The AI Act (EU Regulation 2024/1689) has generated a lot of anxiety and even more myths. Some companies are convinced it already requires six-figure audits today. Others decided "this is only about OpenAI and Google." Both extremes are wrong.
In practice, for a typical business - e-commerce, hospitality, SaaS, B2B services - in 2026 the AI Act comes down to a handful of concrete obligations, the most important of which starts to apply on 2 August 2026. Below we break it down: what, when, who it applies to, and how it dovetails with GDPR.
Note: this article explains the legal landscape as of June 2026; it is not legal advice. Some changes (the so-called Digital Omnibus) were at the political-agreement stage in May 2026 and only take effect once published in the EU Official Journal.
Timeline: what applies and when
The AI Act entered into force on 1 August 2024, but the rules switch on in stages:
- 2 February 2025 - ban on prohibited practices (Art. 5) and the duty to ensure staff have sufficient AI literacy (Art. 4). Already in force.
- 2 August 2025 - rules for general-purpose AI models (GPAI - like GPT or Claude), governance bodies and part of the penalty regime.
- 2 August 2026 - transparency obligations (Art. 50). This is the date that touches the vast majority of ordinary businesses.
- 2 December 2027 / 2 August 2028 - obligations for high-risk systems (after the Digital Omnibus deferral, see below).
What the Digital Omnibus changed
In May 2026 the EU agreed a simplification package (the AI Act Omnibus / Digital Omnibus). The headline: obligations for stand-alone high-risk systems under Annex III were pushed to 2 December 2027, and for AI embedded in regulated products (Annex I) to 2 August 2028.
Crucially, though: the Art. 50 transparency obligations were NOT postponed - they apply from 2 August 2026 unchanged. So if you use a chatbot or generate content with AI, the timeline did not pass you by.
Four risk levels - where does your business sit
The AI Act classifies AI systems by risk, not by how "advanced" they are:
- Unacceptable risk - prohibited (see below).
- High risk - e.g. AI in recruitment, credit scoring, access to public services. Hard obligations (documentation, human oversight, risk management) - but only from 2027/2028.
- Limited risk - chatbots, assistants, AI-generated content. Transparency duty from August 2026. This is where most companies are.
- Minimal risk - spam filters, product recommendations. No extra obligations.
Second key point: your role. Most often a company is a deployer of an off-the-shelf AI tool, not its provider. Provider obligations (on whoever develops the system or places it on the market under their own name) are far heavier, but usually do not fall on you if you merely use someone else's tool. One caveat: for high-risk systems, Art. 25 turns a deployer into a provider if it rebrands the system under its own name or trademark, substantially modifies it, or changes its intended purpose so that it becomes high-risk.
Prohibited practices - check you are not using one
Since February 2025 the following are banned, among others:
- manipulative and subliminal techniques that distort decisions and cause harm,
- exploiting vulnerabilities of specific groups (age, disability, economic situation),
- social scoring of individuals,
- scraping facial images from the internet/CCTV to build recognition databases,
- emotion recognition in the workplace and in education (outside medical/safety exceptions).
It sounds remote, but it is worth checking your HR and marketing-automation tools - that is where scoring or emotion recognition often ships "in the bundle."
AI chatbot on your site - the duty to disclose from August 2026
This is the most common point of contact between an ordinary business and the AI Act. Art. 50 splits the duties between providers and deployers:
- the provider must design a system that interacts directly with people so that they are informed they are dealing with an AI system, unless that is obvious from context (Art. 50(1)); as a deployer, check that the tool you buy actually shows that notice in your interface and has not been switched off in the configuration,
- providers of generative systems must mark their output (text, image, audio, video) in a machine-readable format so that it is detectable as artificially generated (Art. 50(2)); watermarking is the usual technique. Generative AI systems already on the market get until 2 December 2026 to comply,
- deployers must disclose deepfakes, and AI-generated text published to inform the public on matters of public interest, unless the text has undergone human review and a person holds editorial responsibility for it (Art. 50(4)).
In practice, if you run an AI chat on your site, from 2 August 2026 it should clearly state that it is an AI assistant. Art. 50 itself only requires the disclosure; the option to hand the conversation to a human is not an Art. 50 duty, but it is good practice and matters under GDPR where the chat feeds into decisions about the customer. That is a few lines in the interface and the privacy policy, not a six-month project.
Our enuchat.com has this built in: the chat presents itself as an AI assistant and escalates harder cases to a human operator. Conversation data is encrypted, hosting is in the EEA, and retention is configurable - so the AI Act transparency layer and the GDPR layer are both covered in a single tool.
AI Act + GDPR: one checklist, not two
The AI Act does not replace GDPR - it layers on top of it. When AI processes personal data (and a customer-facing chatbot usually does), both regimes apply at once. In practice this is a single coherent list:
- AI inventory - map where you use AI (chat, marketing, HR, content generation) and in what role (provider / deployer).
- Risk classification - assign each use a level (prohibited / high / limited / minimal).
- Transparency (Art. 50) - label chatbots and AI-generated content.
- Legal basis and GDPR - identify the legal basis for each AI use, update the privacy policy, sign data-processing agreements (Art. 28 GDPR) with vendors acting as processors, and check transfers outside the EEA (Chapter V GDPR).
- Human oversight - the ability for a human to take over a conversation/decision.
- AI literacy (Art. 4) - brief training for the team using AI tools.
- Records and retention - who keeps data from AI interactions, for how long, and why.
Penalties - the scale worth knowing
The AI Act sets fines higher than GDPR itself (GDPR tops out at EUR 20m or 4%):
- up to EUR 35m or 7% of worldwide annual turnover - for prohibited practices,
- up to EUR 15m or 3% - for breaching the remaining obligations (including transparency),
- up to EUR 7.5m or 1% - for supplying incorrect, incomplete or misleading information to authorities.
For most companies the applicable amount is whichever of the two is higher; for SMEs and start-ups it is whichever is lower (Art. 99(6)). The reputational risk is real in either case, especially since a chatbot with no "you are talking to an AI" notice is a breach visible to any customer or competitor at a glance.
What to do in 30 days
You do not need a huge project. A sensible minimum before August 2026:
- Week 1. Inventory - where you use AI and in what role.
- Week 2. Risk classification and screening out any prohibited practices.
- Week 3. Transparency - label the chatbot and AI content, update the privacy policy.
- Week 4. GDPR - processing agreements, retention, transfers, brief team training (AI literacy).
Next step
If you use a chatbot or content-generating tools, the August deadline applies to you directly. Book a free call - in 30 minutes we will tell you whether closing the transparency and GDPR gaps is enough, or whether you need a broader GDPR audit focused on AI.
On the technical side, an AI chat that meets the transparency requirement from day one and runs GDPR-compliant is what we deliver through enuchat.com.
Related: ChatGPT and Copilot vs GDPR, GDPR audit step by step, and Customer service without a call centre.
