EU AI Act
The Act covers companies that use AI, not only those that build it. What deployers owe, by when, and what the omnibus changed.
of organizations use AI in at least one function (McKinsey, 2025)
of EU enterprises used AI in 2025, up from 13.5% (Eurostat, 2025)
of organizations have no AI governance policy (IBM, 2025)
Deployer duties attach to ordinary AI use: an inventory, literacy, and oversight, whether or not anyone planned for them.
what the EU AI Act is and what it regulates
The EU AI Act is a regulation that establishes a legal framework for AI systems placed on or used within the EU market. It applies to providers (those who develop or place AI systems on the market) and to deployers (organizations that use AI systems in a professional context under their authority).
The regulation assigns AI systems to risk categories: unacceptable risk (prohibited), high risk (subject to significant requirements), limited risk (transparency obligations), and minimal risk (no mandatory requirements, but good practice guidance applies).
Most general-purpose AI tools used by businesses, such as AI writing assistants, summarization tools, and AI productivity software, fall into the limited or minimal risk categories under the Act. High-risk AI systems include those used for specific regulated purposes: employment decisions, credit scoring, critical infrastructure management, and biometric identification among others.
The regulation's provisions are phasing in over time. The prohibition on unacceptable-risk practices, backed by fines of up to EUR 35 million or 7% of global annual turnover, applied from February 2025. Obligations for general-purpose AI models applied from August 2025. The baseline date for high-risk system obligations is 2 August 2026 and remains operative for now. A digital omnibus amendment, provisionally agreed on 7 May 2026 and pending formal adoption, would move Annex III high-risk obligations to 2 December 2027 and Annex I high-risk obligations to 2 August 2028. Deployer organizations need to track which provisions apply to their specific AI system use cases and when.
why EU AI Act compliance is underestimated by deployer organizations
The EU AI Act has primarily been discussed as a regulation for AI developers and technology companies. The deployer obligations received less attention in early coverage, and many mid-market organizations have not yet assessed how the Act applies to their AI tool use.
Two gaps explain most of the underestimation. First, organizations do not have a complete inventory of the AI systems they use. Without an inventory, there is no way to classify tools against the Act's risk framework. The classification question cannot be answered without knowing what is in use.
Second, the concept of a "deployer" under the Act is broad. Any professional use of an AI system, whether the system was built in-house or adopted as a third-party service, may qualify as deployment under the regulation. Organizations that assumed the Act only applied to AI builders may need to revisit that assumption for specific use cases.
the deployer obligations that apply to mid-market organizations
Most mid-market organizations will primarily encounter the EU AI Act through its deployer obligations for high-risk systems and through the transparency requirements for limited-risk systems.
High-risk system deployer obligations. If your organization uses an AI system that the Act classifies as high-risk, for example AI-assisted hiring, AI used in credit decisions, or AI used in certain critical infrastructure management contexts, you have obligations as a deployer. These include conducting a fundamental rights impact assessment, ensuring human oversight, maintaining use logs, and informing affected individuals where required.
Transparency obligations. AI systems that interact with people (chatbots, AI-generated content delivered to individuals) must be identified as AI-generated unless the context makes this obvious. This is a limited-risk obligation, but it has practical implications for customer-facing AI deployments.
GDPR interaction. The EU AI Act does not replace GDPR. For AI systems that process personal data, both sets of obligations apply. A data protection impact assessment that was already required under GDPR for certain processing may now need to be accompanied by an AI-specific fundamental rights impact assessment.
Documentation requirements. Deployers of high-risk systems must maintain documentation of how they use those systems. This is a recordkeeping and accountability obligation that requires knowing, in some detail, which AI systems you use, what tasks they perform, and how oversight is exercised.
what works
Every obligation in the Act attaches to a specific AI system, so compliance work begins with an inventory: the tools IT adopted, the AI capabilities built into software the organization already runs, and the tools teams adopted informally without review. The directory's OAuth grant list captures much of the third category, and a factual inventory beats guesswork about what teams are using.
Classification follows. Most general-purpose AI tools land in the limited or minimal risk categories, while AI used in employment decisions, financial assessments, or other regulated contexts may qualify as high risk and warrants deeper review. Anything approaching the prohibited categories (social scoring by public authorities, real-time biometric surveillance in public spaces, manipulative techniques that exploit psychological vulnerabilities) calls for specific legal review rather than internal judgment.
For systems that do classify as high risk, the deployer's position rests on documentation: the oversight processes in place, the fundamental rights impact assessments, and the log retention procedures the Act requires, worked through with legal counsel rather than improvised by IT. The organizations that stay compliant over time fold the Act into their standard AI tool vetting, adding one question to the checklist: could this tool's use, in this specific context, constitute high-risk deployment? Asked at adoption, the question costs a minute; asked after a regulator's inquiry, it costs considerably more.
let's start with a conversation
Most first conversations start with not quite knowing what you have or where to begin. That's normal, and it's exactly where we're useful.
Tell us what prompted this. An upcoming audit, an incident, a client's security questionnaire, or just a sense that things have gotten messy.
We'll take it from there.

+48 783 762 997
julian@unshadowit.com