Why Is Everyone So Confused with the EU AI Act?
It's not just you.
You have some AI systems in the company. You are aware there is some AI Act.
But what are you supposed to do? Classify them? Report them somewhere? Write documentation? Put them in a spreadsheet and hope for the best?
So you decide you need help. You hire a consultant — the one whose LinkedIn posts freaked you out. Only to realize he doesn’t understand half of what he’s talking about.
So you try something else. Online courses. In-person workshops. Seminars with important-sounding titles.
And they read you the regulation.
They read it to you.
But they don’t tell you what to do. What are the steps. How to actually be compliant. You walk out knowing the AI Act exists (you already knew that) and not much else.
You have no idea what to do.
It looks hopeless.
It’s not. And here’s the thing nobody is saying out loud:
You’re confused because the people writing the rules haven’t finished explaining them.
A study of 106 enterprise AI systems found 40% had unclear risk classification. That’s not company incompetence — that’s a guidance gap. If you don’t have your AI systems classified, if you genuinely don’t know what to do next, the reason is not you.
Psst. It’s them.
So what happened?
The Commission missed its own deadline
The guidelines on high-risk AI classification — Article 6, the single most important question every company has — were due February 2, 2026.
It’s still missing at the end March 2026.
“Is my AI system high-risk?” That’s the question. The Commission was supposed to answer it over a year ago. They haven’t.
The guidance they did publish made things worse
In February 2025, the Commission published guidelines on the definition of an AI system. The idea was to bring clarity. Legal analysts noted the guidelines “may actually lead to more debate.” The guidance on “limited capacity” machine learning systems created new borderline cases instead of resolving old ones.
Ambiguity creates confusion. Confusion creates more ambiguity.
The standards won’t be ready before enforcement starts
CEN and CENELEC — the bodies creating the technical standards companies need to demonstrate compliance — are targeting Q4 2026 for key harmonized standards.
The high-risk obligations become enforceable August 2, 2026.
Read that again. Companies are supposed to comply with rules whose technical standards don’t exist yet on the enforcement date.
Guidance arrives weeks before deadlines
The transparency Code of Practice under Article 50? First draft came out December 2025. Final version expected June 2026. Enforcement starts August 2, 2026.
That gives companies two months. Two months to implement something they just learned about.
Nobody knows who enforces this
Only 8 out of 27 EU member states have established designated national competent authorities. In most countries, the body responsible for enforcing the AI Act hasn’t been appointed yet.
You can’t comply with confidence when you don’t know who’s watching — or whether anyone is.
The deadlines themselves keep moving
On March 13, 2026, the Council agreed to a position that would push the high-risk deadline from August 2026 to December 2027 for stand-alone systems, and August 2028 for systems embedded in regulated products.
But this is a Council position. Not finalized law. So companies are planning against deadlines that might change — again.
What do you actually need to remember?
Here’s where it stands as of March 2026:
Prohibited AI practices — social scoring, certain biometric systems, manipulative AI — have been enforceable since February 2, 2025. This is not coming. This is here.
GPAI provider obligations — if you provide a general-purpose AI model — have been in force since August 2, 2025.
Full enforcement for high-risk AI systems is currently set for August 2, 2026 — but the Council’s March position suggests December 2027 is more likely.
There has been no major public enforcement action yet.
The penalty structure, when enforcement does come:
Prohibited AI practices: EUR 35 million or 7% of global turnover
High-risk AI violations: EUR 15 million or 3% of global turnover
Incorrect or misleading information: EUR 7.5 million or 1% of global turnover
Whichever is higher. That’s the ceiling. Most companies won’t get anywhere near it — but you need to know what the ceiling is.
If I were you
I would focus on three things right now.
First — make absolutely sure you are not running any prohibited AI practices. That’s the one category where enforcement is already live and the fines are the steepest. If you’re not sure what counts as prohibited, that’s a future article. But start there.
Second — get a rough inventory of the AI systems in your company. You don’t need to classify them perfectly yet (the Commission hasn’t given you the tools to do that). But you need to know what you’re working with. You can’t comply with regulation you can’t map to your actual systems.
Third — come back here regularly. I’ll be covering each of these topics in depth — what high-risk actually means, how to classify your systems, what the documentation requirements look like, and what happens as the deadlines shift. This is not a one-time problem. It’s an ongoing one, and I’ll be tracking it so you don’t have to.
The EU AI Act is confusing right now. That’s a fact. But it won’t always be — and the companies that start preparing now, even imperfectly, will be in a much better position than the ones still waiting for someone to hand them a checklist.
Nobody is going to hand you a checklist.
But I might build you one.