AI Act: from August 2, 2026 it's law. Everything you need to do to be compliant and avoid penalties
Regulation

June 28, 2026·Davide Stigliani

Just over a month to go. On August 2, 2026 the bulk of the AI Act, the European Regulation on Artificial Intelligence (Regulation (EU) 2024/1689), becomes applicable: the first comprehensive regulatory framework in the world dedicated specifically to artificial intelligence. The regulation has formally been in force since August 1, 2024 and some of its provisions already apply (the prohibited practices and the AI literacy duty since February 2, 2025, the obligations for general-purpose AI models since August 2, 2025), but August 2, 2026 is the date on which the obligations for high-risk systems listed in Annex III and the transparency obligations start to bite. From that date it is no longer a matter of best practices or ethical recommendations: it is binding law in all twenty-seven EU member states, with penalties that can reach thirty-five million euros or seven percent of annual worldwide turnover. If your company develops, distributes, imports or uses AI systems, and in 2026 it is hard to imagine a company that does not in some form, this is what you need to know before the deadline.

One of the first questions every entrepreneur and manager asks is: does it apply to me? The answer, in most cases, is yes, but with very different levels of obligations depending on the role your organization plays in the AI value chain. The AI Act applies to providers, meaning anyone who develops an AI system, or has one developed, and places it on the EU market or puts it into service under their own name, regardless of where the company is based. It applies to deployers, meaning anyone using an AI system under their own authority in the course of a professional activity: a company using an AI tool to screen CVs is a deployer, as is a bank using one to assess credit applications or a hospital using one to support medical diagnoses. It also applies to importers and distributors, who have their own conformity verification obligations before placing a system on the market. SMEs and micro-enterprises benefit from some simplifications (proportionate fines, simplified technical documentation, priority access to regulatory sandboxes), but they are not exempt from the core obligations, especially for high-risk systems.

The AI Act does not treat all AI systems equally. It works with a four-tier risk system, where obligations increase in proportion to the potential harm the system could cause to people. The first tier is unacceptable risk, corresponding to practices completely prohibited in the EU, with no commercial exceptions. These prohibitions have already applied since February 2, 2025.

Prohibited practices include generalized social scoring by public or private entities, subliminal or deliberately manipulative techniques that materially distort behaviour, exploitation of the vulnerabilities of children, elderly people, people with disabilities or people in a specific economic situation, inferring emotions in the workplace and in educational institutions (except for medical or safety reasons), biometric categorization to infer sensitive characteristics such as sexual orientation, political opinions, ethnic origin, religious beliefs or trade union membership, predicting the risk of a person committing a crime based solely on profiling or personality traits, real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (with narrow exceptions subject to prior judicial or administrative authorization), and facial recognition databases built through untargeted scraping of images from the internet or CCTV footage. If your company uses anything similar, the rule is one and only one: stop immediately. These prohibitions have applied since February 2, 2025, so there is no grace period left to wait for.

The second tier, high risk, is the one that concerns the largest number of companies and requires the most substantial compliance work. High-risk AI systems are legal, but subject to a set of strict obligations before they can be placed on the market or put into service. Annex III of the AI Act lists the relevant domains: biometrics (remote biometric identification, biometric categorization and emotion recognition where not outright prohibited); critical infrastructure such as critical digital infrastructure, road traffic and the supply of water, gas, heating and electricity; education and vocational training, in particular systems determining admission, evaluating students or detecting cheating; employment and worker management, from CV screening to task allocation to performance monitoring to promotion or dismissal decisions; access to essential private and public services, such as bank credit scoring, risk assessment and pricing for life and health insurance, eligibility for social benefits and the dispatch of emergency services; law enforcement; migration, asylum and border control; and the administration of justice and democratic processes. A separate route, Annex I, covers AI used as a safety component of products already subject to EU product legislation, such as medical devices, machinery, vehicles and aircraft: those systems are also high-risk, but their obligations only apply from August 2, 2027 and run through the existing sectoral conformity assessment. Note that an Annex III system can escape the high-risk classification if it only performs a narrow procedural task or does not materially influence the outcome of a decision, but the provider must document that assessment and remains answerable for it.

For high-risk systems the concrete obligations are detailed. Before deployment a documented and continuous risk management system is required: not a one-off document but a living process updated for the entire operational life of the system. Training data governance is required: datasets used to train, validate and test the system must meet documented quality criteria, be examined for bias, errors and gaps, and be relevant and sufficiently representative of the intended use. Complete technical documentation is required, describing the system, its performance, known limitations, security measures, architecture and training details, and it must be available to supervisory authorities on request.

High-risk systems must also automatically log events over their lifetime, at a minimum enough to trace the situations in which they operated and to reconstruct afterward what the system did and why; deployers must keep those logs for at least six months, unless other law requires longer. The provider must design the system so that deployers can understand its behaviour, its limitations and the meaning of its outputs, and the deployer in turn must inform workers and affected persons that a high-risk AI system is being used on them. Effective human oversight is not a preference but a legal requirement: a designated human must be able to understand the outputs, intervene, override a decision or stop the system. To this are added requirements of accuracy, robustness and cybersecurity appropriate to the intended use, including protection against AI-specific attacks such as data poisoning, adversarial examples and model manipulation. Finally, before going into service, a conformity assessment must be completed (for most Annex III systems an internal control procedure run by the provider, with an external notified body involved for biometric systems that do not apply harmonized standards and for Annex I products), the CE mark affixed, the EU declaration of conformity drawn up, and the system registered in the public EU database managed by the European Commission. Deployers that are public bodies, and private deployers in credit and insurance, must in addition carry out a fundamental rights impact assessment before first use.
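The logging and human-oversight requirements above say what must be reconstructible, not how to store it. As an added example (not code from the article or from any regulator), here is one way a deployer could keep an inference audit trail that detects after-the-fact tampering: each record carries the SHA-256 hash of the previous record, so editing, deleting or reordering an interior entry breaks the chain. All field names, the sample system identifier and the sample inputs are illustrative assumptions.

```python
"""Hash-chained audit log for decisions of a high-risk AI system.

Added example, not from the article. Assumes one JSON-serialisable record
per event, where every record carries the SHA-256 of the previous one.
Field names (system_id, model_version, input_ref, ...) are illustrative.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # hash used as the "previous" pointer of the first record


def _canonical(record: dict) -> bytes:
    # Deterministic serialisation so that the same record always hashes the same.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class InferenceAuditLog:
    """Append-only record of automated decisions and of human overrides."""

    def __init__(self) -> None:
        self.records: list[dict] = []

    def _append(self, event: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {
            "seq": len(self.records),
            "ts": datetime.now(timezone.utc).isoformat(),
            "prev": prev,
            **event,
        }
        body["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
        self.records.append(body)
        return body

    def log_decision(self, system_id: str, model_version: str, input_ref: str,
                     output: str, score: float, operator: str) -> dict:
        # input_ref should be a hash or pointer to the input, not the raw
        # personal data itself, so the log can be retained without copying it.
        return self._append({"type": "decision", "system_id": system_id,
                             "model_version": model_version, "input_ref": input_ref,
                             "output": output, "score": score, "operator": operator})

    def log_override(self, decision_seq: int, new_output: str,
                     reviewer: str, reason: str) -> dict:
        # Human oversight leaves its own trace rather than rewriting history.
        return self._append({"type": "override", "decision_seq": decision_seq,
                             "output": new_output, "reviewer": reviewer, "reason": reason})

    def verify(self) -> tuple[bool, int | None]:
        """Recompute the whole chain; return (ok, index of first bad record)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["seq"] != i or rec["prev"] != prev:
                return False, i  # deleted, inserted or reordered record
            if hashlib.sha256(_canonical(body)).hexdigest() != rec["hash"]:
                return False, i  # contents edited after the fact
            prev = rec["hash"]
        return True, None

    def reconstruct(self, decision_seq: int) -> dict:
        """What the system decided, and what a human turned it into."""
        decision = self.records[decision_seq]
        overrides = [r for r in self.records
                     if r.get("type") == "override" and r["decision_seq"] == decision_seq]
        final = overrides[-1]["output"] if overrides else decision["output"]
        return {"issued": decision["output"], "final": final, "overrides": overrides}


def demo() -> tuple[bool, bool, int | None]:
    """Constructed scenario: one CV-screening decision, one override, one tamper."""
    log = InferenceAuditLog()
    applicant_ref = "sha256:" + hashlib.sha256(b"applicant-1042").hexdigest()
    d = log.log_decision("cv-screener", "2026.06.1", applicant_ref, "reject", 0.31, "hr-pipeline")
    log.log_override(d["seq"], "shortlist", "j.doe", "relevant experience only in free text")
    ok_before, _ = log.verify()
    log.records[0]["output"] = "shortlist"  # someone quietly rewrites the original decision
    ok_after, bad = log.verify()
    return ok_before, ok_after, bad


if __name__ == "__main__":
    print(demo())
```

The chain catches edits, deletions and reordering of interior records, but not silent truncation of the tail: the newest hash must be anchored somewhere the log writer cannot alter, for example written to WORM storage or timestamped by a separate service, for the trail to be usable as evidence toward an authority.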

The third tier, limited risk, concerns AI systems that interact directly with people or produce content that could be mistaken for human work: chatbots and conversational assistants, deepfakes and other synthetic content, text generated to inform the public. The obligations here, set out in Article 50, are about transparency. People must be clearly informed that they are interacting with an AI, in an understandable way at the first interaction and not hidden in the terms of service, unless it is obvious from the context. Synthetic content must be marked: providers of systems that generate images, video, audio or text must ensure the output is marked in a machine-readable format (watermarks, metadata or similar techniques) so that it is detectable as artificially generated. Deployers who produce deepfakes must disclose that the content was generated or manipulated; where the content is part of an evidently artistic, creative, satirical or fictional work, the disclosure only has to be made in a way that does not hamper the work.

The fourth tier, minimal risk, covers most AI systems: spam filters, content recommendations, AI in video games, personal productivity tools. For these systems the AI Act imposes no specific obligations beyond the general AI literacy duty, although other European rules naturally still apply, from the GDPR to consumer protection.

The AI Act devotes a specific chapter to General Purpose AI Models, the large language and multimodal models such as GPT, Claude, Gemini and Llama, used as a base to build a vast range of applications. These obligations have already applied since August 2, 2025 for models placed on the market from that date; models already on the market before then have until August 2, 2027. All GPAI providers must produce technical documentation of architecture, training process, capabilities and limitations, give downstream providers the information they need to build compliant applications, adopt a policy to comply with EU copyright law (including honouring rights reservations expressed by rightsholders) and publish a sufficiently detailed public summary of the content used for training. Models trained with more than ten to the twenty-fifth FLOP of compute, a threshold that includes virtually all current frontier models, are presumed to carry systemic risk (the Commission can also designate models below it) and have additional obligations: model evaluation including adversarial testing before release, assessment and mitigation of systemic risks, tracking and reporting of serious incidents to the AI Office without undue delay, and adequate cybersecurity for the model and its physical infrastructure. Known or estimated energy consumption of training is part of the required technical documentation. Signing the Commission's voluntary GPAI Code of Practice is the simplest way to demonstrate compliance with these obligations.

The penalty system is proportional to the severity of the violation. Violations of the prohibited practices can cost up to thirty-five million euros or seven percent of annual worldwide turnover, whichever is higher. Violations of the other obligations, including those for high-risk systems and the duties of providers, deployers, importers and distributors, reach up to fifteen million euros or three percent of annual worldwide turnover, whichever is higher. Providing incorrect, incomplete or misleading information to the authorities is punished with up to seven and a half million euros or one percent of turnover. Fines on GPAI providers, up to fifteen million euros or three percent of turnover, are imposed directly by the Commission and become applicable on August 2, 2026. For SMEs and startups the lower of the two amounts applies, but even a small percentage of modest turnover can be devastating for an early-stage company. In Italy, Law 132/2025 designated the Agency for Digital Italy (AgID) and the National Cybersecurity Agency (ACN) as national authorities for AI, with AgID acting as notifying authority and ACN as market surveillance authority, while the Data Protection Authority keeps its competences for everything that intersects with the GDPR.

With thirty-five days to the deadline, a concrete action plan is needed. The first step, to be done this week, is a complete inventory of AI systems in use: which AI-enabled tools the company uses or sells, where it sits in the value chain for each one (provider, deployer, importer or distributor), what data they handle, who is affected by their outputs and in what operational domain. The second step is the classification of each system against the AI Act risk tiers, immediately separating the prohibited systems (which should have been decommissioned already, since the ban has applied since February 2025), the high-risk ones (to be brought into compliance with the obligations listed above), the limited-risk ones (to be equipped with disclosure to users and machine-readable marking of generated content) and the minimal-risk ones (where only the GDPR baseline needs to be maintained).

The third step is gap analysis: for each high-risk system, compare the current state with the AI Act requirements and produce a prioritized list of technical and documentary interventions, starting from the ones with the longest lead time, such as logging, technical documentation and the conformity assessment. The fourth step is appointing an internal AI compliance lead: the Act does not mandate a specific role, but someone has to act as the contact point for the authorities and coordinate the work between legal, IT, security and business. The fifth step is training: the AI literacy duty of Article 4 has applied since February 2, 2025, so all staff using AI systems in their role must be trained on correct use, on the limitations of the systems and on their oversight obligations, because the deployer's responsibility does not end with the choice of supplier.

August 2, 2026 is not a date that only lawyers need to care about: it is a paradigm shift for any company that integrates AI into its products, processes or decisions. Those who arrive ready will turn compliance into a competitive advantage, communicating it to their customers as a guarantee of reliability and governance. Those who arrive unprepared risk heavy financial penalties, reputational damage and de facto exclusion from the European market. The good news is that, with a clear-headed action plan and a focused month of work, the goal is still within reach.