PL 2338 and EU AI Act: What Changes in Your Enterprise Operations in 2026
Two heavy regulations arrive in 2026: PL 2338 (Brazilian AI Legal Framework) in Congress, and the EU AI Act in force from August. Fines up to €35M or 7% of global revenue.
60-Second Summary
Two laws land hard on corporate AI in 2026. The EU AI Act takes effect in phases starting in August, and its reach is extraterritorial: it catches any company that exports to the EU or touches European data, no matter where the headquarters sits. The top fine reaches €35 million or 7% of annual global revenue. Bill 2338 (Brazil's AI Regulatory Framework), already cleared by the Senate, is moving through the Chamber of Deputies. And only 22% of Brazilian companies say they are ready, according to a survey by MIT Technology Review with Peers Consulting + Technology. Here is the part nobody says out loud: the road to compliance does not run through buying a suite. It runs through listing what is already in production and putting a name on each owner. That is the easy work. The hard work is the bill the law never sends, how much of your senior payroll the coordination between human and machine already drains, every week, without making a sound.
Your company put generative AI into production over the last eighteen months and has not revisited its governance policy since. You are not alone in that, and you are about to run into a regulatory landscape that did not exist when the first copilot license was signed. Bill 2338, the AI Regulatory Framework, has been moving through Brazil's Chamber of Deputies since March 2025, after the Senate approved it in December 2024. The EU AI Act takes effect in phases starting in August 2026, and it reaches any company with so much as one foot in Europe.
Both laws start in the same place: classify each AI system by risk level and demand obligations in proportion. The sanction is not decorative. The EU AI Act sets fines of up to €35 million or 7% of annual global revenue for serious non-compliance, a number large enough to pull the topic off the footnote and onto the first page of the board agenda. Bill 2338 hands the ANPD the power to sanction, with an apparatus built in the spirit of the LGPD, Brazil's data protection law.
According to a survey by MIT Technology Review with Peers Consulting + Technology, only 22% of Brazilian companies say they are ready to integrate AI into critical systems. The other 78% have little time and a lot of ground to cover. The good news is that the first half of the work is cheap. The bad news is that the expensive half never shows up in the text of the law. Let us take both.
The EU AI Act in 60 Seconds: Four Risk Levels
The EU AI Act classifies by risk, and each level carries a different weight of obligation. The real work of getting compliant concentrates in the top two tiers; the rest asks for little or nothing. Read the table knowing where your operation lands before you panic at the whole.
| Level | Examples | Main Obligations | Sanction on Failure |
|---|---|---|---|
| Unacceptable risk | State social scoring, subliminal manipulation, real-time biometrics in public spaces (with exceptions) | Prohibited | Up to €35M or 7% of global revenue |
| High risk | AI in recruitment, credit scoring, education, critical infrastructure, justice | Risk management system, data governance, technical documentation, human oversight, transparency, registration in the EU database, conformity assessment | Up to €15M or 3% of global revenue |
| Limited risk | Chatbots, systems that generate synthetic content, deepfakes | Mandatory transparency: the user must know they are interacting with AI | Tiered administrative sanctions |
| Minimal risk | Spam filters, generic recommendations, AI in video games | Voluntary codes of conduct | No specific sanction |
The extraterritorial reach is what catches a foreign company off guard. You do not need a base in the EU. It is enough for the system's output to be used inside the European Union, or for a European citizen to be affected by an automated decision. B2B SaaS exporting, a fintech with operations in Europe, a platform with European users: all of them fall under the rule, and most only notice when the client's legal team abroad asks for the document.
Bill 2338 in Brazil: Aligned with Europe, with Local Nuances
The Brazilian framework mirrors the European architecture: same risk classification, same proportional obligation. Whoever is implementing cannot treat the two as a copy, though. A few practical differences change what you have to record and to whom you answer, and the table below sets them side by side.
| Dimension | EU AI Act | Bill 2338 (Brazil) |
|---|---|---|
| Status | In force in phases since August 1, 2024; main obligations August 2026 | Senate approval December 2024; in the Chamber since March 2025 |
| Classification | Four levels: unacceptable, high, limited, minimal | Risk-based classification with a list of excessive (prohibited) systems plus regulated high-risk ones |
| Transparency | About how the system works in the abstract | Goes further: transparency about the specific decision made about an individual |
| Regulator | AI Office (EU) plus designated national authorities | ANPD plus sector regulators (Central Bank, ANATEL, ANEEL, depending on the use) |
| Sanction | Up to €35M or 7% of global revenue (unacceptable); up to €15M or 3% (high risk) | ANPD applies LGPD parameters; specific sanctions left to later regulation |
The Brazilian difference that hurts most in the day to day is the transparency about a specific decision. Bill 2338 is not satisfied with you explaining how the system works in theory. It demands the reason behind a concrete decision made about a concrete person. Anyone who has lived through an audit knows the size of that: it moves the logging and audit-trail requirement from decoration to obligation, because now every high-risk decision has to be reconstructable later, one by one.
Where Your Operation Lands Today
Ask a director how many AI systems the company is running, and the number they guess is usually half the real one. AI came in through the edges, area by area, without passing the central desk. Five fronts hold most of the usage and, with it, the exposure to the law.
| Area | Common AI Usage | Typical Classification |
|---|---|---|
| Human Resources | Resume screening, candidate scoring, interview analysis | High risk |
| Credit and Finance | Credit scoring, fraud detection, risk analysis | High risk |
| Customer Service | Chatbot, ticket classification, reply automation | Limited risk |
| Marketing and Sales | Segmentation, lead scoring, offer personalization | Limited to minimal risk |
| Engineering and Product | Code copilot, test generation, bug analysis | Minimal risk |
If your operation uses AI to screen resumes or score credit, you are already in the high-risk band, like it or not. That left the desk of whoever talks about innovation and landed on the desk of whoever answers for the deadline. It is an obligation, and obligations have a date.
Five Practical Tasks to Start Now
The first wave of compliance asks for no new tool and no signed check. It asks for an inventory, a classification, and documentation of what already runs. Five moves cover the essentials, and none of them depends on a vendor.
- Inventory of AI systems in production. List every system, model, and pipeline in use or in pilot. Copilot, ChatGPT Enterprise, Claude, your own model, all of it. It is tedious and slow, and it is what draws the regulated universe. Without that list, the other four steps float in the air.
- Classification by risk.Place each system on the EU AI Act's four-level scale. Recruitment and credit almost always fall into high risk; an external chatbot falls into limited risk. Write down your reasoning, because in the audit they will ask you not only where you classified, but why.
- Algorithmic impact assessment (AIA). A high-risk system needs an impact assessment before it goes into operation. It is a cousin of the data protection impact assessment your company already runs for the LGPD, with the scope cut down to AI. Whoever already has the LGPD practice starts halfway there.
- Audit trail per decision. Bill 2338 demands an explanation of the automated decision made about a person. In practice, that means structured logging that lets you reconstruct the basis of each high-risk decision months later, without digging through the memory of whoever was in the room.
- A named owner for each high-risk system. Pointing at the AI team in general does not count. It is a role with a name, a badge, and the power to pause the system, review the output, and look the regulator in the eye. A high-risk system with no named owner is already, in itself, a documented failure.
Five moves, none of them costing a license, all of them costing executive decision and hours from your Legal, Compliance, Engineering, and Product teams. It is exactly the kind of cost the next section will charge you for again, for a different reason.
The Blind Spot Regulation Does Not Cover
Regulatory compliance closes the regulatory flank. It guarantees user rights, guarantees algorithmic transparency, guarantees you do not take a fine for operating outside the law. And it stops there. It says nothing about what your company pays, in senior payroll, to coordinate humans and agents around each hybrid decision. That spending runs off to the side: it does not show up in the model's audit trail, it does not appear in the European registry, it does not fit in the impact report. The law aims at the behavior of each isolated system. The money leaks in the whole, in the friction between the parts, exactly where no legal yardstick looks.
You can be one hundred percent current with Bill 2338, the EU AI Act, and the LGPD, and still burn millions a year coordinating human and machine in the dark. The two bills run in parallel, and one never comes bundled inside the other. Whoever handles only the first is shielded on one side and bare on the other, and the bare side makes no headline and no fine, it just corrodes the margin in silence. The cost of human-agent coordination is the invisible vector of AI governance, broken down into four interfaces, human with human, machine with machine, human with machine, and machine with human, each one in cash.
Frequently Asked Questions
What is Bill 2338 and when does it take effect in Brazil?
Bill 2338/2023, the AI Regulatory Framework, cleared the Senate in December 2024 and has been in the Chamber of Deputies since March 2025. It follows the same European logic, classifying systems by risk level, but with a local flavor: a list of user rights, governance in proportion to risk, and the ANPD as regulator alongside sector bodies. Taking effect depends on approval in the Chamber and presidential sign-off, with a likely start within the 2026 horizon. Put plainly: the clock is already running, even if the final text is not closed yet.
Does the EU AI Act apply to my company outside Europe?
If your operation touches Europe, yes, and it does not matter where the headquarters is. The EU AI Act catches any company that (a) places an AI system on the European Union market, (b) has that system's output used inside the EU, or (c) processes a European citizen's data through AI. B2B SaaS exporting, a fintech with operations in Europe, a platform with European users: all of them fall under the rule. It takes effect in phases starting in August 2026. Many companies find out they were in scope only when the European client asks for the report.
What is the difference between the EU AI Act and Bill 2338?
Both start from risk, but they diverge on two points that affect the operation. Bill 2338 is tighter on transparency: it is not enough to explain how the system works in the abstract, it requires you to justify the concrete decision made about a specific person. The EU AI Act is tighter on punishment and on timing: a harder sanctioning apparatus, up to €35M or 7% of global revenue, with a more defined schedule. And the institutional design differs: Bill 2338 splits regulation between the ANPD and sector bodies; the EU AI Act concentrates it in the European AI Office plus the designated national authorities.
What is the maximum fine for non-compliance?
Under the EU AI Act, up to €35 million or 7% of annual global revenue, whichever is higher, for a violation tied to a prohibited system. The other sanctions scale by severity. Bill 2338 is still moving through the Chamber; the current text gives the ANPD the power to sanction based on LGPD parameters, within an arrangement with sector bodies, and the specific penalties are left to later regulation. The European number is already large enough to make the board agenda without any rhetoric.
Where does my company start?
Three steps, in this order. First, inventory every AI system in production or pilot, because no one governs what they have not listed. Second, classify each one by risk level (high, limited, minimal). Third, name the owner for each high-risk system. In parallel, document the automated-decision criteria and build the audit trail. An operational governance framework comes later; the inventory comes before everything, and it costs time, not money.
The Bottom Line
2026 is not the year to discuss AI governance over coffee and a clear calendar. It is the year two laws start to charge. EU AI Act in force in phases, Bill 2338 moving through the Chamber, the ANPD with growing authority. The inventory has to be ready before enforcement knocks on the door. And the inventory, I repeat, is not the hard work. It is tedious, it is slow, but any organized company closes it in a few weeks.
The hard work comes after, and no law forces you into it: governing the invisible cost of the coordination this new AI layer pushed into your operation. Compliance protects you from the fine. Economic governance protects you from the margin that slips away without anyone noticing. They are defenses for different flanks, and you need both, because the regulator charges one and the board charges the other. The best-tested sector reference for the operational layer is Singapore's Model AI Governance Framework, soft law that touches the front the Brazilian hard law leaves open.