The EU is tightening AI regulation significantly: With the Omnibus VII package adopted in June, comprehensive transparency requirements take effect from August 2, 2026. This affects you directly as a business owner – whether you operate a chatbot, publish AI-generated content, or work with deepfakes. The labeling requirement applies regardless of how your AI system is classified. This means: Even low-risk applications must clearly disclose that they are AI-generated.
The rules become particularly strict for sensitive applications. Deepfakes, emotion recognition, and biometric categorization must be clearly labeled from August onwards. It gets even tougher from December 2, 2026: Nudification tools and intimate deepfakes without explicit consent from the affected person will be completely banned. Existing AI systems must also comply with the new transparency requirements by then – there is no grandfathering clause.
The penalties are substantial. Failing to implement transparency requirements from August risks fines up to €35 million or 7 percent of global annual turnover. But that's not all: German courts have already confirmed platform operators' liability for AI errors. Munich Regional Court ruled in May that operators are liable for AI-generated summaries. The Hamm Higher Regional Court attributed chatbot errors directly to the operator in May. This means for you: You cannot simply say "the AI did it."
Executives Face Personal Liability for AI Risks
Often overlooked: Executives can be held personally liable under the Operational Security Act if cybersecurity violations occur in connection with AI. This is no longer theoretical – it's a concrete compliance issue for your management team. In parallel, a basic requirement has applied since July 1: Organizations must demonstrate AI competence. From August 2026, this requirement becomes enforceable.
Germany is preparing accordingly. On July 2, a new AI task force began its work – with planned cooperation with the British AI Safety Institute. Other EU countries are following suit: Ireland plans an independent "AI Office of Ireland" with regulatory sandboxes for startups. Spain distributes oversight across multiple authorities. This means: Oversight becomes fragmented but intensive.
High-Risk Systems Get a Reprieve – But Limited
There is some good news, though limited. Standalone high-risk AI systems under Annex III get until December 2, 2027 to comply. Manufacturers of AI security components even until August 2028. But this reprieve only partially helps you: Transparency requirements from August apply alongside other digital laws like NIS2. You'll need to build your compliance infrastructure anyway.
The EU Commission has already published a code of conduct on labeling. That's your guidance. For German companies, this concretely means: Now is the time to audit your AI systems, establish labeling processes, and brief your management team on personal liability. The EU AI Act deadlines are tight – delays will be costly.
Sources
Editorially owned by Ideal Syka. Sources and method: Newsroom & method. Tips and corrections: ai@i6eal.de.




