EU Artificial Intelligence Act: What Businesses Need to Know
This is not a hypothetical. It is a pattern playing out across organisations of every size and sector, as artificial intelligence embeds itself into daily operations faster than governance frameworks can follow. For years, regulators watched carefully. Now they have acted.
The EU Artificial Intelligence Act entered into force in August 2024. Its key obligations for businesses become fully applicable by August 2026. For the first time, AI is no longer just a technology question; it is a compliance question. And for many organisations, the most uncomfortable discovery will not be about the systems they knowingly deployed. It will be about the ones they forgot to govern.
The Act is implemented in phases: provisions on prohibited AI practices have applied since February 2025; rules for general-purpose AI (GPAI) models from August 2025; and most other obligations from August 2026, with some extended deadlines until 2027. The direction of travel is clear, and the window for preparation is narrowing.
Regulatory Framework in Brief
The AI Act establishes a risk-based approach, classifying AI systems into categories ranging from minimal to high-risk, with stricter requirements applied to systems that may significantly impact decisions or individuals.
The framework includes four categories:
- Unacceptable risk — prohibited systems
- High-risk systems — subject to the most stringent obligations
- Limited risk systems — subject to transparency requirements
- Minimal risk systems — no specific obligations
Prohibited systems include practices such as certain forms of social scoring and manipulative AI that can cause harm. These bans are already in force.
Importantly, the regulation applies not only to developers but also to companies that use AI systems in their operations, regardless of whether the AI solution was built in-house or procured from a third party. The Act distinguishes between providers (developers placing AI on the market), deployers (businesses using AI systems), importers, and distributors, each with distinct but interconnected obligations.
If your business uses AI — in any form — the Act considers you a regulated party.
Impact on Businesses
Responsibility for AI Use
Companies using AI are classified as deployers under the Act, and with that classification comes a clear set of responsibilities. Deployers must understand how their AI tools function, assess the risks they introduce, and ensure those tools are used in accordance with the provider's instructions.
This is particularly relevant in finance, HR, and operations, areas where AI is most commonly embedded in consequential decisions. Credit scoring, fraud detection, and automated candidate screening all warrant close scrutiny under the new framework.
Critically, human oversight is not optional. Where AI informs significant decisions, appropriate mechanisms to review, challenge, and override those decisions must exist.
Governance and Control Requirements
Where AI systems are classified as high-risk, businesses must implement structured controls. These include:
- Risk management procedures
- Reliable and high-quality data inputs
- Documentation and traceability
- Human oversight mechanisms
- Ongoing performance monitoring
For providers, these obligations extend further to conformity assessments and CE marking before placing high-risk systems on the market.
Deployers face fewer formal obligations, but must still monitor performance, maintain relevant records, and ensure that AI use remains within the scope of what was intended. In practice, this introduces a need for structured AI governance frameworks, not as bureaucratic add-ons, but as operational necessities.
Increased Regulatory Exposure
Non-compliance carries significant financial consequences. The Act introduces tiered penalties:
- Up to €35 million or 7% of global annual turnover for violations related to prohibited practices
- Lower thresholds for other types of non-compliance
Beyond fines, businesses face reputational risk if AI-related failures become public, particularly where customer data or employment decisions are involved. Regulatory, press, and public attention in this space is only increasing.
General-Purpose AI (GPAI)
The AI Act introduces specific obligations for general-purpose AI models (large language models and similar systems), which are increasingly embedded in business tools, productivity suites, and customer-facing applications.
Providers of such models must meet transparency requirements: documentation of training data, disclosure of capabilities and limitations, and compliance with EU copyright law. Additional obligations apply to models classified as posing systemic risk.
For businesses, this raises an immediate practical question: do you know which GPAI systems are operating within your organisation, and do you know whose responsibility it is to manage them?
Practical Considerations
Preparation need not be overwhelming, but it must be deliberate. In practice, organisations should:
- Identify AI systems used across all business processes
- Assess their regulatory classification under the Act
- Review governance and internal control frameworks
- Engage with third-party providers to understand compliance responsibilities
- Involve cross-functional teams: finance, IT, legal, and compliance
- Conduct a formal AI inventory and risk classification mapping
- Perform a gap analysis against AI Act requirements
- Review contracts with AI vendors for explicit compliance obligations
- Establish internal AI policies and usage guidelines
Early assessment is not merely advisable; it is the difference between managing compliance proactively and reacting to it under pressure.
Conclusion
The AI Act does not ask businesses to stop using artificial intelligence. It asks them to take responsibility for it.
That is, in many ways, a reasonable request. The same rigour organisations apply to financial controls, data protection, and operational risk should now extend to the AI systems making consequential decisions on their behalf. The Act simply formalises what good governance would have demanded anyway.
The question is not whether your organisation uses AI. You almost certainly do. The question is whether you know which systems, what risks they carry, and who is accountable when something goes wrong.
Organisations that answer those questions now, thoughtfully and systematically, will not only be compliant. They will be better governed, better protected, and better positioned to benefit from AI-driven innovation over the long term.
The Act is not the end of AI in business. It is the beginning of AI done properly.