EU AI ACT · TREND 2026
EU AI regulation trend 2026: deadlines, GPAI obligations and Switzerland's response
May 2026: prohibitions in force since February 2025, GPAI models regulated since August 2025, high-risk from August 2026. Swiss link via market access.
Researched & fact-checked by: DuneDive LLC · As of: 2026-05
What does EU AI regulation mean in May 2026?
The EU AI Act (Regulation 2024/1689) was published in the EU Official Journal in June 2024 and came into force on 1 August 2024. It applies in a staggered way by risk category. As of May 2026 the picture is concrete:
In force since February 2025: the eight prohibited AI practices (Art. 5) – social scoring by authorities, manipulation, untargeted facial recognition databases, emotion recognition in work and education, biometric categorisation of sensitive traits. Violations: fines up to 7% of global annual turnover.
In force since August 2025: General-Purpose AI models (GPAI, Art. 53-55). Providers of models like GPT-4o, the current top Claude model, Gemini 2.5, Llama 4, Mistral Large 2 must produce a model card dossier, a training data summary and copyright compliance evidence. For "systemic risk" models (training compute > 10^25 FLOPS) additional obligations apply: model evaluation, cybersecurity, incident reporting. The GPAI Code of Practice (version 3, March 2026) concretises the obligations.
Applicable from August 2026 (in 3 months): high-risk AI systems per Annex III. These include systems in: candidate selection, credit scoring, insurance underwriting (life/health), migration and asylum, criminal justice, plus AI as a safety component in regulated products (machinery, medical devices). Obligations: risk-management system (Art. 9), data governance (Art. 10), technical documentation (Art. 11), logging (Art. 12), transparency (Art. 13), human oversight (Art. 14), accuracy/robustness (Art. 15).
Applicable from August 2027: all remaining provisions fully applicable. Includes the high-risk obligations for systems embedded in Annex I regulated products (machinery directive, toys directive, etc.).
Why it matters for Swiss SMEs
Switzerland is not an EU member – the AI Act does not apply directly. Yet it hits Swiss companies in at least three configurations.
First, market access: anyone selling AI systems or AI-containing products into the EU must meet AI Act obligations. A Swiss SaaS vendor with German customers becomes a provider under the EU AI Act. A Swiss law firm working with German clients is not directly a provider – but may use GPAI models and is therefore a "deployer" with its own duties.
Second, de-facto standard: Swiss authorities use the EU AI Act as reference. A federal Swiss AI strategy (May 2026) explicitly references the AI Act as the "international reference framework". The Federal Department of Justice and Police presented an April 2026 report preparing the AI Act's transposition into Swiss law – expected effective date 2028. Until then supervisory bodies (FINMA, Federal Data Protection Officer) use the AI Act as an interpretation guide.
Third, contractual cascade: international vendors (Microsoft, Google, SAP, Salesforce) extend their DPA templates with EU AI Act compliance clauses. Swiss firms using their services are contractually obligated to document GPAI risk assessment and high-risk categorisation. Even when effort is small (Swiss SMEs are rarely "high-risk"), it must be on file.
Particularly relevant for fiduciaries and lawyers in May 2026: AI-driven candidate selection is high-risk from August 2026. Anyone using HireVue, Pymetrics or in-house LLM-based CV screeners in recruiting falls under high-risk obligations – risk management, logging, human oversight to be documented. Welfare/credit scoring on clients: also high-risk if automated.
How it works
The AI Act follows a risk-based pyramid.
Prohibited (Art. 5): eight practices not allowed under any circumstances. In force since February 2025.
High-risk (Annex III + Annex I): AI systems in 9 areas – biometric identification, critical infrastructure, education, employment, essential services (credit, social benefits, insurance), criminal justice, migration, justice, democratic processes. Providers must meet 8 obligations (Art. 9-15 plus conformity assessment, CE marking, EU database registration). Effective August 2026 (Annex III) and August 2027 (Annex I).
Limited risk (Art. 50): chatbots, deepfakes, AI-generated content. Transparency duties – the user must know they are talking to AI. Effective August 2026.
Minimal risk: everything else. No obligations, voluntary codes of conduct recommended.
Cross-cutting GPAI (Art. 51-56): providers of foundation models (GPT-4, Claude, Llama, Mistral, Gemini) have their own duties – technical documentation, training data summary, copyright compliance, cooperation with authorities. For "systemic risk" models (10^25 FLOPS or by AI Office assessment) additionally model evaluation, cybersecurity, incident reporting. In force since August 2025.
The GPAI Code of Practice (prepared by the EU Commission with over 1000 stakeholders, version 3 in March 2026) concretises the rules. Signing it gives a provider a "presumption of conformity" – a rebuttable presumption of compliance. As of May 2026 Mistral, OpenAI, Microsoft, Google and Anthropic have signed; Meta refused ("goes beyond what the regulation demands"). The separate "AI Liability Directive" was withdrawn in February 2026 and is not coming for now.
EU AI Office (part of the EU Commission, in Brussels, active since February 2024) supervises the GPAI rules. National market surveillance authorities supervise high-risk systems – in Germany partly BNetzA, BAFA, BfDI; in France CNIL and ANSSI.
How to track and adopt this trend in 5 steps
- 01 Market watch: monthly updates from the EU AI Office (digital-strategy.ec.europa.eu/en/policies/ai-office), EDPB and national authorities. On the Swiss side: Federal Office of Justice, FDPIC, FINMA notices.
- 02 AI inventory: list every AI tool used in the company (ChatGPT, Bexio-AI, Outlook Copilot, in-house n8n flows with Anthropic API). For each tool record data flow, AI Act category (prohibited / high-risk / transparency / minimal) and EU link.
- 03 GPAI provider check: for each model used, verify whether the provider signed the Code of Practice. For Llama 4 (Meta did not sign) explicitly document that your own assessment was performed.
- 04 High-risk check: do any internal uses constitute a high-risk scenario per Annex III (recruiting AI, scoring, insurance underwriting)? If yes, implement the 8 duties before August 2026 or shut the system down.
- 05 Compliance dossier: for each AI tool, a short note with provider, model, AI Act category, DPA status, risk-assessment date. In May 2026 a 1-2 page document per tool suffices – existence matters more than depth.
When the AI Act is relevant for you
In May 2026 three configurations are directly relevant.
You use AI with EU customers or an EU establishment: you are a "deployer" (Art. 26). You must read and follow the provider's instructions, operate the system as intended, keep logs, ensure human oversight for high-risk systems and inform staff. A Swiss fiduciary with German clients: check for each AI tool whether it is classified high-risk.
You sell an AI product into the EU: you are a "provider" (Art. 16). Full obligations depending on risk category – for high-risk the eight main duties plus CE conformity assessment. For GPAI models as end product: documentation, training data, copyright.
You build a recruiting or scoring system for the EU: that is high-risk from August 2026. Even the SME variant of "internal candidate selection with GPT help" – if evaluated candidates are EU citizens, the obligations apply.
For purely Swiss-internal use (customers only in CH, no EU link) the AI Act does not apply in May 2026. But: revFADP (in force since September 2023) already includes parts of the transparency and data protection requirements. A clean revFADP implementation puts a sizeable share of the later Swiss AI Act transposition already in place.
When the AI Act does not bite
In May 2026 three configurations are exempt.
Research and pre-production: AI systems used purely in a research or development setting are out of scope, provided they are not placed on the EU market or put into service (Art. 2(6)).
Personal, non-professional use: a private individual using ChatGPT for homework help is not a "deployer".
Purely Swiss-internal AI without EU link: until the Swiss transposition (originally expected 2028, perhaps 2029 now) there is no direct scope. But: revFADP, SCC Art. 321 (professional secrecy), Art. 957a CO (bookkeeping) and FINMA requirements still apply. AI use in fiduciary or legal practice must meet those, AI Act aside.
Myths in May 2026:
"Chatbots are banned." Wrong. Chatbots are not high-risk, just under transparency duty – the user must know they are talking to AI.
"GPT-4o cannot be used in the EU." Wrong. GPT-4o is GPAI with systemic risk – OpenAI must meet the GPAI duties (it does per the Code of Practice). EU users can deploy it, with their own deployer duties.
"Open-weight is exempt." Partly. Art. 53(2) relieves open-source providers of some documentation duties, provided they have no systemic risk status. Llama 4 Maverick could be classified as systemic – in which case the duties apply anyway.
"Fines only from August 2026." Wrong. Fines for prohibited practices have been live since February 2025, for GPAI breaches since August 2025.
Trade-offs
STRENGTHS
- Clear risk categories help focus effort on the right AI tools
- GPAI obligations force model providers towards more transparency (training data, copyright)
- The Code of Practice creates legal certainty for signing providers
- Switzerland benefits from EU groundwork without having to regulate immediately
WEAKNESSES
- High-risk compliance expensive (CHF 40-100k one-off for SMEs)
- Provisions vague in detail – many delegated acts and guidelines still pending
- Swiss firms without EU link face legal uncertainty about the upcoming Swiss transposition
- Meta's refusal of the Code of Practice creates camps in the open-weight world
FAQ
Does the AI Act hit me if I only have Swiss clients?
Directly no, indirectly often yes. If you use an AI tool from an EU vendor (Mistral, SAP, Microsoft 365 Copilot) the contractual cascade catches you. If one of your clients has an EU establishment, deployer duties there apply through your service. A pure CH-CH constellation without EU link is not in scope of the AI Act in May 2026 – but revFADP and SCC 321 still apply.
What does high-risk AI compliance cost?
Estimates in May 2026 (main source: CEPS study January 2025, validated by EU Commission impact assessment): one-time CHF 25-100k for initial build (risk management, documentation, conformity assessment), ongoing CHF 5-30k yearly for monitoring and updates. For an SME with a single high-risk system realistically CHF 40-60k one-off plus CHF 10k annually. Where possible avoid high-risk use and keep AI outside Annex III.
What happened to the AI Liability Directive?
It was withdrawn by the Commission on 11 February 2026. Reasoning: consumer law and the revised Product Liability Directive (PLD, new in 2024) already cover the liability questions. The declaratory effect remains: national damages claims about AI failures continue under existing law. In Switzerland CO and Product Liability Act still apply unchanged.
Should I sign the GPAI Code of Practice?
Only if you provide a GPAI model yourself – that affects very few firms. Swiss SMEs as users do not sign; the Code is for model providers. But you check whether your provider has signed – Mistral, OpenAI, Microsoft, Google, Anthropic yes; Meta no. Providers without signature are not automatically non-compliant but must prove compliance via case-by-case assessment.
Sources
- EU AI Act – Regulation (EU) 2024/1689, full text · 2024-07
- EU AI Office – GPAI Code of Practice (final version) · 2026-03
- EU Commission – withdrawal of the AI Liability Directive (work programme) · 2026-02
- Swiss Federal Council – Report on AI regulation · 2026-04
- CEPS – Compliance cost study of the EU AI Act for SMEs · 2025-01