EU AI Act Compliance 2026: What Every Business Deploying AI Must Know
Risk tiers, prohibited practices, key deadlines — and a practical checklist for teams using Claude, GPT, or any LLM in production.
By Boris Agatić · June 2, 2026 · 9 min read
The EU AI Act, the world's first comprehensive legal framework for artificial intelligence, entered into force on 1 August 2024; its obligations apply on a staggered timeline running through 2026 and 2027. If your company uses AI in any customer-facing or decision-making context in the EU, you are almost certainly in scope, whether or not the company is established there: the Act also reaches providers and deployers outside the EU whose system's output is used inside it.
This post cuts through the legal jargon and gives you what you actually need: which rules apply to you, by when, and what to do about it.
Note: This is practical guidance, not legal advice. For binding compliance decisions, consult a qualified legal professional familiar with EU AI regulation.
The Four-Tier Risk Framework
The EU AI Act classifies AI systems into four risk tiers. Your obligations scale with the tier.
| Tier | Examples | Obligation |
|---|---|---|
| Unacceptable | Social scoring, real-time remote biometric identification in public spaces by law enforcement (narrow exceptions), subliminal or manipulative techniques that exploit vulnerabilities | Banned outright. Fines up to €35M or 7% of global turnover. |
| High Risk | CV screening, credit scoring, safety components of regulated products such as medical devices, critical infrastructure, law enforcement tools | Mandatory conformity assessment, risk management, data governance, logging, human oversight, transparency to users. |
| Limited Risk | Chatbots, deepfake generators, and (on top of their other obligations) emotion recognition and biometric categorisation systems | Transparency obligations: users must know they are interacting with AI or looking at AI-generated content. |
| Minimal Risk | AI-powered email filters, recommendation engines, most internal productivity tools | No mandatory requirements; voluntary codes of conduct are encouraged. |
Most businesses using Claude or similar LLMs for internal productivity, content creation, or customer support chatbots fall into Limited Risk. The key obligation, which applies from 2 August 2026: make clear to users that they are interacting with an AI system.
Key Dates: What Has Changed and What Is Coming
February 2025 — Prohibited practices ban effective
Unacceptable-risk AI systems became illegal across the EU. Social scoring by public authorities, biometric categorisation from sensitive attributes, and AI that exploits psychological vulnerabilities are now banned.
August 2025 — GPAI rules and governance obligations
Rules for General-Purpose AI (GPAI) models, covering foundation models such as Claude, GPT-4o, and Mistral, became applicable, together with the governance provisions and the penalty regime. Providers must maintain technical documentation, publish a summary of the content used for training, adopt a copyright policy, and, for models classified as carrying systemic risk, run adversarial testing and report serious incidents.
2026 (ongoing) — Codes of Practice finalised
The EU AI Office has finalised the voluntary Code of Practice for GPAI providers. Anthropic, Google, and Microsoft are among the signatories. Adhering to the Code is an accepted way of demonstrating compliance with the GPAI obligations; providers that do not sign must show compliance by other means.
August 2026: high-risk and transparency obligations
The bulk of the Act applies from 2 August 2026. The high-risk regime for the Annex III use cases takes effect: CV screening tools, loan decisioning systems, and similar products must complete conformity assessments and be registered in the EU database. The Article 50 transparency duties for chatbots and synthetic content apply from the same date. High-risk AI embedded in products already covered by EU product legislation, such as medical devices, has until August 2027.
GPAI Models: What Providers Like Anthropic Must Do
The GPAI obligations in Chapter V apply to every general-purpose AI model placed on the EU market, whatever its size; the compute threshold only decides whether a model is treated as carrying systemic risk:
- Technical documentation: keep up-to-date documentation of the training, testing and evaluation process, available to the EU AI Office on request, and give downstream providers the information they need to integrate the model and meet their own obligations.
- Copyright compliance: put in place a policy to comply with EU copyright law, including honouring rights reservations under the text and data mining exception, and publish a sufficiently detailed public summary of the training content.
- Systemic risk models: a model trained with more than 10²⁵ FLOPs of cumulative compute is presumed to have systemic risk, and the Commission can designate models below that line. These face additional duties: model evaluation including documented adversarial testing (red-teaming), assessment and mitigation of systemic risks, reporting of serious incidents to the EU AI Office, and an adequate level of cybersecurity for the model and its physical infrastructure.
Anthropic has engaged with the EU AI Office and participates in the GPAI Code of Practice process. Claude models used through the Anthropic API benefit from Anthropic's compliance work at the provider level — but deployers (that's you) still have their own obligations.
What Claude Deployers Must Do
Even if you're just calling the Claude API, you are a deployer under the Act when you use the system under your own authority in the EU. Here's what that means in practice. One caveat before the lists: if you put a system on the market under your own name, substantially modify a high-risk system, or fine-tune a model into something materially different, you can become a provider, with the heavier obligations that role carries.
For Limited-Risk (Chatbot) Deployments
- Add a clear disclosure that users are interacting with an AI system, at the latest when the conversation starts, unless that is already obvious from the context.
- Do not design the system to deceive users into thinking they are talking to a human.
- If generating synthetic audio, video, or images, label them as AI-generated.
For High-Risk Deployments
- Conduct a Fundamental Rights Impact Assessment before first use where Article 27 requires it: deployers that are public bodies or private entities providing public services, and deployers using AI for credit scoring or life and health insurance risk pricing.
- Implement a risk management system with documented human oversight procedures.
- Keep the logs the system generates automatically for at least six months (longer where other EU or national law requires it), and make sure they are sufficient for post-hoc audit.
- Appoint a person responsible for AI compliance (the Act does not require a dedicated role, but accountability must be documented).
- Make sure the system is registered in the EU database before use. Registration is the provider's duty; deployers that are public authorities must also register their own use.
- Report any serious incident immediately to the provider (and importer or distributor) and to your market surveillance authority. The provider's formal report is due within 15 days of becoming aware of the incident, sooner where a death or a widespread infringement is involved.
The Transparency Obligation in Practice
The most immediate requirement for most SMEs is also the simplest: tell people they're talking to AI. A sentence at the start of a chat widget — "This assistant is powered by AI. For complex issues, you can reach a human at [email]." — satisfies the core obligation.
What you cannot do:
- Give the AI a human name and persona without any disclosure that it is AI-powered.
- Design the system to deny it is an AI when sincerely asked.
- Use emotion recognition AI on customers without telling them. On employees and in education it is prohibited outright, except for medical or safety purposes.
Practical Compliance Checklist for 2026
Here is a minimal checklist for an SME using Claude or a similar LLM in a customer-facing context:
- Classify your use case — Is it customer support (Limited Risk)? CV screening (High Risk)? Internal search (Minimal Risk)? Know your tier before anything else.
- Add AI disclosure — Update your chatbot welcome message, email footer, or app UI to disclose AI involvement.
- Review your data practices — Ensure the data you feed into prompts (customer records, employee data) is handled in line with GDPR. The AI Act and GDPR overlap heavily here.
- Document your system — Write a one-page description of what the AI does, what data it processes, and what human oversight is in place. This is your baseline technical documentation.
- Establish an escalation path — High-stakes decisions (credit, employment, medical) must have a human review option. Document it.
- Monitor and log — Enable logging in your LLM calls sufficient to investigate complaints or anomalous outputs.
- Stay current — The EU AI Office publishes guidance regularly. Sign up for their newsletter and revisit your compliance posture every six months.
Penalties and Enforcement
The Act gives national market surveillance authorities the power to investigate, order corrections, and impose fines. The penalty structure:
- Prohibited practices: up to €35M or 7% of global annual turnover (whichever is higher).
- High-risk non-compliance: up to €15M or 3% of global turnover.
- Supplying incorrect, incomplete or misleading information to authorities: up to €7.5M or 1% of turnover.
- SME proportionality: for SMEs and start-ups each cap is the lower of the two amounts rather than the higher, and authorities must consider company size and financial capacity when setting a fine. SME-specific guidance from the EU AI Office is being developed.
Enforcement in 2026 is focused primarily on prohibited practices and high-risk systems. The EU AI Office, which enforces the GPAI rules directly, has indicated that it will prioritise providers of systemic-risk GPAI models before national authorities turn to SME deployers in lower-risk tiers. That said, proactive compliance is far cheaper than reactive remediation.
How This Affects AI Strategy
The EU AI Act is not just a compliance checkbox — it is reshaping how enterprises design AI systems. The patterns we are seeing among clients:
- Human-in-the-loop by default — Teams that designed agentic AI with full automation are adding human review gates for consequential decisions.
- Audit trails from day one — Logging prompt inputs and outputs is now a standard design requirement, not an afterthought.
- Vendor due diligence — Procurement teams are asking AI vendors for their technical documentation and GPAI Code of Practice adherence before signing contracts.
- Privacy-AI convergence — DPOs and AI compliance leads are starting to work together. GDPR data minimisation principles apply directly to training and fine-tuning pipelines.
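The "Monitor and log" item in the checklist and the "Audit trails from day one" pattern above come down to one piece of engineering: a wrapper around every model call that records what went in and what came out in a form you can hand to an auditor months later, without turning the log itself into a GDPR liability. The Python block below is an added example written for this post, not code from Anthropic or from the post's author. It assumes the model is reached through an injectable call_model(messages) function (stubbed here so it runs offline); the JSONL hash-chain record layout, the redaction patterns and the system prompt are this example's own design, not something the Act prescribes. It also shows a cheap regression check for the "never deny being an AI when sincerely asked" rule.

```python
"""Audit-logging wrapper around an LLM call (added example, not the post's or
Anthropic's code). Assumes an injectable call_model(messages) -> str, stubbed
below so it runs offline; the JSONL hash-chain layout and the redaction
patterns are this example's own design, not EU AI Act requirements."""
import copy
import hashlib
import json
import re
import uuid
from datetime import datetime, timezone
from typing import Callable, Dict, List

SYSTEM_PROMPT = (
    "You are a customer-support assistant and an AI system. If a user "
    "sincerely asks whether they are talking to a human or an AI, say "
    "truthfully that you are an AI and offer a handover to a person."
)
# Direct identifiers are redacted before anything reaches disk (GDPR data
# minimisation). Illustrative patterns; extend them for your own data.
_PII_PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "<email>"),
    (re.compile(r"\+?\d[\d\s().-]{7,}\d"), "<phone>"),
    (re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9 ]{11,30}\b"), "<iban>"),
]
_HUMAN_QUESTION = re.compile(r"\b(human|real person|a bot|an ai)\b", re.I)
_HUMAN_CLAIM = re.compile(r"\b(I am|I'm) (a |an )?(human|person|real person)\b", re.I)

def redact(text: str) -> str:
    for pattern, token in _PII_PATTERNS:
        text = pattern.sub(token, text)
    return text

def violates_transparency(user_text: str, reply: str) -> bool:
    """True when the user sincerely asked and the reply claims to be human."""
    return bool(_HUMAN_QUESTION.search(user_text) and _HUMAN_CLAIM.search(reply))

def _digest(record: Dict) -> str:
    """SHA-256 over the canonical JSON of every field except 'hash'."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

class AuditLog:
    """Append-only JSONL log; each record carries its predecessor's hash, so
    editing or deleting any line breaks the chain."""
    GENESIS = "0" * 64

    def __init__(self, path: str = None):
        self.path, self.records, self.last_hash = path, [], self.GENESIS

    def append(self, fields: Dict) -> Dict:
        record = dict(fields, prev_hash=self.last_hash)
        record["hash"] = self.last_hash = _digest(record)
        self.records.append(record)
        if self.path:
            with open(self.path, "a", encoding="utf-8") as fh:
                fh.write(json.dumps(record, sort_keys=True) + "\n")
        return record

def verify_chain(records: List[Dict]) -> bool:
    """Re-derive every hash and follow the prev_hash links; False on any break."""
    prev = AuditLog.GENESIS
    for rec in records:
        if rec.get("prev_hash") != prev or rec.get("hash") != _digest(rec):
            return False
        prev = rec["hash"]
    return True

def chat(call_model: Callable[[List[Dict[str, str]]], str], log: AuditLog,
         session_id: str, user_text: str, model_id: str = "example-model") -> Dict:
    """One turn: call the model, then write a redacted, chained audit record."""
    messages = [{"role": "system", "content": SYSTEM_PROMPT},
                {"role": "user", "content": user_text}]
    reply = call_model(messages)
    flagged = violates_transparency(user_text, reply)
    record = log.append({
        "id": str(uuid.uuid4()),
        "ts": datetime.now(timezone.utc).isoformat(),
        "session": session_id,
        "model": model_id,            # assumed identifier, not a real model name
        "disclosure_shown": True,     # the UI showed the AI notice before turn 1
        # Hash of the raw prompt links a complaint to a record without
        # keeping the raw text on disk.
        "prompt_sha256": hashlib.sha256(user_text.encode("utf-8")).hexdigest(),
        "prompt_redacted": redact(user_text),
        "reply_redacted": redact(reply),
        "transparency_flag": flagged,
    })
    return {"reply": reply, "record": record, "flagged": flagged}

def stub_model(messages: List[Dict[str, str]]) -> str:
    """Offline stand-in for the real model call (constructed for this example)."""
    user = messages[-1]["content"].lower()
    if "human" in user or "bot" in user:
        return "I'm an AI assistant, not a human. I can hand you over to a person."
    return "Sure, I can look into that order for you."

def tamper_detected(log: AuditLog) -> bool:
    """Edit one field in a copy of the log and confirm verification fails."""
    forged = copy.deepcopy(log.records)
    forged[0]["prompt_redacted"] = "nothing to see here"
    return not verify_chain(forged)
```

Two design choices worth noting. The raw prompt is not stored, only its SHA-256 and a redacted copy: a complainant who still has their own transcript can be matched to a record, while the log itself holds no direct identifiers. And the transparency check is a heuristic, not proof of compliance; its job is to raise a flag in the log that a human reviews, which is exactly the "human oversight" evidence an auditor will ask for.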
The bottom line: For most SMEs using Claude for productivity or customer support, compliance is achievable in a few days of work — primarily adding transparency disclosures and documenting your use case. High-risk deployments need more sustained effort, ideally starting now ahead of the August 2026 deadline.
Resources
Need Help Navigating EU AI Act Compliance?
We help Croatian and European businesses classify their AI use cases, implement transparency requirements, and build audit-ready documentation — so you can deploy confidently without legal exposure.
Talk to an AI Compliance Expert