer - and in this case with serious obligations.
Why the role is decisive
As a pure deployer of minimal-risk or limited-risk tools, what you mainly need by August 2026 is: a transparency notice when users interact with your chatbot, and where applicable labelling of AI-generated content. That is manageable.
As a deployer of a high-risk system you will face more extensive obligations - but still fewer than the provider. Article 26 lists deployer obligations. In short: use the system as intended, don't modify it, keep records, cooperate with authorities.
As a provider you are in the full spectrum of obligations. That is the job of specialised IT lawyers - not this article.
The Key Deadlines of the EU AI Act 2025-2027
Four dates. They cover 95 percent of all entrepreneurs.
| Date | What applies | Affects | Fine risk |
|---|---|---|---|
| 2 Feb. 2025 | Prohibitions active (Art. 5) | Everyone - immediately | Up to 35 m EUR / 7% |
| 2 Aug. 2025 | GPAI obligations (foundation models) | Providers of LLMs / foundation models | Up to 15 m EUR / 3% |
| 2 Aug. 2026 | High-risk AI (Annex III) + transparency obligations | Providers and deployers of high-risk AI, all with chatbots | Up to 15 m EUR / 3% |
| 2 Aug. 2027 | High-risk in regulated products (Annex I) | Medical devices, vehicles, industrial machinery with AI | Up to 15 m EUR / 3% |
Does the EU AI Act Apply to Small Businesses and SMEs Too?
Yes - but with clear differences compared to large corporations. The EU AI Act explicitly addresses proportionality. Three points that are decisive for SMEs:
Proportional fines
Fines can be capped proportionally. The lower thresholds apply for small businesses where these are lower than the absolute maximums. A startup with 500,000 euros in annual turnover pays a maximum of 15,000 euros at a 3% cap - not 15 million. Painful, but not existentially threatening.
Simplified requirements
SMEs must fulfil the same core obligations as large companies - but supervisory authorities will apply proportionality when it comes to documentation depth. That is not written explicitly in the law, but is clear from the recitals and the political intent.
What you as an SME need to do concretely
- Create an AI inventory: List all AI systems you use. Which tools, where deployed, for what purpose.
- Determine the risk class: Does any of your tools fall into the high-risk category? If you only use ChatGPT for marketing copy: Class 4. If you use an AI tool for recruitment screening: high-risk.
- Ensure transparency: Chatbot on your website? Clearly label it as AI.
- Avoid high-risk or be compliant: Anyone deploying high-risk systems must fulfil the deployer obligations under Art. 26.
EU AI Act vs. GDPR: What Is the Difference?
The comparison is helpful because almost every entrepreneur knows the GDPR - or should. Here are the key differences:
The GDPR regulates how personal data is handled. Everything revolves around how you collect, store, process and share data about people. Legal basis, purpose limitation, right of access - that is GDPR territory.
The EU AI Act regulates AI systems as a technology - regardless of whether they process personal data. An AI system that only uses public data can still be high-risk. An AI system that stores no data can still trigger transparency obligations.
Both can apply simultaneously. An AI system for recruitment that processes applicant data is both GDPR-relevant (personal data) and EU AI Act-relevant (high-risk AI). You need both.
Put simply: GDPR = how you handle data. EU AI Act = which AI systems you deploy and how you control them. Different dimension, can overlap.
Germany: KI-MIG and the Federal Network Agency
The EU AI Act is an EU regulation and applies directly. But each member state must designate a market supervisory authority. Germany resolved this in February 2026: the Federal Cabinet adopted the AI Implementation Act (KI-MIG) on 11 February 2026 and referred it to the Bundestag.
The Federal Network Agency as coordinating body
The Federal Network Agency (Bundesnetzagentur) is designated as the coordination office for AI regulations (KoKIVO). For high-risk AI in specific sectors (medicine, banking, insurance), the respective specialist authorities remain responsible. The Federal Network Agency handles the overarching coordination.
What that means for you: if you have questions about the EU AI Act and are based in Germany, the Federal Network Agency is your first point of contact. The national KI-MIG law creates the framework for how it is implemented in practice.
Digital Omnibus: Is a Deadline Extension Coming?
Honestly: yes, the Digital Omnibus is real. The EU legislative process is ongoing, and there are discussions about shifting the main deadlines to December 2027 or August 2028. But - and this is decisive - there is no enacted legislation yet.
Anyone pursuing the strategy of waiting for a shift and then orienting to August 2028 as a target is taking a serious risk. If the shift does not come or only comes partially, you are left with nothing. The trilogue process can drag on, can fail, can produce different outcomes than expected.
My recommendation: plan with 2 August 2026. If the deadlines do actually get pushed - all the better, you have buffer. If not, you are compliant.
What Are GPAI Models and Does That Apply to My Business?
GPAI stands for General Purpose AI - AI systems not trained for a specific use case, but suitable for a broad range of tasks. ChatGPT, Claude, Gemini, LLaMA - these are all GPAI models.
What has applied since 2 August 2025
For providers of GPAI models, extensive obligations have been active since 2 August 2025. The Code of Practice for GPAI was published in final form on 10 July 2025. Models with a training compute of more than 10^25 FLOP (floating-point operations) qualify as models with 'systemic risk' and face even stricter regulation.
For you as a deployer of these models - i.e. as a user of Claude, ChatGPT etc. - the point is: you need to be able to trust that the providers are meeting their GPAI obligations. Check whether the tools you use are compliant. The major providers generally do this, because the fines are painful for them too.
Fines and Sanctions: What Happens If You Violate the Rules?
The EU AI Act has teeth. Three levels:
Prohibited systems (Art. 5)
Up to 35 million euros or - for companies - up to 7 percent of global annual turnover. The higher of the two applies. This is the harshest tier.
High-risk and GPAI: violations of obligations
Up to 15 million euros or 3 percent of global annual turnover. For violations of high-risk obligations and GPAI requirements.
False statements to authorities
Up to 7.5 million euros or 1 percent of annual turnover. Anyone who lies to or obstructs supervisory authorities is penalised separately.
SMEs: the lower of the two thresholds applies. A company with 2 million euros in turnover pays a maximum of 140,000 euros at 7 percent - not 35 million. Painful, but not existentially threatening.
My Take as an Entrepreneur
I use AI every day - as you may know from my article about my AI assistant. Claude helps me write articles, manages my calendar, answers emails. All of that is Class 3 or Class 4 applications. Barely regulated.
My company is based in Cyprus - an EU member state. I have EU clients. So I am in, whether I like it or not. And that is right.
What actually matters to me as an entrepreneur
AI is changing how search engines and AI systems find and rank information. The EU AI Act influences which AI tools I can use long-term and which providers will survive. Providers that ignore the EU AI Act will be pushed out of the European market - or hit with very expensive penalties. That means: compliant tools will dominate. Good for users like me.
What irritates me: the bureaucratic overhead for genuine high-risk systems is astronomical. A mid-sized company that wants to deploy AI for recruitment screening faces documentation requirements that are almost discouraging. That is deliberate policy - I understand the intent, but find the execution disproportionate in places.
My advice to entrepreneurs: do not make a drama of it. Check which category your AI usage falls into. If you are not running a high-risk system, the effort is manageable. If you are - get legal support.
The EU AI Act is not a reason for panic - but also not a reason to wait. Anyone who does their AI inventory now and knows their risk classes has enough time before August 2026. Anyone who puts it off will find it tight.
Your 5-point checklist before August 2026
Create an AI inventory
List all AI tools: which software, where deployed, for what purpose. Takes 30 minutes and is the foundation for everything else.
Determine the risk class per tool
Use the official AI Act Compliance Checker or consult a lawyer.
Ensure chatbot transparency
If you run an AI chatbot: clearly label it as AI. A simple notice is sufficient for most cases.
Identify high-risk systems
Do you use AI for HR, credit assessment, medicine or similar areas? Then you need in-depth advice and must meet the deployer obligations under Art. 26.
Legal advice for high-risk
If high-risk systems are in use: bring in an IT lawyer or a consultancy specialising in the EU AI Act. This is not do-it-yourself territory.
Frequently Asked Questions About the EU AI Act
The most important questions - short and direct answers.
What is the EU AI Act in simple terms?
The EU AI Act (Regulation EU 2024/1689) is the world's first comprehensive AI law. It divides AI systems into four risk classes and specifies what is permitted, prohibited or regulated. It applies to everyone using AI for EU users - regardless of where the company is based.
Does the EU AI Act apply to small businesses and SMEs too?
Yes, but with proportionality in mind. Fines for SMEs are capped. If you only use AI as a deployer (i.e. third-party tools like ChatGPT or Claude), you have far fewer obligations than a provider who develops and markets their own AI systems.
What AI systems are prohibited under the EU AI Act?
Prohibited since 2 February 2025: social scoring systems by state authorities, emotion recognition in the workplace, real-time biometric mass surveillance in public spaces, and manipulative AI that influences users without their knowledge. Violations cost up to 35 million euros or 7% of annual turnover.
What are high-risk AI systems and am I affected?
High-risk AI is used in areas like HR/recruitment, credit assessment, medicine, education or law enforcement. The deadline for providers and deployers of these systems is 2 August 2026. If you only use standard tools like ChatGPT for marketing, you are generally not affected.
What deadlines apply under the EU AI Act?
Four key dates: 2 February 2025 (prohibitions active), 2 August 2025 (GPAI obligations for foundation models), 2 August 2026 (main deadline high-risk AI Annex III), 2 August 2027 (high-risk in regulated products like medical devices). The Digital Omnibus could shift deadlines - but nothing has been decided yet.
What is the difference between a provider and a deployer under the EU AI Act?
Providers develop and market AI systems - they carry the greatest obligations. Deployers use AI tools from third parties in their business operations. Most companies are deployers: they use ChatGPT, Claude or other tools, but do not develop their own AI.
What is the difference between the EU AI Act and the GDPR?
The GDPR regulates how personal data is handled. The EU AI Act regulates AI systems as such - regardless of whether they process personal data. Both frameworks can apply simultaneously. The EU AI Act is technology-specific, the GDPR is data protection-specific.
What do businesses need to do concretely now?
Three steps: 1. Create an AI inventory - which AI tools do I use where? 2. Determine the risk class - minimal risk (few obligations), limited risk (transparency notice), high risk (extensive documentation). 3. Be compliant by August 2026 if high-risk systems are in use.
What happens if the Digital Omnibus shifts the deadlines?
The Digital Omnibus process is still ongoing. A shift to December 2027 or August 2028 is possible - but there is no enacted legislation yet. Plan with 2 August 2026 as your target date. Whoever waits for shifts and turns out to be wrong has the problem, not the EU Parliament.
What are GPAI models and does that apply to my business?
GPAI (General Purpose AI) are foundation models like GPT-4, Claude or Gemini. The obligations (active since 2 August 2025) affect the providers of these models - i.e. OpenAI, Anthropic, Google. As a user of these models you are barely directly affected, but you do need to make sure the tools you use are GPAI-compliant.
Whoever understands the EU AI Act has an advantage. Whoever ignores it has a problem.
All the best, Maik