AI Act 2026: the obligations for Canadian businesses

identifiable · AI Insights

Four risk levels, four regimes: the higher the risk, the higher the obligations.

Regulation (EU) 2024/1689, the AI Act, came into force in August 2024. It is in 2026 that the step gets steep: since 2 August, the bulk of the obligations for high-risk systems has applied. For many Canadian businesses, the question is no longer whether they are in scope, it is where to start.

In short: a Canadian business is in scope of the AI Act the moment it sells into the Union, its outputs are used there, or its European clients are exposed to it. Since 2 August 2026, the bulk of the regulation applies: obligations for high-risk systems, transparency for limited risk, and fully applicable penalties of up to 35 million euros or 7% of worldwide turnover. Three workstreams carry the answer: classify your systems by risk level, put transparency in place where it is required, document the supplier chain. The same inventory serves Law 25 and the NIST AI RMF.

Why a Canadian business is in scope

The regulation reaches across borders, and it does so through three doors:

You sell into the Union. A system or a product embedding AI placed on the European market falls under the regulation, wherever the business is established.
Your outputs are used there. If the results of your AI system are used in the Union, the regulation can apply even without a direct sale.
Your clients are exposed there. European buyers, and the Canadian exporters that serve them, are already passing the requirements down into their contracts: documentation, transparency, human oversight.

The timeline, plainly stated

Since	What applies
August 2024	The regulation comes into force.
February 2025	Prohibited practices (social scoring, manipulation exploiting vulnerability) and AI literacy obligations.
August 2025	Obligations for general-purpose AI models (GPAI): transparency, documentation, copyright.
August 2026	The bulk of the regulation: obligations for high-risk systems, transparency for limited risk, fully applicable penalties.
2027	Residual requirements, notably for certain regulated products that embed AI.

The penalties follow the same slope: up to 35 million euros or 7% of worldwide turnover for prohibited practices. Distance offers no protection; documentation does.

The three concrete workstreams

Classify your systems by risk level. Most common business uses fall under minimal or limited risk. But the triage has to be done and documented: employment, credit, health and safety are the classic high-risk zones. Without a written classification, you cannot answer a single European client.
Put transparency in place where it is required. Limited risk, in practice: the person must know they are interacting with an AI, and generated or manipulated content must be identifiable as such. It costs little, and it is verifiable from the outside.
Document the supplier chain. Which models, which versions, which contractual guarantees? Your suppliers' GPAI obligations become your answers to your clients' questions. Require the documentation, keep it, and link it to your systems.

One inventory, three frameworks served

The underlying work, the inventory of systems, uses, data and affected people, is exactly the one required by Law 25 in Quebec and by the NIST AI RMF among your American clients. An organization that keeps this inventory up to date answers all three frameworks with the same document. It is also the raw material for the Map property of your profile.

The AI Act does not ask for perfection. It asks for written answers to the questions you will be asked anyway.

Go further

The guide EU AI Act, seen from Quebec details the four risk levels, and the Law 25 guide covers the Quebec side of the same inventory.

Frequently asked questions

Is a Canadian business in scope of the AI Act?

Yes, through three doors. A system or a product embedding AI placed on the European market falls under the regulation, wherever the business is established. If the outputs of your system are used in the Union, the regulation can apply even without a direct sale. And European buyers are already passing the requirements down into their contracts: documentation, transparency, human oversight.

What applies as of 2 August 2026?

The bulk of the regulation: the obligations for high-risk systems, transparency for limited risk, and fully applicable penalties. Prohibited practices and AI literacy have applied since February 2025, and the obligations for general-purpose models since August 2025.

What penalties does the AI Act set out?

Up to 35 million euros or 7% of worldwide annual turnover for prohibited practices. Distance offers no protection; documentation does.

Which workstreams should you start with?

Three of them. Classify your systems by risk level and document that triage, because without a written classification you cannot answer a single European client. Put transparency in place where it is required, so the person knows they are interacting with an AI and the generated content is identifiable. Document the supplier chain: which models, which versions, which contractual guarantees.

Does the AI Act create a workstream separate from Law 25 and the NIST AI RMF?

No. The inventory of systems, uses, data and affected people is exactly the one required by Law 25 in Quebec and by the NIST AI RMF among your American clients. An organization that keeps this inventory up to date answers all three frameworks with the same document.

Wissam Daibess

Founder, identifiable. AI governance, evaluation, and reproducibility.

About identifiable

Could you answer a European client tomorrow morning?

The diagnostic situates your practices against the four frameworks, including the AI Act, in twelve questions.

Get your Indice IA Read the EU AI Act guide