skip to main content

What is the 2026 EU AI Act?

Safeguarding your assets, your people and your customers | 5 minute read

By 2026, the EU AI Act will change how organisations use artificial intelligence (AI). It is the first major law to regulate AI at scale, introducing a framework designed to ensure AI systems that are being created and used are safe.¹

 

For organisations, the message is clear: AI is no longer just a technology issue. It is now a regulated risk that must be actively managed, monitored, and documented. 

Key takeaways

1. The EU AI Act makes AI a regulated organisational risk. Organisations will need to actively manage, monitor and document how AI is created and used.¹
2. The Act uses a risk-based approach, with AI systems grouped by risk level.¹
3. Organisations now need clear AI governance, records, human oversight and security controls.²


What is the EU AI Act?

The EU AI Act sets risk-based rules for AI, banning some uses and imposing strict duties on high-risk systems. Organisations must identify AI use, assess risk, keep records, and ensure proper oversight to stay compliant. 


€35mil

Fines can reach up to €35 million or 7% of global annual turnover for the most serious breaches, such as using banned AI practices.

Source: gov.ie


15 days

Serious AI incidents must usually be reported within 15 days.3

Source: The EU Artificial Intelligence Act

EU AI Act: a risk-based framework for AI

The EU AI Act groups AI systems based on the level of risk they may create. The higher the risk, the stricter the rules. This means organisations need to understand what AI systems they use and decide which risk category each one falls into. The risk level will determine what rules the organisation needs to follow.

AI systems that create an unacceptable risk are banned completely. This includes systems that could manipulate people in a harmful way or lead to unfair treatment. High-risk AI systems are allowed, but they must follow strict rules. These may include AI systems used in heavily regulated areas such as hiring, healthcare, finance or essential services.

Some AI systems are classed as limited risk. These are usually allowed, but organisations may need to be clear with people when AI is being used. AI systems that create very little risk are mostly not affected by the Act.¹

What the EU AI Act means for organisations

The EU AI Act makes it clear that AI must be properly managed throughout its use. Organisations need to know where AI is being used, what risks it may create, and who is responsible for overseeing it.

Managing AI is not a one-time task. Organisations should have a clear process in place from the moment a new AI system is introduced. This includes checking that the system is working as intended, updating it when needed, and making sure any issues are dealt with quickly.²

Failing to follow the rules can have serious consequences. Organisations can face large fines of up to €35 million or 7% of their total worldwide annual turnover of the preceding year, whichever is higher, as well as investigations by regulators. There is also the risk of reputational damage and real-world harm if AI systems make mistakes or are used irresponsibly. ¹

Key responsibilities for organisations under the EU AI Act

If an organisation uses AI in highly regulated areas, such as hiring, finance, healthcare, education, or essential services, it may need to follow stricter rules under the EU AI Act. ¹

One of the main responsibilities is risk management. Organisations must regularly check that their AI systems are working properly and are not causing harm. If problems are found, they need to be fixed quickly and effectively.

Organisations also need to keep clear records. This means documenting how the AI system works, what data it uses, and how decisions are made. Good record keeping helps show that the organisation is using AI responsibly and following the rules.

Human involvement is also important. AI systems should not be left to operate entirely on their own in high-risk situations. People must be able to review decisions, step in when needed, and take control if something goes wrong.

The quality of data used by AI systems also matters. Data should be accurate, relevant, and fair so that the AI does not produce biased, incorrect, or unfair outcomes.

Organisations must also make sure their AI systems are secure. AI should be protected from hacking, errors, or manipulation, just like any other business system.²

Who does the EU AI Act apply to?

The EU AI Act applies to organisations that create, sell, or use AI as part of their work. This includes organisations that develop AI systems, as well as those that use AI to support services, operations, or decision-making.

Organisations that build AI systems usually have the most responsibilities. However, organisations that use AI professionally also need to make sure they are using it safely and responsibly.

The Act can also apply to organisations outside the EU if their AI systems are used in the EU, or if the results produced by their AI affect people in the EU.¹

Cyber insurance and the EU AI Act

The EU AI Act marks a fundamental shift in how organisations use technology. It establishes that AI must be controlled, documented and secure; risk must be actively managed across the lifecycle; and accountability sits at an organisational and leadership level.

The EU AI Act introduces new and complex risks linked to how AI systems operate. Even with strong safeguards, these risks cannot be fully eliminated. Cyber insurance plays an essential role in helping organisations manage the financial impact of incidents. It also provides access to expert support during crises, helping organisations respond quickly and effectively.¹

Find out more on our Cyber Insurance offerings here or read about other cybersecurity mandates in our series.

The EU AI Act marks a fundamental shift in how organisations use technology. It establishes that AI must be controlled, documented and secure; risk must be actively managed across the lifecycle; and accountability sits at an organisational and leadership level.

David Dalton
Senior Account Executive

Want to see how we can help?

No matter the industry you operate in, you will have some sort of reliance on technology for the effective day-to-day running of your business. That’s what makes cyber insurance so important; every company has some level of vulnerability that cyber criminals can exploit.


General disclaimer

This insights article is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this article, NFP does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this article. This article has been compiled using information available to us up to its date of publication.

Margin Investments Ltd t/a NFP, RideSure is authorised and regulated by the Central Bank of Ireland. Registered office: ReSure House, Steeple View Court, Church Road, Malahide, Dublin, K36Y673 and its directors are Aidan Brady, Ross Barron, Garry Fitzroy,  Registered in Ireland No: 288386.


NFP contributors

David Dalton
Senior Account Executive



https://www.nfpireland.ie/insights/articles/what-is-the-2026-eu-ai-act/
2026 Copyright | All Right Reserved