AI and the AI Act 2026: what changes for businesses
The AI Act regulates AI across the Union. Prohibited risk, high risk, transparency: what French businesses must organise in 2026, with the timeline and penalties.
Expert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.
Quick answer. The AI Act (EU Regulation 2024/1689) has regulated AI across the European Union since 1 August 2024, with a phased application running to 2027. For a French business, the 2026 stake is to know whether your uses fall under prohibited risk, high risk or simple transparency, then to organise AI literacy, documentation and human oversight before the deadlines.
Artificial intelligence has settled into companies' everyday tools, from chatbots to recruitment software. In parallel, the European Union has adopted the world's first comprehensive legal framework on AI. Many business owners believe this text only targets technology giants. That is a mistake: it also concerns SMEs that merely use AI. Here is what changes concretely, and how we support owners in their digital transformation.
The AI Act, a directly applicable regulation
Regulation (EU) 2024/1689, known as the AI Act, was adopted on 13 June 2024 and published in the Official Journal of the Union on 12 July 2024. As a regulation, it applies directly across the 27 Member States, without national transposition. It entered into force 20 days after publication, on 1 August 2024, but its obligations roll out in stages through 2027.
The text targets two main actors: the provider, who develops or places an AI system on the market, and the deployer, the business that uses an AI system in the course of its activity. The vast majority of French SMEs are deployers: they do not write the algorithm, they use it. This does not exempt them from every obligation, as we will see. The scope is also extraterritorial: a vendor established outside the Union whose system is used in France falls within the regulation.
The four risk levels
The AI Act classifies uses, not technologies. The same model can be harmless in one case and high risk in another. Four levels structure the regulation.
| Risk level | Examples of use | Main obligation |
|---|---|---|
| Unacceptable (prohibited) | Social scoring, behavioural manipulation, certain biometrics | Banned since 2 February 2025 |
| High risk | CV screening in recruitment, credit scoring, biometrics, education | Documentation, human oversight, risk management |
| Limited risk | Chatbot, generated content (text, image, audio) | Transparency: inform the user |
| Minimal | Spam filter, product suggestions, games | No specific obligation |
For an SME, the level that surprises most is high risk, because it covers uses that are very common in human resources. Software that automatically screens applications or evaluates employees falls under Annex III of the regulation: it is a high-risk use, with heavy obligations attached.
The application timeline
Obligations do not enter into force all at once. Here are the milestones set by the base text.
| Date | What becomes applicable |
|---|---|
| 2 February 2025 | Ban on unacceptable practices and AI literacy obligation |
| 2 August 2025 | Rules on general-purpose AI models and governance (authorities, penalties) |
| 2 August 2026 | High-risk system obligations under Annex III and transparency rules |
| 2 August 2027 | High-risk systems embedded in already regulated products (Annex I) |
Between publication and full application of the high-risk strand, a little over 24 months pass. This delay is not wasted time: it serves to map your uses, train your teams and document your systems. Many businesses discover late that an HR tool or a scoring module bought off the shelf falls under high risk.
Provider or deployer: your obligations differ
The distinction is decisive, because the obligations do not weigh in the same way.
The provider of a high-risk system bears the heaviest load: a risk management system, complete technical documentation, logging, CE marking, declaration of conformity, and registration in the European database.
The professional deployer has more targeted but very real obligations: use the system in line with its instructions, ensure effective human oversight, monitor operation, keep the logs for the required period (at least 6 months in several cases), and inform the persons concerned when a decision affecting them relies on a high-risk system.
Concrete obligations from 2026
Three obligations deserve a business owner's attention this year.
AI literacy (Article 4) has been in force since 2 February 2025. Providers and deployers must ensure a sufficient level of AI understanding among the people who use it. In practice, this means awareness and training tailored to the company's real uses, as shown in our article on AI agents to automate the back office.
Transparency (Article 50) requires, from 2 August 2026, informing the user that they are interacting with an AI and labelling content generated or manipulated by AI (text, image, sound, video). A chatbot on your site or visuals produced by AI are directly concerned.
Human oversight applies to any high-risk use: a person must be able to understand, monitor and, if needed, override the automated decision. On a CV screening tool, this means a human keeps control over the final selection.
Penalties
The regulation sets some of the highest fines in EU law (Article 99).
| Breach | Cap |
|---|---|
| Use of a prohibited practice | 35 million euros or 7% of worldwide turnover |
| Breach of other obligations (including high risk) | 15 million euros or 3% of worldwide turnover |
| Incorrect information supplied to authorities | 7.5 million euros or 1% of worldwide turnover |
The cap applied is, in principle, the higher of the fixed sum and the percentage. For SMEs and start-ups, however, the regulation provides that the fine corresponds to the lower of the two, so as not to penalise small structures disproportionately.
The 2026 update: the Digital Omnibus revision
A timeline adjustment is under discussion. On 7 May 2026, the Council, the Parliament and the Commission reached a provisional political agreement, known as the Digital Omnibus, which would defer the application of Annex III high-risk obligations from 2 August 2026 to 2 December 2027, and those of Annex I to 2 August 2028. The text would also introduce new bans targeting AI-generated child sexual abuse material and non-consensual intimate imagery.
At the date of this article, this agreement has not yet been formally adopted or published in the Official Journal: it therefore remains indicative. We recommend continuing to prepare for compliance on the basis of the timeline in force, while tracking the final adoption of the text. Anticipating almost always costs less than catching up.
Our view
In our files, the AI Act raises less a technological question than a governance one. The first useful reflex is not legal but documentary: list the AI tools actually used in the business, which often holds surprises (a scoring module in the CRM, application screening in the HR software, a drafting assistant). Once the map is laid out, classification by risk level becomes simple, and the compliance burden narrows to two or three uses at most.
This is especially true for tech start-ups that embed AI at the core of their product, and that may be a provider on one component and a deployer on another. For the accounting and finance function itself, we have detailed the uses, the return on investment and the risks in our guide to AI in accounting. The AI Act must not slow AI adoption: handled well, it remains a productivity lever, as shown by our generative AI use cases for a business owner.
A common case
A 40-employee services SME asks us about its recruitment software, which automatically ranks applications by relevance score. This use falls under Annex III: it is high risk. The company is a deployer, not a provider, but it must still ensure human oversight of the selection, inform candidates that the tool is involved, and keep the logs. We helped the owner obtain the conformity documentation from the vendor, build human oversight into the HR process, and add an information notice in the candidate journey. The work took a few weeks, without blocking the activity, because it was handled before the deadline rather than in a rush.
For the related issues of data security, also see our cybersecurity checklist for SMEs and our note on the NIS2 directive.
Frequently asked questions
Is my business covered by the AI Act if it does not develop AI?
Yes, very probably. The regulation also targets deployers, that is, businesses that use an AI system in their activity. If you operate a chatbot, a CV screening tool or a scoring module, you fall within scope, with obligations that depend on the risk level of the use.
Which AI uses are prohibited?
Since 2 February 2025, uses deemed of unacceptable risk are banned: social scoring of individuals, manipulation techniques exploiting vulnerabilities, certain forms of real-time biometric recognition in public spaces, or emotion inference in the workplace outside safety cases. These practices are not negotiable.
What is a high-risk AI system?
It is a use listed in Annex III of the regulation: recruitment and worker management, access to credit, biometrics, education, justice or critical infrastructure, among others. For these uses, providers and deployers must ensure documentation, human oversight, risk management and traceability. Many HR tools on the market fall into this category.
What are the penalties for non-compliance?
Fines can reach 35 million euros or 7% of worldwide turnover for a prohibited practice, 15 million euros or 3% for breach of other obligations, and 7.5 million euros or 1% for incorrect information to authorities. For SMEs, the cap applied is the lower of the two amounts.
What does the AI literacy obligation involve?
Since 2 February 2025, you must ensure a sufficient level of AI understanding among the people who use it in the business. This means awareness and training tailored to the tools actually used, proportionate to your size and your uses. No diploma is required: the goal is informed and responsible use.
Will the AI Act timeline be pushed back?
A provisional political agreement from May 2026, known as the Digital Omnibus, plans to defer the application of Annex III high-risk obligations to 2 December 2027. At this stage, it is not definitively adopted. We advise continuing to prepare for compliance on the basis of the timeline in force, while tracking the final adoption of the text.
Key takeaways
- The AI Act (EU Regulation 2024/1689) has been directly applicable since 1 August 2024, with a phased ramp-up through 2027.
- It classifies uses into four levels: unacceptable (prohibited), high risk, limited risk and minimal.
- Most SMEs are deployers: their obligations focus on human oversight, transparency and AI literacy.
- HR uses (CV screening, evaluation) often fall under high risk, by virtue of Annex III.
- Penalties reach 35 million euros or 7% of worldwide turnover for prohibited practices.
- A deferral of the high-risk strand to 2 December 2027 is under discussion (Digital Omnibus) but not yet adopted: prepare on the current timeline.
Article written by the Hayot Expertise firm, registered with the Order of Chartered Accountants of Ile-de-France. Updated for 2026. This article is for information purposes and does not replace an analysis of your own situation.

Article written by Samuel HAYOT
Chartered Accountant, registered with the Institute of Chartered Accountants.
Regulated French accounting and audit firm based in Paris 8, built to support companies across France with a digital and decision-oriented approach.