The European AI regulation is progressively coming into force in 2026. Like GDPR before it, it will structure practices well beyond EU borders. Here is what every business needs to understand and anticipate.
What the AI Act prohibits and what it regulates
The AI Act classifies AI systems into four risk levels. Unacceptable-risk systems are banned outright: social scoring of citizens, behavioural manipulation, and real-time facial recognition in public spaces (with limited exceptions).
High-risk systems are permitted but regulated: automated recruitment, credit scoring, medical systems, critical infrastructure. They require full documentation, robustness testing and human oversight.
What this changes concretely for SMEs and mid-caps
Chatbots and AI assistants
Any AI system interacting with humans must now identify itself as such. Your chatbot must inform users that they are speaking with an AI. This is simple to implement, but it is mandatory, and failing to do so exposes you to sanctions.
Recruitment systems
If you use an AI tool to filter CVs or score candidates, it falls into the high-risk category. That means mandatory documentation, regular audits and a right of appeal for candidates.
Do this now: inventory all your AI systems in production and classify them by risk level. This is the first deliverable expected by supervisory authorities.
How to prepare: our 4-step method
Step 1: map what you already have. Identify every AI system used in your organisation, including third-party SaaS tools with AI integration.
Step 2: assess each system's risk according to the AI Act framework. Most office AI tools (Copilot, ChatGPT for writing) are minimal risk.
Step 3: document high-risk systems. For each: objective, data used, identified biases, mitigation measures, designated owner.
Step 4: train your teams. Compliance is not just a legal matter; it is an operational governance issue.
DataSAI supports companies in their AI Act compliance. Our 2-week compliance audit gives you a complete mapping and a prioritised action plan.
With care,
Excellent article, this matches exactly what we're seeing with our enterprise clients. The section on inference costs is especially valuable. It's a topic most articles gloss over but it's make-or-break at scale.
Thanks, James! Inference cost optimization is often deprioritized during prototyping but becomes critical in production. Feel free to book a session if you'd like to go deeper on this.
Sharing this with my whole team. The distinction between an impressive demo and robust production is exactly the debate we're having internally right now. The human checkpoint advice is immediately actionable.
Great article. I'd push back slightly on the 18-day deployment estimate; in our experience with enterprise security and GDPR requirements, 4–6 weeks is more realistic for a first production agent.
Completely fair point, David. The 18 days refers to a scoped first agent in a test environment. For full enterprise production with security constraints, your estimate is accurate.