To prepare for the EU AI Act, fully applicable around 2 August 2026, you take four steps: classify the risk of each AI system, document what it does and on what data, keep a human in the loop where people are affected, and train your team. The AI-literacy obligation is already in force, and in Romania ANCOM is the surveillance authority.
- In short: the EU AI Act becomes fully applicable around 2 August 2026, and practical preparation has four steps — classify the risk, document, keep a human in the loop, and train your staff.
- The first step is classification: most business AI systems fall into "limited risk" or "minimal risk", not "high risk".
- The obligation to train your staff on AI (AI literacy) is already in force — it does not wait for August 2026.
- In Romania, ANCOM has been designated the market-surveillance authority for the AI Act.
What changes with the EU AI Act from August 2026?
The EU AI Act is the first European regulation that sets clear rules on how firms develop and use AI systems. Its application is staged: some prohibitions and the AI-literacy obligation are already active, while the bulk of the rules for high-risk systems becomes fully applicable around 2 August 2026, according to the specialist press (Digi24). The regulation classifies AI systems by risk level and imposes obligations proportional to the risk — the more a system can affect people's rights or safety, the more requirements it carries. For most companies in Romania, the good news is that their business applications (an internal chatbot, a document automation, an assistant that answers from company documentation) fall into the light-requirement categories, not "high risk".
Important for companies in Romania: ANCOM has been designated the market-surveillance authority for the AI Act (financiarul.ro, cursuri-ai.ro). That means there is a national body that will check compliance, so "nobody is watching us" is no longer a strategy.
How do I classify the risk of the AI systems I use?
Risk classification is the first concrete step and decides how many obligations you have. The AI Act splits systems into four risk categories. The table below explains them for a non-lawyer, with examples and what is required at each level. Run every AI system in your firm through this table before anything else — without classification, you don't know what to document.
| Risk level | Examples | What is required |
|---|---|---|
| Unacceptable risk | Social scoring, manipulation, certain biometric surveillance | Banned — cannot be used |
| High risk | AI in hiring, credit scoring, healthcare, critical infrastructure | Documentation, human oversight, risk management, registration |
| Limited risk | Chatbots, AI-generated content | Transparency: the user must know they are interacting with AI |
| Minimal risk | Spam filters, internal automations with no impact on people | No specific obligations (good-practice code recommended) |
The most common trap is to assume you are "high risk" and block projects out of excessive caution, or the reverse — to run an AI hiring system without realising that this one is precisely "high risk". That is why correct classification, system by system, is the first investment to make.
What is the practical compliance checklist for a company?
For a firm without a dedicated AI legal department, preparation comes down to four operational steps, in order. You don't need to be a lawyer to go through them; you need to be organised.
- Classify the risk of every AI system you use or develop, using the four categories above.
- Document: what the system does, on what data, what it decides, who is responsible for it. For high risk, documentation is mandatory; for the rest, it is good hygiene anyway.
- Keep a human in the loop where the system makes decisions affecting people — the model proposes, the person confirms.
- Train your team: those who use AI must understand what it can and cannot do, and what its limits are. This is the AI-literacy obligation, already in force.
Step four is neither optional nor waiting for August 2026. The obligation to ensure a sufficient level of AI knowledge among staff (AI literacy) is already active, and training demand has followed: participation in AI courses grew by over 100% in 2025, according to StartupCafe. If your team uses AI without being trained, you have a compliance problem, not just a productivity one. For team training, see our AI services, including workshops and training.
What fines do I risk if I don't comply?
The AI Act provides serious sanctions, calibrated to the severity of the breach, going up to significant percentages of global annual turnover for the worst cases (for example, using a banned system), according to the specialist press (Digi24). For less severe breaches, fines are lower but still significant. The exact figures and how they apply in Romania remain with the surveillance authority (ANCOM) and the national legal framework, so for precise values and legal interpretation you need specialised legal advice — this article is an operational guide, not a legal opinion.
If you are unsure which risk category your systems fall into or what you need to document, book a free initial call with the Sapio team. We establish together where you stand against the requirements and which concrete steps follow — from risk classification to team training. The initial call is free; if you need a full technical assessment of your AI systems, the AI Technical Audit follows (our paid service). Start the conversation with a free discovery call.
The EU AI Act becomes fully applicable around 2 August 2026, and in Romania ANCOM has been designated the market-surveillance authority — according to Digi24 and financiarul.ro.
Frequently asked questions
When does the EU AI Act become mandatory for companies?
Application is staged. Some prohibitions and the AI-literacy obligation are already active, while the bulk of the rules for high-risk systems becomes fully applicable around 2 August 2026, according to the specialist press (Digi24). That means preparation should start now, not in the summer of 2026.
Who enforces the AI Act in Romania?
ANCOM has been designated the market-surveillance authority for the AI Act in Romania (financiarul.ro, cursuri-ai.ro). So there is a national body that will check compliance and apply sanctions. For a precise legal reading of your obligations you need specialised legal advice; this article is an operational guide.
Is my AI system considered "high risk"?
Probably not, if it is an internal automation or a chatbot. "High risk" covers AI in hiring, credit scoring, healthcare, or critical infrastructure. Most business applications fall into "limited risk" (where you just tell the user they are talking to an AI) or "minimal risk" (no specific obligations). Classify each system through the four categories before anything else.
Do I have to train my employees under the AI Act?
Yes. The obligation to ensure a sufficient level of AI knowledge (AI literacy) among staff using these systems is already in force; it does not wait for August 2026. Demand has followed: participation in AI courses grew by over 100% in 2025 (StartupCafe). If your team uses AI untrained, you have a compliance problem.
What fines does the AI Act provide?
Sanctions are calibrated to severity and can reach significant percentages of global annual turnover for the worst cases, according to the specialist press (Digi24). For lighter breaches, fines are smaller but still significant. Exact values and enforcement in Romania rest with ANCOM and the national framework; for precision, consult a legal specialist.
Want to discuss a project?
Book a free discovery call with the Sapio team.