€35M maximum fine · 4 risk categories · August 2026 full effect
The AI Act in 2026 — What Czech Businesses Need to Know (a No-Legalese Guide)

When we at LK Media first analyzed in detail what this new European law on artificial intelligence actually means, we broke out in a cold sweat. As an agency, we're built on AI, quite literally. We help clients automate processes, we cut work from weeks down to hours, we generate copy, we analyze data. And suddenly it turned out that plenty of things the whole market treats as standard practice are, from the new regulation's point of view, borderline at best. Or over the line.

We had to rethink from the ground up how we use AI for clients (and for ourselves).

The vast majority of businesses in the Czech Republic are still living in blissful ignorance. They think AI regulation doesn't concern them, because after all they "aren't developing their own ChatGPT". Wrong. Deeply wrong. The legal language may be dry and impenetrable, but the impact is entirely real for anyone in a company who hits Enter in any AI tool.

Let's be straight with each other. I don't want to scare you, I want to prepare you.

The short version for those short on time

What the AI Act is and why it matters to you

Let's put it in plain terms. The EU AI Act is the world's first comprehensive law on artificial intelligence. And it has one absolutely crucial property: it's a regulation, not a directive.

Why does that matter? A directive first has to be laboriously rewritten by each country into its own laws (which here usually takes years and produces a mess). A regulation applies directly. Just like that, and it's here.

The basic trap that a lot of business owners will fall into is the word "deployer" (in the Czech version of the regulation translated rather clumsily as "zavádějící subjekt", or simply the party that deploys the AI). You might think the regulation is aimed only at the giants like OpenAI, Google or Microsoft. They're in the "provider" category and, of course, face the strictest standard.

But you, as an e-shop using AI to write product descriptions, or as an accounting firm having AI extract data from invoices, are a deployer.

And you have obligations.

Remember spring 2018. The GDPR hysteria. Anyone who waited until the last minute paid absurd sums for hastily patched-together audits, or simply got burned on fines. In many respects the AI Act is even stricter. Where GDPR's bogeyman was a €20 million ceiling, here we're at €35 million.

The AI Act vs. GDPR — lessons from the past

Since we've brought up GDPR, let's put these two bogeymen side by side so you can see the difference.

| What we're actually dealing with | GDPR (personal data protection) | AI Act (regulation of artificial intelligence) |
| --- | --- | --- |
| Maximum fine | €20 million or 4% of turnover | €35 million or 7% of turnover |
| Main goal | Protecting people's privacy and data | Safety, health and fundamental rights |
| Regulatory approach | Blanket (more or less the same for everyone) | Tiered by 4 risk categories |

Remember what it looked like just before May 2018? Companies that waited until the last minute paid dearly. Lawyers and consultants were booked solid for months ahead, and the ones left over charged absurd "panic premiums". Plenty of entrepreneurs underestimated it back then and then just stared at hefty fines from the ÚOOÚ. With the AI Act we're heading straight for the very same wall, only much faster.

The AI Act is also far more complex, technically and legally. It doesn't stand in a vacuum — it overlaps heavily with GDPR and, on top of that, with the new NIS2 cybersecurity directive. And here comes the worst news for your wallet: if your AI system breaks the artificial intelligence rules and at the same time unlawfully processes personal data, the authorities don't treat it as a single offense. In that case the company faces fines from BOTH regulations at once. Try adding up those percentages of turnover — that's a sum that would topple even a very stable business.

Timeline — what applies when (a visual overview)

The legislation is changing fast, with constant votes on exemptions and postponements. Take it with a grain of salt; this is the state of play as of April 2026.

(A small aside: there's some confusion around high-risk systems right now. The European Parliament recently voted, as part of the so-called Omnibus, by 569 to 45 to push the effective date for some high-risk systems all the way to December 2027. But watch out — it hasn't yet been definitively approved by the Council of the EU, so definitely don't count on that delay.)

The 4 risk categories — which one are you in?

The European Union approached this through risk. It doesn't ban the technology as such, but it restricts what you use it for. They split it into four boxes.

1. Prohibited systems (These you simply must not do)

An absolute taboo. This covers things that sound straight out of Black Mirror. Social scoring (rating citizens as in China), subliminal manipulation (AI that pushes you to do something you normally wouldn't), biometric classification of people by race or political views.

But there's one huge exclamation mark here for businesses: emotion recognition in the workplace. If you wanted to deploy AI cameras or software that rates, from employees' facial expressions, whether they're sufficiently motivated or whether they might be depressed — forget it. Full stop. Various "nudifier" apps for generating fake nudes fall in here too. This is where the maximum fine of €35 million lands.

2. High-risk systems

This is where the real bureaucracy starts. It covers 8 specific areas where AI decides people's fates. Justice, critical infrastructure, education (AI that grades exams).

And above all — HR and recruitment.

To be completely precise, the AI Act defines exactly these 8 high-risk areas: biometrics, critical infrastructure (e.g. managing traffic or water), education, employment (HR), access to essential services (e.g. banking), law enforcement, migration and, finally, justice.

Let's illustrate it with concrete examples for ordinary Czech businesses. If, as a bank or a non-bank lender, you deploy AI credit scoring that automatically decides whether to give Franta from Horní Dolní a mortgage, you're up to your neck in the high-risk category. You're in exactly the same boat if you use modern HR software with AI CV screening at your company. Tools like Recruitee, HireVue or other platforms that automatically comb through CVs and eliminate candidates drop you straight into this strict box. Or AI that evaluates your employees' performance for promotion purposes – that's high-risk too.

And you're in for hell. You need flawless technical documentation, robust risk management in place and, above all — you must ensure "human oversight". A flesh-and-blood person must always be able to switch the AI off or override its decision. On top of that you have to log the AI's decision history for at least 6 months back, so that during an inspection you can prove why the algorithm decided the way it did. And the cherry on top? Before you even start using such a system, you have to pass a formal conformity assessment and obtain a CE mark for it, much like when you sell electronics or children's toys.

3. Limited risk (This is where the vast majority of us are)

This is where chatbots, AI image generation, deepfakes and AI text fall. Your only, but absolutely crucial, obligation is transparency.

You have to tell people they're talking to a machine.

If your e-shop has customer support handled by AI, it must clearly state: "I'm an AI assistant". The customer must not live under the illusion that they're chatting with Jana from Brno. But there's one rather amusing exception. If AI generates the text but you, as a human, check it before publishing, edit it and take editorial responsibility for it, you don't have to label it "Generated by AI".

This is absolutely key news for all marketers, copywriters and content agencies. It means your blogs, newsletters and social posts won't turn into a parade of mandatory warnings like a cigarette pack. Lawmakers thankfully understood that AI is essentially an advanced typewriter today. The condition, though, is that human factor — the text can't go from ChatGPT straight to the web. It has to pass through human editing, and the named author (or company) bears full legal and factual responsibility for it. If you meet that, you're off the hook and you don't have to slap any AI labels on it.

4. Minimal risk (Relax)

Spam filters. Translators. Algorithms that recommend similar products on your e-shop. AI in video games. Here you have no obligations. You can use it however you like.

To sum it up in Czech terms:

When a local e-shop has a chatbot answering shipping questions, that's limited risk. When a Czech corporation deploys AI to filter CVs, that's high-risk. When a marketer has ChatGPT draft a newsletter and then fine-tunes it themselves, that's minimal risk.

See the difference? It depends on the use, not on the tool itself.

Shadow AI — the biggest headache

This is the thing that keeps heads of IT awake at night across the world. And you should lose sleep over it too.

According to the latest data, 57% of employees paste sensitive company data into unapproved AI tools. And 78% of people literally "bring their own AI to work" — they simply open their personal account with some AI tool on their phone or in the browser, because the company systems are too slow or banned.

This is a ticking time bomb.

Picture Pepa from sales. Pepa is a great salesperson, but he doesn't like reading long texts. And he's just received a huge, sixty-page NDA and cooperation agreement from a client. Pepa thinks: "I'm no fool, I'll save time." He takes the PDF, drops it into the free version of ChatGPT or some random PDF summarizer he found on Google, and writes the prompt: "Summarize the main risks in this contract for me."

Pepa is thrilled, he has the result in a minute.

What Pepa doesn't know? He's just sent complete client data, trade secrets and personal data to a third party's servers, where the model can train on them. The legal department would probably commit ritual suicide at that moment. There's been a breach of the NDA, a breach of GDPR and a breach of internal policies.

Shadow AI means your people are using AI, you don't know about it, you have no control over it, and you bear full legal responsibility for it.

What you ALREADY have to comply with (and maybe don't)

As I wrote in the timeline above, one crucial thing has applied since February 2025. It's called AI literacy.

The European Union decided that since we're deploying these machines, people have to understand how they work. And it ordered companies to ensure a sufficient level of AI literacy for all employees who work with these systems.

No, it's not enough to drop a link to a ten-minute YouTube video in the company Slack.

The European Commission was fairly clear about it. You must have a demonstrable training system. You have to explain to people how AI works, what its risks are (hallucinations, bias), what data they may and may not feed into it. And note — this doesn't apply only to core full-time employees. You also have to train suppliers and freelancers if, as part of their work for you, they reach into your AI systems.

Responsibility for this lies with company leadership. If an inspection comes, you must show the documentation: who was trained, when, on what, and how you verified they understood it. If you don't have this, you're already in breach.

A practical checklist — what to do now, what by summer, what by year-end

Theory is nice, but what do you do in practice? I've split it into three phases so you can tackle it step by step and not collapse under it.

NOW (It's on fire)

Yesterday was too late. This you have to sort out over the coming weeks.

BY AUGUST 2026 (Time to prepare)

This is your main milestone for transparency.

BY THE END OF 2026 / 2027 (Heavyweight)

If you've found that you have high-risk systems (say, that AI CV filtering), this is where the real fun begins.

ONGOING (A never-ending story)

Ticking off the tables unfortunately isn't the end of it. Both AI and the laws are evolving at breakneck speed.

The Czech context — who will be policing us

How does all this filter into Czech bureaucracy? The gestor (the body politically in charge) is the Ministry of Industry and Trade (MPO). The government commissioner for digitalization and AI is Jan Kavalírek, who is trying to hold a fairly sensible course.

But the main thing: who can actually hit you with the fine?

Whereas with GDPR everyone knows the Office for Personal Data Protection, oversight of the AI Act here will most likely go to the Czech Telecommunication Office (ČTÚ). It makes sense, they already have the digital agenda under them from other European regulations (the DSA, for instance).

The Czech adaptation law (the act on artificial intelligence), which will merely technically link the European regulation with our legal order, is due to be submitted by September 2025. The good news is that the Czech government has chosen a "minimalist approach". That means no gold-plating. They won't dream up extra, stricter rules on top; they'll simply transpose what Europe requires.

The Czech Standardization Agency (ČAS) is even rolling out a so-called regulatory sandbox. That's a playground where companies can test their AI solutions under the authorities' supervision and find out whether they comply with the law, without immediately getting their knuckles rapped.

And how are we doing as a market? The recent huge AI MOMENTUM 2026 survey, which involved 1,033 Czech companies, illustrated it nicely. The numbers speak plainly: a full 90% of Czech companies are counting on AI for the future and see opportunity in it. The reality, though, is that a mere 11% of them actually have it anchored in any formal company strategy. The rest are simply improvising. And improvisation really doesn't sit well with the AI Act.

One more enormous problem emerged from that survey. For 80% of companies, the biggest barrier to safe and meaningful AI deployment is currently a lack of in-house experts. Companies know they should tackle it, but they simply don't have people who can connect business, technology and the new legislation into one working whole.

Conclusion

Let's go back to the start. €35 million or 7% of turnover. Those are ruinous sums. Even though for smaller companies the fines will of course be lower and should be proportionate, risking it makes no sense. Ignoring it is currently the worst business decision you can make.

At LK Media we deal with this daily. We help companies with safe and legal AI implementation. We're not just armchair theorists — we use AI to the max ourselves. Recently we built a system for one client that cut the processing of specific data from 5 weeks to 1 hour. But we did it so that it's bulletproof from both a GDPR and a new AI Act point of view.

If you'd rather not spend your nights studying European directives, get in touch. We'll go through how you actually use AI, find your "shadow AI" skeletons in the closet, and set the rules. Our consultations are practical and hands-on. Trust me, it's a better investment than later explaining to the ČTÚ why your chatbot promised a customer something it shouldn't have, and nobody knew it was a machine.

FAQ

What is the AI Act?

It's the European Union's first comprehensive legal framework (a regulation) governing artificial intelligence. It sorts AI systems into four categories by risk (from minimal to prohibited) and sets rules for their development and use.

When does the AI Act take effect?

It officially came into force in August 2024. The AI literacy obligation has applied since February 2025. The key rules on transparency (e.g. labeling chatbots) and high-risk systems start applying for most businesses in August 2026.

What are the fines for breaching the AI Act?

The fines are extremely high. Engaging in prohibited practices carries penalties of up to €35 million or 7% of a company's total annual worldwide turnover. For less serious breaches (e.g. missing transparency) the fines are lower, but still ruinous (up to €15 million).

Do I have to label AI-generated content?

Yes, if it involves interacting with a machine (a chatbot) or deepfakes (photorealistic images, video, audio). The exception is AI-generated text that then goes through human editorial review and a person takes responsibility for it – that you don't need to specially label.

How do you prepare for the AI Act?

Start with an audit of which tools your people actually use (uncover so-called shadow AI). Issue an internal policy, arrange mandatory AI literacy training for all employees, and map out whether you fall into the high-risk category (e.g. with automated hiring).