Challenges of Implementing the EU Artificial Intelligence Act (AI Act) for Businesses: Preparing for Compliance

The European Union has adopted the Artificial Intelligence Act (AI Act, Regulation (EU) 2024/1689) as the world’s first comprehensive regulatory framework for artificial intelligence. The Regulation was published in the Official Journal of the EU on 12 July 2024 and entered into force on 1 August 2024. This legislation imposes rigorous requirements on all commercial entities that develop, import, distribute or use AI systems in the EU market. Businesses that fail to prepare in time expose themselves to serious financial and reputational risks. This text is informational in nature and does not substitute individual legal advice.

Fundamentals of the EU AI Act: Structure and Risk Logic

The EU AI Act is built on a risk-based approach. All AI systems are classified into four categories according to the degree of potential risk they pose to the health, safety and fundamental rights of individuals.

Unacceptable risk — the strictest category comprises systems that are entirely prohibited. These include: AI systems used by public authorities for social scoring, manipulative techniques that circumvent users’ free will, and certain applications of real-time biometric identification in public spaces.

High risk — this is the central category of the AI Act. Systems falling within it must satisfy a comprehensive set of technical and organisational requirements before they can be placed in use. These are AI systems used in critical infrastructure, education, employment, access to social benefits, border surveillance, the administration of justice, and similar fields with a significant impact on individuals’ lives.

Limited risk — systems such as chatbots are subject to transparency obligations: users must be informed that they are interacting with an AI system.

Minimal risk — the largest number of AI applications (video games with AI elements, spam filters) fall into this category and are not subject to specific regulatory obligations.

Who Are the Duty-Bearers and What Roles They Hold

The AI Act defines several key roles in the AI system value chain:

A provider is a commercial entity that develops an AI system or places an AI system on the market under its own name or trademark. Providers of high-risk systems bear the most onerous obligations: establishing a risk management system, technical documentation, registration in the EU database, and compliance with accuracy and robustness standards.

A deployer (user) is any legal or natural person who uses an AI system in a professional context. The deployer’s obligations are somewhat lighter than those of the provider, but are not negligible, particularly regarding transparency towards end users and monitoring of the system’s operation.

Importers and distributors bear responsibility for ensuring that the AI systems they place on the market comply with the regulatory requirements.

Businesses that simultaneously develop and deploy their own AI systems assume the combined obligations of both roles.

Specific Obligations for High-Risk Systems

For AI systems classified as high-risk, the AI Act prescribes a set of concrete requirements:

Risk management system — the provider must establish, implement and document a continuous process of identifying, analysing and mitigating risks throughout the entire lifecycle of the system.

Data and data governance — datasets used for training, validation and testing must be relevant, representative and free from unacceptable bias. Documentation of data provenance is required.

Technical documentation — must be drawn up before placing the system on the market and regularly updated. It covers the description of the intended purpose, technical characteristics, performance, limitations and risk mitigation measures.

Logging — high-risk AI systems must be capable of automatically recording events during operation, so that the sequence of actions can be reconstructed in the event of an incident.

Transparency towards users: clear and intelligible instructions for use must be provided, enabling users to apply the system in an informed manner.

Human oversight — the system must be designed so that a natural person can effectively monitor it, intervene in its operation and, where necessary, shut it down.

Accuracy, robustness and cybersecurity — the system must attain an appropriate level of performance, with resilience to errors and attempts at misuse.

Timelines and Phased Application

The AI Act entered into force on 1 August 2024, but its provisions apply in phases. Provisions on prohibited practices apply from 2 February 2025, and obligations for general-purpose AI (GPAI) models from 2 August 2025. Requirements for high-risk systems have a longer transitional period. According to available information, the application deadlines for these provisions were subject to subsequent amendments and deferrals at EU level, so businesses should consult the current text of the regulation and relevant guidance from the competent authorities to verify the exact deadlines that apply to them as of the date of publication of this text and thereafter.

Sanctions and Supervision

The AI Act provides for substantial penalties for infringers. For the most serious violations, such as the use of prohibited AI systems, fines of up to EUR 35 million or up to 7% of total global annual turnover are prescribed — whichever is the greater. For breaches of obligations relating to high-risk systems, fines of up to EUR 15 million or up to 3% of turnover apply. For providing inaccurate or misleading information to supervisory bodies, fines of up to EUR 7.5 million or up to 1% of turnover are prescribed.

National supervisory authorities in each EU Member State will be responsible for enforcing the legislation, with the European Artificial Intelligence Office (AI Office) assuming a coordinating role at EU level.

Compliance Strategy: Where to Begin

Businesses wishing to approach compliance proactively should take the following steps:

First, mapping AI systems — a full inventory of all AI tools and systems that the business develops or uses, with identification of their intended purpose and context of application.

Second, risk assessment — for each identified system, it is necessary to determine which risk category it falls into under the AI Act.

Third, gap analysis — for high-risk systems, assess the extent to which current practices comply with the requirements and identify non-conformities.

Fourth, drawing up an action plan — define priorities, resources and deadlines for implementing the necessary adjustments.

Fifth, designating an AI compliance function — regardless of the size of the business, a person or team responsible for monitoring and implementing compliance is necessary.

Frequently Asked Questions (Q&A)

Does the EU AI Act also apply to businesses outside the EU that provide AI services to European users?

Yes. Similarly to the GDPR (General Data Protection Regulation, Regulation (EU) 2016/679), the AI Act has extraterritorial reach. It applies to all providers of AI systems whose outputs have effects in the EU, regardless of the company’s registered seat.

What is GPAI and why is it relevant?

General-purpose AI (GPAI) models are models such as large language models that can be applied in a large number of different contexts. The AI Act introduces specific obligations for providers of GPAI models that are integrated into other systems, including transparency obligations and, for the most powerful models, systematic risk assessment.

Does every business that uses AI tools (e.g. ChatGPT for internal communications) need to be compliant?

The use of generally available AI tools for internal purposes of minimal risk generally does not entail specific obligations. However, if a business integrates AI into its own processes or products that affect third parties, particularly in areas classified as high risk, obligations arise.

What does CE marking mean for AI systems?

For high-risk AI systems, the AI Act provides for mandatory CE marking as confirmation that the relevant regulatory requirements have been met, following a conformity assessment that in certain cases involves the participation of a notified body.

Conclusion

The EU AI Act transforms the manner in which businesses must approach the development and deployment of artificial intelligence. The regulation is not merely a bureaucratic requirement — it lays the foundations for trust in AI systems and the long-term sustainability of the digital economy. Businesses that begin the compliance process immediately will be better positioned than those who leave it to the last moment. A proactive approach not only reduces regulatory risks but also builds competitive advantage.

If you wish to assess the extent to which your AI activities comply with the EU AI Act and which specific steps need to be taken, schedule a consultation with our team specialising in artificial intelligence regulation.
