The EU AI Act (Regulation (EU) 2024/1689) is the world’s first comprehensive AI law. It entered into force on 1 August 2024 and applies in phases — banning some AI practices outright, putting strict duties on “high-risk” systems, and requiring transparency whenever people interact with AI or see AI-generated content. In 2026 the “Digital Omnibus on AI” shifted several deadlines, so here is the up-to-date picture: what the Act covers, who must comply and by when, the penalties, and what it means for an ordinary website.
The AI Act is a product-safety-style regulation for AI systems placed on the EU market or whose output is used in the EU. It doesn’t regulate “AI” as a technology — it regulates specific uses by risk. The higher the risk to health, safety or fundamental rights, the heavier the obligations. Most everyday AI (spam filters, recommendation widgets, spell-checkers, AI features in productivity tools) is minimal-risk and gains no new duties at all.
Everything in the Act hangs off this classification:
The Act entered into force on 1 August 2024 and was due to apply almost fully on 2 August 2026. In November 2025 the Commission proposed the “Digital Omnibus on AI” to simplify and stagger that; Parliament endorsed it on 16 June 2026 and the Council gave final approval on 29 June 2026. The key dates now:
Obligations attach to roles in the value chain: providers (who develop or place an AI system on the EU market, under their own name), deployers (who use an AI system professionally), plus importers and distributors. The reach is extraterritorial — a US or UK SaaS whose AI output is used inside the EU is in scope. SMEs get some relief: simplified documentation, priority access to sandboxes, and fines capped at the lower of the two amounts rather than the higher.
For most companies the first real touchpoints are the transparency rules that apply from August 2026 — they concern what visitors see on your site:
The fine structure is deliberately GDPR-like: up to €35 million or 7% of worldwide annual turnover (whichever is higher) for prohibited practices; up to €15 million or 3% for most other violations, including high-risk and GPAI duties; up to €7.5 million or 1% for supplying incorrect or misleading information to authorities. For SMEs each cap is the lower of the two amounts. Enforcement is shared between national market-surveillance authorities and, for GPAI models, the EU AI Office.
Beacon now includes an AI Act Readiness tool: a free scan of your website’s visitor-facing transparency signals (chat/assistant widgets, AI-disclosure wording, AI-policy links, machine-readable content marking) plus an interactive 14-point checklist mapped to the Act’s articles — with severity, deadlines and concrete fixes you can push straight into your action plan. It isn’t legal advice — but it shows you, concretely, what your site exposes today and what to fix first. The scan and the core checklist are free.
Yes. Like the GDPR, it has extraterritorial reach: if you place an AI system on the EU market or the system’s output is used in the EU, you are in scope regardless of where your company is established.
Prohibitions and AI-literacy since 2 February 2025; GPAI model duties since 2 August 2025; transparency duties and penalties from 2 August 2026. After the 2026 Digital Omnibus, high-risk duties were deferred to 2 December 2027 (Annex III use-cases) and 2 August 2028 (Annex I product-embedded AI).
If you publish AI-generated or AI-manipulated images, audio or video (deepfakes), yes — they must be labeled, and synthetic media should carry machine-readable marking. AI chatbots must disclose they are AI. AI-written text on matters of public interest must be disclosed unless a human editor takes responsibility.
Responsibilities are split by role. The model provider (e.g. OpenAI) carries GPAI-provider duties; you, as the deployer who puts a chatbot on your site or publishes AI content, carry the deployer-side transparency duties toward your visitors.
No. Generating marketing copy with AI is minimal/limited risk — perfectly legal. The Act only requires transparency in specific cases (deepfakes, public-interest text, chatbots) and bans a short list of harmful practices unrelated to normal marketing.
Inventory where AI touches your site (chatbot, generated images/text), add clear AI disclosures and labels, check your synthetic-media marking, and brief your team. Then keep an eye on 2 December 2027 if you use AI in hiring or other Annex III areas.
Six statements — answer honestly. Your answers stay in your browser.
Free website signal scan + interactive checklist in your Beacon account. No credit card.