The EU AI Act, explained for business leaders

The first comprehensive law for artificial intelligence is already in force in stages, and its biggest deadline is weeks away. Here is what it means for your business, and what to do about it.


If your business uses, builds, or sells AI, the European Union now has a law that applies to you, and for many companies the most important deadline is only weeks away. The EU AI Act is the first comprehensive law anywhere in the world to govern artificial intelligence, and its reach extends well beyond Europe's borders.

The EU AI Act is a regulation that sets binding rules for how AI systems can be developed, sold, and used, sorting them into risk tiers and attaching specific obligations and penalties to each. It applies to any organisation whose AI touches people in the EU, regardless of where that organisation is based.

This post explains what the Act actually regulates, who it applies to, the deadlines that matter, the penalties for getting it wrong, and the practical steps leaders and risk owners should take to prepare in time.

The Act regulates AI by risk, not by industry

The Act's central idea is straightforward. It does not regulate AI by sector, by company size, or by how clever the technology is. It regulates by risk. The more harm a system could cause to people's rights, safety, or livelihoods, the stricter the rules that apply to it. Every AI system falls into one of four tiers.

Unacceptable risk: banned outright. A small set of uses are prohibited entirely. These include social scoring of individuals, untargeted scraping for facial recognition, real-time biometric identification in public spaces, and systems designed to manipulate behaviour or exploit vulnerable groups. If your business uses anything in this category, the rule is simple: stop.

High risk: permitted, but heavily regulated. This is the tier most businesses need to watch. It covers AI used in hiring and employee management, credit scoring and insurance, critical infrastructure, education, healthcare, and similar decisions that materially affect people. These systems are allowed, but only if you meet a full set of obligations: risk management, quality data, activity logging, documentation, human oversight, cybersecurity, and registration in an EU database.

Limited risk: must be transparent. Chatbots, deepfakes, and AI-generated content fall here. The obligation is honesty. People must be told when they are interacting with an AI, and AI-generated media must be labelled as such.

Minimal risk: no new obligations. Spam filters, recommendation engines, and AI in video games carry no additional requirements. Most everyday AI sits here.

The Act does not ask whether you call yourself an AI company. It asks what your AI does, and how much harm it could cause if it goes wrong.

It applies to you even if you are not in Europe

Many leaders assume a law like this is aimed at the large model developers. It is not. The Act applies across the whole chain: the providers who build AI systems, the importers and distributors who bring them to market, and the deployers who put them to use. A deployer is any organisation that uses an AI system in the course of its work, which means almost every business.

It also reaches beyond the EU's borders. The obligations are triggered by where the AI's effects land, not where your company is registered. If you sell an AI product to EU customers, or use AI to make decisions about people in the EU, you must comply even if you have no office in Europe. For UK and international SMEs serving European clients, that extraterritorial reach is the part most often missed.

The deadlines are closer than the headline date suggests

The Act does not switch on all at once. It arrives in stages, and several of those stages have already passed.

The bans on unacceptable-risk AI have applied since February 2025. The rules for general-purpose AI took effect in August 2025. General-purpose AI is a model that can be adapted to many different tasks, such as the large language models behind most generative AI tools. If your business builds on or resells those models, those obligations already apply to you today.

The next milestone is the significant one. On 2 August 2026, now only weeks away, the bulk of the framework and the transparency obligations come into force. After that, the high-risk requirements become binding on 2 December 2027, with a further extension into 2028 for AI embedded in regulated physical products. The high-risk deadline sounds distant, but the controls it requires take many months to design, document, and embed, which is why the work needs to start now rather than in 2027.

The penalties are tied to global turnover, not EU revenue

The Act has real teeth, and the fines are deliberately scaled to hurt. Using prohibited AI can cost up to 35 million euros or 7 percent of global annual turnover, whichever is higher. Breaching the high-risk obligations can cost up to 15 million euros or 3 percent of global turnover. Transparency failures carry lower but still meaningful penalties.

The detail that catches businesses out is the basis for those figures. The percentages apply to global annual turnover, not just the revenue you earn inside the EU. A company with a modest European footprint can still face a fine calculated against its worldwide income. That is what turns the AI Act from a compliance footnote into a board-level risk.


What leaders and risk owners should do now

Compliance is far cheaper to build before AI is operating at scale than to retrofit afterwards. A few practical moves put you ahead.

Map your AI. Build an honest inventory of every AI system you develop, sell, or use, including the tools your teams have adopted informally.

Classify by risk. Place each system into one of the four tiers, because the tier determines everything that follows.

Fix the banned uses first. Anything in the unacceptable tier needs to stop immediately.

Build high-risk controls early. If you run hiring, credit, or other high-risk AI, start on the risk management, logging, documentation, and human oversight now.

Label the obvious things. Disclose chatbots and mark AI-generated content ahead of the August 2026 transparency deadline.

Where do you start if you have never mapped your AI?

Start with shadow AI. Shadow AI is any AI tool used inside a business without the knowledge or approval of IT or leadership. It is the most common source of governance exposure, because you cannot manage a risk you cannot see. A structured audit that surfaces every tool in use, who owns it, and what data it touches is almost always the first real piece of work, and it gives you the inventory the rest of your compliance plan depends on.

Do you really need to act before August 2026?

Yes. Two parts of the Act, the bans and the general-purpose AI rules, are already live, so any exposure there is current rather than future. The August 2026 transparency obligations are imminent, and the high-risk controls due in 2027 take long enough to build that starting late is the expensive option. Governance built proactively costs far less than governance retrofitted under deadline pressure or after an incident.

How Dynome helps you get ready

This is exactly what Dynome's AI Governance and Compliance service is built for. It is designed for SMEs and SMBs that want to move fast: lightweight enough to implement in days, robust enough to satisfy regulators, and built to scale with your business rather than weigh it down.

It starts with a governance assessment, a complete audit of your current AI usage including shadow AI, with every tool classified by risk and your exposure mapped against the EU AI Act and GDPR, delivered in 14 days. From there we put a practical governance framework in place: an acceptable use policy, a named owner for every AI system across business, legal, and technical roles, risk-tiered usage rules, and a monthly review rhythm that takes 30 minutes. For businesses building or buying AI, we design compliance in from the start, with documentation, data governance, audit logging, and human oversight built to survive inspection. We train your teams on safe, compliant use, and for those who need it, we provide a structured pathway to ISO 42001 readiness.

The EU AI Act is not a reason to slow down your AI adoption. It is a reason to make the AI you adopt trustworthy, defensible, and ready to scale. If you want to understand how the Act applies to your business and what you should do to prepare, the best next step is a conversation. No obligation, no hard sell, just an honest look at where you stand and what would move you forward.

Martin Wilkings

Co-founder, Dynome

Martin Wilkings is the co-founder of Dynome. He has spent over a decade delivering technology programmes for organisations including Lockheed Martin, Worldpay, and UK Government, and has been building AI products since 2022.
