It's only eight weeks from a deadline that recruiters should already be worried about.
Most of the noise about the EU AI Act has been about the big model makers: who signed the General-Purpose AI Code of Practice, who didn't, and what Meta's refusal to sign says about the company. That's a fair commercial question, and I'll come back to it. But it has distracted a lot of leaders from the part of this law that will actually land on their desk first.
This usually surprises people. The vast majority of AI systems running in EU businesses right now are, in the eyes of the Act, minimal risk. Spam filters, AI in video games, most of the everyday tooling: no new rules at all. The regulation targets a specific list of uses where a bad decision ruins someone's life, and everyday chatbots fall outside it. And that list catches things ordinary companies do every week.
Read the high-risk categories and you'll find CV-sorting software for recruitment, tools for managing workers, exam-scoring systems in education, and credit scoring that decides whether someone gets a loan. None of that sounds exotic. A mid-sized firm using an off-the-shelf tool to filter job applicants is, on paper, operating a high-risk AI system. That carries real obligations: proper risk assessment, high-quality data to avoid discriminatory outcomes, activity logging so you can trace how a decision was reached, clear documentation, and meaningful human oversight. That means a human who can actually intervene rather than just tick a box.
The dates are close now. The Act entered into force on 1 August 2024 and becomes fully applicable on 2 August 2026. That's roughly eight weeks away. The bans on the worst practices, things like social scoring and emotion recognition in workplaces, already took effect in February 2025. The transparency rules arrive in August 2026 too, which means you'll need to tell people when they're talking to a machine rather than a person, and label AI-generated content like deepfakes. For a UK consultancy advising clients who sell into or operate in the EU, "we'll look at it later" has run out of road.
So the practical first move is a conversation. Sit down with each EU-operating client and answer one question honestly: does anything you run land in that high-risk list, or are you genuinely in minimal-risk territory? Most will be fine. The ones who aren't tend to be exactly the ones who assumed they were, because recruitment and credit tools feel mundane until you read where the law draws its lines.
Now, the model-maker question. The Code of Practice for general-purpose AI is a voluntary framework that the largest model providers can sign to show they meet the Act's expectations.
The reporting around this story notes that Anthropic, OpenAI and Google signed, and Meta did not and xAI signed some.
Meta refused to sign the EU’s voluntary General-Purpose AI Code of Practice, which helps companies demonstrate compliance with the legally binding EU AI Act. Meta argued that the code creates legal uncertainty & goes beyond the Act’s requirements.
xAI did not refuse the entire code. It signed the Safety & Security chapter, but did not sign the Transparency or Copyright chapters. The European Commission confirms that xAI must demonstrate compliance with those obligations through alternative means.
If you're building a tool on top of a provider's API, the supplier underneath you has a posture towards this law, and that posture is now part of your risk assessment. A vendor who has publicly backed the Code is a different proposition from one who has declined. Meta's absence is a legitimate line in a due-diligence document. Raise it plainly when a client's product leans on Meta's models, without treating it as a scandal.
None of this requires panic, and it certainly doesn't require treating the Act as a war on innovation. The law mostly asks for things good leaders should want anyway: know what your system does, keep a record of its decisions, make sure a person can step in, and don't pretend a machine is human. The work is unglamorous. It's documentation, data hygiene and ownership. But it's the kind of work that separates organisations who use AI responsibly from those who'll be explaining themselves to a regulator in 2027.
If you advise EU-operating clients, the useful thing to do this fortnight is simple: build a one-page register of every AI tool each client uses, mark each one against the four risk tiers, and flag the recruitment and credit-scoring tools first. That list will tell you who needs to act before August and who can relax.