EU AI Act: What Companies Need to Know
The EU AI Act has been in force since 1 August 2024. What does the new law mean for companies and what action is needed now?
The EU AI Act is the world’s first comprehensive legal framework for artificial intelligence. It sets out clear rules for responsible AI use and puts strong protections in place for individual rights. The law applies to organizations of all sizes in the EU which develop or use AI. It also applies to companies outside the EU if their systems are used within its borders.
The rollout is phased. Some obligations already apply, including AI literacy requirements and the ban on prohibited AI practices since 2 February 2025, as well as rules for general-purpose AI models since 2 August 2025. However, the timeline for high-risk AI systems is currently changing under the Digital Omnibus package: many high-risk AI obligations are expected to move from 2 August 2026 to 2 December 2027, while obligations for high-risk AI systems embedded in regulated products are expected to move from 2 August 2027 to 2 August 2028. Final confirmation is still subject to formal adoption and publication.
The Four Risk Categories
The EU AI Act follows a risk-based approach, which means that stricter requirements apply to high-risk AI applications than to lower-risk ones. To this end, the Act distinguishes between four risk categories:
- Unacceptable Risk
AI applications with unacceptable risk have been banned since 2 February 2025. These include systems for real-time facial recognition and behavioral manipulation, such as social scoring. AI systems that are designed to monitor individuals and that could be exploited for anti-democratic purposes are also included in this category.
- High Risk
AI systems that could affect a person’s health, safety, or fundamental rights are classified as high-risk. These systems are subject to strict obligations and organizations are required to take risk mitigation measures. Examples include AI used in critical infrastructure like healthcare or transport. AI that profiles individuals also falls into this category. This could include recruitment tools that filter applicants automatically or systems in the financial sector that assess creditworthiness.
Digital Omnibus Update: High-risk AI deadlines expected to shift
The core obligations for many high-risk AI systems were originally expected to apply from 2 August 2026. Under the Digital Omnibus changes currently progressing through the EU process, this is expected to shift to 2 December 2027. For high-risk AI systems embedded in regulated products, the expected date is 2 August 2028.
- General-Purpose AI
This category includes generative AI such as ChatGPT or Midjourney. Applications like this are subject to transparency obligations. Developers and deployers must label deep fakes as such and disclose that a text was generated by AI if it provides information on matters of public interest. Manufacturers must also ensure that this AI cannot be used for the production of illegal content. These obligations started to apply from 2 August 2025, although enforcement and transition periods differ depending on the provider and model.
- AI for Direct Human Interaction
Popular applications in this category include chatbots and virtual assistants. Here, the following rule applies: providers must disclose to end-users that they are interacting with an AI and not with a human. If the AI also belongs to the High-Risk or General-Purpose category, these obligations must also be met. The general transparency rules under Article 50 are still scheduled to apply from 2 August 2026, unless further changes are adopted.
What are the Requirements of the EU AI Act for High-Risk AI Systems?
The following obligations remain central to the AI Act’s high-risk regime. What is changing is mainly the expected application timeline, not the substance of the obligations.
In principle, all AI systems are subject to documentation and transparency requirements. However, the EU AI Act requires that high-risk AI systems meet particularly strict requirements, including:
- Risk assessment regarding health, safety and fundamental rights
- Comprehensive technical documentation and a quality management system
- Oversight of data used, event logging, mandatory human oversight and requirements for data accuracy and security
- Transparency for users and/or data subjects
- A declaration of conformity, CE marking and registration in an EU database
How Companies Can Comply with the EU AI Act
The first step for companies is to identify which AI systems they use. Next, these systems must be classified by risk level. Each category comes with specific legal obligations. Digital tools like the EQS Governance solution can help. They support efficient AI assessments, enable proactive risk management and ensure audit-proof documentation.
Even if some high-risk AI deadlines are delayed, companies should not postpone this work. AI inventories, role mapping, risk classification, documentation structures, data governance and internal accountability processes all take time to build — and several AI Act obligations already apply.
Under Article 4 of the AI Act, companies must also ensure that they have sufficient AI competency in their workforce. This includes offering e-learning and awareness training to promote a responsible approach to AI use and information about the risks. In addition, they should publish an AI policy and clearly communicate guidelines.
Compliance with the EU AI Act is not a one-time task, but requires ongoing oversight. Companies are therefore advised to appoint an AI compliance officer to manage and monitor this process. Penalties for non-compliance can be steep, depending on the infringement: up to €35 million or 7% of global annual turnover for the most serious violations.
Why the EU AI Act Matters
The launch of ChatGPT sparked both global excitement and concern. While many people were eager to explore its potential, others quickly raised warnings about the risks. Calls for regulation followed, including a public appeal from leading AI entrepreneurs to pause development and set clear rules.
After 37 hours of negotiations, a provisional agreement on the AI Act was reached in December 2023. EU Commissioner Thierry Breton called it a “historic” step. The final text was published on 12 July 2024 and came into force on 1 August 2024.
Criticism from Business
While the EU takes pride in leading the way on AI regulation, the business community has voiced strong concerns. In June 2023, over 100 top European executives, including the CEOs of Siemens, Airbus, and ARM, signed an open letter warning that the proposed law went too far.
Their main objection was the strict regulation of generative AI. They feared companies would need entire compliance departments just to meet the transparency rules. The cost and effort, they argued, could hurt Europe’s competitiveness and push innovation abroad. A recent Deloitte survey of 500 managers supports this view: more than half of respondents said regulation is holding back AI innovation.
Their concerns could be justified. Although the EU hoped others would follow its lead, the opposite may now be true. One of Donald Trump’s first actions after returning to office was to scrap Joe Biden’s earlier AI regulation. His new “Stargate” project aims to invest $500 million in AI development, without regulatory limits.
What Lies Ahead
Some AI experts see the EU AI Act not as a burden, but as an opportunity. By building trust in AI among customers and partners, the law could give Germany and Europe a competitive edge. Companies that comply signal that they take social responsibility seriously, boosting their reputations. Put simply, an ethical approach to AI is essential for driving sustainable innovation and preventing misuse.
We’re still at the start of the AI journey. No one can say exactly where it will lead. That’s why the EU has built flexibility into the law. The Act is designed to evolve alongside the technology.
For companies, this means it’s worth investing in digital processes and a centralized platform for AI governance now. The more agile your setup, the better equipped you’ll be to handle what comes next.
