The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 as the world's first horizontal AI law. Most coverage focuses on what it means for AI providers. This is what it means for you, the person on the receiving end of an AI decision.

The Phase-In Calendar (What's Already Live, What's Not)

The Act phases in over three years. As of April 2026, two big tranches are already in force: Regulation 2024/1689

Prohibited Practices (Article 5) — Live Now

Article 5 bans certain AI uses entirely. If a service deploys one of these against you in the EU, it is not a question of "the AI got it wrong" — the deployment itself is unlawful. The bans include:

High-Risk AI Systems (Annex III) — The Ones You'll Actually Meet

Annex III lists eight categories of high-risk AI. These are the systems most likely to make a decision about you:

If an AI in one of these categories makes a decision that legally or significantly affects you, the deployer (the company using the AI) has to meet a list of obligations — and you get the rights below.

Article 86: The Right to a Clear Explanation (from 2 August 2026)

Article 86 is the consumer-facing core of the Act. From 2 August 2026, any person subject to a decision made by a deployer on the basis of a high-risk AI system listed in Annex III (with the narrow exception of point 2 — critical infrastructure) has the right to "clear and meaningful explanations of the role of the AI system in the decision-making procedure and the main elements of the decision taken." AI Act Art.86

The decision must (a) produce legal effects, or (b) similarly significantly affect the person in a way they consider adverse to their health, safety, or fundamental rights. Two practical examples:

This sits alongside, and is broader than, GDPR Article 22, which only covers solely automated decisions. Article 86 covers AI-assisted decisions where a human formally signed off but the AI clearly drove the outcome.

Article 85: The Right to Lodge a Complaint

From 2 August 2026, any person can complain to the national market-surveillance authority of the EU member state where the AI is being deployed. AI Act Art.85 Each member state designates an authority — many will use existing regulators (data protection authorities, telecoms regulators, sector-specific bodies). The Commission's AI Office maintains the central register.

Penalties That Make This Real

Fines under the AI Act are tiered and substantial: AI Act Art.99

SMEs and start-ups get capped fines at the lower of the two figures.

What to Do Today (Before 2026 Obligations Kick In)

  1. If an AI made a significant decision about you, ask in writing whether the system is classified as high-risk under Annex III and what role it played.
  2. Combine with a GDPR Article 15 DSAR for the underlying personal data and any profiling logic.
  3. Keep the response. If the company misclassifies the system or refuses to explain, the response itself becomes evidence for a complaint after August 2026.

Related Guides

Fix AI is built around the gap the AI Act is trying to close: AI systems making consequential decisions and refusing to explain why. Practice the explanation request before the law starts biting.

Practice AI Disputes Free →
← Back to Fix AI