EU AI Act 2026: What Companies Need To Do Before August
From 2 August 2026, important EU AI Act transparency rules will start applying across Europe.
This matters not only for companies based in the European Union. It also matters for companies outside the EU if they offer products, services, AI systems, or AI-generated content in the EU market.
The EU AI Act 2026 deadline is not just a legal date on paper. It is a practical warning for businesses: if your company uses AI, you need to know where it is being used, who is responsible for it, and whether people need to be told that they are interacting with AI.
EU AI Act compliance starts with three questions:
❔Where do we use AI
❔Who controls or deploys the AI system
❔Do customers, users, employees, or the public need to know that AI is involved
Here is a practical EU AI Act compliance checklist for 2026.
1️⃣ Identify where AI is already being used
The first step is to look honestly at your business processes and answer a question:
❔Where are we already using AI
This may include chatbots, advertising, written content, images, videos, HR tools, customer support, legal drafts, reports, internal documents, translation tools, meeting summaries, analytics, or content creation.
Many companies think they do not use AI. In reality, AI may already be present in several departments.
Example: a company says it does not use AI. But the marketing team creates images with an AI tool, customer support uses a chatbot, and HR screens CVs with the help of AI software. That company is already using AI. It is simply not managing it properly.
Before the AI Act August 2026 deadline, companies should hold an internal meeting, go through all key business processes, and record even minimal use of AI.
2️⃣ Define your role under the EU AI Act
The EU AI Act does not treat every business in the same way. If your company creates an AI system and sells it to others, that is one level of responsibility.
If your company only uses someone else’s AI tool, that is another level of responsibility. But using someone else’s AI system does not mean there is no responsibility at all.
Example: if a law firm uses ChatGPT or another AI tool to prepare draft documents, it did not create that AI system. But the law firm is still responsible for how it uses the output, whether the result is checked by a human, and whether the client is misled about the role of AI.
This is why EU AI Act compliance is not only a technical issue. It is also a governance issue.
Every company should know whether it acts as a provider, deployer, importer, distributor, product manufacturer, or simply as a business user of AI.
3️⃣ Tell people when they are interacting with AI: EU AI Act transparency obligations
One of the most important AI Act transparency obligations for companies is disclosure. If a person is communicating not with a real employee, but with an AI chatbot or AI assistant, they should understand this.
A company should not pretend that a machine is a human being.
Example: a website has a chatbot with a human name, a human photo, and a friendly conversational style. It answers like a member of staff. In that situation, the company should clearly tell users that they are interacting with an AI assistant.
This does not need to be dramatic. It can be simple:
“You are chatting with an AI assistant.”
The main point is clarity. Users should not be tricked into believing they are speaking with a human when they are not.
4️⃣ AI Act transparency rules for AI-generated content
The EU AI Act transparency rules also matter for AI-generated and AI-manipulated content. If a company creates written content, images, videos, voices, advertisements, reports, or public communications with the help of AI, it may need to clearly state that the content was created or modified by AI.
This may be done through a visible label, metadata, a watermark, a technical marker, or another method.
The exact solution will depend on the type of content, the risk, the audience, and the context.
Example: a brand publishes a realistic AI-generated image of a person holding its product. People may think it is a real photograph. They may believe that a real person was photographed for the campaign.
In that situation, the company should decide in advance whether a label such as “created with AI” or “AI-generated image” is needed.
AI labelling should not be decided at the last minute, after the campaign is already live. It should be part of the content creation process before publication.
5️⃣ Be especially careful with deepfakes
Deepfakes are one of the clearest risk areas under the AI Act transparency obligations.
A deepfake is content where AI creates or changes a face, voice, photo, or video in a way that makes it look real. This is risky because people may believe that someone said or did something when they did not.
Example: a company creates a video where a well-known person appears to recommend its product. Even if the company sees it as a joke, parody, or creative advertisement, viewers may believe the person really said it. In this situation, very clear labelling is needed.
If AI makes something fake look real, the disclosure must be obvious enough for people to understand what they are seeing.
6️⃣ Use AI carefully for matters of public interest
Not every AI-generated text needs the same level of labelling or legal review. But if the content concerns important public issues, the risk is much higher.
This may include politics, war, migration, health, public safety, elections, people’s rights, financial matters, education, or access to public services.
Example: an AI-generated text about store discounts is one thing. An AI-generated text about refugee rights, elections, medical advice, or emergency rules is completely different. In those areas, a mistake may harm people.
For this reason, companies should treat public-interest AI content as a separate risk category.
Before publishing this type of content, they should check:
❔Is AI involved
❔Was the output reviewed by a qualified human
❔Could people rely on this information to make an important decision
❔Does the content need an AI label or disclosure
This is where EU AI Act compliance connects directly with trust, reputation, and public responsibility.
7️⃣ GPAI and the Code of Practice
The EU AI Act also includes rules for general-purpose AI models, often called GPAI. This is where the GPAI Code of Practice becomes relevant.
GPAI obligations mainly concern providers of general-purpose AI models. These are companies that develop or place powerful AI models on the market. For ordinary companies that only use AI tools, the situation is different.
A small business using a third-party AI writing tool is usually not the provider of a GPAI model. But this does not mean GPAI is irrelevant.
Companies should still ask practical questions about the AI tools they use:
❔Does the supplier explain how the AI system works
❔Does the tool support transparency and labelling
❔Can the company keep records of AI-generated content
❔Does the supplier provide documentation, terms, safety information, or compliance materials
❔Does the tool make it possible to preserve metadata, watermarks, or other AI markers
Example: a marketing agency uses an AI image generator for client campaigns. The agency may not be the provider of the underlying general-purpose AI model.
But it still needs to know whether the tool allows AI-generated content to be labelled, whether metadata is preserved, and whether the client can later prove how the content was created.
This is why the GPAI Code of Practice matters even for companies that are not AI developers.
It gives the market a practical direction: transparency, documentation, copyright awareness, safety, and accountability are becoming part of normal AI governance.
8️⃣ Do not assume that an AI policy is enough
Many companies will respond to the EU AI Act by writing an AI policy. That is useful, but it is not enough. A document saying “we use AI responsibly” will not solve the problem by itself. Companies need evidence.
They should be able to show:
which AI tool was used
who used it
what content or decision it helped create
who reviewed the output
where the content was published
why it was labelled or not labelled
what risk assessment was done
what human oversight existed
Example: a company launches an AI-generated advertising campaign. Six months later, a regulator, customer, journalist, or business partner asks questions. If the company cannot show who created the content, who checked it, and why there was no AI label, a general AI policy will not be enough.
EU AI Act compliance is not only about having a policy. It is about being able to prove what happened.
9️⃣ Check whether you use high-risk AI systems
Some AI systems are treated more seriously because they can affect people’s lives, rights, opportunities, or access to essential services. This is the area of AI Act high-risk systems.
High-risk AI may include systems used in employment, education, access to services, migration, law enforcement, safety, or other sensitive areas.
Example: if a company uses AI to select job candidates, rank applicants, assess employees, or support promotion decisions, this is not just a productivity tool. It can affect a person’s career and income.
That is why this type of AI should be reviewed very carefully.
Companies should ask:
❔Do we use AI in hiring or HR
❔Do we use AI to evaluate people
❔Do we use AI to make or support decisions about access to services
❔Do we use AI in a regulated or sensitive sector
❔Could the AI system affect someone’s legal position, rights, money, job, education, safety, or status
The phrase “EU AI Act high risk” should not be treated as abstract legal language.
For companies, it means this: if AI can seriously affect a person’s life, the compliance burden is higher.
🔟 EU AI Act penalties for non-compliance
Companies should also understand the risk of penalties. EU AI Act penalties can be serious.
For certain violations, fines may reach up to EUR 15 million or up to 3% of the company’s total worldwide annual turnover, whichever is higher.
This does not mean that every mistake will automatically lead to the maximum fine. But it does mean that AI compliance can no longer be ignored.
Example: a small company launches an AI chatbot but does not tell people that they are speaking with AI. If the company has EUR 2 million in annual worldwide turnover, 3% equals EUR 60,000. This may be more than poor customer service. It may become a legal and financial problem.
Another example: a larger company publishes realistic AI-generated content in a sensitive public-interest area without proper review, labelling, or records. If the company has EUR 100 million in annual worldwide turnover, 3% equals EUR 3 million. But because EUR 15 million is higher, the possible maximum fine may reach EUR 15 million. If questions arise later, the company may need to explain not only what it published, but also how the content was created, reviewed, approved, and disclosed.
❗️What companies should do now
Map where AI is used inside the business
Identify the company’s role and responsibility
Check whether users interact with AI systems
Review AI-generated content and labelling needs
Create rules for deepfakes and synthetic media
Treat public-interest content with special care
Check whether GPAI tools and suppliers provide enough documentation
Review whether any AI use may fall into high-risk AI systems
Keep evidence of AI use, human review, and publication decisions
Train staff before the rules become a problem
You can find more detailed information in my full article: Up to €15 Million or 3% of Global Turnover: EU AI Act Compliance for AI-Generated Content in 2026
See you in the next piece.
Cheers,



