// ai act guide

The EU AI Act, in plain terms.

The world's first comprehensive AI regulation lands on European teams in full on August 2, 2026. Here's what it asks of you — and how to be ready by architecture, not by scramble.

29 days to enforcement: August 2, 2026

// the law

A risk-based rulebook for AI in Europe.

The AI Act regulates AI by how risky its use is, not by the technology itself. It applies to anyone placing an AI system on the EU market or using one inside the EU — including companies that only integrate third-party models.

If your team puts AI into production for European users, the question is no longer whether the Act applies — it's which obligations you carry, and whether your stack can meet them.

// timeline

How it rolls out.

The Act phases in over three years. The date that matters for most enterprises is the next one.

  1. Aug 1, 2024
    In force

    The EU AI Act enters into force.

  2. Feb 2, 2025
    Bans apply

    Prohibited AI practices become illegal across the EU.

  3. Aug 2, 2025
    GPAI rules

    Obligations for general-purpose AI models begin.

  4. Aug 2, 2026
    Main enforcement (you are here)

    The bulk of obligations — high-risk systems, transparency and governance — become enforceable.

  5. Aug 2, 2027
    Embedded high-risk

    Rules for AI built into regulated products take full effect.

// risk tiers

Four levels of risk.

Your obligations depend entirely on which tier your use of AI falls into. Most enterprise tooling lands in the middle two.

Unacceptable

Banned

Social scoring, manipulative or exploitative systems. Prohibited outright since February 2025.

High-risk

Strict obligations

AI in hiring, credit, healthcare, critical infrastructure or justice. Risk management, data governance, logging, human oversight and documentation.

Limited risk

Transparency

Chatbots and generative systems. Users must be told they are interacting with AI, and AI-generated content must be labelled.

Minimal risk

No obligations

Spam filters, recommendation, most internal tooling. Free to use, with voluntary codes of conduct.

// penalties

The cost of getting it wrong.

Fines are tiered by severity and set as either a fixed amount or a percentage of global turnover, whichever figure is higher. They are built to register at board level.

€35M / 7%: Prohibited AI practices
€15M / 3%: Breach of high-risk, transparency or GPAI obligations
€7.5M / 1%: Supplying incorrect information to authorities

Figures are the higher of the fixed amount or the percentage of global annual turnover.

// your obligations

What you'll need to show.

For most teams running AI in production, compliance comes down to a handful of things you must be able to demonstrate.

Know where data is processed

Be able to show inference runs in the EU, not on a hyperscaler subject to the US CLOUD Act.

No silent training on your data

Your prompts and outputs must not feed a third-party training set without basis.

Records & traceability

Keep an auditable trail of what system processed what, and where it ran.

Transparency to users

Disclose AI interactions and label AI-generated content.

Human oversight

Keep a person in the loop for decisions that carry real-world risk.

Data governance

Control the lawful basis, quality and residency of the data you feed in.

// compliant by design

Where Helmcode removes the work.

We can't classify your systems for you — but the hardest, most structural requirements are solved the moment your inference runs on Helmcode.

EU data residency

Inference processed exclusively on EU infrastructure — never a US hyperscaler.

No training on your data

Zero logs: prompts and completions are never stored and never train a model.

Traceability

A single, auditable stack with documented data flows and a sub-processor list.

Sovereignty

EU-owned and operated, outside the reach of the US CLOUD Act.


// ai act faq

The AI Act, answered.

The questions European teams ask as the deadline approaches.

Does the AI Act apply to my company if we just use AI?

Very likely. The Act covers providers and deployers of AI systems placed on the EU market or used within the EU — including companies that only integrate third-party models. Obligations scale with the risk level of how you use AI.

What actually changes on August 2, 2026?

The bulk of the obligations become enforceable: requirements for high-risk systems, transparency duties, governance and the supervisory/penalty regime. Prohibited practices and GPAI rules already apply from earlier dates.

How bad are the penalties?

Up to €35M or 7% of global annual turnover for prohibited practices, and €15M or 3% for breaching other obligations — whichever is higher. They are designed to be material at board level.

How does Helmcode help us comply?

By removing the hardest parts structurally: EU-only processing, zero logs, no training on your data and an auditable stack. You are aligned by architecture rather than by configuration. See Security & Compliance for the full posture.

Is this page legal advice?

No. It is an informational overview to help you scope the work. For your specific obligations and classification, consult qualified legal counsel.

// get started

START BURNING TOKENS

Skip the AI infra work. Deploy your first private inference endpoint today.

Flat rate. EU data. OpenAI API compatible.