Reg. 2024/1689 · GPAI · Main deadline 2026-08-02

EU AI Act compliance for EU companies

The EU's Artificial Intelligence Regulation (EU 2024/1689) reaches its main compliance deadline on 2 August 2026. Maximum fine: EUR 35M or 7% of global turnover — whichever is higher. We map your AI systems to the regulation, then deliver compliance in a fixed-price 4–8 week project: DPIA, FRIA, technical documentation, human oversight, prompt-injection defences.

The essence in 30 seconds

  • The EU AI Act (Reg. 2024/1689) is the EU's first comprehensive AI law. It classifies AI systems into four risk tiers (prohibited, high, limited, minimal) and assigns separate obligations to each.
  • ~95% of EU SMEs sit in limited- or minimal-risk categories, with three concrete duties due by 2 August 2026: an AI policy for staff, a privacy notice update, and transparency for chatbots and AI-generated content.
  • High-risk operators (HR screening, credit scoring, education scoring, medical diagnosis support, biometric identification) need full conformity by 2 August 2026: Annex IV technical file, FRIA, CE marking, EU database registration. Typical mid-market project cost: EUR 15k–50k.
  • Article 4 (AI literacy) and Article 5 (prohibited practices) already apply — since 2 February 2025.

Risk classification

The four risk tiers — which one is your AI in?

The EU AI Act classifies every AI system by its use, not its underlying technology. The same large language model can be "high-risk" in one corporate use and "minimal" in another.

  1. Tier 1 · <1%

    Prohibited AI

    Typical examples

    Social scoring, subliminal manipulation, untargeted biometric mass surveillance in public, emotion recognition at the workplace or in schools.

    Obligations

    Cannot be operated in the EU in any form. Banned since 2 February 2025 — fines up to EUR 35M or 7% of global turnover.

  2. Tier 2 · ~5%

    High-risk AI

    Typical examples

    HR CV-screening and hiring scoring, credit scoring, insurance pricing, education exam scoring, medical diagnostic support, critical-infrastructure control, biometric identification, justice systems.

    Obligations

    Conformity assessment, detailed technical documentation (Annex IV), FRIA, CE marking, EU database registration, post-market monitoring, human oversight on every decision.

  3. Tier 3 · ~30%

    Limited-risk AI

    Typical examples

    Customer-service chatbots, deepfake and AI-generated media, emotion detectors in marketing, AI assistants in marketing/sales flows.

    Obligations

    Transparency duty: users must know they are talking to AI or seeing AI-generated content. Content-level labelling.

  4. Tier 4 · ~65%

    Minimal-risk AI

    Typical examples

    Spam filtering, AI in video games, recommendation engines in webshops, automatic image editing, code completion (Copilot, Cursor) inside closed internal environments.

    Obligations

    Voluntary code of conduct recommended. No specific statutory obligation — GDPR still applies to any AI processing personal data.

~95% of EU SMEs are in tiers 3 and 4 — the full enumeration is in Article 6 and Annex III.

Official applicability timeline (Article 113)

Source: artificialintelligenceact.eu/implementation-timeline and EUR-Lex 2024/1689.

Date · Article · What becomes applicable

2024-08-01 · Art. 113 · EU AI Act enters into force

    Officially published in the Official Journal of the European Union. Most articles are not yet applicable — but the 6/12/24/36-month transition clocks all start ticking from this day.

2025-02-02 · Art. 4 + Art. 5 · Prohibited practices ban + AI literacy duty

    Subliminal manipulation, social scoring, untargeted biometric mass surveillance and workplace/school emotion recognition are banned across the EU. AI literacy training becomes mandatory for staff who use AI. Fines up to EUR 35M or 7% of global turnover.

2025-08-02 · Art. 53–55 · GPAI obligations apply

    General-purpose AI providers (OpenAI, Anthropic, Google, Meta, Mistral) must publish technical documentation, downstream-integrator info, copyright policy and a sufficiently detailed training-data summary. Systemic-risk GPAI gets adversarial testing and serious-incident reporting.

2026-08-02 · Art. 6 + Annex III · High-risk AI obligations apply (main deadline)

    Operators of high-risk AI (HR screening, credit scoring, medical diagnosis support, education scoring, biometric identification) must demonstrate full compliance: technical documentation, FRIA, post-market monitoring, human oversight, CE marking, EU database registration.

2027-08-02 · Art. 111 · Full compliance — transitional periods end

    The grace period for high-risk AI systems placed on the market before 2 August 2024 ends. GPAI transitional periods close. Every AI system in the EU is then under the full regulation, including annual post-market updates for high-risk models.

Penalties (Article 99)

Three fine bands. SMEs benefit from the lower of the percentage or absolute amount — relief, not exemption.

Art. 99(3)

Prohibited AI practices

EUR 35M or 7% of global annual turnover

Whichever is higher. Applies to operating any AI system listed in Article 5.

Art. 99(4)

High-risk non-compliance

EUR 15M or 3% of global annual turnover

Applies to obligations under Articles 16, 22-24, 26, 31, 33-34, 50.

Art. 99(5)

Inaccurate / misleading info

EUR 7.5M or 1% of global annual turnover

Information given to authorities or notified bodies. SMEs benefit from the lower of % vs absolute amount.

30-day action plan to start compliance

The minimum viable compliance program for a mid-market company with one or two high-risk AI systems.

  1. Week 1 — AI inventory & risk classification

    Catalogue every AI system in production, in pilot or under contract (vendor, in-house, embedded SaaS Copilots). Classify each as prohibited / high / limited / minimal under Articles 5 and 6 + Annex III.

  2. Week 2 — Gap analysis vs Annex IV

    For every high-risk system, score the gap against the Annex IV technical documentation set: data governance, accuracy/robustness, transparency, human oversight, post-market plan.

  3. Weeks 3–5 — Documentation pack + FRIA

    Produce: Annex IV technical file, instructions for use (Article 13), Fundamental Rights Impact Assessment (Article 27), data governance policy, AI literacy training plan (Article 4).

  4. Weeks 6–8 — Conformity, CE, post-market

    Conformity assessment (self-assessment for most Annex III, third-party for biometric / Annex I product-embedded). CE marking + EU database registration. Wire up post-market monitoring telemetry.

For high-risk systems we map every step to a specific Article in the 24-step Annex III compliance checklist.

FAQ

EU AI Act — frequently asked questions

Reg. 2024/1689 entered into force on 1 August 2024. Prohibited practices (Art. 5) and AI literacy (Art. 4) have applied since 2 February 2025. GPAI obligations (Art. 53–55) since 2 August 2025. The main high-risk deadline is 2 August 2026 (Art. 113). Annex I product-embedded AI gets until 2 August 2027 (Art. 6(1)).

Request an EU AI Act gap analysis + roadmap

4–8 weeks, fixed-price project. Output: risk classification of every AI system, FRIA draft, gap list, prioritised action plan to 2 August 2026. You will be ready for supervisory questions.