Artificial intelligence is no longer a future issue. It is already present in many areas of business life: emails, chatbots, customer service, data analysis, recruitment tools, marketing, translations, image generation and internal productivity systems.
However, from 2 August 2026, the use of artificial intelligence in the European Union will enter a new regulatory phase.
The European Artificial Intelligence Regulation, also known as the EU AI Act, will become fully applicable, subject to certain exceptions and a gradual implementation calendar. Its aim is not to prohibit artificial intelligence, but to ensure that it is used safely, transparently and in a way that respects fundamental rights.
The question many companies should now be asking is not simply whether they use artificial intelligence.
The real question is:
Do we know exactly which AI tools we are using, what we are using them for, and what legal risks they may involve?
What is the European Artificial Intelligence Regulation?
The European Artificial Intelligence Regulation is the first major EU law specifically designed to regulate the development, placing on the market and use of artificial intelligence systems.
Its approach is based on risk. Not all AI tools have the same impact, and not all of them require the same level of legal control.
Using an AI tool to help draft a general text is not the same as using an automated system to select candidates, assess a person’s creditworthiness, process biometric data or make decisions that may affect fundamental rights.
For this reason, the Regulation distinguishes between different levels of risk:
✔️Unacceptable risk: AI systems that are prohibited.
✔️High risk: AI systems that may affect safety, employment, education, migration, access to essential services, critical infrastructure or fundamental rights.
✔️Limited risk: systems mainly subject to transparency obligations.
✔️Minimal risk: everyday uses with a lighter regulatory burden.
Why should companies pay attention?
Many businesses assume that the EU AI Act only applies to large technology companies or to businesses that develop artificial intelligence systems.
That assumption may be risky.
The Regulation can also affect companies that use AI systems in their daily activity, even if they did not create those systems themselves.
For example, a company may be using AI for:
- recruitment or HR processes;
- customer service;
- data analysis;
- content generation;
- marketing;
- client scoring or profiling;
- document management;
- productivity tools;
- translations or contract reviews;
- automation of internal decisions.
The legal issue is not just the use of AI. The real issue is using it without knowing exactly which tool is being used, what data is being entered, who has access to that information, what decisions are being automated and what impact this may have on clients, employees or third parties.
What obligations may apply?
The obligations will depend on the type of AI system, the role of the company and the level of risk involved.
A company that develops an AI system will not have the same obligations as a company that simply uses one. Likewise, using AI to draft an internal note is not the same as using AI to make decisions that affect individuals.
Depending on the case, companies may need to:
- identify which AI systems are being used;
- classify the level of risk;
- inform individuals when they are interacting with AI;
- ensure human oversight;
- keep appropriate documentation;
- review suppliers and contracts;
- establish internal AI policies;
- train staff on the responsible use of AI;
- avoid prohibited AI practices;
- protect personal and confidential data;
- control the use of generative AI tools such as ChatGPT, Copilot and similar systems.
The Regulation also provides for significant sanctions. In the most serious cases, breaches involving prohibited AI practices may lead to fines of up to €35 million or 7% of the company’s total worldwide annual turnover, whichever is higher.
The common mistake: thinking “we are only testing it”
Many companies are currently in what seems to be an informal phase. They are testing tools, automating tasks, generating texts, analysing information or introducing AI assistants without a clear internal policy.
But from a legal point of view, “testing” does not always eliminate risk.
If personal data, confidential information, client documents, employee data or information affecting real decisions is being entered into an AI system, the company may already be creating legal exposure.
Artificial intelligence can be an excellent tool, but it must be used with judgement, traceability and care.
What should companies do before 2 August 2026?
There is no need for panic, but companies should start preparing in an organised way.
A first legal review should include:
1. AI tools inventory
Identify which AI tools are being used, who is using them and for what purpose.
2. Risk classification
Assess whether the use is low risk, limited risk or potentially high risk.
3. Data review
Check whether personal data, sensitive data, trade secrets or confidential information are being entered into AI systems.
4. Internal AI policy
Establish clear rules for employees, collaborators and management.
5. Supplier review
Review contractual terms, data protection clauses, confidentiality, server location and liability provisions.
6. Transparency
Assess when clients, users or employees must be informed that they are interacting with AI or that certain content has been generated by AI.
7. Training
Staff should know what they can and cannot do with AI tools.
AI yes, but responsibly
Artificial intelligence should not be seen as a threat in itself. Used properly, it can save time, improve processes and increase business productivity.
However, technological enthusiasm should not replace legal judgement.
The European Artificial Intelligence Regulation requires companies to move from improvisation to responsible management. It will no longer be enough to say “we use an AI tool”. Companies will need to understand and explain what they use, why they use it, what data is involved, what controls are in place and what safeguards apply.
Conclusion
2 August 2026 is a key date for the application of the European Artificial Intelligence Regulation.
Companies that already use AI should begin reviewing their processes now. The point is not to stop innovation, but to innovate with legal certainty.
At Bennet & Rey Abogados, we can help businesses review their use of artificial intelligence, identify legal risks and prepare an internal AI policy adapted to their needs.
Artificial intelligence can be a powerful ally. But only if it is used with judgement, transparency and responsibility.
Contact us at: [email protected]
or click here an book a consultation with a lawyer
