The EU AI Act: what European organisations need to know in 2026
The EU AI Act is now law and the obligations it creates are real, phased, and coming faster than many teams realise. Whether you're a SaaS provider deploying AI-powered features or a tech company using third-party AI tools in hiring, customer service, or fraud detection, there's a good chance you're already in scope.
Here's a clear, practical breakdown of what the regulation requires, what the timelines look like, and where to focus your attention first.
How the AI Act actually works: a risk-based model
The AI Act doesn't treat every AI system the same. It uses a four-tier risk classification that determines how much compliance work you'll need to do.
Unacceptable risk (prohibited) — A small category of AI practices that are outright banned. These include social scoring systems, real-time biometric surveillance in public spaces (with narrow exceptions), AI that exploits psychological vulnerabilities, and systems that predict criminality based on profiling. These prohibitions have been enforceable since 2 February 2025.
High risk — The category most organisations deploying AI in critical processes will want to scrutinise closely. High-risk systems include AI used in recruitment and HR decisions, credit scoring, educational assessments, healthcare, critical infrastructure, and law enforcement. These systems face the most demanding obligations: risk management frameworks, data governance controls, technical documentation, human oversight mechanisms, and registration in the EU database.
Limited risk — Systems like chatbots and deepfake generators face lighter transparency obligations, mainly requiring disclosure to users that they're interacting with AI.
Minimal risk — The vast majority of AI applications — spam filters, AI in video games — fall here and face no mandatory requirements under the Act.
For most SaaS and tech teams, the high-risk category is where the real compliance work lies. The question is: do your AI systems qualify?
Updated deadlines you need to know
The timeline has shifted recently. On 7 May 2026, EU institutions agreed to a provisional deal under the so-called Digital Omnibus — a package of regulatory simplifications — that pushes back certain high-risk AI compliance deadlines. According to reporting by Latham & Watkins (May 2026), the obligations for high-risk Annex III AI systems are now deferred to 2 December 2027, giving organisations roughly 18 more months to prepare.
Here's where things stand right now:
2 February 2025 — Prohibited AI practices and AI literacy obligations became enforceable
2 August 2025 — Rules on general-purpose AI (GPAI) models entered into force
2 August 2026 — Full application of the AI Act (excluding deferred high-risk provisions)
2 December 2027 — High-risk Annex III obligations (now deferred under the Omnibus deal)
Don't let the extended deadline become an excuse to wait. Gap assessments, internal classification exercises, and documentation frameworks take time to build properly — and the August 2026 date still applies to a broad set of obligations.
What general-purpose AI means for your organisation
If your organisation develops or integrates GPAI models — think large language models embedded in your product — rules have applied since August 2025. Providers of GPAI models must maintain technical documentation, publish a summary of training data used, and comply with EU copyright rules. Models considered to pose systemic risk (those trained on compute exceeding 10²⁵ FLOPs) face additional obligations including adversarial testing and incident reporting.
Most SaaS teams using third-party GPAI via API are likely deployers rather than providers, which changes their obligations significantly but doesn't eliminate them.
The fines are significant
Non-compliance isn't a theoretical risk. Article 99 of the AI Act sets out a three-tier penalty structure:
Up to €35 million or 7% of global annual turnover for violations involving prohibited AI practices
Up to €15 million or 3% of turnover for non-compliance with other requirements
Up to €7.5 million or 1.5% of turnover for providing incorrect or misleading information to authorities
These figures are comparable to GDPR penalty levels, and enforcement is expected to be just as serious. If your team works across GDPR compliance and data protection already, you'll recognise the pattern: proactive readiness beats reactive remediation every time.
Practical steps to start your compliance journey
1. Classify your AI systems. Map every AI system your organisation deploys or develops and assess which risk tier it falls into. This sounds straightforward, but many teams underestimate how many AI-embedded tools they use — in HR platforms, customer analytics, and security monitoring.
2. Conduct a risk and gap assessment. For any system that may qualify as high-risk, a formal cybersecurity risk assessment will help you identify where your controls fall short of the Act's requirements. This maps naturally onto existing ISO 27001 and SOC 2 control frameworks.
3. Build your documentation. The AI Act requires technical documentation, logs, and evidence of ongoing human oversight for high-risk systems. If you're already working toward ISO 27001 or SOC 2, some of this infrastructure already exists — it just needs extending.
4. Establish AI literacy programmes. Since February 2025, organisations must ensure staff working with AI have appropriate levels of AI literacy. This is a lower barrier than the high-risk obligations, but it's already in force and easy to overlook.
5. Review your vendor contracts. The AI Act assigns different obligations to providers and deployers. If you're relying on third-party AI tools, you need clarity about which obligations sit with you and which sit with the vendor.
How existing compliance frameworks help
One of the more reassuring aspects of the AI Act is that it doesn't exist in isolation. If your organisation is already working toward SOC 2, you've already built many of the foundational controls the AI Act depends on.
This is where working with an experienced compliance partner makes a real difference. Securance works with SaaS and tech companies across Europe to align compliance obligations across multiple frameworks simultaneously, reducing duplication and helping teams avoid building separate programmes for every new regulation. Our Single Audit, Multiple Standards approach means AI Act readiness can be woven into existing audit and advisory work rather than treated as a standalone project.
The NIS2 Directive, which also applies to many technology organisations, shares some overlapping requirements with the AI Act around risk management and incident reporting. Getting both right at the same time is entirely achievable. For a detailed look at how NIS2 applies to your organisation, the NIS2 compliance guide is worth reading alongside this article.
Start now, not in December 2027
The deadline extension is welcome breathing room, but it shouldn't be mistaken for a reason to delay. Classification exercises, internal governance structures, and documentation frameworks need months to implement well. Organisations that treat the Omnibus delay as an invitation to pause will find themselves under real pressure in late 2027.
The AI Act represents a genuine shift in how European regulators expect AI to be governed — and for tech companies that already operate in a regulated environment, it's more of an extension of existing good practice than a leap into the unknown. Start with a clear inventory of your AI systems, map them to the risk tiers, and build from there.
If you'd like support assessing where your organisation stands against the AI Act's requirements, Securance's compliance advisory services are designed exactly for this kind of structured, practical readiness work.