What Does the EU AI Act Actually Require from Companies Using AI?

The EU AI Act requires IT leaders to govern how AI is used across their organization — not just approve which tools are allowed. As a deployer, your obligations depend on the risk tier of the AI systems you use. All deployers must ensure staff AI literacy (Article 4, enforceable since February 2025) and meet specific transparency requirements (Article 50). Deployers of high-risk AI systems face additional obligations: documented human oversight, operational log retention, and monitoring — under Article 26. The first step for any IT leader is knowing which tier your AI use falls under.

Key points:

The EU AI Act classifies any organization using AI professionally as a deployer with active legal obligations — regardless of company size, location, or whether they built the AI themselves.
Article 4 (AI literacy) has been enforceable since February 2, 2025. Most IT leaders are focused on the August 2026 deadline and have missed the one that already passed.
Being a deployer means you cannot transfer EU AI Act responsibility to your AI vendor — OpenAI, Anthropic, and Google meet their own obligations; yours remain separate.
The Act is explicitly risk-based: minimal-risk AI use has almost no obligations; limited-risk use requires transparency; high-risk use triggers extensive compliance requirements including oversight and log retention.
The first compliance task for any IT leader is classifying your organization's AI use by risk tier — because your obligations depend entirely on that answer.

‍

Who Does the EU AI Act Apply To — and What Is a Deployer?

The EU AI Act (Regulation 2024/1689) applies to any organization that develops, places on the market, or uses AI systems — including organizations outside the EU, if their AI use affects EU residents. It has the same extraterritorial reach as GDPR. A US-based marketing team producing AI-generated content for an audience that includes EU residents is in scope. An Australian SaaS company with EU customers is in scope.

The Act divides responsibility between two roles: providers (organizations that build and place AI systems on the market) and deployers (organizations that use those systems professionally). The moment a team uses an AI-powered tool to perform work — writing content, summarizing documents, responding to customers — that organization is a deployer.

This distinction carries a specific legal consequence: deployers cannot outsource regulatory responsibility to the AI vendor. Even if OpenAI, Anthropic, or Google meet their own compliance requirements as providers, your organization remains responsible for how AI outputs are used, whether human oversight is in place, and whether affected users are informed.

For IT leaders, this means EU AI Act compliance is an infrastructure problem, not just a policy one.

‍

What Are the EU AI Act Obligations That Are Already Enforceable?

Most IT leaders tracking the EU AI Act have August 2026 circled. That is when the high-risk AI system obligations kick in — the conformity assessments, the technical documentation, the formal oversight mechanisms. But one obligation has been enforceable since February 2, 2025, and most organizations that missed it don't know they missed it.

Article 4 — AI literacy (enforceable since February 2, 2025): All organizations deploying AI must ensure that staff involved in AI operations and oversight have sufficient knowledge to understand what the system does, recognize its limitations, and exercise meaningful human control over outputs. The European Commission's guidance is clear: this is not a one-off training session. Regulators expect a documented, ongoing programme, proportionate to each person's role.

In practical terms, this means staff who use AI daily need to understand how the model behaves, what kinds of errors it produces, and when human review is required. Staff who oversee AI outputs need deeper knowledge of governance frameworks and decision-making criteria. The obligation is proportionate, but it is documented and demonstrable on request.

‍

What EU AI Act Obligations Come into Force from August 2026?

The August 2, 2026 deadline is when the majority of high-risk AI system obligations become enforceable. Whether these apply to your organization depends on how your AI use is classified, which is why risk-tier classification is the essential first step, not an administrative formality.

⚠️ Timeline note: A provisional political agreement on the EU Digital Omnibus — reached on 7 May 2026 — would, if formally adopted, extend the high-risk AI system deadlines: to 2 December 2027 for stand-alone systems and 2 August 2028 for systems embedded in regulated products. As of June 2026, this agreement is still pending formal Council and Parliament endorsement. The current legal baseline remains August 2, 2026 until the Omnibus is published in the Official Journal. Compliance preparation should continue regardless — and Article 4 (AI literacy) and Article 50 (transparency) are not affected by the Omnibus extension.

Article 26 — Human oversight and log retention (high-risk AI systems only)

For deployers of high-risk AI systems, Article 26 requires implementing effective human oversight measures, using AI systems in accordance with the provider's instructions, monitoring AI system operation, and retaining operational logs — where the system generates them automatically — for at least six months. These obligations apply specifically to high-risk AI systems. They do not apply to general content generation, internal productivity tools, or most marketing and documentation workflows, which typically fall under limited or minimal risk.

Article 50 — Transparency (limited and higher risk)

Article 50 creates disclosure requirements for specific categories of AI interaction. AI systems designed to interact directly with people — chatbots and virtual assistants — must make clear to the user they are interacting with AI, unless this is obvious from context. AI-generated content that could deceive — deepfakes, synthetic images, audio, or video — must be labelled as artificially generated.

Importantly, Article 50 does not require labelling every piece of AI-assisted text. Routine AI-generated marketing copy, internal summaries, or documentation drafts are not automatically subject to disclosure under Article 50 unless they fall into one of the specific categories above.

⚠️ "Powered by AI" in a footer is not sufficient for AI systems that interact directly with users. The standard for chatbots and virtual assistants is disclosure at the point of interaction, not in general platform terms.

Article 27 — Fundamental Rights Impact Assessment (high-risk, sector-specific)

Deployers using high-risk AI systems in regulated sectors — recruitment screening, credit scoring, education assessment, healthcare — must assess and document the potential impact on individuals before deployment. This applies to high-risk systems specifically.

What Does EU AI Act Compliance Actually Look Like in Practice for IT Leaders?

The EU AI Act is explicitly risk-based. This is the most important thing to understand before doing anything else: your compliance obligations depend entirely on how your AI use is classified, not on the fact that you use AI.

The four risk tiers, and what they mean operationally:

Unacceptable risk — prohibited entirely. Social scoring systems, real-time biometric surveillance in public spaces, manipulative AI targeting vulnerable groups. Bans have applied since February 2025.
High risk — extensive obligations. AI used in recruitment, credit scoring, education assessment, biometric identification, and similar contexts. Requires conformity assessments, human oversight, log retention, and monitoring under Article 26.
Limited risk — transparency obligations only. AI systems that interact directly with users (chatbots, virtual assistants) and synthetic content that could deceive (deepfakes). Article 50 applies.
Minimal risk — almost no obligations beyond existing EU law. Spam filters, recommendation algorithms, AI writing assistants used for internal productivity.

Most content, documentation, and marketing teams using general-purpose AI tools operate in the limited-to-minimal risk tier. This does not mean no obligations exist — Article 4 (AI literacy) applies to all deployers, and Article 50 applies where chatbots or deceptive synthetic content are involved — but it does mean that the extensive Article 26 obligations around log retention and formal oversight do not automatically apply.

The compliance gap most IT leaders actually face is not a prohibited AI practice. It is the inability to answer basic questions when asked by a regulator, procurement auditor, or enterprise customer:

Which AI tools are in active use across your organization, and who approved each one?
Have your staff received documented AI literacy training proportionate to their role?
Where your AI interacts with users or generates synthetic content, is disclosure in place?
If you use any high-risk AI systems, do you have oversight and log retention mechanisms?

The practical starting point is risk classification — know what tier your AI use falls under, then build the appropriate controls for that tier.

‍

The five steps to get there:

Step 1: Run an AI tool inventory. List every AI tool in active use, including tools with embedded AI features adopted informally. Many organizations discover they have deployed more AI systems than IT is aware of.

Step 2: Classify each tool by risk tier. Use the Act's publicly available criteria. For most content and documentation workflows, you will confirm limited or minimal risk — but confirm it rather than assuming it. This step determines which obligations actually apply.

Step 3: Address Article 4 AI literacy. This applies to all deployers, regardless of risk tier, and is already in force. Document what AI literacy means for each role in your organization and how it is being maintained — not as a one-off training session, but as an ongoing programme.

Step 4: Apply the right controls by tier. For limited-risk use (chatbots, synthetic content): ensure Article 50 transparency is in place. For high-risk use: implement the oversight, monitoring, and log retention obligations under Article 26. For minimal-risk use: document that you assessed and confirmed the classification.

Step 5: Build the operational infrastructure to make governance sustainable. Centralizing prompt workflows into a shared library, controlling model access centrally, and maintaining consistent records of how AI is used are not legal requirements under the Act — but they are the operational conditions that make every other step manageable at scale. Promptitude's shared prompt library is built for exactly this: giving IT control of AI use across teams without requiring engineering involvement in every request.

‍

How Does Centralizing AI Prompts Help IT Leaders Manage EU AI Act Obligations?

A centralized prompt library is not required by the EU AI Act. The Act does not mandate prompt logging, a shared library, or any specific technical infrastructure. What it requires is that deployers can demonstrate appropriate governance for their tier of AI use — and the operational question is what infrastructure makes that possible at scale without making IT a bottleneck.

When prompts are centralized, the scope of AI use is defined by what is in the library. When access is role-based, the instructions going to models are controlled by IT rather than left to individual preference. When every prompt run goes through a managed layer, a consistent operational record exists without additional process overhead. None of this is mandated, but all of it makes the things that are mandated significantly easier to deliver.

Here is how the infrastructure maps onto the obligations that do apply:

‍

EU AI Act obligation	Who it applies to	How centralized prompt management helps
AI literacy (Art. 4)	All deployers	Prompt library makes AI instructions visible and reviewable — staff can see and understand what the system is doing
Human oversight (Art. 26)	High-risk AI systems only	IT controls which prompts are active and who has access — oversight is structural, not dependent on individual vigilance
Log retention (Art. 26)	High-risk AI systems only	Managed layer creates a consistent operational record by default
Transparency (Art. 50)	AI interacting with users; synthetic content	Explicit prompt-based workflows make the AI layer visible to operators; supports disclosure processes
Risk classification	All deployers	Central inventory of prompts and models makes classification and ongoing monitoring practical

‍

Teams at Promptitude use this structure to give IT governance over AI use across departments — without becoming a bottleneck for every request. Prompts are stored in a shared library with named owners, run against documented model configurations, with role-based access keeping API keys and model parameters under IT control.

‍

What Are the Penalties for Non-Compliance with the EU AI Act?

Penalties under the EU AI Act scale with the severity of the violation and the size of the organization, with lower thresholds for SMEs and start-ups.

Violations of prohibited AI practices (unacceptable risk tier): up to €35 million or 7% of global annual turnover, whichever is higher.
Non-compliance with high-risk system obligations: up to €15 million or 3% of global annual turnover.
Providing incorrect information to authorities: up to €7.5 million or 1% of global annual turnover.

For teams in the limited-risk tier, the direct penalty exposure is lower — but the reputational and procurement risk is significant. Enterprise buyers in regulated industries are already requiring EU AI Act compliance documentation from vendors as a condition of procurement. Early compliance is becoming a sales differentiator, not only a legal obligation. Teams using Promptitude can point to a documented, auditable prompt library when responding to vendor security questionnaires — a concrete operational record rather than a policy statement.

If your team's AI workflows are currently spread across personal accounts and informal documents with no central record, the practical starting point is consolidating prompts into a shared library with clear ownership. Promptitude is built for this — a central prompt library that makes AI workflows auditable, consistent, and easy to manage across your team. Start free → promptitude.io‍

Frequently Asked Questions

What does the EU AI Act require from organizations that use AI tools?The EU AI Act is risk-based — your obligations as a deployer depend on how your AI use is classified. All deployers must ensure staff AI literacy (Article 4, enforceable since February 2025). Deployers whose AI systems interact directly with users must meet transparency requirements (Article 50, August 2026). Deployers of high-risk AI systems face the most extensive obligations: human oversight, log retention, monitoring, and use within documented scope (Article 26, August 2026). The first step is knowing which tier applies to you.

What is the difference between a provider and a deployer under the EU AI Act?A provider is an organization that builds and places an AI system on the market — OpenAI, Anthropic, Google, and similar companies. A deployer is any organization that uses an AI system professionally. Most businesses are deployers. The critical point is that deployers cannot transfer their EU AI Act obligations to the provider — both parties have separate, concurrent obligations under the Act.

Does the EU AI Act apply if our organization is not based in the EU?Yes. The EU AI Act applies to any organization whose AI use affects EU residents, regardless of where the organization is headquartered. It has the same extraterritorial reach as GDPR. A US-based team producing AI-generated content for an audience that includes EU residents is in scope. An organization headquartered outside the EU with EU customers is in scope.

What is the Article 4 AI literacy requirement and is it already in force?Article 4 requires all deployers — regardless of risk tier — to ensure that staff involved in AI operations and oversight have sufficient knowledge to understand what the AI system does, recognize its limitations, and exercise meaningful human oversight. It has been enforceable since February 2, 2025. Regulators expect a documented, ongoing programme proportionate to each person's role — not a one-off training session.

Does Article 50 require disclosing all AI-generated content?No. Article 50 has a specific scope — and it distinguishes between provider and deployer obligations. The machine-readable marking obligation (ensuring AI outputs are detectable as artificially generated) falls on providers such as OpenAI, Anthropic, and Google — not on deployer organizations. Deployer disclosure obligations cover: AI systems interacting directly with users (chatbots, virtual assistants), deepfakes, and AI-generated text published to inform the public on matters of public interest. Routine AI-assisted marketing copy, internal documents, and product literature are generally outside scope unless they touch public-interest topics or constitute deepfakes.

How does Promptitude help IT leaders manage EU AI Act obligations?Promptitude provides operational infrastructure — a centralized prompt library, role-based access, and a managed model layer — that makes AI governance practical at scale. The Act does not mandate a prompt library, but centralizing AI workflows makes it significantly easier to demonstrate AI literacy, support oversight processes, maintain a record of AI use, and classify and monitor AI systems by risk tier. Explore Promptitude free →

‍

Seamless Integration with Plug & Play Solutions

Easily incorporate advanced generative AI into your team, product, and workflows with Promptitude's plug-and-play solutions. Enhance efficiency and innovation effortlessly.

Sign Up Free & Discover Now

Publications that may interest you

From Ad-Hoc Prompts to Scalable AI Tools | How Promptitude Transforms Technical Writing in 2026

Essential Technical Writing Style Guides Explained: Tips for Consistent, Scalable Docs

Top 10 Must-Attend Events for Technical Writers in 2026

How to Overcome Legacy Content Debt in Technical Writing for Scalable, AI-Optimized Docs

What Does the EU AI Act Mean for Teams Using AI Tools?

AI & Technical Writing: How to Keep Product Content Aligned in the Age of AI?

Navigating Tomorrow: Embracing Diversity in AI Beyond ChatGPT

What Are the Best PromptLayer Alternatives for Teams in 2026?

Potencie su empresa con la IA y agilice los flujos de trabajo.

Experimente la solución de IA perfecta para todas las empresas. Mejore sus operaciones con la gestión, las pruebas y la implantación sin esfuerzo de prompt . Agilice sus procesos, ahorre tiempo y aumente la eficiencia.

Unlock AI Efficiency: 50k Free Tokens

INSCRIPCIÓN

INICIAR SESIÓN

IA para Equipos, Hecho Fácil

GPT prompts para

Enterprises Redactores técnicos Translation & Localization Managers
Content Creators Casos de éxito Wall of Love

Casos prácticos

Document Summary

Perfect Email Tone & Style

Contract Analysis and Review

Review and Improve Code

Contextual Translation Editing

Localization Bug Detection

Producto

Precios Prompt Templates

Modelos Integraciones

Producto - Servicios

Hoja de ruta - Registro de cambios

Recursos

Blog Glossary Centro de ayuda Cómo funciona Partner Program

El panorama de la IA evoluciona a la velocidad de la luz. Prepara tu empresa para el futuro con Promptitude y gestiona todos tus proveedores de prompts e IA en un solo lugar, compártelos con tu equipo e integra la IA en tu negocio.

Certificada como empresa innovadora por el Ministerio alemán de Educación e Investigación.

Términos - Privacy · Imprint

Obtén acceso al PDF gratuito

Desbloque el podel del Prompt Engineering 101

Gestión de Prompts

AI Assistants

Flows

Herramientas

Bricolaje

Do-it-together

Done for you

Modelos de IA

Integraciones

How to Get Started

Redactores técnicos

Localization Managers

Content Creators

Enterprises

ChatGPT

Copilot

Promptmetheus

Blog

Glossary

Free Resources

Prompt Library

Cómo funciona

Registro de cambios

Casos de éxito