AInspiro

EU AI Act Full Enforcement Begins August 2026: A Practical Compliance Guide for Businesses

🤖 This article was generated by AI. Content is for informational purposes only.

To be honest, if your business touches the European market in any way, this is a message you need to take seriously. In May 2026, the European Commission formally adopted the final implementation guidelines for the EU AI Act, and the core provisions will be fully enforced starting August 2, 2026 — that's just over a month away.


This means that regardless of where your company is registered, if your AI product or AI-enabled service operates within the EU, you need to comply with these rules. It's not a suggestion. It's the law.

First, understand: what exactly is the EU AI Act regulating?

The core logic of this legislation is actually straightforward: risk-based tiered regulation. You can think of it as an "AI product risk classification table" with four levels:

  • Unacceptable risk — outright banned. Examples include social scoring systems, real-time remote biometric identification (with narrow exceptions), and manipulative AI systems.
  • High risk — requires pre-compliance assessment, technical documentation filing, and human oversight mechanisms. Primarily covers recruitment, credit scoring, education, critical infrastructure, and law enforcement scenarios.
  • Limited risk — requires transparency disclosure. Examples include chatbots and deepfake content — users have a right to know.
  • Low/minimal risk — voluntary adherence to codes of conduct; no mandatory requirements.

For most SaaS products, the key question is determining which tier you fall into. Landing in the "high risk" category means significantly higher compliance costs.

Key deadlines in 2026

The EU AI Act does not take effect all at once; its provisions apply in phases. We're now at the most critical juncture:

  • August 1, 2024 — the Act formally entered into force, but most provisions entered a "transition period"
  • August 2025 — prohibitions on unacceptable-risk AI applications became enforceable
  • May 2026 — the European Commission adopted final implementation guidelines, clarifying assessment standards for high-risk AI systems and transparency requirements for general-purpose AI models
  • August 2, 2026 — full compliance requirements for high-risk AI systems become mandatory; there is no further transition period
  • August 2027 — remaining provisions fully applicable

If your product falls into the "high risk" category, the period between now and August 2 is your last compliance window. Missing the deadline means facing fines of up to €35 million or 7% of global annual revenue (whichever is higher).

Transparency requirements for General-Purpose AI Models (GPAI)

The May 2026 final guidelines specifically address transparency requirements for providers of "general-purpose AI models" — the foundational large models like GPT, Claude, and Qwen:

  • Must disclose training data sources and use of copyrighted content
  • Must provide sufficient technical documentation enabling downstream users to understand model capabilities and limitations
  • Must carry out systemic risk assessment and mitigation (for models above certain parameter thresholds)

This primarily impacts large model providers, but for companies building applications on top of model APIs, selecting a "compliant" model provider will become a procurement requirement.

Do Chinese companies need to care?

Yes. You're within scope if any of the following apply:

  • Your product has users in Europe (even if you're a Chinese company)
  • You provide AI-related technical services to European clients
  • You have subsidiaries in Europe or use cloud infrastructure located within the EU

A common misconception is "I operate domestically and don't touch the European market, so this doesn't apply to me." But if you use AI services hosted in EU-based data centers, or if your product is accessible to users in Europe, you're already within scope.

What can you still do now?

With just over a month until August 2, here are the things you can and should be doing:

  1. Conduct an AI product risk self-assessment — benchmark your product against the EU AI Act risk categories to determine your tier
  2. Prepare technical documentation — high-risk AI systems need technical documentation, risk assessment reports, and human oversight plans ready before August
  3. Audit your supply chain — are the foundation models and third-party AI services you rely on already compliant? If not, you need a contingency plan
  4. Appoint a person responsible for compliance — the Act requires designated internal compliance responsibility for high-risk AI systems (similar to the DPO role under GDPR)

Frankly, compliance is always a case of "early action = lower cost, late action = higher cost." Acting now gives you over a month to identify gaps and fix them. Reacting after August means the fines could exceed the cost of compliance itself.


If you're currently assessing your product's compliance status or want to discuss specific technical approaches, feel free to share your thoughts in the comments — this topic will only become more prominent through the second half of 2026.