European AI Regulation 2026: The Operational Compliance Guide
In short: Regulation (EU) 2024/1689 — known as the AI Act — enters into force on 2 February 2025 and applies in waves, with the first binding obligations on 2 August 2026 (prohibitions and GPAI rules) and full high-risk coverage on 2 August 2027. Maximum fine: €35 million or 7% of global turnover. This operational guide gives you, in 8 chapters, the method to map your exposure, qualify your use cases, and build your compliance file before the deadline.
If you deploy, purchase, or resell an AI system in the European Union — even a simple chatbot, a scoring model, or an augmented HR tool — you are in scope. The question is no longer "does the AI Act apply to me?" but "by which date, for which risk, and with which compliance file?"
The AI Act in 5 minutes
The AI Act is the world's first horizontal AI regulation. It does not replace the GDPR: it stacks on top of it. Where the GDPR regulates personal data, the AI Act regulates the systems that process them and the models that produce them.
Three principles structure the text:
- A risk-based classification — unacceptable, high, limited, minimal — with increasing obligations.
- Shared responsibility between provider, deployer, importer, and distributor.
- A use-case approach, not technology-led: it is the final use that determines the risk level, not the underlying algorithm.
Chapter 01 — Scope of application
The AI Act targets:
- Providers who develop or have developed an AI system and place it on the EU market.
- Deployers who use an AI system under their own authority (client company, public administration, association).
- Importers and distributors who introduce a third-party system onto the European market.
Out of scope: systems purely military, R&D systems before market placement, and AI models used for scientific research activities before any commercial exploitation.
A French company deploying ChatGPT Enterprise to write its internal reports is a deployer under the AI Act. An SME integrating a CV scoring API into its ATS is both a provider (of the final integration, if it sells a product) and a deployer (of its internal use).
Chapter 02 — Risk classification
The AI Act organizes use cases in four levels (actually six, including the GPAI sub-categories with/without systemic risk):
| Level | Examples | Main obligations | |-------|----------|------------------| | Unacceptable | Social scoring, real-time biometric identification in public spaces (with strict exceptions) | Prohibited | | High | Recruitment, credit scoring, education access, justice, healthcare | Technical documentation, risk management, human oversight, transparency | | Limited | Chatbots, content generation, deepfakes | User information | | Minimal | Spam filters, video games, code completion AI | No specific obligation |
The classic trap: the same system can shift from one level to another depending on its context of use. The same recommendation algorithm is "minimal" on a B2C e-commerce site, but "high" if used to direct access to a public service.
Chapter 03 — Unacceptable risk: the blacklist
Prohibited since 2 February 2025 (entry into force) and fully applicable on 2 August 2026:
- Exploiting vulnerabilities (age, disability, socio-economic situation) to push harmful behavior.
- General-purpose social scoring.
- Real-time biometric identification in publicly accessible spaces, except for tightly framed purposes (searching for victims, imminent terrorist threat, etc.).
- Emotion recognition in the workplace and in education (with exceptions).
- Biometric categorization inferring race, political opinions, sexual orientation, religious beliefs.
Chapter 04 — High risk: the bulk of the work
High-risk systems represent the bulk of the compliance burden. Two sub-ensembles:
- Systems embedded in products subject to conformity assessments (Annex I, e.g., medical devices, toys, vehicles).
- Systems listed in Annex III: recruitment, worker management, credit scoring, insurance, essential public services, education, justice, law enforcement, migration, democracy.
- A detailed functional description.
- A documented and iterated risk management analysis.
- Data governance: traceability, bias, representativeness.
- Automatic logging of events.
- Up-to-date technical documentation.
- Instructions for use for the deployer.
- Effective human oversight (not just formal).
- A documented level of accuracy, robustness, and cybersecurity.
Chapter 05 — General-purpose AI (GPAI)
Foundation models — GPT, Claude, Gemini, Mistral, Llama — fall under a specific regime. "General-purpose AI" (GPAI) models are subject to:
- Technical documentation of the model (architecture, training data, capability).
- Transparency vis-à-vis downstream providers: the GPAI provider must provide the documentation and information needed for compliant integration.
- A copyright-respect policy (opt-out respected).
From 2 August 2026, these obligations apply. Concretely: if you use GPT-5, Claude 4, or a European open-source model to serve your customers, you must be able to demonstrate that you received and archived the upstream provider's documentation, and that you informed your own users in a compliant manner.
Chapter 06 — Transparency obligations
For limited risk uses (chatbots, content generation, deepfakes), the AI Act imposes minimum transparency:
- Users must know they are interacting with an AI (except medical or emergency exceptions).
- Synthetic content (text, audio, image, video) must be markable as such.
- Deepfakes must be flagged.
- Biometric categorization or emotion analysis systems must inform the persons concerned.
Chapter 07 — Sanctions and governance
Sanctions are calibrated by the nature of the violation:
- Prohibited practices (unacceptable risk): up to €35M or 7% of global turnover, the higher amount being retained.
- Non-compliance of high-risk systems: up to €15M or 3% of turnover.
- Misleading information: up to €7.5M or 1% of turnover.
Governance is shared between:
- The AI Office at European level (Commission, in liaison with Member States).
- National authorities designated by each Member State (in France: the CNIL and the DGCCRF share competence).
- Notified bodies for conformity assessments of high-risk systems.
- The European AI Board (Member States + Commission) for opinions and guidance.
Chapter 08 — 90-day action plan
Here is an operational roadmap for a 50 to 500-person organization that uses or deploys AI.
Days 1 to 15 — Cartography
- List all AI systems used or deployed (internal providers, APIs, integrations).
- Identify GPAI models consumed (API, self-hosted).
- For each system, qualify the risk level (unacceptable / high / limited / minimal).
Days 16 to 45 — Documentation
- Build the AI systems register (template in the full guide).
- For high-risk uses, start the risk management analysis.
- Document effective human governance.
- Verify GDPR compliance (DPIA, legal basis, AIPD).
Days 46 to 75 — Compliance
- For limited-risk uses, set up user information (mention "you are interacting with an AI").
- For high-risk uses, write the instructions for use and technical documentation.
- For GPAI, check the documentation received from the upstream provider.
Days 76 to 90 — Audit and continuous improvement
- Robustness, bias, and cybersecurity testing on high-risk systems.
- Set up continuous monitoring (logging, alerts).
- Train business and IT teams.
- Incident escalation procedure.
Key features of the full guide
- Complete legal framework: from Regulation (EU) 2024/1689 to implementing acts, every article is decoded with its operational implications.
- 4-tier risk pyramid: unacceptable, high, limited, minimal — for each level, your concrete obligations and the list of prohibited use cases.
- 12 concrete use cases: AI recruitment, banking scoring, healthcare, education, GPAI — commented by legal practitioners.
- 38-point compliance checklist: governance, data, transparency, human oversight, technical documentation.
- 2026-2027 calendar: the 6 key dates to anticipate, from 2 February 2025 to 2 August 2027.
- Document templates: risk assessment form, AI systems register, subcontracting clause, AI usage policy — ready to use.
Key statistics
- Maximum fine: €35M or 7% of global turnover.
- First application date: 2 August 2026.
- Full application: 2 August 2027.
- Risk levels: 4 (unacceptable, high, limited, minimal) + 2 GPAI sub-categories.
Want to go further?
If you use AI in your organization — chatbot, scoring, content generation, automation, model integration — Mindzy can help you:
- Map your uses and qualify your risks.
- Build your AI Act + GDPR compliance file.
- Set up an AI systems register and operational governance.
- Train your legal, IT, and business teams.
