Ritometrics.
9 min read

PL 2338 and EU AI Act: What Changes in Your Enterprise Operations in 2026

Two heavy regulations arrive in 2026: PL 2338 (Brazilian AI Legal Framework) in Congress, and the EU AI Act in force from August. Fines up to €35M or 7% of global revenue.

60-Second Summary

Two major regulatory frameworks will impact the corporate use of AI in 2026. The EU AI Act enters into force with a phased implementation starting in August, featuring extraterritorial reach that applies to any global enterprise exporting to the EU or processing European citizen data. Meanwhile, Bill 2338 (the Brazilian AI Regulatory Framework), already approved by the Senate, is currently progressing through the Chamber of Deputies. The maximum EU sanction is severe: up to €35 million or 7% of annual global revenue. Yet, only 22% of companies declare themselves fully prepared for these changes. Achieving compliance does not require purchasing an expensive software suite; it begins with building a comprehensive inventory of your production models and assigning clear, named individual accountability.

If your company has deployed generative AI tools over the last 18 months without updating its governance policies, you are entering a new regulatory landscape. In Brazil, Bill 2338 (the AI Regulatory Framework) has been advancing through the Chamber of Deputies since March 2025, following its Senate approval in December 2024. Globally, the EU AI Act enters into force with phased deadlines starting in August 2026, directly affecting international companies with any European operational exposure.

Both frameworks share the same underlying architecture: classifying AI systems by their level of risk and imposing proportional obligations. The sanctions are substantial. The EU AI Act establishes fines of up to €35 million or 7% of global annual revenue for severe non-compliance. Bill 2338 delegates enforcement authority to the National Data Protection Authority (ANPD), utilizing a punitive framework modeled on the highly active LGPD (Brazilian General Data Protection Law).

Recent market research indicates that only 22% of growth-stage enterprises declare themselves fully prepared in terms of AI governance. The remaining 78% must act quickly. Governance is no longer an innovation project; it is now a priority agenda item for corporate boards.

The EU AI Act: Four Risk Classifications

The EU AI Act categorizes applications into four distinct levels of risk, each carrying different compliance duties. The two highest tiers command the vast majority of operational and engineering resources required for alignment.

EU AI Act: The four risk categories and key compliance obligations. Unacceptable risk systems are banned; high-risk systems require certified compliance audits before deployment.

| Risk Level | Corporate Examples | Key Compliance Obligations | Severe Non-Compliance Sanction |
| --- | --- | --- | --- |
| Unacceptable Risk | State-sponsored social scoring, subliminal behavioral manipulation, real-time public biometric identification. | Prohibited entirely. | Up to €35M or 7% of annual global revenue. |
| High Risk | AI in employment recruitment, credit scoring, education grading, critical infrastructure, justice systems. | Risk management systems, high-quality data governance, robust technical logging, human-in-the-loop oversight, strict transparency, registration in EU databases. | Up to €15M or 3% of annual global revenue. |
| Limited Risk | Customer-facing chatbots, synthetic media generators, deepfakes. | Mandatory disclosure: users must be clearly informed they are interacting with an AI system. | Escalated administrative sanctions. |
| Minimal Risk | Email spam filters, generic recommendation algorithms, videogame AI. | Voluntary codes of conduct; no mandatory operational requirements. | No specific regulatory fines. |

Extraterritoriality is the primary point that catches international enterprises by surprise. You do not need to be headquartered in the EU to fall under its scope. If the output of your AI model is utilized within the European Union, or if a European citizen is affected by an automated decision generated by your systems, your workflows are regulated. B2B SaaS platforms exporting globally, fintechs serving international clients, and digital platforms with European users are all subject to the Act.

Bill 2338 (Brazil): Aligned with European Logic, with Local Nuances

The Brazilian AI Regulatory Framework shares a similar risk-based structure with the EU AI Act, utilizing the same risk levels and proportional obligations. However, four operational nuances distinguish the Brazilian text, requiring unique attention during implementation.

Operational comparison between the EU AI Act and Bill 2338 (Brazilian AI Framework) across five key dimensions.

| Dimension | EU AI Act | Bill 2338 (Brazil) |
| --- | --- | --- |
| Legislative Status | Enforced via phased deadlines since August 1, 2024; primary compliance mandates active August 2026. | Senate approval secured in December 2024; actively progressing through the Chamber of Deputies. |
| Risk Classification | Four canonical tiers: unacceptable, high, limited, minimal. | Risk-based system with a list of prohibited excessive systems and regulated high-risk applications. |
| Transparency Mandate | Requires disclosure of the model's abstract operational mechanics. | Extends further: mandates clear explanations for specific automated decisions impacting a specific individual. |
| Enforcement Authority | EU AI Office + designated national regulators in member states. | ANPD (Data Protection Authority) + sector-specific regulators (Central Bank, telecom, and utility authorities). |
| Fines & Sanctions | Up to €35M or 7% global revenue for prohibited applications; up to €15M or 3% for high-risk violations. | ANPD applies sanctions based on LGPD limits; specific operational penalties to be defined in subsequent rules. |

The most critical Brazilian nuance is the individual decision transparency mandate. Bill 2338 requires that your company must be capable of explaining not just how an algorithm works in theory, but exactly why a specific automated decision was made about a specific person. This requirement substantially increases the technical standard for system logging, audit trails, and data lineage.

Mapping Your Regulatory Exposure

The majority of enterprises underestimate the volume of AI they currently run in production. Five operational areas represent the highest concentration of AI usage and, consequently, the greatest regulatory exposure.

Five operational areas with common AI integrations in a growth-stage enterprise and their typical classifications under the EU AI Act.

| Business Function | Common AI Application | Typical Risk Classification |
| --- | --- | --- |
| Human Resources | Resume screening pipelines, automated candidate scoring, interview transcript analysis. | High Risk |
| Credit & Finance | Automated credit scoring, fraud detection algorithms, custom risk assessments. | High Risk |
| Customer Operations | Interactive customer support chatbots, ticket routing, automated reply drafts. | Limited Risk |
| Marketing & Sales | Dynamic user segmentation, lead scoring, highly personalized offers. | Limited to Minimal Risk |
| Product & Engineering | Software generation copilots, automated test generation, code bug analysis. | Minimal Risk |

If your business utilizes AI models in recruitment or credit evaluation, you are already operating in the high-risk category. This is no longer an innovation choice or a marketing narrative; it is a binding operational compliance requirement with strict legal deadlines.

Five Operational Tasks to Begin Now

Preparing your enterprise does not require purchasing a complex software suite. It requires building an inventory, classifying systems, and documenting what is already active in your production pipelines. These five steps establish your compliance foundation:

  1. Build Your AI Systems Inventory. Document every AI model, external LLM integration, and automated pipeline in production or active piloting (including Claude, ChatGPT Enterprise, Copilots, and proprietary models). This defines the scope of your regulated assets.
  2. Classify Systems by Risk Level. Map each active system against the four risk classifications of the EU AI Act. Document your reasoning and criteria for each classification, particularly for systems determined to be high-risk or limited-risk.
  3. Conduct Algorithmic Impact Assessments (AIA). High-risk systems require a formalized impact assessment before being utilized in production. This represents the AI equivalent of the data protection impact assessments (DPIAs) your company already executes for privacy frameworks.
  4. Establish Decision Audit Trails. Bill 2338 mandates that you must be able to explain individual automated decisions. Implement structured logging that records the exact prompts, model versions, and data inputs used to generate high-risk outputs.
  5. Assign Named Individual Accountability. High-risk systems must have a designated human owner. This must be a specific corporate role with the authority to halt the system, override outputs, and represent the system before regulatory authorities. The absence of a named owner is a documented compliance failure.

Five clear steps. None of them require new tools, but all of them demand executive focus and cross-functional coordination across your Legal, Compliance, and Engineering departments.

The Blind Spot: What Regulation Fails to Track

Regulatory compliance mitigates legal risks, protects user rights, and ensures algorithmic transparency. What it fails to measure is the cash your company spends in senior payroll hours to coordinate the human-agent workflows surrounding these systems. This operational overhead never appears in model audit trails, regulatory registries, or impact reports.

An enterprise can achieve 100% compliance with international AI acts and data privacy laws while continuing to lose millions annually in unmonitored coordination friction. The legal and economic layers of governance run in parallel. Managing compliance without managing coordination leaves your enterprise protected against fines but exposed to declining operating margins. Human-agent coordination costs represent the missing link in AI governance, a cost structure categorized through the four interfaces of H2H, A2A, H2A, and A2H in cash terms.

Frequently Asked Questions

What is Bill 2338 and when does it take effect in Brazil?

Bill 2338/2023, the Brazilian AI Regulatory Framework, was approved by the Senate in December 2024 and is currently progressing through the Chamber of Deputies. It utilizes a risk-based classification system similar to European frameworks, combined with strict user rights, proportional governance, and enforcement by the ANPD. Full implementation is projected within the 2026 horizon.

Does the EU AI Act apply to international or non-EU companies?

Yes, due to its extraterritorial scope. The Act applies to any global enterprise if (a) they place AI systems on the EU market, (b) their AI systems have outputs utilized within the EU, or (c) their models process data belonging to European citizens. Growth-stage B2B SaaS platforms exporting internationally, fintechs with European clients, and digital platforms with EU users are all fully subject to its requirements.

What are the primary differences between the EU AI Act and Bill 2338?

While both share a risk-based logic, Bill 2338 mandates a higher standard of transparency for individual automated decisions, requiring enterprises to be able to explain specific automated outcomes to affected individuals. The EU AI Act features a more aggressive fine structure (up to €35M) and has centralized enforcement via the European AI Office, whereas the Brazilian framework utilizes a collaborative model between the ANPD and sector-specific regulators.

What is the maximum financial penalty for non-compliance?

Under the EU AI Act, the maximum fine is €35 million or 7% of annual global revenue (whichever is higher) for prohibited AI practices. Fines for high-risk violations scale up to €15 million or 3%. In Brazil, the current text of Bill 2338 aligns enforcement parameters with LGPD limits, with specific operational penalties to be defined in subsequent regulatory rules.

How should an enterprise begin its compliance alignment?

By executing three practical steps: build a complete inventory of all production AI models, classify each model against risk classifications, and assign named human owners to any system classified as high-risk. Establishing clear audit logs and documenting decision criteria are the priorities that must precede any complex technical tooling.

The Bottom Line

2026 is not the year to discuss AI governance as a theoretical roadmap; it is the year when international regulations begin active enforcement. With the phased implementation of the EU AI Act, the progression of Bill 2338, and the expanding authority of data privacy regulators, your corporate AI inventory must be completed before audits arrive. Building the inventory is the straightforward task.

The real operational challenge is governing the invisible coordination costs that these AI systems introduce to your daily workflows. Legal compliance protects against regulatory fines, while economic governance protects against declining operating margins. Your enterprise requires both. For a proven framework addressing operational governance at the enterprise level, see the Singapore Model AI Governance Framework—a highly regarded standard covering the operational edges that hard law leaves unaddressed.