The EU AI Act phased in over 2024-2026 and is now substantively enforceable. If your company has any users in the EU, sells AI-flavoured products there, or trains models on EU data, you have obligations, and most US companies are still confused about which ones. This is a plain-English breakdown.
The four risk tiers and what they mean
The Act sorts AI systems into four buckets. Unacceptable risk (social scoring, emotion recognition in workplaces and schools, predictive policing on individuals) is banned outright. High risk (employment screening, credit decisions, critical infrastructure, biometrics, education) carries the heaviest compliance load. Limited risk (chatbots, generated content) requires transparency disclosures. Minimal risk (spam filters, AI-assisted productivity) is essentially unregulated.
Most US companies sit in limited or high risk depending on the product. The mistake is assuming you’re minimal because you’ve never thought about it.
If you ship a chatbot, here’s the bare minimum
Article 50 transparency obligations apply to any AI system that interacts with humans, generates synthetic content, or performs emotion recognition. The bar is low but real: tell users they’re interacting with AI, label AI-generated content as such, and don’t pretend a human is on the other end. A footer that says “this assistant is powered by AI” satisfies most of it.
For generated images and video, the disclosure has to be machine-readable; C2PA-style provenance metadata is becoming the de facto standard. If you ship an image-generation product, embedding C2PA is the cheap path to compliance.
If you’re high-risk, the work is real
High-risk systems require: a quality management system, a risk management process, technical documentation that survives an audit, data governance documenting training data sources and bias mitigation, human oversight built into the workflow, accuracy and robustness testing with documented results, cybersecurity measures, and post-market monitoring. The ISO 42001 standard now exists to provide a recognised framework for most of this.
Penalties at the top end of the scale reach 7% of global annual turnover or €35 million, whichever is higher. The first enforcement actions in early 2026 have landed on the lower end, but the precedent is the harder problem: once a regulator decides your product is high-risk and you didn’t comply, the categorisation tends to stick.
General-purpose AI models, the GPAI tier
If you train or significantly fine-tune a general-purpose model, separate obligations apply: technical documentation summarising the training data, copyright compliance policy, and (for “systemic risk” models above 10^25 FLOPs of training compute) additional safety testing, incident reporting, and adversarial testing.
Most companies aren’t training their own foundation models. If you fine-tune Llama or call OpenAI’s API, the upstream provider’s compliance covers most of the GPAI obligations. You inherit the limited or high-risk obligations downstream depending on the use case.
The three things to do this quarter
Inventory your AI systems and classify each one. If you can’t list them, you can’t comply. The list usually surprises people: most large organisations have between 30 and 200 AI-touching workflows.
Decide whether you’re a provider or a deployer. Providers (you built the system) carry more weight; deployers (you use someone else’s) carry less, but still real, obligations. The same product can have a US-based provider and an EU-based deployer with split obligations.
Add the disclosures and the documentation for limited-risk systems immediately, and start the ISO 42001 work for high-risk systems. The documentation is the lift. Most US companies don’t have it yet because they’ve never had to. Building it from scratch takes a quarter of focused work.
Bottom line
The Act is not GDPR. It’s narrower in scope but heavier on documentation. The smart move is to assume an enforcement letter eventually arrives, and to make sure that when it does you can produce the artefacts in 48 hours instead of 48 days. That’s the difference between a fine and a finding.
