How to navigate the EU AI Act before it costs your company €35 million — explained in plain English: the deadlines, the rules, and how not to get fined.
You might already be breaking a law you’ve never read
Here’s an uncomfortable thought to start your morning with.
Right now, today, there is a strong chance your business is using artificial intelligence in a way the European Union already regulates, and in a few cases has already banned outright — and the part that should worry you is that you probably have no idea you’re doing it. Not the futuristic, robots-taking-over kind of AI. The boring kind. The chatbot on your website. The CV-screening tool your HR team loves. The system that scores your customers, flags “suspicious” transactions, or quietly decides who gets a discount and who doesn’t.
The EU AI Act is now in force. Parts of it have been legally binding since February 2025. And the maximum penalty for getting it wrong is not a slap on the wrist. It is €35 million, or 7% of your company’s total worldwide annual turnover — whichever is higher. For perspective, that ceiling is steeper than the GDPR’s, the regulation that has already cost European companies billions in fines.
If that number made you sit up, good. Because here’s the twist that catches most small and medium-sized businesses off guard: the EU recently delayed the scariest deadline — and that delay is the single most dangerous thing that could happen to your compliance plan. Keep reading, because the reprieve is a trap, and the companies that relax now are exactly the ones who will get burned.
What the EU AI Act actually is
Strip away the legal jargon and the EU AI Act is simple to describe: it is the world’s first comprehensive law governing artificial intelligence, and it sorts every AI system into risk buckets, then assigns rules based on how dangerous the system could be to people’s rights, safety, and livelihoods.
Think of it like food safety regulation. A company selling bottled water faces lighter rules than a company canning seafood, because the consequences of getting it wrong are wildly different. The AI Act applies the same logic. A spam filter is treated very differently from an algorithm that decides whether someone gets a mortgage.
The crucial point most SME owners miss is this: the law does not care whether you built the AI or merely use it. If you deploy an AI system inside your business — even one you bought off the shelf from a vendor — you have obligations. And if your customers or users are in the EU, the law reaches you even if your company is headquartered in London, New York, or Singapore. This is the same long-arm, extraterritorial design that made the GDPR a global standard. Geography is not an escape route.
The fines: why €35 million is only half the story
Let’s talk money, because that’s the part that focuses the mind.
The EU AI Act uses a three-tier penalty system, and which tier you land in depends on what rule you break, not how big the mistake feels:
- Tier 1 — up to €35 million or 7% of global annual turnover. Reserved for the worst offences: using AI systems that are outright banned (more on those in a moment). This is the headline figure, well above the GDPR’s ceiling of €20 million or 4% of turnover.
- Tier 2 — up to €15 million or 3% of global annual turnover. This covers the bulk of compliance failures: breaching the obligations placed on providers, importers, distributors and deployers of high-risk systems, or ignoring the transparency duties.
- Tier 3 — up to €7.5 million or 1% of global annual turnover. Triggered by giving regulators or auditing bodies incorrect, incomplete, or misleading information.
There is one piece of genuinely good news buried in the text, and it matters enormously for smaller companies. For SMEs and start-ups, the fine is calculated as the lower of the two figures, not the higher. So a small company won’t be handed a literal €35 million bill if 7% of its turnover is a fraction of that. The proportionality cushion is real. But “proportionate” is not the same as “survivable” — a fine sized to your turnover can still be the difference between a profitable year and closing the doors.
And fines are not the only consequence. Regulators can order you to withdraw a non-compliant product from the market, force you to retrain or shut down systems, and — perhaps most damaging of all — the reputational hit of being named in an enforcement action can cost you customers and contracts long after the cheque clears.
Does the EU AI Act even apply to you? Find out in two questions
Before you panic-budget for a compliance overhaul, get clear on your role. The Act divides everyone in the AI chain into “operators,” and two roles cover the vast majority of SMEs:
Are you a “provider”? You made the AI system, or you put your name on it and placed it on the market. Software companies, AI startups, and anyone white-labelling an AI tool fall here. Providers carry the heaviest obligations.
Are you a “deployer”? You use an AI system in the course of your business — you bought it, licensed it, or subscribed to it, and now you run it. This is where most small and medium-sized companies sit. The marketing agency using an AI copywriting tool, the recruiter using a screening platform, the clinic using a diagnostic aid: all deployers.
Here’s the reassurance, followed immediately by the catch. If you’re “only” a deployer, your obligations are lighter than a provider’s — but they are not zero. And there’s a sting in the tail: if you take an AI system and substantially modify it, put your own name or brand on it, or change its intended purpose so that it becomes high-risk, the law can reclassify you as a provider, with all the heavier duties that entails. Bolting your own logic onto a vendor’s tool can quietly promote you into the regulatory deep end.
The risk pyramid: the four buckets that decide your fate
Everything in the EU AI Act flows from where your system sits in the risk hierarchy. Here are the four levels, in plain terms.
1. Unacceptable risk — banned outright. A short list of AI uses are simply prohibited in the EU. These include social scoring of citizens, manipulative systems that exploit vulnerabilities, untargeted scraping of facial images to build recognition databases, and most emotion-recognition in workplaces and schools. As part of the 2026 amendments, the EU has also moved to ban AI systems that generate non-consensual intimate imagery and child sexual abuse material, with that prohibition applying from December 2026. If your system falls here, there is no compliance path — you must stop. This is the €35 million tier.
2. High risk — heavily regulated. This is the category that generates the most work, and the one most likely to ensnare a growing SME. High-risk systems include AI used in recruitment and hiring, credit scoring, access to essential services, education, critical infrastructure, and certain safety components in products. If you use AI to decide who gets hired, who gets a loan, or who gets into a programme, assume you are here until a professional tells you otherwise.
3. Limited risk — transparency required. Chatbots, AI-generated images, deepfakes, and synthetic content. The core rule is honesty: people must know they are dealing with AI or looking at AI-generated material. If your website chatbot lets users believe they’re talking to a human, that’s a problem you can fix cheaply today.
4. Minimal risk — no new obligations beyond the AI literacy duty that applies to everyone. Spam filters, AI in video games, inventory-optimisation tools. The overwhelming majority of everyday business AI lands here and can essentially be used as before.
The deadlines — and the reprieve that’s quietly setting companies up to fail
This is where you need to pay close attention, because the timeline shifted dramatically in 2026 and a lot of online advice is now out of date.
The EU AI Act does not switch on all at once. It rolls out in phases. Here is the schedule as it now stands:
- 2 February 2025 — already in force. The bans on unacceptable-risk AI took effect. So did the AI literacy obligation (more on that below). If you’re running a prohibited system today, you are already exposed.
- 2 August 2025 — already in force. Rules for general-purpose AI models (the large foundation models behind tools like ChatGPT, Claude, and Gemini) kicked in, along with the EU’s governance and penalty machinery. Member States now have their enforcement structures and fining powers in place.
- 2 December 2026. Transparency rules for marking AI-generated and manipulated content become enforceable, and the new prohibitions on AI-generated intimate imagery and abuse material take effect.
- 2 December 2027. The big one for most businesses: obligations for use-based high-risk AI systems (recruitment, credit, essential services, and the like). This was originally set for August 2026 — and was pushed back roughly sixteen months under the EU’s “Digital Omnibus” reform agreed in May 2026.
- 2 August 2028. Obligations for high-risk AI built into regulated physical products (machinery, medical devices, and similar) — also delayed from 2027.
Read that again. The deadline that should terrify most SMEs — the high-risk compliance date — moved from August 2026 to December 2027. You just received roughly sixteen months of breathing room.
So why am I calling this a trap?
Because deadline relief is not the same as obligation relief. The bans are live now. The AI literacy duty is live now. The general-purpose AI rules are live now. And the extra sixteen months on high-risk systems will evaporate faster than you think, because genuine compliance — auditing every system, documenting risk, building human oversight, training staff, fixing vendor contracts — is a months-long project, not a weekend sprint. Every company that reads “delayed until December 2027” and files it under “deal with it later” is, statistically, a company that will be scrambling in panic in 2027. The reprieve rewards the prepared and punishes the procrastinators. Don’t be in the second group.
The sleeper obligation almost everyone is ignoring: AI literacy
Here is the requirement that gets the least attention and trips up the most businesses, precisely because it sounds soft.
Since February 2025, every provider and deployer of AI has been required to take measures to ensure the people operating AI systems on their behalf are sufficiently AI-literate — that they understand what the tools do, what they can’t do, and where the risks lie. There is no grace period left. It applies today, to companies of every size.
The good news: this is cheap and fast to address. You don’t need a university course. You need documented evidence that your team has been trained on the AI tools they use — a short internal session, a written policy, a record of who attended — pitched at the roles people actually hold and the systems they actually operate, since the Act expects the measures to fit the staff’s existing knowledge and the context of use. The companies that get this wrong aren’t the ones who can’t afford training; they’re the ones who never realised the obligation existed.
How not to get fined: a practical action plan for SMEs
Enough theory. Here is what a sensible, non-paranoid small or medium business should actually do, in order.
- Build an AI inventory. You cannot comply with rules for systems you’ve forgotten you use. List every AI tool in the business: the obvious ones and the sneaky ones embedded inside software you already pay for. Note what each does, what data it touches, and which decisions it influences.
- Classify each system by risk. Run every item through the four-bucket pyramid above. Most will be minimal or limited risk. Flag anything that touches hiring, lending, access to services, or safety — those are your high-risk suspects and deserve professional review.
- Kill anything prohibited, immediately. If a system is in the banned category, no amount of paperwork makes it legal. Stop using it now. This is the one area where there is zero tolerance and the largest fines.
- Fix transparency quick wins today. Make sure chatbots identify themselves as AI and that AI-generated content is labelled. These changes are cheap, fast, and close off real exposure ahead of the December 2026 deadline.
- Sort out AI literacy. Train your team, write a one-page internal AI policy, and keep records. This obligation is already live and inexpensive to meet.
- Interrogate your vendors. For any high-risk system you bought rather than built, demand documentation from the supplier: how was it tested, what are its limitations, how do you exercise human oversight? Their compliance gaps can become your liability. Get the answers in writing and into your contracts, and confirm you can retain the logs the system generates, because deployers of high-risk systems must keep those logs for at least six months where they are under the deployer’s control.
- Assign an owner and a calendar. Compliance with no name attached is compliance that never happens. Put one person in charge, map the deadlines that apply to you, and start the high-risk work well before December 2027 — not the month before.
The myths that get good companies fined
“We’re too small for the EU to care.” Enforcement scales to your size, but it does not exempt you. SMEs are squarely in scope, and a turnover-based fine is designed to hurt at any size.
“We didn’t build the AI, so it’s the vendor’s problem.” As a deployer, you carry your own distinct duties. The vendor’s compliance does not automatically become yours.
“We’re not based in the EU, so the law doesn’t reach us.” If your AI affects people in the EU, it reaches you. Just like the GDPR.
“The deadline was delayed, so we have time.” You have more time on one slice of the law. Several major obligations are already enforceable, and the high-risk work takes longer than the runway you’ve been given.
The bottom line
The EU AI Act is not a reason to fear artificial intelligence or rip it out of your business. Used well, AI is one of the biggest competitive advantages a small company has ever had access to. The Act is simply the price of using it responsibly in the world’s largest single market — and that price is manageable if you act early and methodically.
The companies that will get hurt are not the ones who tried and made an honest mistake. They are the ones who heard “the deadline moved” and decided the whole thing could wait. You now know better. Build your AI inventory, classify your risks, fix the quick wins, train your team, and start the heavy lifting before the clock runs out. Sixteen months sounds generous right up until it isn’t.
Get ahead of this now, while it’s a planning exercise — not later, when it’s a €35 million emergency.
Frequently asked questions about EU AI Act compliance
What is the EU AI Act?
The EU AI Act is the world’s first comprehensive law regulating artificial intelligence. It sorts every AI system into risk categories — unacceptable, high, limited, and minimal — and assigns rules and obligations based on how much harm a system could cause to people’s rights, safety, and livelihoods. It is now in force across the European Union and is rolling out in phases.
Does the EU AI Act apply to small and medium-sized businesses?
Yes. There is no general exemption for SMEs. The Act applies whether you built an AI system or simply use one bought from a vendor, and it reaches any company whose AI affects people inside the EU — even if the business is based elsewhere. SMEs do get a proportionality cushion on penalties, but they are squarely in scope.
What are the fines for breaking the EU AI Act?
Penalties fall into three tiers. Using a banned AI system can cost up to €35 million or 7% of global annual turnover, whichever is higher. Most other compliance failures carry fines of up to €15 million or 3% of turnover, and giving regulators incorrect information can cost up to €7.5 million or 1%. For SMEs and start-ups, the fine is the lower of the fixed amount or the percentage.
When does the EU AI Act take effect? What are the key deadlines?
It applies in stages. The bans on unacceptable-risk AI and the AI literacy duty have applied since February 2025. Rules for general-purpose AI models have applied since August 2025. Transparency rules for AI-generated content and new prohibitions take effect in December 2026. Obligations for most high-risk AI systems apply from December 2027, with high-risk AI inside regulated products following in August 2028.
Was the EU AI Act deadline delayed?
Yes. Under the EU’s “Digital Omnibus” reform agreed in May 2026, the compliance deadline for use-based high-risk AI systems moved from August 2026 to December 2027, and the deadline for product-embedded high-risk AI moved to August 2028. However, several obligations — including the bans, the AI literacy requirement, and the general-purpose AI rules — were already in force and were not delayed.
Does the EU AI Act apply if my company is not based in the EU?
Yes, if your AI system is used by, or affects, people in the EU. Like the GDPR, the Act has extraterritorial reach, so a company’s location outside the EU is not an exemption.
What’s the difference between a “provider” and a “deployer” under the Act?
A provider makes an AI system or places it on the market under its own name and carries the heaviest obligations. A deployer uses an AI system in the course of business — which is where most SMEs sit. Deployers have lighter but real duties, and can be reclassified as providers if they substantially modify a system, rebrand it as their own, or change its intended purpose so that it becomes high-risk.
What is the AI literacy obligation?
Since February 2025, providers and deployers must take measures to ensure the people operating AI on their behalf understand what the tools do, their limits, and their risks. It is inexpensive to meet — typically a short training session, a written internal policy, and a record of who was trained — but it is already enforceable, with no grace period remaining.
This article is for general information and reflects the state of the EU AI Act as of mid-2026, including the Digital Omnibus amendments agreed in May 2026 and proceeding through formal adoption. It is not legal advice. Regulatory timelines and obligations continue to evolve, and the rules that apply to your specific systems should be confirmed with a qualified legal professional before you act.
