The EU AI Act without the legal jargon
The world's first comprehensive law on artificial intelligence is already in force. We explain what it actually means for small and mid-sized businesses in Lithuania — and why, for most companies, the duties are light.
What is the EU AI Act and does it affect my business?
The EU AI Act is Regulation (EU) 2024/1689, the world's first comprehensive law on artificial intelligence, in force since 1 August 2024. It is a regulation, so it applies directly in Lithuania — no separate national law is needed for it to be binding.
Even if you only USE AI tools, a few duties already apply to you: ensuring your staff's AI literacy, disclosing when people interact with a chatbot or AI-generated content, and avoiding banned uses. The duties differ sharply depending on which AI system you use and what role you play.
The good news: the large majority of everyday AI use in a small business falls into the minimal-risk tier and is barely regulated. Strict duties only apply to high-risk systems (such as AI for hiring or credit scoring), not to ordinary office AI.
What applies, and when
The AI Act rolls out in phases. Here are the key dates worth knowing.
- 2024-08-01
The AI Act entered into force
Regulation (EU) 2024/1689 entered into force 20 days after publication in the Official Journal. All subsequent phased deadlines are counted from here.
- 2025-02-02
Banned uses and AI literacy
The Article 5 prohibitions (e.g. social scoring, emotion recognition at work) and the Article 4 AI literacy duty began to apply. The literacy duty binds both providers and deployers — so even companies that merely use AI.
- 2025-08-02
General-purpose AI, governance and penalties
Rules for general-purpose AI models, the governance bodies (the EU AI Office) and the penalty regime began to apply. GPAI models already on the market have until 2 August 2027 to comply.
- 2026-08-02
General application date
Most remaining provisions begin to apply, including the Article 50 transparency duties for chatbots and AI-generated content. This is the main application date of the regulation.
- 2027-12-02
Standalone high-risk systems (proposed)
ProposedUnder the 'Digital Omnibus' proposal, obligations for standalone high-risk systems (Annex III) would be deferred to this date. The original date was 2 August 2027. These dates are not final.
- 2028-08-02
Product-embedded high-risk (proposed)
ProposedUnder the proposal, obligations for product-embedded (Annex I) high-risk systems would be deferred to this date. Until the 'Digital Omnibus' is finally adopted, this date may change.
Important: the high-risk deadlines are moving. The EU 'Digital Omnibus on AI' proposal (provisional agreement reached on 7 May 2026) would defer standalone high-risk obligations to 2 December 2027 and product-embedded ones to 2 August 2028. This is NOT yet final law: until it is adopted and published, the original dates remain the legal baseline. Always verify the dates against official sources.
The four risk levels, with examples
The AI Act uses a risk-based approach. The greater the potential harm to people, the stricter the duties. Here is which 'bucket' your tool might fall into.
Prohibited uses
These uses are banned outright under Article 5 and have been since 2 February 2025. No conformity procedure can make them lawful.
- Social scoring of people
- Emotion recognition of staff or students
- Untargeted scraping of faces to build recognition databases
- Manipulative or deceptive steering of behaviour that causes harm
Strict obligations
Annex III areas and product safety components. Even a deployer has Article 26 duties: human oversight, monitoring, log-keeping and informing affected people.
- AI for hiring and CV screening
- Creditworthiness and loan scoring
- Life or health insurance risk assessment
- Critical infrastructure and grading in education
Transparency duties only
Applies to chatbots and AI-generated content (Article 50). Clearly informing people is enough — no conformity procedure is required.
- Chatbots and virtual assistants
- AI-generated images, audio and video
- Deepfake content
- AI-generated text on matters of public interest
No special duties
Covers the large majority of AI use. Unregulated under the Act — only the cross-cutting AI literacy duty (Article 4) applies.
- Spam filters
- Recommendation features
- Inventory or route optimisation
- Most office and creative AI tools
Transparency for chatbots and AI content
Limited-risk systems follow one simple rule: people must know when they are dealing with AI or seeing AI-generated content. In practice this is usually a single short notice or label.
Disclose the chatbot
People must be able to tell they are dealing with AI rather than a person — at the latest at the first interaction (unless it is obvious).
Mark AI-generated content
AI-generated or manipulated images, audio and video must be marked in a machine-readable way.
Disclose deepfakes
If you create or manipulate a deepfake image, audio or video, you must disclose that the content is artificially generated or manipulated.
Label public text
AI-generated text published to inform the public on matters of public interest must be disclosed (with exceptions for edited content). A voluntary Code of Practice supports implementation.
AI literacy — it applies to you since February 2025
Article 4 binds both providers and deployers, i.e. any business that uses AI professionally. You must ensure that staff who use AI tools have a 'sufficient' level of understanding, proportionate to their role. For a small business, that can be very light.
A simple AI-literacy starter list
- A short internal briefing for staff who use AI tools.
- Clear usage guidelines: what is and isn't allowed with AI.
- Awareness of AI's limits — possible errors, 'hallucinations' and bias.
- A reminder to check outputs and protect confidential and personal data.
- A short note that literacy measures are in place (it shows your effort).
Who has which duties
Duties differ sharply by role. Most Lithuanian companies are deployers — with lighter duties than the makers of an AI system.
Provider
Develops or brands an AI system and places it on the market under its own name. The heaviest duties: risk management, documentation, data governance, conformity assessment, CE marking.
Deployer
Uses an AI system in its own business. Lighter duties: for high-risk, Article 26 (follow instructions, human oversight, monitoring), plus Article 50 transparency and Article 4 literacy. Most small companies sit here.
Importer
Places a system made outside the EU on the EU market. The main duty (Article 23) is to verify the CE marking, declaration of conformity and documentation before making a high-risk system available.
Distributor
Makes a system available in the supply chain. Under Article 24 it must check conformity before making a high-risk system available and act if it is non-compliant.
Warning (Article 25): if you re-brand a high-risk system with your own trademark, substantially modify it, or change its intended purpose, you BECOME a provider with all the heaviest duties.
What non-compliance can cost
Penalties under Article 99 have three main tiers. They target serious breaches, not the honest efforts of a small business.
Prohibited uses
Up to €35 million or up to 7% of total worldwide annual turnover, whichever is higher, for the Article 5 prohibited uses.
Other duties
Up to €15 million or up to 3% of turnover for other operator obligations, including transparency (Article 50) and high-risk deployer duties.
False information
Up to €7.5 million or up to 1% of turnover for supplying incorrect, incomplete or misleading information to authorities.
Protection for small businesses (Article 99(6)): for SMEs and start-ups, each fine is capped at whichever of the fixed amount or the percentage is LOWER (not higher). Fines must also be proportionate and take account of the company's economic viability.
Relief and support for small businesses
The AI Act provides specific relief for small and mid-sized businesses — from free sandboxes to simplified documentation.
Regulatory sandboxes (Article 62)
SMEs and start-ups get priority and free access to AI regulatory sandboxes.
Reduced fees
Conformity-assessment fees are reduced proportionately to company size, market size and other indicators.
Simplified documentation
SMEs and small mid-caps may provide technical documentation in a simplified form (Article 11 / Annex IV).
Awareness and help
Member States provide tailored awareness, training and dedicated help channels, and the EU AI Office offers templates and an AI Act Service Desk.
How the AI Act is implemented in Lithuania
Lithuania has already designated its national AI Act authorities, adopted enabling amendments in January 2025, and is among the first Member States to set up an AI sandbox.
Communications Regulatory Authority (RRT)
The main market surveillance authority and single point of contact (Article 70). Lithuania chose a centralised single-authority model.
Innovation Agency Lithuania
The notifying authority and the operator and supervisor of the national AI regulatory sandbox (Articles 28, 57).
National guidance
For specific questions and national guidance, contact RRT and the Innovation Agency. Remember — the GDPR applies in parallel, supervised in Lithuania by the State Data Protection Inspectorate (VDAI).
A checklist if you only USE AI tools
A typical company using non-high-risk AI has a light but non-zero compliance load. Here are the practical steps.
AI Act readiness self-check
Answer five short questions and instantly see which AI Act duties may be relevant to you. Nothing is stored or sent.
Answer five questions about how you use artificial intelligence. The results update instantly and flag which AI Act duties are worth your attention. This is an orientation tool, not legal advice.
Your results
Answer the questions above — tailored results will appear here.
This self-check is for orientation only and is not legal advice. The actual risk classification of an AI system depends on its specific use case. Before making decisions, consult a qualified legal or compliance professional.
Selected topics in detail
Dedicated pages for the most important AI Act topics. We are expanding these sections over time.
Frequently asked questions
Yes, but in a very limited way. If you only use AI tools, you are a deployer: AI literacy (Article 4) and, where relevant, transparency (Article 50) apply to you. No CE marking, conformity assessment or registration is required of a deployer using non-high-risk tools.
Important note: this is not legal advice
This page is general information and is NOT legal advice. The EU AI Act is complex and fact-specific, so consult a qualified lawyer or compliance professional before making decisions. The risk classification of a specific AI system depends on its use case, and the high-risk deadlines may change as the 'Digital Omnibus' is finalised. The figures, article references and dates were verified against official sources as of June 2026 — always check the latest official texts.
Need help with AI compliance?
We'll help you understand which AI Act duties apply to your specific business and lay out practical steps — without the legal jargon.