EU AI Act Compliance: A 2026 Guide for Regulated Professions
The EU AI Act is the first comprehensive, risk-based law governing artificial intelligence in the European Union. Many treat it as a distant topic for corporate legal departments. For doctors, lawyers, tax advisers, and public administration, it is not. The moment you use AI in your day-to-day work, whether for drafting, research, or communicating with clients and patients, the Act applies to you, often in a role you did not expect to hold.
This guide explains, in plain language, what the EU AI Act is, which deadlines land when, how the risk tiers work, and which duties actually fall on you. Two points sit at the center, because they are the ones professionals miss most often: the transparency duty in Article 50 and the human oversight requirement in Article 14. At the end you will find a short, practical checklist for a practice, a firm, or an administration.
What is the EU AI Act?
The EU AI Act is Regulation (EU) 2024/1689. As a regulation it applies directly in every member state, with no separate national transposition law required. It is the first comprehensive, binding AI regulation of its kind, and its defining feature is a risk-based approach.
Rather than regulating each technology in the abstract, the Act asks what risk a given use poses to people. The higher the risk to health, safety, or fundamental rights, the stricter the obligations. A spelling assistant is treated very differently from a system that helps decide someone's creditworthiness or medical treatment. The Act does not regulate the technology in itself, it regulates the purpose you put it to.
One distinction runs through everything. A provider develops an AI system or places it on the market under its own name. A deployer uses an AI system under its own authority. The vast majority of practices, firms, and public bodies are deployers. Deployers carry obligations too, above all around AI literacy, transparency, and human oversight. Those three themes are the ones that touch everyday professional work most directly.
The timeline in plain language
The AI Act does not switch on all at once. It arrives in stages, and the stage that matters most to regulated professions lands in 2026.
- In force since 1 August 2024. The Act applies and the clocks are running.
- Since 2 February 2025: The bans on unacceptable-risk AI take effect. At the same time, the AI literacy duty applies: deployers must ensure their staff can use AI competently.
- Since 2 August 2025: The obligations for general-purpose AI models (the large language models) take effect, along with the rules on governance, national authorities, and penalties.
- From 2 August 2026: The bulk of the Act becomes applicable, above all the extensive obligations for high-risk systems. This is the milestone that matters now for regulated professions.
- From 2 August 2027: The final obligations apply, including those for high-risk AI built into regulated products, plus transition rules for models already on the market before August 2025.
So if you are adopting AI today, do not anchor to the entry-into-force date. Anchor to the stage that governs your particular use case. For most regulated professions, that is August 2026. Until then, note that the bans and the AI literacy duty are already live, and there is no grace period on those.
The four risk tiers
The heart of the Act is its classification into four risk tiers. The tier decides which obligations apply at all.
Unacceptable risk (prohibited)
Certain practices have simply been banned since February 2025: social scoring by public authorities, manipulative systems that steer people below the level of awareness, untargeted scraping of facial images from the internet, emotion recognition in the workplace and in education, and, with narrow exceptions, real-time remote biometric identification in public spaces. These systems may not be used in the EU.
High risk
This is where the Act concentrates its weight. High-risk systems are those that help decide sensitive matters about people: critical infrastructure, education and employment, access to essential services such as credit or insurance, law enforcement, migration, the administration of justice, and safety components in products such as medical devices. For these systems the Act requires a full bundle of duties: a risk management system, sound data quality and data governance, technical documentation, logging, effective human oversight, and an appropriate level of accuracy, robustness, and cybersecurity. Many must also be registered and undergo a conformity assessment.
Limited risk (transparency duties)
This tier covers the vast majority of everyday AI assistants and chatbots. It is subject mainly to transparency duties: people must be able to tell that they are interacting with an AI and that content was artificially generated. More on that below.
Minimal risk
By far the largest share of AI applications falls here: spam filters, recommendation systems, AI in video games. The Act imposes no specific obligations on these. Voluntary codes of conduct are possible but not required.
Which tier does your profession fall into?
For most regulated professions the answer is reassuring. Anyone using a general-purpose AI assistant for research, drafting, or organizing the working day is, as a rule, deploying a system of limited or minimal risk. Merely using a language model does not turn a law firm or a practice into a high-risk system.
The nuance is purpose. If you use AI in a way that decides matters about people on its own, such as a diagnosis or access to a benefit, the same technical building block can slip into the high-risk tier. What matters is not the model but what you use it for. As long as the AI assists and a person decides, you remain in limited risk. That is precisely why the next two duties matter so much.
The Article 50 transparency duty: the point most people miss
Article 50 governs transparency toward people, and it is the point deployers overlook most often. The core idea is simple: people should know when they are dealing with AI.
- Chatbots and AI assistants. When a person communicates with a chatbot, they must be told they are dealing with a machine, unless it is already obvious. The AI chat on your practice or firm website that answers client or patient questions must therefore identify itself as AI.
- Artificially generated content. AI-generated text, images, audio, and video must be marked as artificially generated, in a machine-readable way and, where it reaches people, in a recognizable way too.
- Deepfakes. Anyone distributing AI-generated or manipulated image, audio, or video content that convincingly resembles real people or events must disclose that the content is artificial.
- Text on matters of public interest. Where AI-generated text is published to inform the public about matters of public interest, that must be disclosed. The important nuance: this duty falls away when a human reviews the text and takes editorial responsibility for it.
In everyday terms: a cover letter, a draft opinion, or a patient information letter that AI prepares but that you review and stand behind under your own name is unproblematic, because you carry editorial responsibility. As soon as AI communicates directly with clients, patients, or the public, whether as a chatbot on the website or as automatically published text, the labeling duty applies. When in doubt, label rather than conceal. Disclosure rarely harms trust, concealment does.
Human oversight: the human in the loop under Article 14
The second point professionals miss is human oversight. Article 14 requires it explicitly for high-risk systems, but as a principle of responsible AI use it belongs in every regulated profession.
The idea is straightforward: AI supports the work, but a person makes the decision and stays responsible. Human oversight means a competent person can understand, question, correct, and if necessary reject the AI's output. The system must not be built or used so that the human simply defers to whatever it produces.
For medicine and law this is central. AI does not make the diagnosis, it offers signals that the doctor evaluates and weighs. AI does not issue the ruling or give the legal advice, it produces a draft that the lawyer reviews and stands behind. Professional responsibility cannot be delegated to a model, and liability stays with the person. Anyone using AI should therefore record, in writing, where a human reviews and signs off before an AI output has any external effect. This is not bureaucracy for its own sake, it is the evidence that the decision rested with you and not with the machine.
A practical checklist for a practice, firm, or administration
You do not need to wait for an inspection notice. These steps put you in a defensible position:
- Disclose AI use where required. Identify chatbots as AI, and disclose published AI text unless a human takes editorial responsibility for it.
- Keep a human in the loop. For each use case, define who reviews and approves the AI output before it takes effect.
- Do not let AI make autonomous decisions. AI produces drafts and signals, not the final decision about a person.
- Use tools that keep data in the EU and do not train on it. For every tool, establish where processing happens and whether your inputs are used for training.
- Keep a signed DPA. A data processing agreement is the contractual basis the GDPR requires, not a mere privacy policy.
- Document your AI usage and governance. Record which tools are allowed, which data may go in, who is responsible, and how your staff were trained. The AI literacy duty already applies.
These six points are not a one-off project but a routine. When a new tool enters the practice, walk the list again.
The AI Act and the GDPR belong together
A common misconception is that the EU AI Act replaces the GDPR. The opposite is true. The two apply in parallel and complement each other. The AI Act governs how an AI system must be built and how it must behave. The GDPR governs how personal data may be processed. The moment an AI system processes personal data, and almost every one in professional use does, both frameworks apply at once. Legal basis, purpose limitation, data minimization, data-subject rights, and the question of third-country transfers all remain fully relevant.
On top of that sits professional confidentiality, the duty of secrecy that binds doctors, lawyers, and other regulated professionals. Under German law this is § 203 StGB, and comparable secrecy obligations exist across Europe. When you put a client file or a patient record into an AI system, you are processing someone else's secrets. The AI Act governs how the system may work. The GDPR and professional secrecy govern where the data may go and who may see it. This is exactly where AI becomes either a risk or a defensible tool. A model that gives brilliant answers but stores your data on servers outside the EU, trains on it, and runs without a DPA may not violate the AI Act, but it does violate the GDPR and professional secrecy.
How an EU-hosted, GDPR-compliant AI platform helps
The fastest way to settle the data-protection side of AI use is to choose a platform built for regulated work. Four features are decisive, and together they cover several of the duties above:
- Processing in the EU. When requests are processed on EU servers, the thorny question of third-country transfers largely falls away.
- No training on your data. Your inputs do not feed the next model. That protects client and patient secrets.
- A signed DPA. The contractual basis the GDPR requires.
- Professional confidentiality accounted for. Anyone processing someone else's secrets needs a platform that keeps professional secrecy in mind.
Wysor is one example of such a platform: processing on EU servers, no training on your data, professional confidentiality under § 203 StGB accounted for, and a signed DPA. A foundation like this does not remove your duties under the AI Act, the GDPR, and professional law. It does make them considerably easier to meet, because data location, the training exclusion, and the contractual basis are already settled, and you can focus on the labeling and the human oversight.
The bottom line
The EU AI Act is no longer a distant topic. With the August 2026 stage, the substantive obligations land in practice, and the AI literacy duty already applies. For most regulated professions your own AI use is limited or minimal risk. Yet the Article 50 transparency duty, human oversight as a guiding principle, and the GDPR together with professional secrecy still apply.
Anyone who thinks about these layers together, labels AI where needed, lets a person make the decision, and chooses a platform that processes in the EU, does not train on your data, and signs a DPA, has done the greater part of the work before any supervisory authority ever asks.
Questions about applying this in your profession? Write to [email protected] or use the contact form in the app.
This guide is general orientation on the EU AI Act and is not a substitute for legal advice in an individual case.


