COMPLIANCE · APPLIED AI

5 AI uses that the AI Act fines (and that you probably already have)

Marc Alonso
9 min read
AI Act 2026 — inventory of AI systems for European SMEs

What the AI Act is, in one sentence

The AI Act is the first European law that sets rules for how companies can use artificial intelligence. It doesn't ban its use. What it does is classify uses into risk levels based on who they affect and what decisions they make: there are prohibited uses, high-risk uses (with serious obligations), limited-risk uses (with transparency obligations) and minimal-risk uses (with no specific obligations).

An AI that helps you write emails isn't in the same league as an AI that decides who gets hired or who gets credit. And that's exactly what the regulation aims to sort out.

The official name is EU Regulation 2024/1689. It entered into force in August 2024 and its obligations apply in phases, with a calendar that has recently shifted, as we'll see next.

The calendar has moved

If a few weeks ago this article was going to be called "AI Act: the three-month countdown", today the right headline is a different one: start the inventory of the AI that's already inside your company.

The reason is twofold. First, the calendar has moved. On 7 May 2026, the EU Council and Parliament reached a political agreement on the Digital Omnibus on AI, delaying high-risk obligations:

  • 2 December 2027 for Annex III high-risk systems (employment, credit, insurance, biometrics, education, critical infrastructure, etc.).
  • 2 August 2028 for AI embedded in Annex I regulated products (medical devices, machinery, toys, lifts).
  • 2 December 2026 for the transparency and synthetic-content marking obligations of Article 50(2) — this one does affect any SME using generative AI in marketing directly.

Second, and more important: the regulatory clock has moved, but the work that actually matters hasn't gone anywhere. What gets you sanctioned is not the calendar. It's not knowing which AI you have and what it's deciding on your behalf.

Why the inventory beats the calendar

Automating badly is more expensive than not automating. Applied to the AI Act, this translates into something concrete: the risk isn't in "having ChatGPT" or "putting AI everywhere".

The risk is in letting a tool enter HR, scoring, insurance or biometrics without knowing what it decides, with what data, how it's supervised and what obligations it drags along.

That's why I don't buy the "express compliance" pitch today. Before talking about compliance, you have to discover which AI you already have inside the company and where it's making decisions about people. Without that inventory, "compliance" is a slogan.

The inventory almost no SME has

Most SMEs don't "buy an AI system". They buy an ATS (Applicant Tracking System, the software that receives and filters incoming CVs), a CRM, an HR suite, a support platform, an ERP with a financial module, a marketing tool or a "copilot" feature that shows up activated in the next renewal.

AI enters the company as a feature, not as a conscious project. And that's where the regulatory problem is born: you are "using AI" without having decided to.

Eurostat data from 2025 puts around 20% of European companies with 10 or more employees already using at least one AI technology, up from 13.5% in 2024 and 8% in 2023. In other words: nearly double in two years.

Among the most-used technologies, text analytics leads (11.8%), followed by image, video and sound generation (9.5%) and natural-language generation (8.8%). AI is already distributed across the operational stack of the average company — often without leadership being fully aware.

Here's the difference between a serious implementation and a poor one: before automating, you have to name. Name the tool, the module, the vendor, the real purpose, the decision it influences, the data it touches, the affected person and the country where the results are used.

If you can't answer those questions, you aren't "doing AI" yet. You're piling up operational debt and, potentially, regulatory debt.

This reading fits the heart of the Regulation: classification depends on the system's intended use and the context in which it is deployed, not on the vendor's marketing.

Where high risk really shows up

This is where almost every generalist article fails: they throw all AI-enabled software into the same bucket. That doesn't help. Annex III does help, because it draws clear zones.

In employment and HR, high-risk systems are those intended to recruit or select people, place targeted job ads, analyse and filter applications or evaluate candidates. Also those affecting working conditions, promotion or termination, assigning tasks based on behaviour or personal traits, or monitoring and evaluating worker performance.

In essential private services, high-risk systems include those intended to evaluate the creditworthiness of natural persons or set credit scoring (except for financial fraud detection), and those for pricing and risk assessment in life and health insurance.

In biometrics, remote identification, sensitive biometric categorisation and emotion recognition occupy the delicate zone. Some practices are directly prohibited, not regulated: emotion recognition in the workplace, for example, is banned except for medical or safety scenarios.

That means the ATS with CV scoring, the software that analyses recorded interviews, the tool that ranks candidates, the module that decides promotions or detects "performance risk", or the engine that allocates tasks based on individual traits, are the kind of software an SME must review carefully. Same for a scoring engine to grant consumer credit, or a system that adjusts price and risk in life or health insurance.

You don't need the vendor to call it "high-risk AI". If the intended use fits Annex III, the regulatory problem is there all the same.

On the other hand, not every CRM and not every marketing AI automatically enters high risk. A CRM that summarises sales calls, drafts follow-up emails, suggests next steps or predicts churn does not fall into Annex III by itself. Neither does a creative generator, a ticket classifier or a copilot for drafting reports. In those cases, the conversation is closer to transparency, data protection and operational reliability than to the hard high-risk regime.

One important nuance: Article 6(3) opens a door for certain Annex III uses not to be considered high risk if they only perform a narrow procedural task, improve an already completed human result, detect patterns without replacing human judgement or do a preparatory task. But that door closes when the system profiles people. And, heads up: even if a vendor invokes that exception, the May 2026 Omnibus reinstated the obligation to register them in the European database all the same.

If a vendor tells you "don't worry, this isn't high risk", the professional response isn't to breathe easy. It's to ask for their documented assessment and the exact legal basis for that conclusion.

Andorra is not out by default

From Andorra you often hear a dangerous phrase: "that's an EU thing". Not exactly.

The AI Act applies to providers placing systems or models on the Union market, to deployers established in the Union and — especially relevant for Andorra — to providers and deployers from third countries when the system's output is used in the Union. Recital 22 of the Regulation gives a clear example: an operator established in the EU contracts services from a third-country one and uses the result produced by that system within the Union.

This forces you to qualify the local discourse. Processing data of European clients almost certainly puts you in a GDPR conversation. But the AI Act trigger is different: that the system or its output is placed on the market or used inside the Union.

In practical terms: an Andorran SME offering clients in Spain or France an ATS with CV filtering, a candidate scoring engine, a credit-rating engine or a system that influences decisions about people does not stay out by being in Andorra. By contrast, an Andorran company that uses internally a sales copilot or a meeting summariser for purely internal processes, whose results are not used in the Union, is much less exposed.

That difference matters more than the nationality of the company.

And in Spain, on top of that, the institutional framework is already set up. The AESIA (Spanish Agency for AI Supervision) has existed since 2023, was the first dedicated AI-supervision agency in a Member State according to the OECD, and in 2026 already coordinates with fundamental-rights authorities as a market surveillance authority. For Spanish SMEs there is no theory: there is a body with real sanctioning power.

What you should look at this week

If I had to boil all of this down to a fast business decision, I'd use a three-zone matrix.

Red zone. Tools that directly affect people in employment, credit, life or health insurance, biometrics or emotion recognition. Here a functional review isn't enough: you need formal system classification, vendor due diligence and, where applicable, serious documentary preparation.

Amber zone. Apparently "supporting" tools in HR, operations or services that in practice may materially influence human decisions. The key question: does the AI only prepare material, or does it de facto filter, score, prioritise or condition the outcome? If the vendor hides behind Article 6(3), ask for the documented assessment. If it also interacts with people or generates synthetic content, also check transparency obligations.

Green zone. Internal functions like meeting summaries, transcription, semantic search, writing help, document support or fraud detection without scoring of natural persons. Here you usually aren't in Annex III, but you should still have basic governance: internal owner, usage policy, data control, human validation and minimum team literacy.

The quick test I recommend to any SME: open your software stack and locate five things:

  1. The ATS or recruiting tool.
  2. The HR suite.
  3. The CRM.
  4. The marketing or call-centre platform.
  5. Any financial tool that scores, recommends or automates decisions about people.

Then, ask each vendor in writing for four things: the intended use of the system, its classification under the AI Act, the basis for any Article 6(3) exclusion they invoke, and where applicable registration in the European database.

That database will be public. If the vendor can't answer, you aren't buying innovation. You're buying a contingency.

What isn't fully settled yet

Two caveats, for honesty.

The first is about the calendar. The Omnibus agreement is political and provisional: the final text still has to be formally adopted. For compliance, budget or procurement decisions, follow the final applicable version when it lands, not an old headline. In May 2026 sources with the original calendar coexist with sources reflecting the new one; that will get cleaned up over the coming weeks.

The second is about Spain's enforcement architecture. AESIA is already a central and visible player, and Spain has developed real guidance and institutional coordination. But the final distribution of sectoral authorities, national measures and enforcement regime should be checked in the BOE in force when a closed legal position is needed.

If what you want isn't a masterclass on the AI Act but to avoid the most expensive mistake, the conclusion is much simpler.

The point that matters

It isn't about "complying with the AI Act" in the abstract. It's about knowing which AI you already have inside the company and where it's making decisions about people.

Without that inventory, everything else is regulatory marketing. With that inventory, the AI Act stops being a vague threat and becomes a concrete list of things to decide.

Want to find out which AI your company actually has?

At Nexe Labs we do the inventory before the proposal. We map which systems use AI, what their intended use is, which AI Act zone they fall into and what decisions they're making in your company today. Then we decide.

Frequently asked questions

Individual, ad-hoc use of generative AI for low-risk tasks (emails, brainstorming, drafts) usually falls under minimal or limited risk. The main obligations are transparency (flagging synthetic content) and team literacy. The picture changes when that same AI gets integrated into processes that affect people.