EU AI Act Is Now Enforced: What Every Business Using AI Must Do Before It's Too Late

EU AI Act Is Now Enforced: What Every Business Using AI Must Do Before It's Too Late

The European Union's Artificial Intelligence Act is no longer a regulation sitting in draft form. The AI Act is the world's first comprehensive legal framework on AI, designed to address the risks of artificial intelligence while positioning Europe as a global leader in trustworthy AI governance. And the clock for businesses has been ticking since early 2025.

If your business uses AI tools in any capacity that affects people's rights, access to services, or major life decisions, this law applies to you — and "I didn't know" is not a defense.

What Has Already Come Into Effect

The Act did not land all at once. It rolled out in phases, and several major obligations are already active.

From 2 February 2025, AI systems classified as "unacceptable risk" — such as social scoring systems and manipulative AI — became illegal across the EU. Providers and deployers of AI were also required to begin AI literacy training for their staff from this date.

The governance rules and obligations for general-purpose AI models became applicable on 2 August 2025. This means companies offering or using large-scale AI models — think hiring tools, content generation systems, or automated decision platforms — must now comply with transparency and risk management requirements.

The most significant remaining deadline is 2 August 2026, when most of the remaining provisions of the AI Act become active, including transparency obligations under Article 50 that require labelling of AI-generated content.

What "High-Risk AI" Actually Means for Your Business

Not every AI system falls under the heaviest scrutiny, but more businesses are in scope than they realise.

High-risk AI systems — such as those used in critical infrastructure, law enforcement, hiring, education, and credit scoring — face strict requirements around risk assessment, data quality, documentation, transparency, human oversight, and accuracy. EU Artificial Intelligence Act

High-risk AI systems and foundation models must be registered in an EU database. They must also go through conformity assessments before deployment, and human oversight must be built into the workflow — not just mentioned in a policy document.

The financial stakes are significant. Fines for violations of prohibited practices can reach up to €35 million or 7% of global annual turnover, whichever is higher. Non-compliance with data governance and transparency requirements can result in fines of up to €15 million or 3% of global annual turnover.

What Is Outright Banned

Some uses of AI are now flatly prohibited across all EU member states. Banned practices include subliminal manipulation of behaviour beyond a person's consciousness, exploitation of vulnerable groups such as the elderly or children to distort behaviour in harmful ways, social scoring systems used by public authorities to classify people based on their personality or social conduct, and real-time remote biometric identification in publicly accessible spaces for law enforcement purposes.

The Act also prohibits untargeted scraping of internet or CCTV material to build facial recognition databases, as well as emotion recognition systems in workplaces and educational institutions.

The Hidden Risk Most SMEs Are Missing

For small and medium-sized businesses, the biggest compliance danger is not necessarily the AI they build. It is the AI tools they buy and deploy without asking the right questions.

If a vendor's AI tool is non-compliant and you are using it to make business decisions in an EU context, liability does not sit entirely with the vendor. Deployers carry their own obligations under the Act.

Both providers and deployers are required to clearly inform users when they are interacting with AI, when content is artificially generated or manipulated — including deepfakes — and when emotion recognition or biometric categorisation systems are in use. The businesses that treat this as a vendor problem will be the ones scrambling when enforcement notices arrive.

What To Do Right Now: A Practical Starting Point

You do not need a legal team on retainer to start. Two actions alone will put you ahead of most competitors:

1. Audit your AI stack. Make a complete list of every AI tool your business uses and what decisions it touches — hiring, customer service, credit, content, health, or operations.

2. Ask your vendors directly. Contact each AI vendor and ask where they stand on EU AI Act compliance. If they cannot give a clear answer, that is your answer.

Each compliance roadmap is highly contextual and will look different from one business to another. Key areas to focus on include establishing a risk management system, implementing data governance measures, drawing up technical documentation, and preparing detailed usage instructions.

The Bottom Line

The EU AI Act is not a future problem. Enforcement is live, fines are real, and the obligation to act falls on both providers and deployers. The businesses that approach this as a governance question — not a compliance checkbox — will be the ones positioned for trust and competitive advantage as the regulatory landscape tightens further.

The table is already turning. The only question is which side of it you are on.