Back to insights
eu-ai-actbelgiumcompliancedeadline

The EU AI Act is already in force in Belgium — here's what to do before August 2026

Stéphane WillemsStéphane Willems6 min read

Most Belgian business owners I talk to think the EU AI Act is a 2027 problem. It isn't. Parts of it have been legally binding since February 2025, and the deadline that affects the most companies — high-risk AI systems — lands in August 2026. That's weeks away, not years.

I'm not a lawyer, and this isn't legal advice. I'm an engineer who builds and audits AI systems for Belgian companies, and I spend a lot of my week explaining what this regulation actually means once you strip away the legalese. This is the version I give to operations directors and CEOs who don't have a compliance department.

The part almost nobody knows: the literacy obligation is already live

Here's the one that surprises people. Since 2 February 2025, Article 4 of the AI Act has required that any organisation using AI systems ensures its staff have a sufficient level of AI literacy.

Not "should consider." Required. As of over a year ago.

In practice this means: if your team uses AI tools — and almost every Belgian company now does, even if it's just staff pasting things into ChatGPT — you are expected to be able to show that those people understand, at a basic level, what the tools do, what their limits are, and what the risks are.

There's no certificate to buy and no government inspector knocking on your door tomorrow. But the obligation exists now, and the simplest way to meet it is also the cheapest: a short internal AI usage policy plus a basic briefing for the team. Most companies have neither. If you do nothing else after reading this, do that.

The timeline, in plain language

  • February 2025 — already in force. Banned AI practices (social scoring, certain manipulation, untargeted face-scraping) are prohibited. The AI literacy obligation (Article 4) applies.
  • August 2025 — already in force. Rules for general-purpose AI models (the big foundation models) and the governance structure.
  • August 2026 — the big one. Obligations for high-risk AI systems apply. This is the deadline that touches ordinary businesses.
  • August 2027. Extended rules for AI built into already-regulated products.

If you're reading this in 2026, the question that matters is: do you have any high-risk AI? Because if you do, the clock is real.

"High-risk" — does it apply to you?

"High-risk" is a specific legal category, not a judgement about how advanced your AI is. A simple, well-built system can be high-risk; a flashy one might not be.

You're likely in high-risk territory if you use AI for:

  • Hiring and HR — CV screening, candidate ranking, performance evaluation, decisions about promotion or termination. This is the one that catches the most Belgian SMEs by surprise, because HR teams adopt these tools without realising the classification.
  • Credit and insurance — creditworthiness scoring, risk pricing.
  • Access to essential services — anything that decides who gets what.
  • Safety components — AI in critical infrastructure or as a safety function in a product.

If your AI just summarises documents, drafts emails, powers a chatbot that's clearly labelled as AI, or recommends products — you're almost certainly not high-risk. You have lighter transparency duties (mainly: tell people when they're talking to AI) and that's it.

The honest answer for most Belgian KMOs: you're probably not high-risk, but you can't assume it — you need to actually check the one or two systems that might be, and write down the conclusion. (I'll write a separate piece on exactly how the classification works.)

Who enforces this in Belgium?

This is where Belgian businesses get lost, because the EU writes the law but each member state names its own enforcers. In Belgium, two bodies matter:

  • BIPT (the telecoms/digital regulator) has been designated as a key part of Belgium's market-surveillance setup for the AI Act. They're the AI-Act-specific authority.
  • The GBA / APD (the Data Protection Authority — Gegevensbeschermingsautoriteit / Autorité de protection des données) handles where AI meets personal data. They published formal guidance on AI and the GDPR in December 2024, which tells you they're already paying attention.

You don't need to memorise this. You need to know that "no one is watching" is not true, and that AI + personal data has two sets of rules pointing at it (AI Act and GDPR), not one.

The checklist I actually give people

If you do these five things, you're ahead of the large majority of Belgian companies:

  1. Inventory your AI. List every AI tool and system in use — including the unofficial ones your team adopted on their own. You can't comply with rules about systems you haven't named. This single step takes an afternoon and surfaces surprises every time.

  2. Classify the risky ones. For anything touching hiring, credit, access to services, or safety — determine whether it's high-risk, and write down the reasoning. For everything else, note that it's minimal/limited risk and move on.

  3. Write a one-page AI usage policy. What's allowed, what isn't, what data must never be pasted into a public AI tool, who to ask. This is your cheapest single compliance win and it doubles as your Article 4 literacy evidence.

  4. Brief your team. Fifteen minutes. What the tools do, where they're wrong, what not to feed them. That's the literacy obligation, met.

  5. For genuine high-risk systems, get a real assessment. Documentation, logging, human oversight, bias testing — these are substantial and they need to be in place before August 2026, not bolted on after. Don't improvise this one.

Steps 1–4 you can do yourself this month. Step 5 is where it's worth getting help, because the cost of getting it wrong is regulatory, not just operational.

The honest bottom line

The EU AI Act is not the catastrophe some vendors are selling it as (conveniently, alongside the expensive product that "solves" it). For most Belgian KMOs, compliance is a few hours of honest inventory, a one-page policy, and a short team briefing.

The exception is real high-risk AI — and if you have it, August 2026 is a hard date you should be working toward now.

The mistake I see is the two extremes: companies that panic and overspend on consultants for systems that were never high-risk, and companies that assume it doesn't apply to them and discover otherwise the hard way. The cure for both is the same: spend the afternoon, do the inventory, write it down.

I write a short, practical newsletter on exactly this — the EU AI Act, GDPR and AI, and senior engineering for Belgian businesses, in plain language and without the fear-selling. If that's useful to you, subscribe below.

If you'd rather have someone go through your actual systems with you, WDC's AI Readiness Audit does exactly that — an honest, written review of what you're running and where it sits under the Act.

Ready to start?

Talk to us about your project.

Most engagements start with a 30-minute conversation.

Book a call

Subscribe to our newsletter

Sign up for occasional, practical writing on AI integration, EU AI Act, and senior engineering for Belgian businesses.