AI Act: What Brands Need to Know About AI

8 min - Expertise - 08 June 2026

The EU AI Regulation is no longer just a forward-looking piece of legislation. It has been in effect since August 2024. Since February 2025, it has prohibited certain practices. And by the end of 2026, transparency requirements will directly affect brands that use AI to generate content, personalize the user experience, or automate their e-commerce operations.

For marketing, product, and digital teams, the question is no longer “Should we be interested in this?” but “Where do we start?” Here’s what the AI Act actually requires and what it means for your product data.

What is the AI Act, and who does it apply to?

Regulation (EU) 2024/1689 was adopted by the European Parliament on March 13, 2024, published in the Official Journal on July 12, 2024, and entered into force on August 1, 2024. Its approach is risk-based: the greater the impact an AI system may have on safety, fundamental rights, or human health, the stricter the obligations.

The regulation applies to any entity that develops, distributes, imports, or deploys an AI system on the European Union market, including suppliers based outside the EU, provided that the system’s output is used within the EU. In other words: if your brand uses an AI tool to enhance product listings, make personalized recommendations, or generate marketing content, the AI Act applies to you, even if you did not develop the technology yourself.

The four risk levels: where do brands stand?

The AI Act classifies AI systems into four categories. Understanding which category your system falls into determines your actual obligations.

Unacceptable risk: practices prohibited since February 2025

As of February 2, 2025, the following practices are prohibited: social scoring, behavioral manipulation, and real-time biometric identification in public spaces (with certain exceptions). These prohibitions target the most intrusive uses, which have no direct connection to traditional marketing practices, but they establish a red line that must not be crossed.

High risk: strict requirements, but a delayed timeline

High-risk systems involve sensitive areas such as recruitment, credit, healthcare, and the justice system. Following the provisional political agreement on the Digital Omnibus reached on the night of May 7, 2026, the requirements applicable to high-risk systems listed in Annex III, which were scheduled to take effect on August 2, 2026, have been postponed to December 2, 2027. For brands, this primarily affects automated HR tools and certain credit systems, not standard marketing tools.

Limited risk: the e-commerce brand category

This is where the vast majority of AI’s marketing applications are found: chatbots, content generators, personalization tools, and product recommendations. Providers of chatbots, virtual assistants, and other general-purpose AI systems must comply with minimum requirements for documentation and transparency.

In practical terms: inform the user that they are interacting with an AI, and label AI-generated content as such.

Minimal risk: no specific requirements

Spam filters, data sorting tools, and recommendation systems that do not impact fundamental rights fall into this category. There are no regulatory requirements, but best practices should be followed.

The updated schedule following the Digital Omnibus

The AI Act does not take effect all at once. Article 113 of the regulation sets out four key implementation dates spread across 2025, 2026, and 2027. Here is the status as of June 4, 2026, following the Digital Omnibus agreement:

  • August 1, 2024: Effective date of the regulation
  • February 2, 2025: Bans (unacceptable risk)
  • August 2, 2025: Requirements for General-Purpose AI (GPAI) Models
  • August 2, 2026: General implementation
  • December 2, 2027: High-risk requirements, Annex III

What the AI Act Will Require of Brands in 2026

Transparency regarding AI-generated content

This is the most direct requirement for marketing and e-commerce teams. In the European Union, the AI Act requires that content generated or modified by AI be identifiable as such, at a minimum through machine-readable mechanisms (metadata, watermarking).

The responsibility for ensuring this transparency lies primarily with brands and agencies, which must label and clearly indicate to consumers when content has been generated or manipulated by AI. Arcom and the DGCCRF will be responsible for enforcing these provisions in France.

For brands, this means, in practice: AI-generated product descriptions, AI-edited images, customer service chatbots, and automatically generated advertising content.

Information on interactions with AI systems

If your website uses a chatbot or an AI-powered shopping assistant, users must be clearly informed of this. Failure to comply with the obligation to provide information and ensure transparency is punishable by a fine of €7.5 million or 1% of global annual revenue.

AI Literacy for Teams

Since February 2025, companies have been required to ensure that individuals who use or oversee AI systems possess the appropriate level of competence. This is not a requirement for formal training but rather an internal governance responsibility that must be documented.

Why product data quality is becoming a compliance issue

This is the aspect that brands are least prepared for: the AI Act establishes a direct link between regulatory compliance and the quality of the data fed into AI systems.

Inaccurate or non-compliant product information can quickly spread on a large scale, directly impacting customer trust and exposing companies to regulatory risks.

Whether you’re using AI to generate product descriptions, power recommendation engines, or personalize the user experience, the reliability of the output content depends directly on the quality of the input data. Without a clean product information management (PIM) system, algorithms lack the necessary data to learn. An AI project almost always begins with a data initiative. 

PIM governance capabilities (validation rules, approval workflows, completeness scoring, version history, and auditability) serve as a robust safety net. They ensure that the product data fed into AI engines has been checked, validated, and enriched through a combination of automation and human oversight.

In other words: a PIM is no longer just a productivity tool; it is a compliance infrastructure for AI.

Conclusion

The regulation of AI-generated content marks a new milestone in the maturation of e-commerce. It compels brands to shift from an opportunistic, experimental approach to a structured, governed, and sustainable one. The companies that succeed will not be those that use the most AI, but those that know how to use it intelligently, based on reliable product data, within a clear and controlled framework.

The AI Act is not a barrier to innovation; it is a framework that distinguishes brands that have structured their data management from those that have not. For teams that have invested in a centralized product repository, compliance is a mere formality. For others, it highlights gaps in data governance.

To summarize the article:

The AI Act now requires e-commerce brands to better regulate their use of artificial intelligence. As of February 2025, certain practices classed as unacceptable risk are prohibited, while requirements related to general-purpose AI models have been in effect since August 2025. For marketing, product, and digital teams, the main challenge is transparency: informing users when they interact with AI and making content generated or modified by AI identifiable.

But compliance isn’t limited to legal matters. It also depends on the quality of the product data used by AI systems. A PIM therefore becomes a powerful tool for governance, reliability, and compliance for brands that want to use AI without exposing their business to unnecessary risks.

Thibault Herpin
Content Manager