The EU AI Act is the world’s first comprehensive law governing artificial intelligence, and it is no longer a future concern. Its obligations are phasing into force in stages, and the parts that affect most businesses are already live or arriving soon. If your company builds, sells, or even just uses AI inside the EU — or serves EU customers — it applies to you.

The good news: for the vast majority of businesses, compliance is manageable. The bad news: “we didn’t realise it applied to us” is not a defence, and the penalties are serious — up to €35 million or 7% of global annual turnover for the worst breaches. Here is what actually matters, in plain language.

It works by risk, not by technology

The Act does not regulate “AI” as a monolith. It sorts AI systems into tiers based on how much harm they could do, and the obligations scale with the tier.

  • Unacceptable risk — banned. Things like social scoring by governments, manipulative systems that exploit vulnerabilities, and most real-time biometric identification in public spaces. These are simply prohibited.
  • High risk — heavily regulated. AI used in hiring, credit scoring, education, critical infrastructure, medical devices, law enforcement, and similar consequential domains. This tier carries the bulk of the obligations.
  • Limited risk — transparency only. Chatbots, AI-generated content, and similar. The core requirement is honesty: people must know they are interacting with AI or looking at AI-generated material.
  • Minimal risk — essentially unregulated. Spam filters, recommendation engines, most internal automation. The large majority of business AI lives here.

The single most important first step is figuring out which tier each of your AI uses falls into. Most companies discover they are mostly in “limited” or “minimal” — but they often have one or two systems quietly sitting in “high risk” that they had not flagged.

What “high risk” actually requires

If you operate a high-risk system, the obligations are substantial but concrete:

  • A risk management system maintained across the lifecycle.
  • Data governance — quality, relevance, and bias checks on training and input data.
  • Technical documentation and detailed record-keeping (logging) of the system’s operation.
  • Transparency so deployers understand how to use the system correctly.
  • Human oversight designed into the system, not bolted on.
  • Accuracy, robustness, and cybersecurity appropriate to the use case.
  • A conformity assessment before the system goes to market.

This is exactly the kind of requirement where how the software is built matters enormously. Compliance is far cheaper when documentation, logging, and oversight are designed in from day one rather than retrofitted. It is a core reason we treat governance as part of the engineering brief in our custom software work, not as paperwork added at the end.

The transparency rules catch almost everyone

Even if nothing you do is high-risk, the limited-risk transparency obligations are broad and easy to overlook:

  • Chatbots and AI assistants must make clear that users are talking to a machine.
  • AI-generated or manipulated content (images, audio, video, text published to inform the public) must be labelled and, increasingly, must carry machine-readable provenance markers.
  • Deepfakes must be disclosed as artificially generated.

If you have added an AI assistant to your website or product in the last year, this almost certainly applies to you. The fix is usually small — clear labelling and disclosure — but it has to actually be done. When we build AI integrations, this disclosure layer is part of the standard, not an extra.

The timeline you should hold in your head

The Act applies in waves. The prohibitions on unacceptable-risk systems came first. Obligations for general-purpose AI models followed. The full high-risk regime phases in over a longer window, with some embedded-product rules arriving last. The precise dates shift as guidance is published, so the practical advice is simple: do not wait for the deadline that applies to your highest-risk system before starting. Inventory and classification take time, and remediation takes longer.

A pragmatic compliance path

You do not need a dedicated AI law department. You need a structured pass through five steps:

  1. Inventory every AI system you build or use — including the ones embedded in tools you bought.
  2. Classify each by risk tier. This is where most of the clarity comes from.
  3. Apply transparency labelling everywhere limited-risk rules bite — this is quick and removes the easiest exposure.
  4. For anything high-risk, build the documentation, logging, oversight, and assessment the Act requires — ideally by improving how the system is engineered, not by writing reports about it.
  5. Assign ownership. Someone needs to keep the inventory current as you adopt more AI, because you will.

For many mid-sized companies, the hard part is not the work itself but knowing where to start and who should own it. This is one of the most common reasons businesses bring in senior technical leadership on a fractional CTO basis — to run the inventory, make the risk calls, and set up the governance so it keeps working as the company’s AI footprint grows.

The mindset shift

It is tempting to treat the AI Act as a compliance tax — a cost to minimise. The companies handling it best see it differently. Building AI that is documented, auditable, transparent, and overseen by humans is not just legally safer; it is better engineering. It produces systems you can trust, debug, and explain to customers. Those are exactly the systems that win in regulated markets.

The regulation is here. Treating it as an excuse to build AI properly — rather than a hurdle to clear — is the move that pays off.
Not sure which tier your AI systems fall into, or where to start? Get in touch and we will help you map your exposure and a realistic path to compliance.

Written by anfedev. anfedev builds custom software, AI integrations and automation for growing businesses.
