EU AI Act: Key Tasks for Mid-Sized Tech Teams
The EU AI Act’s Article 5 prohibitions have been binding since 2 February 2025, and the penalty provisions have applied since 2 August 2025. State-run social scoring, manipulative AI that undermines free will, workplace emotion recognition and biometric mass surveillance are no longer permitted in the EU. Violations can trigger fines of up to €35 million or 7 % of a company’s global annual turnover, whichever is higher. Germany’s digital-industry association Bitkom estimates annual compliance costs for German firms at up to €20 billion. Status: 14 April 2026.
Key takeaways
- Banned under Article 5 (in force since 2 February 2025): government social scoring, manipulative AI, workplace emotion recognition, biometric categorisation that infers sensitive traits, including in recruitment.
- Fines up to €35 million or 7 % of global annual turnover, whichever is higher: above the GDPR ceiling (€20 million or 4 %).
- Next milestone, 2 August 2026: the obligations for high-risk systems apply (conformity assessment, technical documentation, human oversight, logging). Until then, firms must compile and classify their AI inventories.
The regulation rolls out in stages. The provisions already in force target prohibited practices. From 2 August 2026 the real work begins: high-risk AI systems in HR, healthcare, education and critical infrastructure must undergo conformity assessment and be documented and monitored. Between now and then, every company has roughly four months to sort out its AI landscape.
The official legal basis is available on the European Commission website. Prefer action over paperwork? What follows is not a panic guide but a concrete checklist that a tech team can work through over three evenings.
What is banned under Article 5
Article 5 of the regulation lists eight practices prohibited across the EU. Three are most relevant to business. First, workplace emotion recognition. This covers systems that infer employee mood via camera, voice or typing-pattern analysis, even if results are supposedly aggregated; the only exception is a system put in place for medical or safety reasons. Many call-centre and recruitment tools fall into this trap when they tout emotion-scoring features.
Second, biometric categorisation that infers sensitive traits from biometric data: race, political opinions, trade-union membership, religious beliefs, sex life or sexual orientation. Profiling tools that run on photos or voice recordings can do this without the buyer noticing. Any ad-tech stack with face-recognition modules must be audited.
Third, manipulative AI that undermines free will. The ban covers subliminal or purposefully manipulative techniques, and the exploitation of vulnerabilities due to age, disability or social or economic situation, where the result is significant harm. The use case is narrow but precisely framed. E-commerce sites deploying aggressive dark patterns sit in a grey zone; regulators will sharpen their interpretation over the next 18 months.
The silver lining: state-run social scoring affects public bodies, so most companies are unaffected. The ban on untargeted scraping of facial images and the restrictions on real-time remote biometric identification in public spaces mainly affect security providers and law enforcement. The heart of the prohibitions therefore lands on HR and mar-tech systems.
Who is affected – the numbers
The regulation’s reach is wider than many mid-sized companies realise. It affects not only AI developers. Every company that uses AI systems, including purchased ones, is responsible as a deployer. That includes SaaS products that use AI internally without saying so.
The penalty system is tiered. Violations of prohibited practices (Article 5) sit at the top with fines of up to €35 million or 7 percent of global annual turnover. Breaches of high-risk and other operator obligations incur penalties of up to €15 million or 3 percent. Supplying incorrect, incomplete or misleading information to authorities or notified bodies is fined up to €7.5 million or 1 percent. In each tier the higher amount applies, except for SMEs, where the lower one does. Germany’s federal government has simultaneously launched a €500 million support programme to help small and medium-sized enterprises implement compliance.
Pros and cons of operational implementation
The regulation brings clear advantages and drawbacks for affected companies.
Advantages:
- Uniform EU-wide legal certainty for AI use, replacing 27 national interpretations.
- Competitive edge for providers with robust governance: conformity becomes a purchasing criterion.
- Federal (€500 million) and EU (InvestAI, roughly €20 billion) funding programmes reduce the cost burden for SMEs.
- Strong outward signal: compliance builds trust with customers and investors.
Drawbacks:
- Documentation workload is substantial, especially for high-risk systems (data provenance, model-bias tests, change logs).
- The German regulator (Federal Network Agency) is still being set up, so supervisory practice is not yet settled.
- The definition of “high-risk” remains unclear in borderline cases; many systems operate in a grey zone.
- Competitive disadvantage versus US and Chinese providers leveraging EU exemptions.
4-Month Action Checklist
If you run high-risk applications in your stack and need to be ready by August 2026, work through three blocks. The first is an inventory. Create a complete list of every AI system in the company, including embedded components that are often overlooked: chatbots, recommendation engines, fraud-detection tools, HR-screening software, CRM scoring modules. In modern ERP systems, AI agents often fly under the radar and must now be explicitly classified.
Block two is risk classification. For each system, determine its AI Act category: prohibited, high-risk, limited-risk, minimal-risk. Annex III lists the high-risk areas (among them employment and worker management, education, access to essential services, law enforcement and critical infrastructure). The European Commission publishes guidance, but interpretation will tighten over the coming months. Err on the side of caution: when in doubt, classify higher. A high-risk label triggers documentation workload; a wrong low-risk label can cost up to €15 million.
Block three is documentation. High-risk systems require technical documentation (data provenance, training methodology, evaluation results), a risk-management process, human oversight, logging, and transparency disclosures to users. Many of these elements overlap with CSRD reporting obligations and existing ESG data models if your company already has those in good shape.
What’s Realistic by August—and What Isn’t
Four months is tight. For a company running ten to thirty AI systems, an eight-week inventory is doable if one person is dedicated full-time. Classification plus initial documentation packages take another six to ten weeks. Kick off on 15 April and you’ll finish high-risk systems by late July—just before the August deadline.
What isn’t realistic is having every system externally certified by August. For most Annex III high-risk systems the Act in any case provides for conformity assessment based on internal control (Article 43(2)); third-party assessment by a notified body is required mainly for biometric systems and for AI embedded in products already covered by EU product-safety law. External conformity-assessment bodies only start work in June. For most high-risk systems, August is therefore about having the technical documentation and an internal EU declaration of conformity in place; where external certification is needed, it follows by late 2026 or early 2027. Regulators have designed the phased rollout with this bottleneck in mind.
Prioritization matters. Systems that could fall into prohibited practices sit at the top—highest fines and immediate effect. High-risk systems in HR and customer contact come next because of their public exposure. Everything else can be tidied up with a clean roadmap by end-2026. Think of it like the e-invoicing mandate that took effect in January 2025: early movers face no crunch on the deadline date.
What Role Do the Federal Program and EU Funding Play?
In March 2026 the German government launched a €500 million AI-Compliance funding program running through 2028. Small and medium-sized enterprises with up to 500 employees are eligible if they can show at least one high-risk AI system in use. Grants cover up to 50 percent of compliance costs, capped at €250,000 per company. Applications go through BAFA; first approvals are expected from May 2026.
At the same time, EU funds from the InvestAI initiative—roughly €20 billion in total—are flowing into AI infrastructure and research. Part of that money supports conformity-assessment bodies that perform certifications. Companies with international ambitions should also eye national programs in France (€800 million) and the Netherlands (€275 million), which are running in parallel.
Practical tip: if you plan to apply for funding, document your AI inventory in a structured way. BAFA’s process asks for a register of affected systems, a risk classification, and a project plan for compliance implementation. If you’re already preparing that for AI Act conformity, you avoid duplicate work.
What Tech Teams Need to Build Right Now
The AI Act introduces three new requirements that must be integrated into existing dev workflows. First: a model registry. Every production AI system needs a unique ID, version history, training-data provenance, and compliance status. Tools like MLflow, Weights and Biases, or a simple database with a clearly defined schema are sufficient to start. The key is that every production deploy generates an entry.
Second: bias and fairness testing as part of the CI pipeline. High-risk systems require regular evaluations that are documented. Open-source tools such as Fairlearn, AIF360, or Google’s What-If Tool can be plugged into existing test pipelines. The requirement isn’t a one-time certification but continuous monitoring. Automating this saves effort once and for all.
Third: audit logging for human oversight. The AI Act requires that high-risk systems log events automatically and that humans can monitor AI decisions and override them. Each high-risk system needs logs that make decisions traceable: input, output, timestamp, model version, and any human override. Structurally, this resembles an event log many teams already maintain for monitoring and debugging, but with a retention period of at least six months (longer where other law requires it) and with tamper-evidence, since the log is the evidence a regulator will ask for.
In practice: these three requirements can be rolled out in stages. In the first two weeks, a spreadsheet-based model registry is enough to complete the inventory. Next comes migration to a more robust tool. Bias testing is ideally added as an extra check in an existing CI system (GitHub Actions, GitLab CI, Jenkins)—not as a new system. Audit logs leverage existing observability infrastructure when available.
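The three building blocks above, registry, CI fairness check and audit log, as one added example. This is not code from the article or from MLflow, Fairlearn or any other tool it names; the model names, training-data reference, reviewer ID and the 0.1 selection-rate threshold are constructed for illustration. The fairness metric is the demographic-parity difference (the quantity Fairlearn reports under that name), computed by hand so the block runs with the standard library alone.

```python
"""Added example (not code from the article or the tools it names): a model
registry, a hash-chained decision log and a CI fairness gate in plain Python.
Model names, data references, reviewer IDs and the 0.1 gap threshold are
constructed for illustration."""
import hashlib
import json
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ModelEntry:
    """One row per deployed model version: ID, version, risk class, provenance."""
    model_id: str
    version: str
    risk_class: str             # prohibited | high-risk | limited-risk | minimal-risk
    training_data_ref: str      # where the training set lives (assumed naming)
    training_data_sha256: str   # fingerprint of that set: the provenance evidence
    compliance_status: str      # e.g. "inventory", "documented", "assessed"


class ModelRegistry:
    """Append-only: an existing (model_id, version) pair is never overwritten."""

    def __init__(self):
        self.entries = {}

    def register(self, entry):
        if entry.risk_class == "prohibited":
            raise ValueError("Article 5 practices may not be deployed at all")
        key = (entry.model_id, entry.version)
        if key in self.entries:
            raise ValueError(f"{key} already registered; bump the version")
        self.entries[key] = entry

    def high_risk(self):
        return [e for e in self.entries.values() if e.risk_class == "high-risk"]


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class DecisionLog:
    """Hash-chained log of input, output, timestamp and model version: each hash
    covers the record plus the previous hash, so a later edit breaks verify_chain().
    Human overrides are appended as new records, never edited into old ones."""

    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    def _append(self, body):
        rec = {**body, "prev_hash": self.records[-1]["hash"] if self.records else self.GENESIS}
        rec["hash"] = _digest(rec)
        self.records.append(rec)
        return rec

    def record_decision(self, model_id, version, features, output, ts=None):
        return self._append({"kind": "decision", "model_id": model_id, "model_version": version,
                             "input": features, "output": output,
                             "timestamp": ts or datetime.now(timezone.utc).isoformat()})

    def record_override(self, decision_hash, reviewer, new_output, reason, ts=None):
        return self._append({"kind": "override", "overrides": decision_hash, "reviewer": reviewer,
                             "output": new_output, "reason": reason,
                             "timestamp": ts or datetime.now(timezone.utc).isoformat()})

    def verify_chain(self):
        prev = self.GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev_hash"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def selection_rate_gap(outputs, groups):
    """Demographic-parity difference: highest minus lowest positive-decision rate
    across groups (the same quantity Fairlearn reports)."""
    totals, positives = Counter(), Counter()
    for y, g in zip(outputs, groups):
        totals[g] += 1
        positives[g] += int(y)
    rates = [positives[g] / totals[g] for g in totals]
    return max(rates) - min(rates)


def fairness_gate(outputs, groups, max_gap=0.1):
    """CI check: returns False (fail the build) when the gap exceeds the threshold."""
    return selection_rate_gap(outputs, groups) <= max_gap


def demo():
    """Constructed walk-through: one high-risk HR model, one logged decision,
    one human override, and a fairness gate over eight constructed outcomes."""
    reg = ModelRegistry()
    reg.register(ModelEntry("cv-screener", "2.3.1", "high-risk",
                            "s3://hr-data/cv-2025q4/", "ab12" * 16, "documented"))
    log = DecisionLog()
    d = log.record_decision("cv-screener", "2.3.1", {"years_exp": 4, "degree": "BSc"},
                            {"shortlist": False, "score": 0.41}, ts="2026-04-15T09:00:00+00:00")
    log.record_override(d["hash"], "hr-reviewer-17", {"shortlist": True},
                        "manual review after candidate query", ts="2026-04-15T10:12:00+00:00")
    outputs = [1, 1, 1, 0, 1, 0, 0, 0]      # shortlisted? per applicant
    groups = ["a"] * 4 + ["b"] * 4          # protected attribute per applicant
    return {"chain_ok": log.verify_chain(), "high_risk": len(reg.high_risk()),
            "gap": selection_rate_gap(outputs, groups), "gate_passed": fairness_gate(outputs, groups)}
```

In the constructed data group a is shortlisted 75 % of the time and group b 25 %, so the gap is 0.5 and `fairness_gate` returns False; wired into a GitHub Actions or GitLab CI job that is the build failure the text describes. The log deliberately never mutates a record: an override is a new entry that points at the hash of the decision it reverses, and `verify_chain` detects any edit of an earlier entry, which is the property an auditor will want before trusting the log as evidence.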
The most common early mistake in compliance projects is over-engineering. Teams build new specialist tools for AI governance even though many requirements can be met with existing components. Clean code-review procedures, well-defined deploy processes, and structured monitoring dashboards already cover 60 to 70 percent of technical requirements. The remaining 30 percent are documentation and governance processes—organizational work, not technical.
One final thought on prioritization: the biggest efficiency gains come when AI governance is merged with existing IT-compliance processes. ISO 27001, GDPR records of processing, TISAX, or SOC 2—all these frameworks overlap with AI Act requirements. Building an integrated compliance framework instead of maintaining separate documentation for each standard saves 40 to 60 percent of effort in the long run. The organizational challenge lies here, not in the technology.
Frequently Asked Questions
Does the EU AI Act also apply to US providers like OpenAI or Anthropic?
Yes. The regulation applies territorially: as soon as an AI system is offered on the EU market or its output is used in the EU, the rules come into force. US providers have announced EU-compliant products for 2026—some with functional differences compared to the US market.
Who monitors compliance in Germany?
The Federal Network Agency (Bundesnetzagentur) coordinates oversight, while sector-specific authorities (BaFin, BfArM, data-protection bodies) retain their existing responsibilities. The structure is still being built; uniform practice is not expected by 2026.
What happens to existing AI systems already in use before 6 April?
Limited grandfathering applies. Prohibited practices must cease immediately; there is no transition period for Article 5. High-risk systems already placed on the market or put into service before 2 August 2026 fall under the high-risk obligations only once they undergo a significant change in design after that date (Article 111(2)); high-risk AI embedded in products covered by existing EU product-safety law (Annex I) follows from 2 August 2027. New systems placed on the market after 2 August 2026 must comply from day one.
What are realistic costs for a mid-sized company?
Bitkom estimates total annual costs for German companies at €20 billion. For a 500-employee business with moderate AI use, initial compliance costs are estimated between €80,000 and €250,000, plus ongoing documentation costs of €30,000 to €70,000 per year. The federal programme covers up to 50 percent.
Are there exceptions for research and development?
Yes. The regulation includes research privileges—AI systems in pre-market research projects are largely exempt. Once product testing with end users begins, standard obligations apply. EU member-state regulatory sandboxes offer additional experimental spaces.