The EU AI Act Takes Effect in August 2026: A 5-Step Readiness Playbook for Businesses

The clock is ticking. On 2 August 2026, key provisions of the EU AI Act enter enforcement. For the first time, companies deploying artificial intelligence in the European Union face a structured regulatory framework — not a patchwork of national rules, but a single risk-based law with real penalties.

Most businesses we speak with assume the AI Act will not apply to them. "We are not building AI. We just use ChatGPT." This assumption is becoming one of the most expensive misunderstandings of 2026.

The reality: the AI Act reaches any organisation that places AI systems on the EU market or puts them into service, regardless of where the company is based. If your team uses an AI tool to score candidates, screen customers, make credit decisions, or analyse health data — you are likely in scope.

Here is what changes, who is affected, and why the next 90 days matter more than most leadership teams realise.

What Actually Changes on 2 August 2026

The EU AI Act has been rolling out in phases since its adoption. The prohibited practices ban took effect in February 2025. Rules for general-purpose AI models — the foundation models behind tools like ChatGPT and Claude — began applying in August 2025.

On 2 August 2026, the regulation reaches its most consequential milestone for everyday businesses: transparency obligations and rules for high-risk AI systems begin enforcement.

High-risk AI systems are defined in Annex III of the Act and cover a wide range of business uses, including:

  • AI used in employment, worker management, and access to self-employment
  • AI that determines access to essential private and public services (credit scoring, insurance pricing, healthcare triage)
  • AI used in law enforcement, migration, and border control
  • AI involved in the administration of justice and democratic processes
  • AI used to evaluate the creditworthiness or establish credit scoring of individuals
  • AI used to assess risk in life and health insurance

From 2 August 2026, companies deploying these systems must maintain AI inventories, document risk classifications, implement third-party due diligence, and demonstrate model lifecycle controls. These are no longer voluntary best practices — they are enforceable legal obligations.

"This Does Not Apply to Us" - and Why It Probably Does

The most common objection from leadership teams is that the AI Act is about "building AI", which most companies are not doing. This reading is outdated.

The Act regulates deployers of AI systems, not just developers. A Bulgarian company using an off-the-shelf AI tool to filter CVs is a deployer of a high-risk AI system, with specific obligations under Article 26 of the Act. A real estate agency using an AI model to evaluate property risk is a deployer. A healthcare provider using AI-assisted diagnostic support is a deployer.

The question is not whether you use AI. The question is how you use it — and whether the use case falls into one of the Annex III categories.

Based on conversations with Bulgarian mid-market companies over the past six months, we estimate that more than half of organisations with 50 or more employees are already deploying at least one AI system that falls within scope. The majority have no formal inventory of where these systems are deployed, who is responsible for them, or what data they process.

The 5 Practical Steps to Take Before August

Regulatory readiness is not a last-minute task. Based on our work with clients preparing for the Act, here are the five steps that make the difference between being ready and being exposed.

1. Build an AI inventory. Map every AI tool, model, and system currently used across your organisation — including shadow deployments your IT team may not know about. Include tools bundled into CRM, HR, marketing, and finance platforms. Most inventories reveal 3–5 times more AI usage than leadership expected.

2. Classify each system by risk. For each entry in the inventory, determine whether the system is prohibited, high-risk (Annex III), limited-risk, or minimal-risk. The classification determines the obligations. Get this wrong and you either over-invest in systems that do not need it, or under-invest in systems that do.

3. Assign ownership. Every high-risk AI system needs a named accountable person within your organisation. This is not a technical role — it is a governance role. In most of our engagements, this sits with a compliance officer, a COO, or a designated Chief AI Officer.

4. Document data flows and decision logic. For every high-risk system, regulators will expect documentation of what data the system uses, what decisions it influences, and how outputs are reviewed by humans. If you cannot explain how the system works in plain business language, you cannot demonstrate compliance.

5. Create an incident and redress process. Under the Act, individuals have the right to an explanation and, in some cases, to challenge AI-driven decisions. You need a clear internal process for receiving, reviewing, and responding to these requests before they arrive.

What Happens If You Do Not Comply

The penalty structure under the EU AI Act is significant and tiered. Prohibited practices can result in fines up to €35 million or 7% of global annual turnover — whichever is higher. Violations of high-risk system obligations can reach €15 million or 3% of turnover. Providing incorrect or misleading information to regulators can result in fines of up to €7.5 million or 1% of turnover.

For context, this penalty structure is stricter than the GDPR framework that many companies are already familiar with. Enforcement will be coordinated across member states, and Bulgaria's Commission for Personal Data Protection is expected to take on a central coordinating role for AI Act matters in the country.

Non-compliance also creates commercial exposure beyond fines. Clients — particularly multinational clients — will increasingly require AI Act compliance as a condition of working with Bulgarian suppliers and service providers. Demonstrating readiness becomes a competitive advantage in B2B sales.

Where to Start

The companies that will navigate the next 90 days well are the ones that treat AI regulation as a strategic readiness exercise, not a last-minute compliance scramble. The goal is not to slow down AI adoption — it is to make sure AI adoption does not slow the business down when enforcement begins.

At Ethera Technologies, we help Bulgarian businesses build the structure and documentation needed to use AI with confidence under the EU AI Act. From inventory and risk classification to governance and ongoing advisory, we work as a strategic partner through every stage of readiness.

If the 2 August 2026 deadline is on your calendar — or if it should be — we would value a conversation. Schedule an AI consultation or write to info@ethera-tech.com to discuss where your organisation stands and what the path to readiness looks like.
