In 2026, the use of artificial intelligence is not only a competitive advantage — it is a legal and operational responsibility.
Artificial intelligence (AI) has become a standard part of business operations. In most organisations, it is already used on a daily basis in document preparation, search, HR processes, communications, development, analysis and decision-support functions. Against that background, 2026 is the year in which the EU AI Act becomes a material compliance issue in practice.
Certain parts of the AI Act are already applicable. These include, in particular, the rules on prohibited AI practices, the requirements relating to AI literacy, and a significant portion of the framework applicable to general-purpose AI models. The next important milestone is 2 August 2026, when the Regulation begins to apply more broadly and a number of obligations come into force that will directly affect day-to-day business operations.
Who does this actually affect?
From a practical perspective, the AI Act affects not only businesses developing AI, but also companies that:
use AI tools in internal processes;
rely on AI to support decisions concerning employees, customers or users;
embed AI functionalities into their products or services;
integrate solutions provided by external AI vendors into their operations; or
use AI to support development, analysis or content-generation processes.
What do companies need to know now?
AI compliance is not simply a matter of putting a single document in place. Many businesses instinctively assume that an internal AI policy is the first and principal step. While that may indeed be important, it is rarely sufficient on its own. In practice, the real exposure usually does not arise because no policy exists, but because the organisation:
does not have a clear picture of where AI is actually being used;
lacks visibility over what data is being entered into those systems;
has not defined who may use such tools, for what purposes and under what conditions;
has not clarified responsibility and accountability lines; and
has not assessed which other legal regimes are engaged by its use of AI.
For that reason, preparation for 2026 is less about producing a single compliance document and more about asking the right questions in good time and obtaining targeted legal support.
In our experience, most businesses currently need practical, clearly scoped support that enables them to answer questions such as the following and to bring their use of AI within an appropriately governed framework:
1. Which of our AI use cases are actually legally relevant?
Not every use of AI carries the same level of risk. The first step is usually to identify which use cases genuinely require legal review or intervention.
2. Do we need to update our internal policies and processes?
In many cases, what is needed is not a new standalone document, but amendments to existing data protection, HR, IT, trade secret protection, procurement, development and approval processes and policies.
3. What data should not be entered into AI tools?
This question will typically need to be addressed from data protection, confidentiality and contractual perspectives alike.
4. What contractual risks arise from the AI tools we use?
Many businesses assume significant AI-related exposure without having adequately reviewed the terms governing the tools they use, including liability limitations, data transfer arrangements and intellectual property provisions.
5. Which decisions call for particular caution?
Any use of AI that may influence decisions relating to employees, customers or consumers requires especially careful scrutiny.
6. Is an AI policy enough, or is more required?
In most cases, the correct answer is that a policy is necessary, but it needs to be accompanied by legal review, contractual review, data protection assessment and appropriate operational controls.
Which business interests require particular protection?
In reality, AI-related legal compliance is driven by a number of clear and legitimate business interests.
Above all, businesses need to protect:
confidential business information;
personal data;
the company’s intellectual property and development outputs;
customer trust and reputation; and
accountability and control structures surrounding decision-making.
In many cases, the immediate consequences of uncontrolled AI use are not regulatory fines. More often, they take the form of confidential information leakage, data protection incidents, inaccurate or misleading business communications, decisions based on insufficiently reviewed AI outputs, employment or contractual disputes, intellectual property concerns, and accountability issues that are difficult to reconstruct after the event.
Which other laws need to be considered alongside the AI Act compliance requirements?
It is important for companies to recognise that the AI Act does not provide a complete answer on its own. The use of AI will often engage other areas of law as well, in particular:
data protection (GDPR);
trade secrets and information security;
intellectual property and copyright;
employment law;
consumer protection and digital regulation; and
contractual and supplier compliance.
Accordingly, AI legal readiness is, for most businesses, not a matter of a single regulatory issue, but of coordinating multiple legal disciplines.
For that reason, the most effective first step for many companies is a targeted legal assessment. Its purpose is typically to enable the business, within a relatively short period of time, to obtain a clear view of where AI is currently being used, which uses require immediate action and what kind of action is needed, where internal governance may be sufficient, where contractual, data protection or employment law review is required, and what steps ought to be taken before 2 August 2026.
How can our Firm assist?
In the area of AI compliance, our Firm’s role is first and foremost to help businesses obtain clear, accurate and commercially practical answers to the questions most relevant to them.
We typically assist with:
legal mapping and risk classification of AI use;
the design of internal AI governance frameworks and policies;
addressing data protection, confidentiality and employment law issues;
reviewing AI vendor and technology agreements;
assessing customer-facing or internal AI processes from a legal perspective;
providing focused training and preparedness support to management and business teams.
We do not offer generic, template-based solutions. Rather, we provide legal support tailored to the organisation’s actual operations, risk profile and commercial objectives.
If helpful, we would be very pleased to discuss which AI use cases within your organisation ought to be prioritised for legal review at this stage.
