AI Regulation: What the EU AI Act and GDPR Mean for Your Business
The EU has just delayed the AI Act's high-risk deadline from August 2026 to December 2027, but the transparency rules for chatbots and AI-generated content still land in August 2026. This guide explains the revised timeline, the risk classifications, the penalties, and what UK and North American businesses selling into the EU or UK need to do.

A note on timing. This article was first published in March 2026 and updated in July 2026 to reflect the AI Act simplification package (the Digital Omnibus), which the Council of the EU gave final approval on 29 June 2026. AI regulation is moving quickly. Treat this as a practical starting point, not legal advice. For specific compliance decisions, consult a qualified legal advisor.
Why you need to pay attention
If you are running an AI transformation in a consumer-facing business, regulation is not a theoretical concern. The EU AI Act is already partially in force. GDPR applies to any AI system processing personal data. And the penalties are significant: up to 7% of global annual turnover for the most serious breaches.
The good news is that most consumer-facing businesses will not face the heaviest compliance burden, and the deadline for the heaviest obligations has now moved back by more than a year. But some obligations still land in August 2026, so you need to understand where your AI systems sit in the risk framework, what your obligations are, and when each deadline hits.
The EU AI Act: what it is and where it stands
The EU AI Act entered into force on 1 August 2024. It is the world's first comprehensive AI law and applies to any business that places AI systems on the EU market or deploys AI that affects EU-based individuals, regardless of where the business is headquartered.
In late 2025 the European Commission proposed a simplification package known as the Digital Omnibus, which set out to delay the AI Act's most demanding deadlines. That package is no longer a proposal. The European Parliament endorsed it on 16 June 2026 and the Council of the EU gave final approval on 29 June 2026. It will be published in the Official Journal and enter into force shortly after. The headline effect is a significant delay to the high-risk rules, while the transparency rules stay on their original date.
Here is the revised timeline:
| Date | What applies |
|---|---|
| 1 Aug 2024 (in force) | The Act entered into force. |
| Feb 2025 (in effect) | Prohibited AI practices banned. AI literacy obligation began. |
| Aug 2025 (in effect) | General-purpose AI (GPAI) model obligations apply. |
| 2 Aug 2026 | Transparency obligations for chatbots and AI-generated content apply. Commission enforcement powers over GPAI providers begin. |
| 2 Dec 2026 | Two new prohibited practices apply (non-consensual intimate imagery and child sexual abuse material). Grace period ends for labelling pre-existing AI-generated content. |
| 2 Aug 2027 | Deadline for national AI regulatory sandboxes. |
| 2 Dec 2027 | High-risk rules apply for standalone Annex III systems. Moved from August 2026. |
| 2 Aug 2028 | High-risk rules apply for AI embedded in regulated products (Annex I). Moved from August 2027. |
The key change: if your concern was the August 2026 high-risk deadline, you now have until December 2027 for standalone high-risk systems and August 2028 for AI built into regulated products. The extra time was granted partly because the technical standards that high-risk compliance depends on are not ready. Do not read the delay as the obligations going away. Read it as more time to do the work properly.

The risk classification system
The Act classifies AI systems into four tiers. Your obligations depend on where your systems sit.
Unacceptable risk (prohibited)
A set of AI practices are outright banned. The original list, in force since February 2025, includes:
- Subliminal manipulation causing significant harm
- Exploitation of vulnerabilities (age, disability, socio-economic status)
- Social scoring by public authorities
- Predictive policing based on personality profiling
- Untargeted scraping of facial images to build recognition databases
- Emotion recognition in the workplace and educational settings
- Biometric categorisation to deduce protected characteristics (race, political opinions, sexual orientation)
- Real-time remote biometric identification in public spaces for law enforcement (with narrow exceptions)
The Digital Omnibus adds two further prohibitions, effective 2 December 2026: AI systems that generate or manipulate non-consensual intimate imagery of identifiable people, and AI systems that generate or manipulate child sexual abuse material.
For consumer-facing businesses: Most of these are unlikely to apply to you directly. But if you are using AI to monitor employee productivity through emotion recognition, or deploying biometric systems that categorise customers by protected characteristics, stop now.
High-risk - applies from December 2027
AI systems in specific domains carry the heaviest compliance obligations. This is the deadline that moved. Standalone high-risk systems (Annex III) now apply from 2 December 2027, and high-risk AI embedded in regulated products (Annex I) from 2 August 2028. The domains most relevant to consumer-facing businesses:
- Employment: CV screening, interview evaluation, hiring decisions, performance monitoring, promotion and termination decisions
- Credit and finance: Creditworthiness assessment, credit scoring (except fraud detection)
- Insurance: Risk assessment and pricing for life and health insurance
- Customer profiling: Any AI system used for profiling individuals, evaluating or predicting their traits, preferences, or behaviour. This is automatically high-risk even if the provider believes the risks are low
- Biometrics: Remote biometric identification and categorisation
What "high-risk" means in practice for deployers:
Most consumer-facing businesses using third-party AI tools will be classified as deployers, not providers. You are a deployer if you use an AI system built by someone else (e.g., an AI recruitment platform, a credit scoring API, an algorithmic personalisation engine).
Deployer obligations include:
- Use the system in accordance with the provider's instructions
- Assign human oversight to competent, trained personnel
- Monitor the system's operation and report serious incidents
- Keep logs for at least six months
- Conduct a fundamental rights impact assessment before deployment
- Inform individuals that they are subject to high-risk AI decisions
- Inform workers' representatives before deploying AI in the workplace
If you substantially modify an AI system or white-label it as your own, you may be reclassified as a provider with significantly heavier obligations including conformity assessments, CE marking, and technical documentation.
Limited risk - transparency applies from August 2026
AI systems with transparency obligations only. This is the near-term deadline that did not move:
- Chatbots: Must inform users they are interacting with AI (unless it is obvious from the context)
- Deepfakes: Must label AI-generated or manipulated content
- AI-generated text published to inform the public: Must be labelled as AI-generated
- Emotion recognition and biometric categorisation (where not prohibited): Must inform subjects
The core transparency disclosures apply from 2 August 2026. There is a short grace period for the machine-readable labelling of content produced by systems already on the market before that date, which runs to 2 December 2026. Systems placed on the market after 2 August 2026 must comply from the start.
For consumer-facing businesses: If you have a customer-facing chatbot, you need to disclose that it is AI-powered by August 2026. If you publish AI-generated content (blog posts, product descriptions, marketing copy), you need to plan your labelling approach for the same date.
Minimal risk - no mandatory obligations
Most AI systems fall here: spam filters, recommendation engines for internal use, inventory optimisation, demand forecasting, most internal productivity tools. No mandatory requirements, though voluntary codes of conduct are encouraged.
AI literacy: already required
Since February 2025, providers and deployers of AI systems have been expected to support sufficient AI literacy among staff and contractors who operate or use AI systems. The Digital Omnibus softened the wording of this obligation, moving from a duty to ensure literacy toward a duty to support its development, but the practical expectation stands. Training should be role-appropriate.
There are no direct fines for failing to train your team. But weak AI literacy will be treated as an aggravating factor if you breach other provisions. Practically, this means you should be running training for anyone who uses AI tools in their work.
General-purpose AI models: who bears the burden
The GPAI rules (in effect since August 2025) apply to the companies that build foundation models: OpenAI, Anthropic, Google, Meta, and others. They must maintain technical documentation, publish training data summaries, and comply with copyright obligations. The Commission's powers to supervise and enforce against GPAI providers begin on 2 August 2026, and that date was not delayed by the Omnibus.
What this means for you as a user of these models: The compliance burden for the model itself sits with the provider. But if you build a high-risk application on top of a GPAI model (for example, using Claude or GPT to power a hiring tool), you become a deployer or potentially a provider of a high-risk AI system. The model provider's compliance does not shield you from your own obligations.
Verify that your GPAI providers comply with AI Act requirements and obtain the necessary documentation from them.
Penalties
Three tiers of fines:
| Violation | Maximum penalty |
|---|---|
| Prohibited practices | EUR 35 million or 7% of global annual turnover |
| High-risk system obligations, transparency rules | EUR 15 million or 3% of global annual turnover |
| Supplying false information to authorities | EUR 7.5 million or 1% of global annual turnover |
For SMEs and startups, fines are capped at the lower of the percentage or the fixed amount. The intent is not to crush smaller businesses, but the amounts are still significant.
GDPR and AI: the rules that already apply
GDPR has applied to AI systems processing personal data since 2018. If you are deploying AI that touches customer data, you are already subject to these requirements, and none of this was changed by the AI Act simplification package.
Automated decision-making (Article 22)
Individuals have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect them. This includes automatic refusal of credit, automated recruitment screening, algorithmic pricing that excludes individuals from services, and automated denial of insurance.
Where you do use solely automated decisions (with consent, contractual necessity, or legal authorisation), you must implement meaningful human intervention, allow individuals to express their point of view, and allow them to contest the decision.
The key word is "meaningful." Regulators are scrutinising whether human review is genuine or rubber-stamping. In 2025, the Hamburg DPA fined a financial services provider nearly EUR 500,000 for automated rejection of credit card applications without genuine human oversight.
Right to explanation
You must be able to explain what data your AI uses, how it reaches its decisions, what the likely consequences are, and how individuals can challenge outcomes. This applies both in your privacy notice and in response to subject access requests.
Data minimisation
AI systems that process personal data must use data that is adequate, relevant, and limited to what is necessary. This does not prevent you from using AI, but it requires you to justify your data usage and consider privacy-preserving techniques: anonymisation, pseudonymisation, differential privacy, or synthetic data where appropriate.
Recent enforcement
| Case | Fine | Issue |
|---|---|---|
| LinkedIn (2024) | EUR 310 million | Behavioural profiling for advertising without proper consent |
| Clearview AI (2024) | EUR 30.5 million | Scraping facial images, multiple GDPR violations |
| German financial services (2025) | ~EUR 500,000 | Automated credit decisions without human oversight |
| Italian AI developer (2025) | EUR 5 million | Virtual companion AI with inadequate age verification |
Cumulative GDPR fines have reached EUR 5.88 billion since inception, with EUR 1.2 billion issued in 2024 alone.
UK AI regulation: the different approach
The UK takes a principles-based, sector-led approach. There is no single AI law, and no AI Bill is before Parliament as of mid-2026. The government has signalled its intent to legislate, but the more likely route over the next year is rule-making by existing regulators (FCA, ICO, Ofcom, CMA) applying existing frameworks to AI within their sectors.
Five cross-sector principles guide the approach:
- Safety, security, and robustness
- Transparency and explainability
- Fairness
- Accountability and governance
- Contestability and redress
These remain non-statutory guidance, not a standalone AI statute.
How the UK differs from the EU
| Aspect | EU | UK |
|---|---|---|
| Framework | Single comprehensive law | Sector-specific guidance |
| Risk classification | Mandatory, defined in law | No mandatory classification |
| Compliance burden | Prescriptive requirements | Principles-based, flexible |
| Penalties | Up to 7% global turnover | Varies by sector regulator |
| Timeline | Phased 2025-2028 | No fixed statutory timeline |
What UK businesses should watch
- The Data (Use and Access) Act 2025, in force following Royal Assent in June 2025, reformed the rules on automated decision-making and profiling under UK data protection law
- The ICO consulted on updated guidance on AI and automated decision-making, with the consultation closing in May 2026 and final guidance expected over summer 2026
- The statutory duty for the ICO to produce a code of practice on automated decision-making came into force in May 2026; the code itself is still to be drafted and will carry weight in enforcement once finalised
For UK businesses that serve EU customers, the EU AI Act applies regardless of where you are based. Similar to GDPR's extraterritorial reach, you will need to comply and appoint an authorised representative in the EU.
If you sell into the EU or UK from North America
A US or Canadian business does not need an office, servers, or staff in Europe to fall under these rules. Both the EU AI Act and GDPR reach across borders, and the trigger is where your product and its outputs land, not where your company sits.
Under the EU AI Act, you are in scope in two main situations:
- You place an AI system on the EU market or put it into service in the EU, wherever your business is established
- You are a provider or deployer outside the EU and the output of your AI system is used in the EU. Output means a score, a decision, a recommendation, or a piece of generated content. The bar is low. If the result of your AI reaches someone in the EU, the Act reaches you
Most North American consumer businesses selling into the EU will be deployers of third-party AI, with the lighter deployer obligations. If you build or white-label an AI system and offer it in the EU, you are a provider. Non-EU providers of high-risk systems must appoint an authorised representative established in the EU, who holds your technical documentation, keeps records, and answers to market surveillance authorities. Non-EU providers of general-purpose AI models have had to appoint an EU representative since August 2025.
The revised timeline applies to you in the same way. The high-risk obligations move to December 2027, so if you run AI for hiring, credit, insurance pricing, or customer profiling that reaches the EU, you have the same extended runway. The transparency obligations do not move. If your EU-facing chatbot or AI-generated content reaches European users, you need the August 2026 disclosures in place.
The UK is a separate question. The EU AI Act does not apply to sales that only reach the UK, because the UK sits outside the EU. Selling into the UK brings you under UK GDPR and the relevant sector regulators instead, with no single AI statute to satisfy. If you sell into both markets, you carry both sets of obligations at once: the EU AI Act plus GDPR for your EU activity, and UK GDPR plus sector rules for your UK activity.
On the data side, offering goods or services to individuals in the EU or the UK, or monitoring their behaviour, brings you under GDPR or UK GDPR regardless of the AI question. In most cases that means appointing a representative in the EU, in the UK, or in both.
The practical takeaway is simple. Selling into Europe is enough to be regulated by Europe. Map which of your markets are EU, which are UK, and which AI systems produce outputs that land there, then apply the obligations market by market.
What this means for your programme
What you should do now
Prepare for transparency first. This is the obligation with the nearest deadline. If you have customer-facing chatbots, plan to disclose that they are AI-powered by August 2026. If you publish AI-generated content, decide your labelling approach for the same date. The high-risk deadline moved, this one did not.
Audit your AI systems. Map every AI tool your organisation uses and classify it against the EU AI Act risk framework. Most will fall into minimal risk. But check for any that touch hiring, credit, customer profiling, or biometric identification. Those are high-risk, and the delay to December 2027 is time to prepare, not time to ignore.
Check your GDPR compliance. If you are using AI to make decisions about customers, ensure meaningful human oversight is in place, you can explain how the AI works, and individuals can contest decisions. These requirements are not new but enforcement is increasing.
Train your team. AI literacy is already expected under the Act. Run role-appropriate training for anyone who uses or interacts with AI systems. This does not need to be technical. It needs to cover what the tools do, their limitations, and how to exercise appropriate oversight.
Review your vendors. If you use third-party AI tools, verify that your providers comply with the AI Act and GPAI rules. Obtain their technical documentation and assess whether your use of their tools creates high-risk obligations for you as a deployer.
What you can defer
If your AI systems are limited to demand forecasting, inventory optimisation, internal productivity tools, or recommendation engines that do not profile individuals, your compliance burden is minimal. Focus on the basics: AI literacy, GDPR compliance, and vendor due diligence.
Do not over-engineer your compliance response. The Act is designed to be proportionate, and the timeline has just been relaxed for the heaviest obligations. Most consumer-facing businesses will have a handful of systems that need attention, not a fundamental rethink of their AI strategy.
Section 9: Ethics and Governance covers how to build responsible AI governance into your programme. Section 8: Risk and Governance provides the risk management framework you will need for high-risk systems.
Sources
- Artificial Intelligence: Council gives final green light to simplify and streamline rules (Council of the EU, 2026)
- Artificial Intelligence: Council and Parliament agree to simplify and streamline rules (Council of the EU, 2026)
- EU AI Act Omnibus Agreement: Postponed High-Risk Deadlines and Other Key Changes (Gibson Dunn, 2026)
- EU AI Act Implementation Timeline
- EU AI Act - High-Level Summary
- EU AI Act - Annex III: High-Risk AI Systems
- EU AI Act - Article 5: Prohibited Practices
- EU AI Act - Article 99: Penalties
- GDPR Article 22 - Automated Decision-Making
- ICO - Guidance on AI and Data Protection
- EU AI Act Implications for UK Organisations (Farrer & Co)
- A Practical Guide to the Extraterritorial Reach of the AI Act (William Fry)