BEACON Guide

The EU AI Act, explained.

The EU AI Act (Regulation (EU) 2024/1689) is the world’s first comprehensive AI law. It entered into force on 1 August 2024 and applies in phases — banning some AI practices outright, putting strict duties on “high-risk” systems, and requiring transparency whenever people interact with AI or see AI-generated content. In 2026 the “Digital Omnibus on AI” shifted several deadlines, so here is the up-to-date picture: what the Act covers, who must comply and by when, the penalties, and what it means for an ordinary website.

Start free Run a free check
Risk-based, not blanketFour tiers: prohibited practices, high-risk systems, limited-risk (transparency duties), and minimal risk — most AI falls in the last tier with no new obligations.
Phased timelineBans and AI-literacy duties since Feb 2025; general-purpose AI (GPAI) rules since Aug 2025; transparency duties from Aug 2026; high-risk duties now deferred to Dec 2027 / Aug 2028.
Extraterritorial reachIt applies to providers and deployers outside the EU whenever the AI system’s output is used in the EU — like the GDPR, you don’t need an EU office to be in scope.
Hard bansSocial scoring, manipulative techniques, untargeted facial-image scraping, emotion recognition at work and school (with narrow exceptions) — prohibited since February 2025.
Transparency for websitesChatbots must disclose they are AI; AI-generated and manipulated content (deepfakes) must be labeled, with machine-readable marking for synthetic media.
GDPR-scale finesUp to €35M or 7% of global turnover for prohibited practices; up to €15M or 3% for most other violations; up to €7.5M or 1% for supplying misleading information.
The four risk tiers at a glance
Unacceptable risk
Banned outright
High-risk
Strict duties + registration
Limited risk
Transparency duties
Minimal risk
No new obligations
Maximum fines
Prohibited practices€35M / 7%
Most other violations€15M / 3%
Misleading information to authorities€7.5M / 1%
of global annual turnover (whichever is higher)
The timeline — updated for the 2026 Digital Omnibus
1.8.2024Act enters into force
2.2.2025Bans + AI literacy apply
2.8.2025GPAI model rules apply
2.8.2026Transparency duties + penaltiesToday
2.12.2026New content bans (NCII / CSAM)
2.12.2027High-risk duties — Annex III
2.8.2028High-risk duties — Annex I

What the AI Act is (and isn’t)

The AI Act is a product-safety-style regulation for AI systems placed on the EU market or whose output is used in the EU. It doesn’t regulate “AI” as a technology — it regulates specific uses by risk. The higher the risk to health, safety or fundamental rights, the heavier the obligations. Most everyday AI (spam filters, recommendation widgets, spell-checkers, AI features in productivity tools) is minimal-risk and gains no new duties at all.

The four risk tiers

Everything in the Act hangs off this classification:

  • Unacceptable risk — banned outright since 2 February 2025: social scoring, exploitative or manipulative techniques, untargeted scraping of facial images, emotion recognition in workplaces and schools (narrow safety exceptions), biometric categorisation to infer sensitive attributes, and real-time remote biometric ID in public spaces for law enforcement (limited exceptions). From 2 December 2026 the 2026 amendment also explicitly bans AI systems for generating non-consensual intimate imagery or CSAM.
  • High risk — allowed but strictly regulated: AI used as a safety component of regulated products (Annex I — machinery, medical devices, lifts…) or in sensitive use-cases (Annex III — recruitment and worker management, education scoring, credit scoring, essential services, law enforcement, migration, justice). Duties include risk management, data governance, technical documentation, logging, human oversight, accuracy/robustness testing and registration in an EU database.
  • Limited risk — transparency duties (Article 50): tell people when they interact with an AI system (chatbots), label AI-generated or manipulated image/audio/video content (deepfakes), mark synthetic content in a machine-readable way, and disclose AI-generated text published to inform the public on matters of public interest.
  • Minimal risk — everything else: no new obligations, voluntary codes of conduct encouraged.

The timeline in 2026 — updated for the Digital Omnibus

The Act entered into force on 1 August 2024 and was due to apply almost fully on 2 August 2026. In November 2025 the Commission proposed the “Digital Omnibus on AI” to simplify and stagger that; Parliament endorsed it on 16 June 2026 and the Council gave final approval on 29 June 2026. The key dates now:

  • 2 February 2025 — prohibitions on unacceptable-risk practices and AI-literacy duties applied.
  • 2 August 2025 — obligations for general-purpose AI (GPAI) model providers (technical documentation, copyright policy, training-data summaries; extra duties for systemic-risk models) plus the EU AI Office and governance structures.
  • 2 August 2026 — the Act becomes generally applicable: transparency obligations (Article 50), penalties, and most remaining provisions. Machine-readable marking of synthetic content gets a grace period to 2 December 2026 for systems already on the market before 2 August 2026.
  • 2 December 2026 — new prohibitions on AI generating non-consensual intimate imagery and CSAM apply.
  • 2 December 2027 — high-risk obligations for Annex III use-cases (recruitment, credit scoring, education…) — deferred 16 months from the original Aug 2026 date.
  • 2 August 2028 — high-risk obligations for Annex I product-embedded AI (medical devices, machinery…) — deferred one year from Aug 2027. National regulatory sandboxes are due by 2 August 2027.

Who has to comply

Obligations attach to roles in the value chain: providers (who develop or place an AI system on the EU market, under their own name), deployers (who use an AI system professionally), plus importers and distributors. The reach is extraterritorial — a US or UK SaaS whose AI output is used inside the EU is in scope. SMEs get some relief: simplified documentation, priority access to sandboxes, and fines capped at the lower of the two amounts rather than the higher.

What the AI Act means for your website

For most companies the first real touchpoints are the transparency rules that apply from August 2026 — they concern what visitors see on your site:

  • AI chatbots and assistants on your site must make clear the visitor is talking to a machine (unless it’s obvious from context).
  • AI-generated or AI-manipulated images, audio and video (deepfakes) that you publish must be visibly labeled as artificially generated or manipulated.
  • Synthetic media should carry machine-readable marking (e.g. metadata/watermarking) — the marking duty for pre-Aug-2026 systems applies from 2 December 2026.
  • AI-written text published to inform the public on matters of public interest must be disclosed as AI-generated unless it went through human editorial review with responsibility taken.
  • If you use AI in hiring, credit or other Annex III use-cases, plan for the high-risk regime that applies from 2 December 2027.
  • AI-literacy: organisations using AI professionally should take measures so staff understand the systems they operate.

Penalties

The fine structure is deliberately GDPR-like: up to €35 million or 7% of worldwide annual turnover (whichever is higher) for prohibited practices; up to €15 million or 3% for most other violations, including high-risk and GPAI duties; up to €7.5 million or 1% for supplying incorrect or misleading information to authorities. For SMEs each cap is the lower of the two amounts. Enforcement is shared between national market-surveillance authorities and, for GPAI models, the EU AI Office.

How Beacon fits in

Beacon now includes an AI Act Readiness tool: a free scan of your website’s visitor-facing transparency signals (chat/assistant widgets, AI-disclosure wording, AI-policy links, machine-readable content marking) plus an interactive 14-point checklist mapped to the Act’s articles — with severity, deadlines and concrete fixes you can push straight into your action plan. It isn’t legal advice — but it shows you, concretely, what your site exposes today and what to fix first. The scan and the core checklist are free.

FAQ

Does the EU AI Act apply to companies outside the EU?

Yes. Like the GDPR, it has extraterritorial reach: if you place an AI system on the EU market or the system’s output is used in the EU, you are in scope regardless of where your company is established.

When do the main obligations actually apply?

Prohibitions and AI-literacy since 2 February 2025; GPAI model duties since 2 August 2025; transparency duties and penalties from 2 August 2026. After the 2026 Digital Omnibus, high-risk duties were deferred to 2 December 2027 (Annex III use-cases) and 2 August 2028 (Annex I product-embedded AI).

Do I have to label AI-generated content on my website?

If you publish AI-generated or AI-manipulated images, audio or video (deepfakes), yes — they must be labeled, and synthetic media should carry machine-readable marking. AI chatbots must disclose they are AI. AI-written text on matters of public interest must be disclosed unless a human editor takes responsibility.

Is ChatGPT or my AI vendor responsible instead of me?

Responsibilities are split by role. The model provider (e.g. OpenAI) carries GPAI-provider duties; you, as the deployer who puts a chatbot on your site or publishes AI content, carry the deployer-side transparency duties toward your visitors.

Is using AI for SEO or content marketing banned?

No. Generating marketing copy with AI is minimal/limited risk — perfectly legal. The Act only requires transparency in specific cases (deepfakes, public-interest text, chatbots) and bans a short list of harmful practices unrelated to normal marketing.

What should a website owner do right now?

Inventory where AI touches your site (chatbot, generated images/text), add clear AI disclosures and labels, check your synthetic-media marking, and brief your team. Then keep an eye on 2 December 2027 if you use AI in hiring or other Annex III areas.

Quick self-check: where do you stand?

Six statements — answer honestly. Your answers stay in your browser.

Visitors are told when they chat with an AI on our site (or we have no AI chat).
AI-generated images, audio or video we publish are visibly labeled (or we publish none).
AI-written articles on matters of public interest are disclosed or human-reviewed.
We checked that none of our AI uses is a prohibited practice (Art. 5).
We know whether any of our AI uses falls under Annex III high-risk.
Our team has had basic AI-literacy training.
0/6 answeredGet your free AI Act readiness scanThe free Beacon account includes the website signal scan and the interactive checklist — no credit card.

Check your AI Act readiness — free

Free website signal scan + interactive checklist in your Beacon account. No credit card.

Start free Run a free check