Bajorat Media

The EU AI Act for Businesses: What the AI Regulation Requires from August 2026

Which obligations the EU AI Regulation creates for businesses and how to organise AI use, transparency and responsibility in practice.

With 2 August 2026, the EU AI Act becomes concrete for most businesses for the first time. On that date the transparency obligations of the AI Regulation start to apply, and market surveillance authorities gain their enforcement powers. Anyone running an AI chatbot on their website, generating images with AI or having text drafted by it should know which of these obligations actually land on them.

The good news for most small and medium-sized businesses: fewer than the headlines suggest. The regulation distributes its obligations very precisely between whoever builds an AI system and whoever uses it. A large share of what currently circulates in newsletters as an “AI Act obligation” applies to the providers of the tools, not to their users. Which makes it all the more worthwhile to determine your own role properly instead of labelling everything as a precaution.

This article reflects the legal position as of 17 July 2026 and is not a substitute for individual legal advice.

The EU AI Act for businesses: who does the AI Regulation apply to?

The AI Act is an EU regulation. It therefore applies directly in every member state, including Germany. Its central distinction is between providers and deployers of AI systems:

  • Providers develop an AI system, or have it developed under their name, and place it on the market.
  • Deployers use an AI system under their own responsibility, for example in customer service, HR, marketing or internal operations.

A business using an external AI service for text, summaries or a chatbot is usually a deployer. Anyone developing their own system for customers, substantially modifying an existing system or offering it under their own brand may additionally trigger provider obligations. This classification belongs at the start of every review, because documentation, transparency and control obligations differ accordingly.

The AI Regulation comes on top of the GDPR. Where personal data is processed, purpose limitation, data minimisation and, where applicable, a data protection impact assessment continue to apply unchanged. For website projects, AI use therefore belongs on the table alongside privacy consulting for WordPress and websites.

What applies when: the current timeline

The AI Regulation entered into force on 1 August 2024. Its rules apply in stages. Worth noting: in 2026 the EU reorganised the deadlines for high-risk systems as part of the Digital Omnibus. Older timelines are therefore still circulating, according to which certain high-risk rules were supposed to start as early as August 2026.

Date What applies? What businesses should do
2 February 2025 Prohibited AI practices and AI literacy Rule out unacceptable applications and train teams appropriately for their use.
2 August 2025 Rules for providers of general-purpose AI models, and governance Check the provider role for self-offered models or substantial modifications.
2 August 2026 General application of the regulation; transparency obligations for certain AI uses Review chatbots, deepfakes and the relevant disclosure obligations.
2 December 2027 High-risk systems in areas such as employment, education or critical infrastructure Classify use cases early and prepare for the requirements.
2 August 2028 High-risk AI as a safety component or part of regulated products Clarify manufacturer and conformity obligations for product integration.

The current European Commission overview of the AI Act explains the risk tiers and the postponed high-risk deadlines. The Council gave its final approval to the simplified timeline on 29 June 2026.

2 August 2026: what website operators need to check

As of 2 August 2026 the transparency obligations under Article 50 apply, and authorities gain their enforcement powers. For a typical mid-sized company with a corporate website, everything hinges on one question: are you the provider or the deployer of the AI system? Article 50 allocates its obligations strictly by that role, and getting it wrong means either labelling too much or missing precisely the two obligations that do apply to you.

If you buy in an AI service and embed it on your website, you are the deployer. This overview shows what that means for the usual cases:

Case on your website Legal basis and addressee What you must do as the website operator
AI chatbot in support or initial enquiries Article 50(1) addresses the provider of the system Contractually ensure the bot identifies itself as AI. Watch the role switch: offering the bot under your own brand or modifying it substantially makes you the provider.
AI-generated or manipulated images, video or audio that are deepfakes Article 50(4) addresses the deployer, meaning you Disclose the artificial nature. For artistic or satirical works, an appropriate notice that does not impair the work is enough.
AI-generated text published to inform the public on matters of public interest Article 50(4) addresses the deployer Disclose — unless a human has reviewed the text and a person or organisation holds editorial responsibility.
Emotion recognition or biometric categorisation Article 50(3) addresses the deployer Inform the people affected and comply with the GDPR as well. This should not appear on an ordinary corporate website at all.
Machine-readable marking of synthetic content in the file format Article 50(2) addresses the provider of the generator No obligation of your own. For systems already on the market before 2 August 2026, the transition period runs until 2 December 2026 anyway.

Three points that regularly bring relief in client conversations:

Your company blog is, as a rule, not a “matter of public interest”. That wording targets subjects of public opinion-forming, not a product article, a service page or a specialist piece about your own industry. And even if an article did fall under it: once a human has reviewed it and your business holds editorial responsibility, the disclosure requirement falls away. An AI notice under every blog post is not an obligation that can be derived from Article 50.

The deepfake rule means deepfakes, not every AI image. It covers content that depicts existing people, places or events in a deceptively realistic way. A generated abstract hero image or an illustration does not fall under it. A photorealistic “team photo” showing people who do not exist is a case for review.

Chatbot labelling is formally the provider’s job — but practically your risk. Because the moment you put your own name and logo on the bot, you slide into the provider role and therefore into paragraph 1. That is exactly what most website bots do. If the bot visibly presents itself as AI, the matter is settled; if it carries a human first name and nowhere says what it is, put that on the list.

One point has applied since February 2025 and only becomes enforceable with August: AI literacy under Article 4. If you have done nothing here, that is the more urgent gap than any labelling.

Four risk tiers: which use is critical?

The classification depends on the specific purpose and the consequences of the use, not on the tool’s name. A text assistant can be used in a low-risk area, yet become part of a critical decision in another.

Prohibited practices

Certain applications have been unacceptable since February 2025. These include harmful manipulative or deceptive systems, social scoring, the untargeted scraping of images to build facial recognition databases, and emotion recognition in the workplace or in educational institutions. The European Commission guidelines on prohibited AI practices provide examples; ultimately only the European Court of Justice decides bindingly.

For many SMEs, what matters most is what should not be introduced casually in HR: an AI meant to infer the emotions of applicants or staff is a different matter from a scheduling tool. Behaviour-steering campaigns that deliberately exploit vulnerabilities and can cause significant harm also need particularly critical review.

High-risk AI

Not all generative AI tools are high-risk. Systems become critical above all when they influence access to education, help decide on employment or applications, assess creditworthiness or important public and private services, or serve as a safety component in regulated products. A system for the automated pre-selection of applications may therefore be classified differently from a tool that polishes the language of a job advert.

Businesses with such use cases should not wait until 2027. They need robust documentation early: of the purpose, the data, human oversight, testing and the consequences for the people affected. For in-house projects in particular, a technical and organisational concept pays off before a pilot moves into regular operation.

AI with transparency obligations

This tier affects most businesses from August, and it is already broken down in detail above. The core in one sentence: anyone interacting with an AI system should be able to recognise that, and artificially generated deepfakes must be disclosed as such. The details are in Article 50 of the AI Regulation.

The role question remains decisive: the provider owes the labelling of the system itself, while the deployer owes the disclosure of deepfakes and of AI text on matters of public interest. Anyone creating website content, customer communication or media formats with AI is best served organising human sign-off and responsibility clearly regardless — the editorial exemption in Article 50 only holds if someone actually takes that responsibility.

Low or minimal risk

Many applications sit below these thresholds: a draft for an internal summary, translation help or collecting ideas. The AI Act asks little here — the other rules still apply. Business internals, customer or employee data do not belong in arbitrary tools unchecked, and output quality, copyright, the provider’s terms and data protection remain your concern.

Which obligations deployers should organise now

Nowhere does the AI Act require an AI officer or a single certificate. What it does require is responsible use. For normal business applications, this order has proven itself:

  1. Build an AI inventory: record all tools, interfaces and embedded functions in use, including trial accounts and individual departments.
  2. Record purpose and role: for each use, document what the system is meant to do and whether the business is deployer, provider or both.
  3. Check risks: does the use affect applications, prices, access, assessments, health data, biometric data or other rights of individuals?
  4. Limit data flows: which inputs are necessary, which personal data can be avoided or pseudonymised, and where is it processed?
  5. Assess providers: review contracts, data processing agreements, storage locations, access rights, security measures and options for human control.
  6. Define sign-offs: determine which outputs may only prepare a decision, and when a human confirms the decision or publication.
  7. Build in transparency: label chatbots and other affected interactions clearly; review deepfake and content formats separately.
  8. Document operations: keep responsibilities, training, incidents, tests, changes and complaints traceable.

Illustration of an AI governance checklist with risk review, transparency and human sign-off

These steps fit an established automation and AI process: first understand the business process and the data paths, then select a technology and provide for controlled sign-off points. The article AI automation for SMEs shows why this order makes sense regardless of regulation.

AI literacy: training has to match the use

Article 4 of the AI Regulation has required measures since February 2025 to ensure that staff and other people using or operating AI on the business’s behalf have sufficient AI literacy. The regulation prescribes neither a standard certificate nor a uniform course. What counts are the role, prior knowledge, tool and risk level.

For an editorial team, clear rules on source checking, confidential inputs and sign-off may be enough. Anyone using AI in recruiting, in customer assessment or to process sensitive documents needs considerably more: the limits of automated decisions, typical failure modes, escalation paths, data protection and human oversight. The European Commission’s FAQ on AI literacy likewise stresses the context-specific approach.

In practice, a short usage policy with risk-appropriate training per role works well. It should cover permitted tools, prohibited inputs, review duties, contacts and how to handle faulty output. A mere pointer to a tool’s manual is generally not enough for critical use cases.

AI on your website: beyond the label

Labelling alone does not make an AI chatbot properly set up. If it collects data, the privacy policy has to reflect the actual data flow — including the provider behind it and the storage location. And a bot that asks for health details, ID data or contract specifics when the enquiry does not call for it is a data protection problem the AI Act does not even address. A reachable human contact option belongs there too, for service reasons alone.

For AI-assisted content, the editorial team checks whether statements are accurate, current, traceable and consistent with the brand. That protects against hallucinations and is what makes the editorial exemption in Article 50 hold in the first place: it only applies if the review actually happens. On websites with tracking, embedded services and forms handling personal data, AI functions belong in the same regular privacy and security check as everything else.

Germany: who supervises the AI Act?

Germany regulated its national supervision only shortly before the deadline: the act implementing the AI Regulation, known as the KI-MIG, passed the Bundesrat on 10 July 2026. This makes the Bundesnetzagentur the central market surveillance authority for the AI Regulation in essence, sets up a coordination and competence centre, and gives citizens and businesses a point of contact for complaints.

The KI-MIG changes nothing about your obligations: it governs responsibilities and procedures, not the substantive requirements. Those continue to come directly from the EU regulation. What changes is enforcement — an authority now stands ready to request documentation and follow up complaints. Depending on the area of use, sector-specific authorities may also be competent, for example in product regulation.

Where personal data is processed, the competent data protection authority remains relevant as well. AI compliance therefore cuts across the usual responsibilities: technology, the business unit, data protection and management own the use together.

Conclusion: create transparency first, then expand in a controlled way

The starter list is short: clarify where AI runs in your business, whether you are the provider or the deployer, whether your chatbot identifies itself as AI, and whether the people working with these tools daily know what they are allowed to do. That is an afternoon’s work.

What comes after is the real task: not letting AI use grow in the shadow of individual tool accounts, but running it with an inventory, clear rules for data and sign-offs, and traceable responsibility. High-risk applications call for a considerably deeper review, though under the new EU rules they have until December 2027. Anyone connecting the legal classification with the technical implementation early turns isolated experiments into an operation you can also explain to an authority.

Discuss a project

Do you want to apply this topic to your project?

We help you decide which technical, editorial or strategic steps make sense for your website - and what truly has priority.

Pascal Bajorat, owner of Bajorat Media

Drop me a line — together with my team I’ll look at how we can best help you.

Pascal BajoratOwner & Marketing Expert