The EU AI Act explained: what it is, what it requires, and why it matters
Artificial intelligence increasingly shapes how team.blue delivers digital services to entrepreneurs across Europe. With more than 3.3 million customers in 22 countries and AI embedded across products from website builders to marketing and customer communication tools, we see daily how it can improve products, automate processes and accelerate growth.
Those opportunities only hold up when built on trust, accountability and responsible use. That balance between innovation and responsibility sits at the heart of the EU AI Act, which introduces a common framework for the development, provision and use of AI across the European Union. That is why the EU AI Act and the wider European regulatory landscape matter to us: not only as a compliance obligation, but as the foundation for AI-enabled services that stay reliable, transparent and sustainable at scale.
What is the EU AI Act
The EU AI Act is the world's first comprehensive legal framework for artificial intelligence. It entered into force in August 2024, with the ban on prohibited AI practices and the AI literacy obligation applying since February 2025 and GPAI (General Purpose AI) model obligations following in August 2025. Most of the Act’s remaining provisions are due to apply progressively.
On 16 June 2026, the European Parliament approved the agreed Digital Omnibus on AI. The amendments still require formal adoption by the Council and publication in the Official Journal before becoming binding. Subject to those steps, the high-risk AI rules would apply from 2 December 2027 for stand-alone high-risk systems and from 2 August 2028 for high-risk AI systems embedded in regulated products.
For businesses operating in Europe, knowing what the Act requires and how it evolves is an important first step.
Why the AI Act exists
AI is now embedded in how businesses hire, market, serve customers and make decisions, a shift that has outpaced regulation. Automated systems can discriminate, algorithms can make consequential decisions with no human in the loop, and synthetic content can mislead at scale.
The EU AI Act was designed to address those risks and to ensure that people affected by AI systems benefit from appropriate safeguards, transparency and accountability. Much as GDPR made data protection a legal standard, the AI Act sets one for trustworthy AI.

How the Act works
The AI Act does not apply a single set of rules to every AI system. Instead, it applies different requirements depending on the intended purpose, context of use, risk classification and role of the organisation involved.
A risk-based framework
- Unacceptable risk: Certain AI practices are prohibited outright. These include specified forms of harmful manipulation or deception, the harmful exploitation of vulnerabilities linked to factors such as age, disability or social or economic circumstances, certain social-scoring practices, and particular forms of biometric categorisation and emotion recognition. The Act also prohibits, subject to narrowly defined exceptions and safeguards, the use of real-time remote biometric identification systems in publicly accessible spaces for law-enforcement purposes.
- High-risk: These systems are permitted but heavily regulated. This category includes AI used in hiring and recruitment, credit scoring, access to education, critical infrastructure, law enforcement, migration, asylum and border control, and other areas expressly listed in the Act. Providers of high-risk AI systems are subject to extensive requirements, including risk management, data governance, technical documentation, record-keeping, human-oversight design, accuracy, robustness, cybersecurity and conformity assessment. Deployers have a separate set of obligations. These may include assigning human oversight to suitably competent persons, monitoring the system’s operation, retaining logs under their control and reporting serious incidents. In specified cases, deployers must also carry out a fundamental-rights impact assessment or register the system in the relevant EU database.
- Limited risk – transparency obligations: Specific transparency obligations apply to certain AI systems and uses. For example, providers of AI systems intended to interact directly with individuals must generally ensure that those individuals are informed that they are interacting with AI, unless this is obvious from the circumstances and context of use.
- Minimal risk: Many everyday AI applications, such as AI-enabled video games or spam filters, will not be classified as high-risk and may not be subject to system-specific mandatory requirements under the AI Act.
- General-purpose AI (GPAI) models: These are large-scale models capable of performing a wide range of tasks, such as those powering many tools SMBs use today. Their providers face additional documentation, transparency and copyright-related obligations, which have applied since August 2025; providers of models with systemic risk face further risk-management and safety obligations.
Classification depends on the intended purpose and context of use rather than the technology’s commercial label alone. Of course, other legislation, including the GDPR, consumer-protection law and the Digital Services Act, may still apply. Voluntary codes of conduct may also be developed for AI systems that are not classified as high-risk.
The penalties for non-compliance are significant: up to €35 million or 7% of global annual turnover for prohibited AI-practice violations, and up to €15 million or 3% of turnover for other breaches.
Who it applies to
The AI Act applies broadly, covering both providers (those who develop or place AI systems on the market) and deployers (businesses that use AI systems in their operations). It also has extraterritorial reach. It may apply to providers established outside the EU where they place AI systems or GPAI models on the EU market, and to providers or deployers established outside the EU where the output produced by the AI system is used in the Union.
For most SMBs, the practical question is what role they perform in relation to each AI system and how that system is classified. A business using AI-powered marketing, customer service automation, HR software, or website personalisation is operating AI systems, and the Act's transparency and oversight requirements apply.
Compliance is shared: providers and deployers each have obligations under the Act, which makes it a compliance decision as much as a commercial one.
The Digital Omnibus on AI: where it stands and what it changes
The Digital Omnibus on AI is an agreed amendment to the AI Act intended to simplify and clarify aspects of its implementation. The European Parliament approved the agreed text on 16 June 2026. It still requires formal adoption by the Council and publication in the Official Journal before the amendments become binding law.
Under the agreed text, the application of the high-risk AI requirements would be postponed to fixed dates. The rules for stand-alone high-risk AI systems listed in Annex III would apply from 2 December 2027, while the requirements for high-risk AI systems embedded in regulated products would generally apply from 2 August 2028.
The provisional agreement also introduces or confirms several other changes, including:
- a targeted prohibition on AI systems intended to generate or manipulate non-consensual intimate material involving identifiable persons, or child sexual abuse material. It may also cover systems where those outcomes are reasonably foreseeable and reproducible, and where reasonable and adequate safeguards are missing;
- stronger and more centralised supervisory powers for the European AI Office, particularly in relation to AI systems built on GPAI models;
- the extension of certain simplified requirements available to SMEs to qualifying small mid-cap companies, including simplified technical-documentation requirements;
- a proportionate registration mechanism for certain AI systems that providers conclude are not high-risk.
Businesses should therefore continue preparing under the AI Act currently in force. The Parliament-approved text provides a strong indication of the future framework, but it should not be presented as binding law until the Council has formally adopted it and it has been published in the Official Journal.
How team.blue approaches this
team.blue serves millions of customers across Europe, with AI embedded in a growing number of products, from website builders and marketing tools to customer communication platforms. At that scale, AI compliance is a group-level priority supported by product-level assessments and controls.
The approach to the AI Act builds on the same foundation as the group's approach to GDPR: consistent standards across markets, transparent practices, and giving customers the information they need to make informed decisions.
As the regulatory landscape matures through the EU AI Act and proposed amendments such as the Digital Omnibus, team.blue tracks these developments closely and translates applicable requirements into concrete steps as guidance evolves.
In a regulated market, the choice of digital partner carries more weight than it used to: a partner's compliance posture can become part of your own. That is the standard team.blue holds itself to, and why it matters which infrastructure a business builds on.
Learn more about how we use AI to empower entrepreneurs: https://team.blue/ai/