The EU AI Act for companies in Romania: obligations and concrete steps

Published: June 9, 2026 · Updated: June 10, 2026

The EU AI Act (Regulation (EU) 2024/1689) is the first comprehensive law for artificial intelligence. It classifies AI systems by risk level, bans certain practices, and sets obligations for both providers and the companies that use AI. It entered into force on August 1, 2024, and its obligations apply in stages through 2027.

Many companies in Romania treat the EU AI Act as tomorrow's problem. The calendar says otherwise: some of the obligations have applied since February 2, 2025, and the big application milestone arrives on August 2, 2026. This guide shows you what concretely applies to you, depending on your role and the systems you use, without panic and without unnecessary legal jargon.

Governance is not a legal brake. It is operating discipline: who decides, by what criteria, with what evidence. Companies that treat it this way turn compliance into an advantage with customers and partners.

Who it applies to: provider or deployer?

The regulation splits responsibility by role. The provider develops an AI system or places it on the market under its own name. The deployer uses an AI system professionally: a customer chatbot, a hiring screening tool, a scoring system.

Most companies in Romania are deployers, not providers. The good news: deployer obligations are fewer. The news that deserves attention: they exist for you too, even if you only use bought tools, and in certain situations you can become a provider without intending to, for example if you rebrand an AI system or modify it substantially.

The application calendar: what applies now and what comes next

  • August 1, 2024: the regulation entered into force. All the deadlines below flow from here.
  • February 2, 2025, already applicable: the bans on unacceptable-risk practices (for example social scoring, manipulation through subliminal techniques, certain forms of emotion recognition in the workplace) and the AI literacy obligation: staff working with AI must have a sufficient level of understanding.
  • August 2, 2025, already applicable: the obligations for general-purpose AI models (GPAI) and the governance and penalties framework.
  • August 2, 2026: general application of the regulation. The transparency obligations for systems such as chatbots, the governance framework, and the penalties become applicable. For the obligations of high-risk systems under Annex III, see the Digital Omnibus note below.
  • August 2, 2027: the extended deadline for high-risk systems embedded in regulated products (Annex I).

One context note, updated: on May 7, 2026, the Council and the European Parliament reached a provisional political agreement on the Digital Omnibus package, which defers the obligations for high-risk systems under Annex III to December 2, 2027 (and for regulated products under Annex I, to August 2028), pending formal adoption. The obligations already in force are not affected: the bans, AI literacy, and the rules for general-purpose models remain applicable, and transparency, the governance framework, and the penalties take effect on August 2, 2026.

If you are reading this guide in 2026, the practical conclusion is simple: the bans and AI literacy already apply to you, transparency and penalties arrive on August 2, 2026, and for high-risk you have gained time until December 2027. That time is for inventory and classification, not for postponement: systems contracted in 2026 will outlive every deadline.

The risk categories, in business terms

  1. Unacceptable risk: practices banned outright. Examples: social scoring by authorities, manipulating behavior through subliminal techniques, exploiting vulnerabilities. The answer here is simple: no.
  2. High risk: systems used in sensitive areas, for example recruitment and employee management, access to essential services, credit scoring, education, critical infrastructure. Most obligations concentrate here.
  3. Limited risk: transparency obligations. People must know they are interacting with an AI, and generated or manipulated content (for example deepfakes) must be labeled.
  4. Minimal risk: the vast majority of applications, from spam filters to product recommendations. No new obligations, but good practices remain good practices.

The useful question for you is not "what is AI in general" but: which category does each system you use or build fall into?

Concrete examples: where do common systems land?

A few typical classifications to calibrate your inventory (every real case needs checking against the regulation's criteria):

  • Customer support chatbot: usually limited risk; the main obligation is transparency: the customer knows they are talking to an AI.
  • CV screening or employee evaluation: high risk; here you enter the full set of deployer obligations.
  • Credit scoring or evaluating access to essential services: high risk.
  • Spam filter, product recommendations, automatic proofreading: minimal risk; no new obligations.
  • Marketing content generation with public tools: transparency obligations for generated content in the situations the regulation covers, plus AI literacy for the people using them.
  • Monitoring employee emotions in the workplace: in the forms the regulation targets, a banned practice.

The same tool can land in different categories depending on use: a generative model used for marketing is one thing, the same model used for hiring decisions is something else entirely. You classify the use, not the logo.

What you must do if you only use AI

For high-risk systems, the deployer has obligations of its own, including:

  • use the system according to the provider's instructions;
  • assign competent human oversight: someone understands the system and can intervene;
  • make sure the input data under your control is relevant to the system's purpose;
  • monitor operation and inform the provider when problems appear;
  • keep the logs the system generates, to the extent they are under your control;
  • inform employees and their representatives before using a high-risk system in the workplace.

For chatbots and generated content, the transparency rule is simple: people must know they are talking to an AI, and generated content must be labeled appropriately in the situations the regulation covers.

AI literacy: the obligation that already applies

Article 4 requires that staff working with AI systems have a sufficient level of AI literacy: understanding what the system can and cannot do, what risks it brings, and how to use it correctly. The obligation has applied since February 2, 2025, to providers and deployers alike.

In practice this means an internal program proportional to your use of AI: who works with AI, on which systems, what each role needs to know, and how you prove it happened. A generic training session ticked off once does not honor the spirit of the obligation; real, documented enablement does.

The penalties, so you know the stakes

Fines can reach up to EUR 35 million or 7% of global annual turnover for banned practices, and up to EUR 15 million or 3% for breaching other obligations. For small and medium companies, the lower of the two values applies. The real stakes are not just the fine: they are customer and partner trust, plus the operational blockages when you discover late that a system needed different documentation.

The concrete steps, in order

  1. Inventory your AI systems: everything the company uses, from bought tools to internal scripts. Without an inventory, any compliance discussion is theory.
  2. Establish the role for each system: are you a deployer or, for some, even a provider?
  3. Classify by risk: banned, high, limited, minimal. Document the reasoning.
  4. Name an owner: one person accountable for AI governance, with a real mandate. If the board asks you tomorrow who owns AI, you have a name.
  5. Start the AI literacy program: proportional, role-based, with evidence.
  6. Put the minimum operating discipline in place: usage instructions, assigned human oversight, retained logs, an incident reporting channel.
  7. Check your vendor contracts: who guarantees what, what documentation you receive, what happens in an incident.
  8. Reassess periodically: systems change, usage changes, classification can change.

This guide is for orientation only and is not legal advice. For your concrete situation, our team includes a legal consultant who saw the EU AI Act negotiations from the inside, at Renew Europe.

FAQ

Does the EU AI Act apply to small companies too?

Yes. The regulation does not exempt SMEs from obligations; it provides support measures and proportional penalties. Your obligations depend on your role and the risk of the systems you use, not on company size.

We only use ChatGPT and Copilot. Does it concern us?

Yes, on at least two fronts: the AI literacy obligation for the staff using them, already in force, and the transparency rules for generated content. You also need a clear internal policy: what data employees are allowed to put into these tools.

What do we risk if we do nothing until August 2, 2026?

For banned practices, penalties already apply. For the rest, exposure grows with general application: fines of up to EUR 15 million or 3% of turnover for breaching obligations, plus the commercial risk with customers who ask you for compliance evidence.

Where do we start, practically?

With the inventory and classification: which AI systems you use and which risk category each falls into. Then name the owner and start AI literacy. The first three actions cost time, not big budgets, and show you the real size of the topic for your company.

Do we need a dedicated AI Officer?

The regulation does not mandate a role with that name, but it does require that someone effectively owns human oversight and operating discipline. In small companies the role can be carried by an existing employee, with a written mandate; what matters is that accountability is owned, not diffuse.
