Mindzy
business10 min read

European AI Regulation 2026: The Operational Compliance Guide

Everything you need to map your organization's exposure to the 2026 EU AI Act: risk pyramid, concrete use cases, 38-point compliance checklist, 2026-2027 calendar and ready-to-use document templates.

M
Mindzy
European AI Regulation 2026: The Operational Compliance Guide

European AI Regulation 2026: The Operational Compliance Guide

In short: Regulation (EU) 2024/1689 — known as the AI Act — enters into force on 2 February 2025 and applies in waves, with the first binding obligations on 2 August 2026 (prohibitions and GPAI rules) and full high-risk coverage on 2 August 2027. Maximum fine: €35 million or 7% of global turnover. This operational guide gives you, in 8 chapters, the method to map your exposure, qualify your use cases, and build your compliance file before the deadline.

If you deploy, purchase, or resell an AI system in the European Union — even a simple chatbot, a scoring model, or an augmented HR tool — you are in scope. The question is no longer "does the AI Act apply to me?" but "by which date, for which risk, and with which compliance file?"


The AI Act in 5 minutes

The AI Act is the world's first horizontal AI regulation. It does not replace the GDPR: it stacks on top of it. Where the GDPR regulates personal data, the AI Act regulates the systems that process them and the models that produce them.

Three principles structure the text:

  1. A risk-based classification — unacceptable, high, limited, minimal — with increasing obligations.
  2. Shared responsibility between provider, deployer, importer, and distributor.
  3. A use-case approach, not technology-led: it is the final use that determines the risk level, not the underlying algorithm.
The AI Act applies to any organization placing an AI system on the European market, regardless of its headquarters — a company based in San Francisco, Dubai, or Singapore is bound by the same obligations if it serves European users.

Chapter 01 — Scope of application

The AI Act targets:

  • Providers who develop or have developed an AI system and place it on the EU market.
  • Deployers who use an AI system under their own authority (client company, public administration, association).
  • Importers and distributors who introduce a third-party system onto the European market.

Out of scope: systems purely military, R&D systems before market placement, and AI models used for scientific research activities before any commercial exploitation.

A French company deploying ChatGPT Enterprise to write its internal reports is a deployer under the AI Act. An SME integrating a CV scoring API into its ATS is both a provider (of the final integration, if it sells a product) and a deployer (of its internal use).


Chapter 02 — Risk classification

The AI Act organizes use cases in four levels (actually six, including the GPAI sub-categories with/without systemic risk):

| Level | Examples | Main obligations | |-------|----------|------------------| | Unacceptable | Social scoring, real-time biometric identification in public spaces (with strict exceptions) | Prohibited | | High | Recruitment, credit scoring, education access, justice, healthcare | Technical documentation, risk management, human oversight, transparency | | Limited | Chatbots, content generation, deepfakes | User information | | Minimal | Spam filters, video games, code completion AI | No specific obligation |

The classic trap: the same system can shift from one level to another depending on its context of use. The same recommendation algorithm is "minimal" on a B2C e-commerce site, but "high" if used to direct access to a public service.


Chapter 03 — Unacceptable risk: the blacklist

Prohibited since 2 February 2025 (entry into force) and fully applicable on 2 August 2026:

  • Exploiting vulnerabilities (age, disability, socio-economic situation) to push harmful behavior.
  • General-purpose social scoring.
  • Real-time biometric identification in publicly accessible spaces, except for tightly framed purposes (searching for victims, imminent terrorist threat, etc.).
  • Emotion recognition in the workplace and in education (with exceptions).
  • Biometric categorization inferring race, political opinions, sexual orientation, religious beliefs.
If any of these uses is in your 2026-2027 roadmap, you must stop it now — not after 2 August 2026.

Chapter 04 — High risk: the bulk of the work

High-risk systems represent the bulk of the compliance burden. Two sub-ensembles:

  1. Systems embedded in products subject to conformity assessments (Annex I, e.g., medical devices, toys, vehicles).
  2. Systems listed in Annex III: recruitment, worker management, credit scoring, insurance, essential public services, education, justice, law enforcement, migration, democracy.
For each high-risk system, you must build a file compliant with Article 11 (technical systems) and Annex IV, including:
  • A detailed functional description.
  • A documented and iterated risk management analysis.
  • Data governance: traceability, bias, representativeness.
  • Automatic logging of events.
  • Up-to-date technical documentation.
  • Instructions for use for the deployer.
  • Effective human oversight (not just formal).
  • A documented level of accuracy, robustness, and cybersecurity.
For organizations that deploy a high-risk system without being the provider, Article 27 requires: appointing a human oversight responsible, keeping an automatic log, informing the provider and the data subjects in case of serious incident, and performing a DPIA (Data Protection Impact Assessment) if the processing is likely to result in a high risk to rights and freedoms.

Chapter 05 — General-purpose AI (GPAI)

Foundation models — GPT, Claude, Gemini, Mistral, Llama — fall under a specific regime. "General-purpose AI" (GPAI) models are subject to:

  • Technical documentation of the model (architecture, training data, capability).
  • Transparency vis-à-vis downstream providers: the GPAI provider must provide the documentation and information needed for compliant integration.
  • A copyright-respect policy (opt-out respected).
Models classified as systemic risk (above 10^25 FLOPs of training) have additional obligations: adversarial evaluations, reporting of serious incidents, cybersecurity assurance.

From 2 August 2026, these obligations apply. Concretely: if you use GPT-5, Claude 4, or a European open-source model to serve your customers, you must be able to demonstrate that you received and archived the upstream provider's documentation, and that you informed your own users in a compliant manner.


Chapter 06 — Transparency obligations

For limited risk uses (chatbots, content generation, deepfakes), the AI Act imposes minimum transparency:

  • Users must know they are interacting with an AI (except medical or emergency exceptions).
  • Synthetic content (text, audio, image, video) must be markable as such.
  • Deepfakes must be flagged.
  • Biometric categorization or emotion analysis systems must inform the persons concerned.
Article 50 is dense: it covers AI interactions, deepfakes, advertising, scoring, biometrics. From 2 August 2026, every AI user interface must make the intervention of the AI perceptible.

Chapter 07 — Sanctions and governance

Sanctions are calibrated by the nature of the violation:

  • Prohibited practices (unacceptable risk): up to €35M or 7% of global turnover, the higher amount being retained.
  • Non-compliance of high-risk systems: up to €15M or 3% of turnover.
  • Misleading information: up to €7.5M or 1% of turnover.
SMEs benefit from a proportional cap.

Governance is shared between:

  • The AI Office at European level (Commission, in liaison with Member States).
  • National authorities designated by each Member State (in France: the CNIL and the DGCCRF share competence).
  • Notified bodies for conformity assessments of high-risk systems.
  • The European AI Board (Member States + Commission) for opinions and guidance.

Chapter 08 — 90-day action plan

Here is an operational roadmap for a 50 to 500-person organization that uses or deploys AI.

Days 1 to 15 — Cartography

  • List all AI systems used or deployed (internal providers, APIs, integrations).
  • Identify GPAI models consumed (API, self-hosted).
  • For each system, qualify the risk level (unacceptable / high / limited / minimal).

Days 16 to 45 — Documentation

  • Build the AI systems register (template in the full guide).
  • For high-risk uses, start the risk management analysis.
  • Document effective human governance.
  • Verify GDPR compliance (DPIA, legal basis, AIPD).

Days 46 to 75 — Compliance

  • For limited-risk uses, set up user information (mention "you are interacting with an AI").
  • For high-risk uses, write the instructions for use and technical documentation.
  • For GPAI, check the documentation received from the upstream provider.

Days 76 to 90 — Audit and continuous improvement

  • Robustness, bias, and cybersecurity testing on high-risk systems.
  • Set up continuous monitoring (logging, alerts).
  • Train business and IT teams.
  • Incident escalation procedure.

Key features of the full guide

  • Complete legal framework: from Regulation (EU) 2024/1689 to implementing acts, every article is decoded with its operational implications.
  • 4-tier risk pyramid: unacceptable, high, limited, minimal — for each level, your concrete obligations and the list of prohibited use cases.
  • 12 concrete use cases: AI recruitment, banking scoring, healthcare, education, GPAI — commented by legal practitioners.
  • 38-point compliance checklist: governance, data, transparency, human oversight, technical documentation.
  • 2026-2027 calendar: the 6 key dates to anticipate, from 2 February 2025 to 2 August 2027.
  • Document templates: risk assessment form, AI systems register, subcontracting clause, AI usage policy — ready to use.

Key statistics

  • Maximum fine: €35M or 7% of global turnover.
  • First application date: 2 August 2026.
  • Full application: 2 August 2027.
  • Risk levels: 4 (unacceptable, high, limited, minimal) + 2 GPAI sub-categories.

Want to go further?

If you use AI in your organization — chatbot, scoring, content generation, automation, model integration — Mindzy can help you:

  • Map your uses and qualify your risks.
  • Build your AI Act + GDPR compliance file.
  • Set up an AI systems register and operational governance.
  • Train your legal, IT, and business teams.
Let's discuss your specific case — schedule a 30-minute call.
#ai act, gdpr, ai compliance, artificial intelligence, european regulation, 2026

Did you enjoy this article?

Discover how Mindzy can help you.

Related articles