Quick guide

The EU AI Act, explained.

You use more AI than you think — and the law is already here. No jargon: what it demands and from when.

1

What the EU AI Act is

The world's first comprehensive AI law. And it regulates by risk, not by technology.

The EU AI Act (Regulation EU 2024/1689) has been in force since August 2024 and is the first law in the world to regulate artificial intelligence comprehensively. Its logic is simple: it doesn't regulate AI itself, it regulates what you do with it.

It classifies each use by level: prohibited (manipulation, mass surveillance), high risk (decisions about people: hiring, lending, assessing), limited risk (chatbots and generated content, with transparency duties) and minimal risk. The greater the impact on people, the more obligations.

Prohibited High risk Limited risk: transparency Minimal risk
2

The real timeline

It's not one date. It's a timeline — and part of it is already in force.

The EU AI Act applies in phases. Two are already running, the next is around the corner, and only one has moved:

  • February 2025 In force

    Prohibited AI uses and the duty to train the employees who use it.

  • August 2025 In force

    Obligations for large models (GPAI) and an active penalty regime: AESIA, the Spanish AI authority, can already impose sanctions.

  • 2 August 2026 The nearest

    Transparency (art. 50): chatbots must say they are AI and AI-generated content must be identifiable. This date has not moved.

  • 2 December 2027 Postponed (provisional)

    High-risk obligations (HR, scoring, education…): the Digital Omnibus political agreement (May 2026) moves them from August 2026 to December 2027 — pending official publication; until then, the legal date remains August 2026.

Timeline verified as of 6 July 2026
3

The key point

You use AI even if you think you don't.

The usual reaction is "we don't do AI". But the law isn't about making AI: it's about using it. And that includes the customer-service chatbot, the filter that screens CVs, the scoring you use to decide who gets credit — and the generative tools your team already uses every day, even if nobody officially approved them.

Each of those uses brings concrete obligations: transparency (telling people there's AI in front of them), human oversight (a person able to review and correct what the machine decides) and something as basic as an inventory: knowing what AI is used in your company, by whom and for what. It's the first document the regulator asks for.

Support chatbot → transparency CV filter → high risk Customer scoring → high risk Team tools → inventory and training
4

What you're exposed to

Tiered fines. And they can already be imposed.

The penalty regime works in tiers, by severity: up to €35 million or 7% of worldwide turnover for prohibited uses; up to €15 million or 3% for breaching the other obligations (including almost everything high-risk); and up to €7.5 million or 1% for giving authorities incorrect information.

For SMEs there is explicit proportionality: the lower of the two amounts applies, not the higher. No catastrophism: the giant fine is not the likely scenario for an SME — the likely scenario is an AESIA inspection asking for the inventory and documentation you don't have.

AESIA (A Coruña) is the Spanish authority and can impose sanctions since August 2025.

You don't need to ban AI. You need to use it wisely — and be able to prove it.

An inventory of uses, transparency where it's due, human oversight where it decides about people, and training for whoever uses it. That is complying with the EU AI Act — and it's exactly what a client or an inspection will ask you to show.

Does your use of AI create obligations?

Answer it with the free check-up: which AI uses you have, what the EU AI Act demands of you and from when. No jargon, no strings attached.

Find out in 5 minutes if your AI use creates obligations (Spanish) →