
The EU AI Act takes effect August 2, 2026. Here’s what it asks of the workflows you ship.

Fines reach €35M or 7% of global revenue. This is what applies — and the 5-minute check that tells you your risk tier.

Marcos Maceo · Founder, OpSprint · ~12 min read

Probably yes — even if you're based outside the EU.

The Act applies extraterritorially, the same way GDPR does. If your AI system's output is used in the EU, you're in scope regardless of where your company sits on the map.

Three triggers pull a non-EU business in:

  • You place an AI system on the EU market (selling to EU customers, shipping product with embedded AI).
  • Your AI's output is "used in" the EU — your HR software ranks applications from EU residents, or your scoring model decides which EU users see a loan offer.
  • You have employees in EU member states subject to AI-influenced employment decisions.

Non-EU providers of high-risk AI systems must also appoint an Authorised Representative inside the EU under Article 22 — a named entity that takes regulatory correspondence on your behalf. Without one, you cannot legally place a high-risk system on the EU market.

The Framework

Four tiers. Your obligations depend entirely on which one.

Prohibited

Illegal. No workaround.

Under Article 5, certain AI uses are banned outright — not regulated, not permitted-with-conditions. Deploying them in the EU is immediate exposure, regardless of your company's size or consent framework.

  • Emotion recognition in workplace or schools
  • Biometric categorization to infer race, religion, political views
  • Social scoring by public or private actors
  • Manipulative or subliminal AI that exploits vulnerabilities

High-Risk

Permitted — with substantial obligations.

Listed in Annex III. Requires risk management, data governance, technical documentation, human oversight, logging, transparency, and a conformity assessment before deployment. This is where most SMB workflows land.

  • AI for hiring, CV screening, candidate ranking
  • Credit scoring and creditworthiness evaluation
  • Employee performance monitoring
  • Essential-service eligibility decisions

Limited Risk

Transparency only (Article 50).

Systems that interact with humans or generate synthetic content. Users must know they're talking to AI; AI-generated media must be labeled.

e.g., Customer-facing chatbots · AI-generated images, audio, or video (deepfake disclosure)

Minimal

No specific obligations.

Most common business AI. Voluntary codes of conduct are encouraged but not required.

e.g., Spam filtering · Inventory / demand forecasting · Internal productivity assistants

Workflow Inventory

Find your workflow. Read its tier. Plan accordingly.

Fourteen workflows most SMBs run — tiered against Annex III and Article 5. When in doubt, default to the higher tier and consult counsel.

Prohibited (2 workflows)
  • Emotion recognition in hiring

    Banned outright under Article 5.

  • Biometric categorization by race, religion, or similar

    Banned under Article 5.

High-Risk (6 workflows)
  • CV screening / candidate ranking

    Mandatory risk assessment, human oversight, logging.

    Annex III §4
  • Interview video analysis

    High-risk as an Annex III hiring tool. If the analysis does emotion recognition, that part is not merely high-risk but prohibited outright under Article 5.

    Annex III §4
  • Job-ad targeting with AI

    Targeted placement of job adverts is specifically named.

    Annex III §4
  • Lead scoring / customer profiling

    High-risk if it profiles EU residents for access to essential services or credit. Pure sales prioritization may drop to limited.

    Annex III §5
  • Credit scoring / creditworthiness

    Explicitly high-risk. Fraud detection is exempt.

    Annex III §5(b)
  • Performance monitoring / evaluation

    Employee monitoring with AI decisions about allocation, promotions, or termination.

    Annex III §4
Limited (2 workflows)
  • Customer support chatbot

    Users must be told they're interacting with AI.

    Article 50
  • Content moderation (user-generated)

    Transparency obligations; may escalate to high-risk if it gates essential services.

Minimal (4 workflows)
  • Fraud detection

    Explicitly exempt from the credit-scoring high-risk category.

  • Support ticket routing

    Classification without decisions about individuals' rights.

  • Spam filtering

    No specific EU AI Act obligations.

  • Inventory / demand forecasting

    No specific EU AI Act obligations.

Obligations

Your obligations depend on your role.

Most SMB founders are deployers — you use OpenAI, Anthropic, or Gemini rather than train your own models. If you wrap a GPAI model into a downstream system and ship it, you may also be a provider of that system and owe the provider obligations on your wrapper.

Article 9 · Risk management system
  Provider: Establish, document, maintain a continuous risk management process.
  Deployer: Follow the provider's instructions on risk controls.

Article 10 · Data governance
  Provider: Relevant, representative, error-free training, validation, and test datasets.
  Deployer: Ensure input data is relevant and of sufficient quality.

Article 11 · Technical documentation
  Provider: Maintain detailed technical docs for the system's life plus 10 years.
  Deployer: Request and retain a copy; provide it to authorities on request.

Article 12 · Automatic logging
  Provider: Design the system to log events.
  Deployer: Keep logs at least 6 months.

Article 13 · Transparency to deployers
  Provider: Provide clear instructions for use and document known limitations.
  Deployer: Use the system per instructions; monitor behaviour.

Article 14 · Human oversight
  Provider: Design the system so humans can monitor and intervene.
  Deployer: Assign oversight to competent humans; act on their flags.

Article 15 · Accuracy, robustness, cybersecurity
  Provider: Build to appropriate technical standards.
  Deployer: Report serious incidents to the provider and authorities.

Article 50 · Transparency to users
  Provider: Mark AI-generated synthetic content; allow downstream labelling.
  Deployer: Inform EU users when they interact with AI; disclose deepfakes.

Get your workflow's tier in five minutes.

Twelve questions. Tier, applicable obligations, next actions. No credit card.

Start the Risk Checker →

Stop Immediately

These practices have been banned in the EU since February 2025. Not regulated — banned. "Transparency" or "consent" does not make them legal. Shipping any of them creates immediate legal exposure.

The three most likely to affect SMB deployers

01 · Emotion recognition in workplace or schools.

Includes interview-video scoring, productivity-mood tracking, and stress-detection tools used on employees or students. No consent defense applies.

Article 5(1)(f)

02 · Biometric categorization to infer protected traits.

Any system that infers race, religion, political views, sexual orientation, or trade-union membership from face, voice, or other biometric data — including ad-targeting models that do it implicitly.

Article 5(1)(g)

03 · Social scoring by public or private actors.

Trustworthiness or reputation scoring of natural persons based on general behaviour or predicted characteristics, leading to detrimental treatment in unrelated contexts.

Article 5(1)(c)

Also banned

Subliminal or manipulative AI · Exploitation of vulnerabilities (age, disability, socio-economic) · Predictive policing based solely on profiling · Untargeted scraping of facial images from internet or CCTV · Real-time remote biometric ID in public spaces.

Penalties

The top bracket is €35M or 7% of global revenue.

Prohibited practices

€35M or 7% of global annual turnover — whichever is higher.

Reserved for Article 5 violations. No "transparency" or "consent" defense makes prohibited AI legal.

€15M / 3% · High-risk violations — missing documentation, oversight, or logging.
€7.5M / 1% · Providing misinformation to authorities.

SMB adjustment: fines are normally "whichever is higher" of the two numbers. For SMEs and startups, regulators apply whichever is lower. Reputational exposure still arrives first — enforcement actions are public.

For SMBs

Five concessions the Act gives smaller teams.

Article 62 and surrounding provisions don't exempt SMBs — they lower the ramp. Worth knowing before you over-invest in compliance theatre.

Reduced fees
Member States must lower conformity-assessment fees for SMEs.
Sandboxes
Every Member State must run at least one AI sandbox by August 2, 2026 — a supervised environment to test high-risk systems with lighter upfront documentation.
Simplified documentation
The Commission has committed to publishing SME-specific templates so smaller teams don't have to reverse-engineer Annex IV.
Consultation channels
Regulators must provide SME-focused Q&A channels, not generic industry ones.
Lower fine brackets
Where the Act fines "X million or Y% of turnover, whichever is higher," SMEs are fined at the lower of the two.

Readiness

Seven steps. Three phases. Fifteen weeks.

Phase 01 · Understand

Map what you have, classify it, stop what's illegal.

  1. Step 1

    Inventory every AI workflow

    Not just the ones you built — include GPAI API wrappers, vendor tools, Zapier automations. List each workflow, what it decides, and who it affects.

    Time: 2-4 hours.

  2. Step 2

    Classify each workflow's tier

    Use the Risk Checker or the workflow inventory above. When in doubt, use the higher tier.

    Time: 1 hour per workflow.

  3. Step 3 · Irreversible

    Kill anything prohibited

    If any workflow triggers Article 5, stop it now. No transition period, no consent defense. This is the one irreversible action in the whole plan.

    Time: hours to days.

Phase 02 · Harden

Add the controls the Act requires on high-risk systems.

  1. Step 4

    Add logging and human oversight

    Articles 12 and 14. Log every decision with inputs and model output; assign a named human who can intervene.

    Time: 1-2 weeks per workflow.

  2. Step 5

    Write technical documentation

    Article 11. System description, data sources, known limitations, risk log. Kept for the system's life plus 10 years.

    Time: 2-3 days per workflow.

  3. Step 6

    Add EU-user transparency

    Article 50. Tell users they're interacting with AI. Label synthetic content. Disclose deepfakes.

    Time: a week of copy + UI.
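As an added example (not OpSprint's code and not from the page), here is one way to implement the Step 4 controls and the Article 12 and Article 14 deployer duties from the obligations table above: an append-only decision log that writes inputs and model output for every call, refuses to record a decision without a named reviewer, stores human overrides as new entries rather than edits, and will not mark an entry as purgeable until the six-month minimum retention has passed. The workflow name, reviewer address, toy screener and candidate records are constructed for the demo, and the 183-day figure is an assumption standing in for "at least 6 months".

```python
"""Decision log with human-oversight hooks for a high-risk AI workflow.

Added example, not OpSprint code. Names, sample candidates and the toy
screener are constructed; 183 days is assumed to satisfy "at least 6 months".
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Callable, Optional

MIN_RETENTION = timedelta(days=183)  # Article 12 deployer duty: keep logs >= 6 months (assumed 183 days)


@dataclass
class DecisionRecord:
    workflow: str
    decision_id: str
    timestamp: str                    # ISO-8601 UTC, when this entry was written
    inputs: dict                      # what the model was given
    model_output: dict                # what the model returned
    reviewer: str                     # named human accountable for the decision (Article 14)
    final_outcome: dict               # what actually happens to the person
    overridden: bool = False
    override_reason: Optional[str] = None


class DecisionLog:
    """Append-only log for one workflow; every model call and every human override is an entry."""

    def __init__(self, workflow: str, reviewers: list[str], path: Optional[Path] = None):
        self.workflow = workflow
        self.reviewers = set(reviewers)   # only these named people may sign off or override
        self.path = path                  # optional JSON-lines file; None keeps entries in memory
        self._lines: list[str] = []

    def _check_reviewer(self, reviewer: str) -> None:
        if reviewer not in self.reviewers:
            raise PermissionError(f"{reviewer!r} is not an assigned reviewer for {self.workflow}")

    def record(self, inputs: dict, model: Callable[[dict], dict], reviewer: str,
               now: Optional[datetime] = None) -> DecisionRecord:
        """Run the model and log inputs, output and responsible reviewer before the outcome is used."""
        self._check_reviewer(reviewer)
        now = now or datetime.now(timezone.utc)
        output = model(inputs)
        digest = hashlib.sha256(
            json.dumps([inputs, output, now.isoformat()], sort_keys=True).encode()).hexdigest()
        rec = DecisionRecord(self.workflow, digest[:16], now.isoformat(), inputs, output,
                             reviewer, final_outcome=output)  # model output stands until overridden
        self._append(rec)
        return rec

    def override(self, original: DecisionRecord, reviewer: str, new_outcome: dict, reason: str,
                 now: Optional[datetime] = None) -> DecisionRecord:
        """Log a human intervention as a new entry; the original entry is never edited."""
        self._check_reviewer(reviewer)
        if not reason.strip():
            raise ValueError("an override must state its reason")
        now = now or datetime.now(timezone.utc)
        rec = DecisionRecord(self.workflow, original.decision_id, now.isoformat(),
                             original.inputs, original.model_output, reviewer,
                             final_outcome=new_outcome, overridden=True, override_reason=reason)
        self._append(rec)
        return rec

    def _append(self, rec: DecisionRecord) -> None:
        line = json.dumps(asdict(rec), sort_keys=True)
        self._lines.append(line)
        if self.path is not None:
            with self.path.open("a", encoding="utf-8") as fh:
                fh.write(line + "\n")

    def entries(self) -> list[DecisionRecord]:
        return [DecisionRecord(**json.loads(line)) for line in self._lines]

    def purgeable(self, now: datetime) -> list[DecisionRecord]:
        """Entries old enough that the minimum retention no longer blocks deletion."""
        return [e for e in self.entries()
                if now - datetime.fromisoformat(e.timestamp) >= MIN_RETENTION]


def toy_screener(candidate: dict) -> dict:
    """Constructed stand-in for the model call; scores on years of experience only."""
    score = min(candidate["years_experience"], 10) / 10
    return {"score": score, "shortlist": score >= 0.5}


def demo() -> dict:
    """Runs the workflow on constructed candidates and returns checkable facts."""
    t0 = datetime(2026, 8, 3, 9, 0, tzinfo=timezone.utc)
    hr = "hr.lead@example.com"                      # constructed reviewer
    log = DecisionLog("cv_screening", reviewers=[hr])
    first = log.record({"candidate": "C-001", "years_experience": 2}, toy_screener, hr, now=t0)
    second = log.record({"candidate": "C-002", "years_experience": 7}, toy_screener, hr, now=t0)
    # The reviewer disagrees with the model on C-001 and records why.
    log.override(first, hr, {"score": 0.2, "shortlist": True},
                 "relevant apprenticeship not captured by years_experience", now=t0 + timedelta(hours=1))
    return {
        "entries": len(log.entries()),
        "c001_final_shortlist": log.entries()[-1].final_outcome["shortlist"],
        "c002_model_shortlist": second.model_output["shortlist"],
        "purgeable_at_5_months": len(log.purgeable(t0 + timedelta(days=150))),
        "purgeable_at_7_months": len(log.purgeable(t0 + timedelta(days=210))),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design choice worth noting is that an override never rewrites the original entry: the model's output and the human's decision sit side by side under the same decision id, which is what an auditor asking "what did the system say, and who changed it, and why" needs to see. Pass a `Path` to `DecisionLog` to get the same entries as a JSON-lines file on disk.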

Phase 03 · Ship

Prove conformity. Keep the evidence.

  1. Step 7

    Run a conformity assessment (or verify the provider's)

    Article 43. Most Annex III systems allow self-assessment. Biometric ID requires a notified body.

    Time: 1-4 weeks.

How OpSprint helps

That was the DIY plan. Here’s the shortcut.

We ship AI workflows for SMBs that land on the right side of the Act by design. In your Blueprint week you get the inventory, the tier classification, the controls, and the documentation your team can operate — no legal fluff, no compliance theatre.

  • Risk-tier classification for every workflow we touch

    Annex III mapping, Article 5 screen, Article 6 test — we show our work.

  • Controls wired into the workflow itself

    Logging, human-oversight, escalation paths — not a PDF that lives in SharePoint.

  • A per-engagement readiness annex your team can maintain

    Technical docs (Art. 11), oversight protocol (Art. 14), transparency copy (Art. 50). Yours to keep.

  • A named next step when legal sign-off is required

    We’re pragmatic practitioners. When you need EU counsel, we’ll tell you exactly when.

Myths

Five things founders are telling themselves — that aren’t true.

“I just use OpenAI, so I'm covered by their compliance.”
The GPAI provider has its own obligations, but you own the downstream AI system. If you build a hiring screener on top of GPT-4, you're the provider of that screener.
“My company is too small for regulators to care.”
Regulators may not audit you proactively, but any EU resident whose rights are affected can file a complaint. Private enforcement is live.
“I don't sell to the EU.”
If a single EU resident uses your AI output, you're in scope. Job boards, scoring APIs, SaaS-with-an-AI-feature — all trigger it.
“This only affects 'AI companies.'”
Any business that deploys AI for hiring, scoring, monitoring, or content moderation is a deployer under the Act. You don't need to call yourself an AI company.
“I can just add a disclaimer and be fine.”
Transparency is one obligation among many. A disclaimer doesn't satisfy risk management, logging, human oversight, or documentation.

Still unsure which tier a workflow lands in?

Five minutes. Twelve questions. Exact tier and obligations.

Run the Risk Checker →

What happens after August 2, 2026

The Act enters general enforcement. National market-surveillance authorities become operational; the AI Office at the European Commission coordinates across Member States. Serious-incident reporting goes live. EU residents gain the right to file complaints about AI systems that affect them.

Early enforcement is expected to prioritize prohibited practices — emotion recognition in HR, social scoring, biometric categorization — and high-profile high-risk sectors: hiring platforms, credit scoring, public-service eligibility. SMB deployers of standard high-risk workflows are lower priority, but lower priority is not safe.

GPAI model providers have been operating under their obligations since August 2, 2025. Providers of systems built on top of GPAI models — most OpSprint clients — were given the longer runway. It ends in 15 weeks.

FAQ

The questions founders keep asking.

Timeline & scope

When does the EU AI Act actually take effect?

The main obligations (Annex III high-risk systems and Article 50 transparency) apply on August 2, 2026. Prohibited-practice rules have been in force since February 2, 2025. Obligations on general-purpose AI providers started August 2, 2025.

Does it apply to my US company?

If your AI output is used in the EU — scoring EU applicants or serving EU customers — yes. The Act has extraterritorial reach similar to GDPR. Non-EU providers of high-risk systems must also appoint an EU Authorised Representative under Article 22.

How is this different from GDPR?

GDPR regulates personal data processing. The AI Act regulates AI systems (whether or not they process personal data). They overlap but are separate — you may owe obligations under both for the same workflow.

Classification

I just use OpenAI's API. Am I a provider or a deployer?

You're a deployer of the GPAI model. But if you ship a downstream AI system built on top of the API to EU users, you may be a provider of that system and owe provider obligations on your wrapper.

How 'high-risk' is lead scoring?

If it profiles EU residents for access to essential services or credit, it's high-risk. Pure sales prioritization on warm B2B leads is usually limited or minimal. When in doubt, treat as high-risk.

What about fraud detection — is it high-risk?

No. Fraud detection is specifically exempted from the high-risk credit-scoring category under Annex III §5(b).

Consequences

What happens if my AI is classified 'prohibited'?

Stop deploying it in the EU. Prohibited practices carry the top fine bracket: €35M or 7% of global turnover. No 'transparency' or 'consent' workaround makes prohibited AI legal.

My company has 8 employees. Am I exempt?

No. Article 62 gives SMEs reduced fees, sandboxes, and lower fine brackets — but zero size-based exemptions. Compliance burden scales with your workflow's risk tier, not your headcount.

Practical

Do I need EU counsel to comply?

Not always, but you should have access to one. For clear Annex III cases with standard obligations, pragmatic readiness (risk log, oversight protocol, documentation, logging) gets you 80% there. For edge cases or prohibited-adjacent design choices — call counsel.

What's a regulatory sandbox?

Every EU Member State must run an AI sandbox by August 2, 2026. It lets startups test high-risk AI systems in a supervised environment with lighter documentation and direct regulator feedback. Article 57.

Last updated: April 22, 2026

Pragmatic readiness guidance — not legal advice. For specific cases, consult EU counsel.