EU AI Act: What Regulated Businesses Need to Know and Do in 2026
A practical guide to the EU AI Act for businesses in regulated industries — what it covers, which risk categories apply, key deadlines and what…
The EU AI Act entered into force on 1 August 2024. By August 2026, the majority of its provisions apply to businesses deploying AI systems in the EU — including the High-Risk AI System requirements that are most relevant to regulated industries. If you use AI in your business processes, you need to understand what this means for you.
This guide explains the Act in plain English, identifies the requirements most likely to affect regulated businesses, and gives you a practical starting point for compliance.
What is the EU AI Act?
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive horizontal regulation on artificial intelligence. It applies to providers, deployers, importers and distributors of AI systems in the EU — regardless of where the provider is based. If you use AI that affects people in the EU, the Act applies to you.
The regulation takes a risk-based approach. AI systems are classified into four tiers based on their potential impact:
- Unacceptable risk — banned outright (e.g., social scoring by public authorities, real-time biometric surveillance in public spaces)
- High risk — permitted but subject to strict requirements
- Limited risk — transparency obligations only (e.g., disclosing that users are interacting with an AI)
- Minimal risk — no specific obligations
Which businesses are likely to use High-Risk AI?
High-risk AI systems include those used in:
- Credit scoring and creditworthiness assessment — directly relevant to fintechs and banks
- Employment and HR decisions — recruitment, performance evaluation, promotion
- Access to essential services — public benefits, insurance risk assessment
- Education and vocational training — outcomes that affect access to education
- Law enforcement — risk assessments in investigative contexts
- Administration of justice — AI assisting judicial decisions
- Safety components — AI in critical infrastructure, medical devices
For most law firms, accountants and professional service providers, the most relevant categories are employment decisions (AI used in HR), credit and risk assessment, and any AI used in client-facing recommendations.
General-purpose AI tools (like large language models used for drafting, summarisation or internal knowledge management) typically fall into the limited or minimal risk categories — meaning transparency obligations apply but not the full High-Risk compliance framework. However, if you fine-tune or integrate a general-purpose model into a decision-making workflow that qualifies as high-risk, the High-Risk requirements may apply.
Key requirements for High-Risk AI systems
If you deploy a High-Risk AI system, the EU AI Act requires:
Risk management system
A documented risk management system covering the entire lifecycle of the AI system. This includes identification of risks to health, safety and fundamental rights, evaluation of those risks and implementation of appropriate mitigation measures.
Data governance
Training data must be relevant, representative, and as free from errors and biases as feasible. Documentation of data provenance, characteristics and pre-processing operations is required.
Technical documentation
Comprehensive technical documentation before the system is placed on the market or put into service. This includes system design, capabilities and limitations, intended purpose and foreseeable misuse.
Record-keeping and logging
Automatic logging of events throughout the operation of the system to enable post-hoc audit and investigation of incidents.
Transparency to users
Deployers must provide users with clear information about the AI system, its capabilities and limitations, and the human oversight mechanisms in place.
Human oversight
High-Risk AI systems must allow for meaningful human oversight, including the ability to override, halt or correct the system. Deployers must assign responsibility to individuals with appropriate competence to exercise this oversight.
Accuracy, robustness and cybersecurity
High-Risk systems must achieve appropriate levels of accuracy, robustness and cybersecurity throughout their lifecycle.
Key dates for 2026
| Date | Requirement |
|---|---|
| February 2025 | Prohibited AI practices ban in force |
| August 2025 | GPAI (General Purpose AI) model obligations in force |
| August 2026 | High-Risk AI system requirements fully in force |
| August 2027 | Obligations for AI systems in regulated products (CE marking) in force |
What should regulated businesses do now?
- Inventory your AI use: Map every AI system used in your business — purchased tools, built solutions and third-party integrations. Note the vendor, the use case and the decision or process it influences.
- Classify each system: Assess whether each system falls into the High-Risk categories. Focus especially on any AI that influences consequential decisions (hiring, client risk assessment, lending, access to services).
- Assess your role: Are you a deployer (using an AI system in your business) or a provider (developing AI for others)? The obligations differ.
- Review vendor contracts: If you use AI from third-party vendors, your contracts should address EU AI Act compliance — who is responsible for documentation, risk management and logging.
- Implement transparency disclosures: Even for Limited-Risk systems, ensure users know when they are interacting with AI. This is a relatively simple step, and the August 2025 applicability date has already passed.
- Build governance: Designate responsibility for AI governance within your organisation. The EU AI Act requires someone to be accountable for High-Risk AI system oversight.
Practical note: The vast majority of AI used by professional services firms today — AI drafting tools, summarisation, internal search, basic automation — falls into the limited or minimal risk categories. The High-Risk requirements are targeted at AI that makes or significantly influences consequential decisions about people. Focus your compliance effort on those specific use cases first.
Frequently asked questions
Does the EU AI Act apply to non-EU businesses?
Yes. Like GDPR, the AI Act has extraterritorial reach. If your AI system's output is used in the EU — whether you are based in the US, UK or elsewhere — the Act may apply. The operative question is whether the AI affects people or outcomes in the EU.
What are the fines for non-compliance?
Up to $35 million or 7% of global annual turnover for prohibited AI violations. Up to $15 million or 3% for most other violations. Up to $7.5 million or 1.5% for providing incorrect information to authorities.
How does the EU AI Act interact with GDPR?
They are complementary. GDPR governs how personal data is collected and used. The AI Act governs how AI systems are developed and deployed. Where AI processes personal data, both apply. The AI Act specifically acknowledges this interaction and regulators are expected to coordinate enforcement.
Does using ChatGPT or Claude in our business trigger compliance obligations?
Using general-purpose AI for internal drafting, summarisation or knowledge management typically falls in the Limited Risk category — you need to disclose AI use where relevant but the High-Risk framework does not apply. If you integrate these models into consequential decision workflows, reassess.