Author: Ingolf Rauh

Does the EU AI Act matter for your business?

On August 2, important new provisions of the EU AI Act will take effect. Contrary to what one might assume at first glance, these provisions do not affect only the industry giants behind the large language models. The EU defines deployers of AI systems much more broadly: "The notion of 'deployer' referred to in this regulation should be interpreted as any natural or legal person, including a public authority, agency or other body, using an AI system under its authority, except where the AI system is used in the course of a personal non-professional activity.”, AI Act, recital (13). So every business using AI should think twice about the new regulation and whether they might be affected – especially since fines of up to 35 million euros may be imposed.

We have compiled a few key takeaways on the new regulation.

Background: Why the EU introduced the AI Act

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive AI legislation, aiming to balance innovation and regulation. European policymakers believe that the revolutionary technology creates new challenges that existing laws do not address, including negative effects on personal rights and security, as well as on public safety. To prevent such consequences, the EU has defined certain uses of AI as posing an unacceptable risk and has explicitly prohibited their use. In addition, the categories "High Risk",  "Limited Risk",  and "Minimal Risk" have been defined, each corresponding to tiers of compliance requirements. With the new fundamental regulation, trust in the technology shall be strengthened amongst citizens. Furthermore, a single EU market for AI products and services shall be established to ensure fair competition and compliance with applicable EU standards.
.

The four risk categories

To determine whether at all or how a business is affected by the AI Act, it is helpful to look at the four risk categories first:

 

Description

Examples

Unacceptable risk
AI systems that pose an unacceptable threat to safety or fundamental rights. These are generally banned.
  • Social scoring of citizens by private actors or public authorities
  • AI that manipulates people into harmful decisions through deceptive or exploitative techniques
  • Emotion recognition in workplaces or schools (with limited exceptions)
  • Certain forms of real-time remote biometric identification by law enforcement in public spaces (subject to narrow exceptions)

     

High risk
AI used in areas where errors or bias could significantly affect people's lives. These systems are allowed but must comply with strict requirements.
  • AI used to screen job applicants or evaluate employees
  • AI determining eligibility for loans or insurance
  • AI supporting medical diagnosis in medical devices
  • AI used in critical infrastructure (e.g., electricity grids)
  • AI used in education, such as grading exams or admissions decisions
  • AI used by law enforcement or border control for risk assessments
Medium risk
AI systems that mainly require transparency so users know they are interacting with AI.
  • Customer service chatbots
  • AI-generated images, audio, or video (deepfakes) that must be disclosed as AI-generated in many cases
  • AI writing assistants
  • Virtual assistants that interact directly with users
Limited risk
AI applications with little or no impact on safety or fundamental rights. These face few, if any, additional obligations under the AI Act.
  • Spam filters
  • AI-powered video game characters
  • AI in recommendation systems for music or movies
  • Grammar and spell checkers
  • AI used for photo enhancement


What the categories mean in practice

Companies whose offerings fall into the first two categories are either already affected by the AI Act – since restrictions on prohibited AI have been in effect since early 2025 – or they operate in industries that are already strictly regulated.

Most private-sector companies will likely fall into categories 3 and 4, with category 4 being the least problematic and imposing virtually no additional requirements (existing regulations, such as the GDPR or specific industry guidelines, will of course continue to apply).

At this time, a major challenge for many AI use cases is the transparency requirements for category 3 as laid out in Art. 50, AI Act. However, it is unclear how these are to be implemented in practice. For this reason, the EU AI Office has published a Code of Practice (CoP). This document was drafted by eligible stakeholders who replied to a public call and was published on June 10, 2026. Currently, the code is undergoing a final assessment by the EU Commission and the AI Board.

👉 Get a breakdown of the different transparency requirements here in our free whitepaper.


The cost of non-compliance

Non-compliance with the AI Act can result in severe fines. The regulation allows law enforcement agencies a margin of discretion of up to €35 million or 7% of global annual turnover for certain prohibited AI violations.