What the EU AI Act is
The world's first comprehensive AI law. And it regulates by risk, not by technology.
The EU AI Act (Regulation EU 2024/1689) has been in force since August 2024 and is the first law in the world to regulate artificial intelligence comprehensively. Its logic is simple: it doesn't regulate AI itself, it regulates what you do with it.
It classifies each use by level: prohibited (manipulation, mass surveillance), high risk (decisions about people: hiring, lending, assessing), limited risk (chatbots and generated content, with transparency duties) and minimal risk. The greater the impact on people, the more obligations.
The real timeline
It's not one date. It's a timeline — and part of it is already in force.
The EU AI Act applies in phases. Two are already running, the next is around the corner, and only one has moved:
- February 2025 In force
Prohibited AI uses and the duty to train the employees who use it.
- August 2025 In force
Obligations for large models (GPAI) and an active penalty regime: AESIA, the Spanish AI authority, can already impose sanctions.
- 2 August 2026 The nearest
Transparency (art. 50): chatbots must say they are AI and AI-generated content must be identifiable. This date has not moved.
- 2 December 2027 Postponed (provisional)
High-risk obligations (HR, scoring, education…): the Digital Omnibus political agreement (May 2026) moves them from August 2026 to December 2027 — pending official publication; until then, the legal date remains August 2026.
The key point
You use AI even if you think you don't.
The usual reaction is "we don't do AI". But the law isn't about making AI: it's about using it. And that includes the customer-service chatbot, the filter that screens CVs, the scoring you use to decide who gets credit — and the generative tools your team already uses every day, even if nobody officially approved them.
Each of those uses brings concrete obligations: transparency (telling people there's AI in front of them), human oversight (a person able to review and correct what the machine decides) and something as basic as an inventory: knowing what AI is used in your company, by whom and for what. It's the first document the regulator asks for.
What you're exposed to
Tiered fines. And they can already be imposed.
The penalty regime works in tiers, by severity: up to €35 million or 7% of worldwide turnover for prohibited uses; up to €15 million or 3% for breaching the other obligations (including almost everything high-risk); and up to €7.5 million or 1% for giving authorities incorrect information.
For SMEs there is explicit proportionality: the lower of the two amounts applies, not the higher. No catastrophism: the giant fine is not the likely scenario for an SME — the likely scenario is an AESIA inspection asking for the inventory and documentation you don't have.
You don't need to ban AI. You need to use it wisely — and be able to prove it.
An inventory of uses, transparency where it's due, human oversight where it decides about people, and training for whoever uses it. That is complying with the EU AI Act — and it's exactly what a client or an inspection will ask you to show.
Does your use of AI create obligations?
Answer it with the free check-up: which AI uses you have, what the EU AI Act demands of you and from when. No jargon, no strings attached.
Find out in 5 minutes if your AI use creates obligations (Spanish) →