back to blog
AI & Regulation6 min read

The EU AI Act in 2026: what you actually need to know

#ai-act#eu-regulation#compliance#ai

If you build anything with AI in Europe you've probably heard about the EU AI Act by now. It's been in the news for years and kept getting delayed. But as of 2026 it's actually happening. Some parts are already enforceable and more provisions are coming.

I've been trying to wrap my head around what this means practically. Not the legal jargon version but what actually matters if you're building data systems or working with AI tools.

Quick background

The EU AI Act is the first comprehensive legal framework for AI anywhere in the world. It takes a risk-based approach. Some AI applications are banned entirely. Others need strict compliance. Most use cases have lighter requirements or none at all.

The law entered into force in August 2024 but implementation happens in phases. We're currently somewhere in the middle of that rollout.

What's already being enforced

As of January 2026 these provisions are live and enforceable:

Banned AI practices (since February 2025)

Certain AI systems are just not allowed in the EU anymore. These include:

  • Social scoring by public authorities
  • Untargeted scraping of facial images from the internet or CCTV
  • Emotion recognition in workplaces and schools (with some exceptions)
  • AI that manipulates people through subliminal techniques
  • Exploiting vulnerabilities of specific groups

If you're building anything in these categories you need to stop. Full stop.

General-purpose AI rules (since August 2025)

This one affects the big model providers. If you're using something like gpt or claude in your products you're probably fine as a deployer. But the providers themselves now need to:

  • Maintain technical documentation
  • Comply with EU copyright law
  • Publish summaries of training data used

The European AI Office handles enforcement for GPAI models. There are extra requirements if a model is classified as having "systemic risk" which basically means the really powerful foundation models.

AI literacy requirements (since February 2025)

This is easy to miss but it's already in effect. If you deploy or provide AI systems you need to ensure your staff have sufficient knowledge of AI.

What counts as sufficient? The regulation doesn't specify exactly. But having training programs in place and documenting that your team understands the AI tools they work with is probably the baseline.

Governance structure

Member states were supposed to designate their national competent authorities by August 2025. These are the bodies that will handle enforcement at the national level. The penalty framework is also in place. Fines can be significant depending on the breach.

What's coming next

Here's where things get more intense.

August 2026: the big one

This is when most of the remaining AI Act provisions become enforceable. Specifically:

High-risk AI systems in areas like recruitment, education, law enforcement, and access to essential services will need full compliance. This means:

  • Risk management systems
  • Data governance requirements
  • Technical documentation
  • Human oversight measures
  • Accuracy and robustness requirements
  • Logging and traceability

If you're building AI for hiring decisions or educational assessments or credit scoring this is your deadline.

Transparency obligations become legally binding. AI-generated content needs to be clearly labeled. This includes deepfakes and synthetic content that looks real. If your system generates images or videos or audio that could be mistaken for real content you need disclosure mechanisms.

Regulatory sandboxes must be established. Each member state needs at least one AI regulatory sandbox at the national level by this date. These let companies test innovative AI in a controlled environment with regulatory guidance.

August 2027

High-risk AI that's integrated as a safety component into existing regulated products gets an extra year. Think medical devices, machinery, aviation systems. These already have their own regulatory frameworks so the AI rules layer on top.

possible delay

There's a legislative proposal from late 2025 that could push the high-risk system deadline to December 2027. This hasn't been approved yet by the European Parliament and Member States. If you're building high-risk systems keep an eye on this but don't assume the delay will happen.

What this means practically

Most data engineers and developers aren't building banned AI systems. You're probably safe from the February 2025 prohibitions.

The GPAI rules mostly affect model providers not people using the models. If you're integrating openai or anthropic into your applications you're a deployer not a provider. Your main obligations are around transparency and proper use.

The August 2026 deadline is the one that could actually affect your work. Ask yourself:

  • Does my AI system make decisions about people in sensitive areas?
  • Is it used in recruitment, education, credit, healthcare, law enforcement?
  • Does it generate content that could be mistaken for real?

If yes to any of these you should be preparing now. Compliance requires documentation, testing, and governance structures that take time to build.

Risk categories simplified

The AI Act uses four risk tiers:

Unacceptable risk: banned outright. The practices I listed earlier.

High-risk: allowed but heavily regulated. The Annex III list covers things like biometric identification, critical infrastructure management, education and training systems, employment and worker management, access to essential services, law enforcement, migration and border control, and administration of justice.

Limited risk: transparency requirements mainly. Chatbots need to disclose they're AI. Deepfakes need labels.

Minimal risk: no specific requirements. Most AI applications fall here.

Your job is figuring out which category your system lands in. If it's high-risk you have work to do.

Documentation you should start now

Even if you're not sure whether your system is high-risk starting documentation early helps. Consider tracking:

  • Training data sources and how data was selected
  • Model architecture and how the system works
  • Performance metrics and how you tested accuracy
  • Known limitations and failure modes
  • Human oversight mechanisms
  • How you handle updates and monitoring

This stuff is useful even without regulatory pressure. Good engineering practice overlaps a lot with compliance requirements.

Where to find more info

The official resources worth checking:

  • EU Digital Strategy website has the full regulation text
  • AI Act Service Desk provides a timeline and guidance
  • Your national competent authority (once designated) for local interpretation

The law is complex and my summary here isn't legal advice. If you're building something that might be high-risk get proper legal counsel involved.

Final thoughts

The AI Act isn't going to change everything overnight. Most of what people build with AI doesn't fall into the high-risk or prohibited categories.

But if you're working on anything that touches hiring, education, healthcare, or law enforcement this is real regulation with real teeth. Starting compliance work now gives you runway before the August 2026 deadline.

The EU is first but probably not last. Other jurisdictions are watching. Building with compliance in mind now might save you headaches later as similar regulations pop up elsewhere.

I'm still figuring out how this affects my own work with data pipelines and AI integrations. Will share more as I learn. If you have insights or questions hit me up.

share:
Yari Bouwman

Written by

Data Engineer and Solution Designer specializing in scalable data platforms and modern cloud solutions. More about me