Why the EU AI Act affects companies now
With the EU AI Act (Regulation (EU) 2024/1689), the European Union has created the world's first comprehensive legal framework for the use of artificial intelligence. The aim is to promote innovation while guaranteeing security, fundamental rights and consumer protection.
The regulation has been in force since August 1, 2024 and is being applied in stages:
- Since February 2, 2025, prohibited AI systems are no longer permitted and employees must be demonstrably trained on the AI systems used in the company;
- since August 2, 2025, documentation and information obligations have applied to providers of general-purpose AI systems, along with penalties for the use of prohibited AI systems;
- from August 2, 2026, further obligations come into force (in particular transparency obligations, e.g. labeling of AI-generated texts), together with further penalties;
- until August 2, 2027, extended transition periods apply for certain embedded high-risk systems.
For companies - also outside the EU - the AI Act is highly relevant as soon as AI systems are made available on the EU market or their use affects people in the EU.
This article provides a structured overview of the regulation, highlights its advantages and disadvantages and outlines the strategic potential and risks it entails.
Objective and scope of application of the EU AI Act
Objectives of the regulation
The EU AI Act essentially pursues three objectives:
- Creation of a single internal market for AI
  - Harmonization of rules in all member states
  - Avoiding a patchwork of individual national regulations
- Promotion of "trustworthy" AI
  - Protection of health, safety and fundamental rights (e.g. data protection, anti-discrimination)
  - Transparency and traceability of decisions
- Strengthening Europe's innovation and competitiveness
  - Predictable framework conditions for companies
  - Promotion of test environments ("AI sandboxes") and support for SMEs
Who is covered by the AI Act?
The regulation has a broad scope of application:
- Providers who develop an AI system and market it under their own name,
- Providers/importers/distributors who offer systems in the EU,
- Users/operators (deployers) who use AI systems in their own business operations,
- Manufacturers of regulated products (e.g. medical devices, machines) if they integrate AI,
- Companies outside the EU as soon as their AI systems affect people in the EU.
For many companies, this means that not only AI manufacturers, but also "normal" users - for example in HR, customer service, production or compliance management - will have to fulfill obligations if they use certain AI systems.
The risk-based approach: categories of AI systems
At the heart of the AI Act is a risk-based approach that classifies AI systems according to their risk to people and society.
Prohibited AI practices (inadmissible risk)
Certain applications are considered "unacceptable" and are generally prohibited, including:
- Social scoring of individuals by public authorities or in the private sector
- AI systems to exploit the weaknesses of particularly vulnerable people (e.g. children)
- Emotion recognition at work or in schools (with a few exceptions)
- Real-time facial recognition in public spaces, with narrow exceptions for law enforcement
- Biometric categorization according to sensitive characteristics (e.g. religion, sexual orientation)
Companies must ensure that they do not use any prohibited practices - not even "indirectly" via purchased systems.
High-risk systems
High-risk AI is permitted, but is subject to strict conditions. It includes systems listed in Annex III of the Regulation, for example:
- Critical infrastructures (e.g. energy, transportation)
- Education and vocational training (access-controlling AI)
- Human resources (e.g. pre-selection of applicants, performance evaluation)
- Credit assessment and access to financial services
- Justice and law enforcement
- Access to essential public services
Such systems are subject to comprehensive requirements in terms of risk management, data quality, transparency, technical robustness, cyber security, human supervision and documentation.
Limited risk (transparency obligations)
AI systems with limited risk are primarily subject to transparency obligations, e.g.:
- Chatbots, where users need to be informed that they are interacting with an AI,
- Systems for deepfake generation, where labeling obligations apply,
- Certain emotion recognition or biometric systems, unless they are prohibited anyway.
Minimal risk
The majority of today's AI applications - such as spam filters, AI support in office software or simple analytics - are considered minimal risk and are not subject to specific obligations under the AI Act, but only to general legislation (e.g. data protection law).
Timetable and duties by role - what companies can expect in concrete terms
Important deadlines at a glance
Implementation is staggered:
- As of February 2, 2025
  - Prohibited practices must be discontinued.
  - Obligation to train employees ("AI literacy") for providers and operators of AI systems.
- As of August 2, 2025
  - Obligations for general-purpose AI (GPAI) and large foundation models, including transparency on training data, documentation and partial cyber security audits.
- As of August 2, 2026
  - Most of the obligations of the AI Act apply, in particular to high-risk systems under Annex III.
- Until August 2, 2027
  - Extended deadlines for certain high-risk systems embedded in regulated products.
Obligations for providers and operators
The core obligations include, among others:
- Risk management system over the entire life cycle
- Data and model governance (data quality, bias controls, documentation)
- Technical documentation & conformity assessment (partly CE marking)
- Transparency towards customers and supervisory authorities
- Human oversight of critical decisions
- Monitoring during operation and reporting obligations in the event of serious incidents
The AI Act provides relief for small and medium-sized enterprises (SMEs), e.g. support through guidelines, sandboxes and partially reduced fees, to cushion the compliance burden.
Violations can be punished with fines of up to 7% of annual global turnover - in the order of magnitude of the GDPR or higher.
Advantages of the EU AI Act for companies
Despite the noticeable regulation, the AI Act offers a number of advantages, especially for companies that want to use AI strategically in the long term.
Legal certainty and harmonized rules
Instead of individual national initiatives, the AI Act creates uniform rules for the entire European market. This increases the predictability of investments in AI and reduces the effort of having to take different legal situations into account in the long term.
For internationally active companies - such as those from Switzerland, the UK or the US - it is clear that those who comply with the AI Act can offer AI solutions in a relatively standardized manner throughout the EU.
Confidence advantage with customers, partners and supervisory authorities
Companies that have a proven track record of managing AI risks, creating transparency and ensuring human control can build trust - vis-à-vis:
- Customers (e.g. explainable credit decisions, fair HR processes),
- Business partners (e.g. in supply chains that use AI),
- Supervisory authorities (e.g. in the financial or healthcare sector).
Studies and consulting reports indicate that compliance and responsible AI are increasingly perceived as a competitive advantage, especially in B2B business.
Framework conditions that promote innovation
Through AI sandboxes and targeted support for SMEs, the AI Act is intended to steer innovation in an orderly direction rather than slow it down. Companies can test new AI applications under supervision without immediately bearing the full liability risk and receive early feedback on regulatory expectations.
In addition, the regulation is forcing many organizations to take a structured approach to data, model and process quality - a driver for efficiency, standardization and digitalization beyond pure AI projects.
Disadvantages and burdens: Where it gets difficult for companies
Despite the opportunities, the AI Act poses considerable challenges, particularly in the implementation phase.
High implementation costs and organizational effort
Setting up an AI risk management system, classifying all AI use cases, adapting contracts, setting up monitoring processes and training employees means a lot for many companies:
- Additional personnel costs (e.g. for compliance, legal, IT security, data governance),
- Investments in tools and documentation systems,
- Projects for process adjustments and audits.
Small and medium-sized companies in particular fear being overwhelmed by the complexity, despite the support measures provided for in the law.
Regulatory uncertainty and dynamic design
The AI Act is fleshed out by guidelines, standards and supplementary regulations - for example by the EU AI Office and standardization bodies (CEN/CENELEC).
For companies, this means:
- The specific interpretation of numerous obligations is still evolving,
- There is a risk of divergent interpretations in different member states,
- Adjustments are also likely after the initial implementation.
Current discussions and political debates - for example about possible deadline extensions or "omnibus adjustments" - are increasing the perception of uncertainty, even if the EU Commission has so far stuck to the core timetable.
Competitive disadvantages compared to less regulated markets?
One argument often put forward is that strict regulation in the EU could put companies at a disadvantage compared to competitors from regions with less strict AI regulation. Large tech companies have already publicly warned of excessive costs and barriers to innovation.
However, this is offset by the fact that:
- many global players have to adapt their systems to EU standards anyway,
- responsible AI is increasingly in demand internationally,
- other jurisdictions (e.g. USA, UK) are also working on sectoral or horizontal AI regulations.
Strategic potential of the EU AI Act for companies
Despite the burdens, the AI Act offers strategic opportunities, especially for companies that act early.
Development of a systematic AI governance framework
Investing in AI governance now - including an inventory of all AI systems, risk assessments, policies, controls and monitoring - lays the foundation for:
- Scalable use of AI beyond individual pilot projects,
- consistent decisions on "go/no-go" for new use cases,
- efficient interfaces to data protection, information security, compliance and risk management.
Such structures can often be integrated into existing GRC and ISMS frameworks instead of setting them up in parallel. Specialized software solutions for governance, risk and compliance can help to capture AI use cases, assess risks, document controls and generate audit evidence.
Differentiation via "Trusted AI" and quality
Companies can consciously position themselves using "Trusted AI":
- Transparent, comprehensible models and decision-making processes,
- fair and non-discriminatory algorithms,
- reliable documentation and auditability.
This is particularly relevant in sensitive areas such as HR, financial services, healthcare or critical infrastructures, where trust is a key purchasing and selection criterion.
New business models and services
The AI Act creates a growing demand for:
- Advice on AI governance, compliance and technology,
- certified components (e.g. pre-validated data records, risk modules),
- Platforms that support compliance with requirements (risk management, documentation, monitoring),
- Training and awareness programs in the area of AI literacy.
This is creating new market segments for technology providers, consulting firms and GRC specialists.
Risks and liability issues for companies
In addition to opportunities, the AI Act brings legal and operational risks that need to be actively managed.
High fines and reputational damage
With fines of up to 7% of global turnover and the high level of public awareness of AI issues, a breach can have serious consequences - both financial and reputational.
Particularly critical are:
- the use of prohibited AI practices,
- serious deficiencies in high-risk systems (e.g. discriminatory HR algorithms, incorrect credit decisions, safety-critical systems with insufficient robustness).
Liability along the supply chain
Many companies use AI that they have not developed themselves - such as SaaS solutions, cloud services or embedded systems. This raises two questions:
- Who is responsible for what - provider or operator?
- What due diligence obligations does the user company have (e.g. for selection, configuration, monitoring)?
The AI Act assigns duties to both sides; companies must adapt their contracts, SLAs and due diligence processes to appropriately allocate liability risks and at the same time fulfill their regulatory obligations as operators.
Interactions with other regimes (GDPR, product liability, NIS2)
AI compliance under the AI Act does not stand alone, but in the context of other regulations:
- Data protection (GDPR) - for example, when processing personal data for training or operational purposes,
- Product safety and product liability law - especially for embedded systems,
- NIS2 Directive - for critical infrastructures and certain operators with regard to cyber security.
The interplay of these regimes makes an integrated governance approach almost imperative.
Recommendations for companies
In order to fulfill the obligations of the EU AI Act and at the same time take advantage of opportunities, a structured approach in several steps is recommended:
- Create an inventory ("AI Inventory")
  - Which AI systems are used today?
  - Which are planned (pilot projects, roadmaps)?
  - Which systems are developed in-house and which are purchased?
- Classify risks according to the AI Act
  - Classification as: prohibited, high risk, limited or minimal risk,
  - Comparison with Annex III and, if applicable, other guidelines.
- Define roles and responsibilities
  - Who is responsible for AI governance internally (e.g. AI officer, GRC team, CISO, DPO)?
  - How are provider and operator obligations contractually mapped?
- Implement risk management and controls
  - Processes for data quality, model validation, monitoring, incident management,
  - Documented human supervision and intervention options.
- Carry out training ("AI Literacy")
  - Raising awareness among management, specialist departments and IT,
  - Specific training for employees who select, configure or monitor AI systems.
- Use tools and platforms
  - Use of suitable GRC, ISMS and risk management software,
  - Integration of AI risks into existing governance structures (e.g. information security, compliance, data protection).
- Monitor and adapt continuously
  - Monitoring of new guidelines, standards and case law,
  - Regular reviews of AI use cases and their risk classification.
Conclusion: Regulation as a challenge - and an opportunity
The EU AI Act marks a turning point in the regulation of artificial intelligence: it creates an ambitious, globally recognized set of rules that both challenges and protects companies.
- The advantages lie in legal clarity, building trust and the opportunity to position oneself as a provider of responsible, high-quality AI.
- Disadvantages arise from implementation costs, complexity and the need to make far-reaching changes to existing processes and systems.
- There is potential above all where companies see the AI Act as an impetus to professionalize their data, IT and governance structures and embed AI strategically - instead of just using it selectively.
Whether the regulation ultimately proves to be more of a brake or a catalyst depends largely on how early and strategically companies approach the change. One thing is clear: AI will not become less important - but it will become more regulated. Those who prepare for the EU AI Act in a structured way today will not only be compliant tomorrow, but will also be able to gain competitive advantages from trustworthy AI.
Sources:
- Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 (EUR-Lex)
- AI Act | Shaping Europe's digital future (AI Act)
- Austrian Federal Chamber of Labor (AI Ordinance)
- Rundfunk und Telekom Regulierungs-GmbH (Time Frame for the AI Act | AI Service Desk | RTR)
- AI Act Service Desk (Timeline for the Implementation of the EU AI Act)