The EU AI Act, Right Now
A 5-minute primer for people who need to understand what's happening without reading 459 articles.
By Matthew Atherfold

- What it is, in one paragraph
- The four risk tiers
- The dates that matter
- Five things to do this quarter
- The watchlist
- How to talk about this with a buyer
1. What it is, in one paragraph
The EU AI Act is a single law that classifies AI systems by the harm they can do, and puts obligations on the people who build them and the people who use them. It applies to anyone placing an AI system on the EU market or using AI to affect people in the EU, regardless of where the company is based. If your CRM has AI in it, you're probably in scope. If you use ChatGPT, Copilot, or any third-party AI tool with customer data, you're definitely in scope.
= it applies to deployers, not just developers. That's the bit most people miss.
2. The four risk tiers (skip if you know them)
The Act sorts AI into four buckets. The bucket decides what you have to do.
- Unacceptable risk = banned. Social scoring, real-time biometric identification in public, manipulating vulnerable people. Don't build it, don't buy it.
- High risk = the heaviest obligations. Used in HR/hiring, education, lending, healthcare, law enforcement, critical infrastructure, migration. Obligations: risk management, documentation, logging, human oversight, conformity assessment, post-market monitoring. This is where the compliance cost lives.
- Limited risk = transparency obligations. Chatbots must tell people they're chatbots. Deepfakes must be labelled. AI-generated content must carry a machine-readable mark.
- Minimal risk = no obligation. Spam filters, AI in your video game.
If you only remember one thing: where your AI fits in this list is not a one-time decision. It can change when you change how you use the system.
In practice, this is how classification drift bites people:
- A customer service chatbot starts in "limited risk." Marketing then expands it to recommend products based on customer profile data. It just gained a profiling dimension and may now be high-risk.
- A generic analytics platform sits in "minimal risk." HR starts using it to score candidate CVs. The same tool is now Annex III high-risk because it's being used for an HR decision.
- A document summariser is "limited risk." A health-tech team feeds patient notes through it to draft clinical correspondence. It just walked into a regulated healthcare context.
- ChatGPT in your team is "you using a tool." The moment a manager uses it to draft termination letters with no human review, the use case is high-risk and the obligations are yours, not OpenAI's.
= the same model, the same vendor, two different use cases, two different sets of legal duties. You audit use cases, not products.
3. The dates that matter
This is where most articles get sloppy. Here's the clean version.
In force right now (you're already accountable)
| Article | What it requires | Since |
|---|---|---|
| Art. 4 | AI literacy: your people must understand the AI they use | 2 Feb 2025 |
| Art. 5 | Prohibited practices are illegal | 2 Feb 2025 |
Coming up — the high-risk regime lands here
| Article | What it requires | Date (original) | Date (under Omnibus, if adopted) |
|---|---|---|---|
| Art. 50(1), (3), (4) transparency duties | Tell users they're interacting with AI, label deepfakes, disclose emotion recognition / biometric categorisation | 2 August 2026 | 2 August 2026 — no change. No transition period for these. |
| Art. 50(2) — machine-readable marks for generative AI output | Provider duty to mark synthetic content (text / image / audio / video) | 2 August 2026 | Grandfathering window only: generative AI systems placed on the market before 2 August 2026 get until 2 December 2026 to comply. Systems newly placed on the market from 2 August 2026 onwards must comply from day one. |
| Annex III high-risk obligations (Arts. 9–17 providers; Art. 26 deployers) | Risk management, documentation, conformity assessment; deployer registry, oversight, lineage | 2 August 2026 | 2 December 2027 |
| Annex I embedded high-risk | Same, for AI inside regulated products (lifts, toys, medical devices) | 2 August 2027 | 2 August 2028 |
A point worth being explicit about: Article 26 (deployer obligations) is not in force today. It applies on the same date as the rest of the high-risk regime — 2 August 2026 originally, or 2 December 2027 if the Omnibus is adopted. On the deployer side, the only things actually in force right now are Art. 4 (literacy) and Art. 5 (prohibitions).
The 7 May 2026 "Digital Omnibus" caveat
EU lawmakers reached a provisional deal on 7 May 2026 that pushes some of these dates back. Annex III moves to 2 December 2027. Annex I embedded moves to 2 August 2028. A grandfathering window for Art. 50(2) marking gives pre-2 August 2026 generative AI systems until 2 December 2026 to comply. A new ban on AI nudification tools applies from 2 December 2026.
Where this sits politically. Parliament is expected to vote on the final Omnibus text by 7 July 2026, with formal adoption expected before 2 August 2026. The Commission's own digital-strategy page now actively communicates the new dates, and the consensus legal view (White & Case, Bird & Bird, Hogan Lovells, and the Commission itself) is that the new dates can reasonably be used as the planning baseline, subject to that formal adoption.
= the defensible position for a board paper is: plan to the original 2 August 2026 dates and treat any Omnibus relief as upside. If you have a longer-cycle programme (embedded high-risk inside a regulated product, for example), the new dates are a reasonable planning baseline. Either way, do not stop work and wait.
4. The five things to actually do this quarter
If you do nothing else from this primer, do these.
- AI Inventory. List every AI tool your business uses. Include the shadow ones, the ones marketing bought, the ones embedded in your SaaS stack. You can't govern what you can't see.
- AI Literacy training (Art. 4). Already in force. If your team uses ChatGPT or Copilot and hasn't been trained, you're currently non-compliant. (See the Art. 4 footnote above — the obligation may soften under the Omnibus, but it is binding today.)
- Classify each AI use. Banned? High-risk? Limited-risk? Minimal? Write it down. Use the four-tier list above. When in doubt, go higher.
- Transparency check. For anything in "limited risk" (chatbots, generated content, deepfake demos), does the user know they're interacting with AI? If not, fix it before August 2026.
- Designate a Responsible AI Person. Someone with their name on a job description, not "the IT team." Cheapest single thing you can do this week. (Becomes a hard requirement when the deployer regime under Art. 26 kicks in.)
Five items, low six-figure cost ceiling, addresses 80% of practical exposure.
5. The bits that change weekly (the watchlist)
Three live items every SME should track:
- EU Omnibus formal adoption. Parliament vote expected by 7 July 2026; formal adoption expected before 2 August 2026. If they hit that window, the new dates lock in. If not, originals stand.
- Art. 50 transparency draft guidelines. The EU AI Office (Lucilla Sioli's team) opened consultation on the operational guidelines on 8 May 2026. Consultation closes 3 June 2026. The guidelines will tell you exactly how to implement Art. 50.
  In practice, these are the things the guidelines will pin down:
  - Your chatbot must clearly tell the user they're talking to AI, at the start of every session, in plain language. "Hi, I'm Aria" isn't enough.
  - AI-generated images on a marketing page need a machine-readable mark (think watermark for content provenance tools) AND a visible label.
  - Synthesised voices in IVR must announce they are AI.
  - Deepfake demos in corporate training, sales decks, or product launches must be labelled.
  - Emotion-recognition or biometric categorisation systems (retail traffic analysis, sentiment in call centres) trigger a disclosure to the people being analysed.
  - AI-drafted customer emails sent under a human's name need to clarify the AI involvement to the recipient, with some scope for "edited by human" exceptions.
  None of this is exotic. It's a list of small product and process changes, but if you have ten products across the business, that's ten small projects you should have already scoped.
- National regulator guidance. Ireland's DPC, France's CNIL, the UK ICO, Germany's BfDI are all publishing implementation guidance throughout 2026. The national flavour matters.
6. How to talk about this with a buyer (sales-ready language)
The mistake most salespeople make is leading with compliance. Compliance is a cost story and buyers tune out.
Try this framing instead:
"The EU AI Act is in force today. The deadlines that matter for your business are 2 February 2025, already passed, and 2 August 2026, four months away (with some relief likely under the Digital Omnibus). By then, anyone you sell to in regulated sectors will be asking you 'how do you govern your AI?' If the answer is 'we don't,' you're losing that contract. We help you have an answer that wins the contract."
= trust differentiator, not compliance burden.
Three triggers that make a buyer ready:
- Customer pressure. A B2B client asks how you govern AI. You have 30 days to put something credible in front of them.
- Regulatory deadline. Art. 50 transparency duties at 4 months out. Annex III high-risk at 4 months out (with possible relief to Dec 2027). If your business touches hiring, lending, education, healthcare, critical infrastructure, or border systems, that calendar is yours.
- Incident or exposure. Someone in your team pastes confidential data into ChatGPT. A client gets a hallucinated quote. A competitor wins on certification. These happen weekly now.
If any of these is true for the buyer in front of you, the conversation is not "will you do something?" It's "what will you do, and how fast?"
What this primer is and isn't
This is a primer for business decision-makers. It is not legal advice. The dates and obligations above are accurate as of 15 May 2026 against the EC's published guidance and the 7 May 2026 Digital Omnibus provisional deal. The Omnibus has not been formally adopted as of writing; Parliament is expected to vote by 7 July 2026. For high-risk AI deployments, get qualified legal counsel before going live.
For ongoing updates, the AI Governance Daily newsletter at mattatherfold.com/blog covers regulatory changes as they happen, in plain English, for SME executives.
Compiled by Matt Atherfold for the AI Governance Daily readership. Share freely. Last updated 15 May 2026.