The EU AI Act in Plain English: What Your Business Actually Has to Do
Goktug Onyer
Founder

The EU AI Act is the world's first comprehensive law governing artificial intelligence. It entered into force in August 2024 and is being phased in through 2027, and like GDPR before it, it has extraterritorial reach: if your AI system is placed on the EU market or its output is used by people in the EU, it applies to you, wherever you're based.
The full text is hundreds of pages. Here's what actually matters for a normal business, in plain English.
A note: this is a practical overview, not legal advice. For a binding assessment of your obligations, talk to a qualified lawyer.
The core idea: risk tiers
The Act doesn't regulate "AI" as one thing. It sorts AI uses into four risk levels and applies rules proportionate to the risk.
1. Unacceptable risk — banned
A short list of uses is prohibited outright: social scoring (by public bodies or private companies), systems that manipulate people or exploit vulnerabilities such as age, disability or economic situation to cause harm, untargeted scraping of faces from the internet or CCTV to build recognition databases, emotion recognition in workplaces and schools, and most real-time remote biometric identification in public spaces by law enforcement. Most businesses never touch these, but if your idea is in this zone, it's simply off the table in the EU.
2. High risk — heavily regulated
This is the tier that carries real obligations. AI is "high risk" when it's used in sensitive areas: recruitment and HR decisions, credit scoring of individuals, access to education, essential public and private services (benefits, insurance), safety components of regulated products such as medical devices, critical infrastructure, law enforcement, migration and justice. If you build AI here, you face requirements like risk management, data governance, human oversight, transparency, logging, technical documentation, a conformity assessment, and accuracy, robustness and cybersecurity requirements (the Act explicitly names data poisoning, model poisoning, adversarial inputs and model-confidentiality attacks as risks to be addressed). If you only deploy such a system, your duties are lighter but still real: use it as instructed, keep humans in the loop, retain the logs, and in some cases run a fundamental-rights impact assessment.
Translation: if your AI helps decide who gets hired, gets a loan, or gets into a program, assume you're in scope and budget for compliance work.
3. Limited risk — transparency obligations
This is where most businesses land. Chatbots, AI customer service, content generation. The main rule is simple: be transparent.
- Tell people when they're interacting with an AI, not a human (your chatbot should make this clear).
- Label AI-generated or AI-manipulated content, "deepfakes" and synthetic media especially. If you build the generator rather than just use one, its output must also be marked in a machine-readable way (watermarking or metadata).
- Disclose when emotion-recognition or biometric-categorisation is in use.
4. Minimal risk — no new obligations
Spam filters, AI in video games, recommendation engines, inventory forecasting. The vast majority of everyday AI falls here and isn't specifically regulated by the Act (though GDPR and other laws still apply).
What about ChatGPT-style general-purpose AI?
The Act has a separate track for general-purpose AI (GPAI) models, the big foundation models. Providers of those models face transparency and documentation duties, plus stricter rules for the most capable "systemic risk" models. If you're using these models via an API rather than building one, most of that burden sits with the provider, not you. But you're still responsible for how you deploy the result: put a third-party model into a high-risk use (say, screening job applicants) and you become the provider of a high-risk system, with the full set of high-risk obligations.
The deadlines that matter
- Since 2 February 2025: the bans on unacceptable-risk uses, plus the duty to ensure staff who operate AI have adequate AI literacy.
- 2 August 2025: obligations for general-purpose AI models begin; enforcement bodies and the penalty regime apply.
- 2 August 2026: the bulk of the high-risk rules and the transparency obligations become applicable.
- 2 August 2027: remaining high-risk obligations (for AI embedded in regulated products like medical devices and machinery) phase in.
Penalties exceed GDPR's: up to €35 million or 7% of global annual turnover, whichever is higher, for prohibited practices; up to €15 million or 3% for most other violations; up to €7.5 million or 1% for supplying incorrect information to regulators. This is not a law to ignore.
What most businesses actually need to do
If you're a typical company using AI for chat, content, automation, or analytics — not making high-stakes decisions about individuals — your realistic to-do list is short:
- Inventory your AI uses. List every place AI touches your business: in-house tools, product features, AI built into the SaaS you already pay for, and what staff use on their own. You can't classify what you haven't mapped.
- Classify each by risk tier. Most will be limited or minimal risk. Flag anything near hiring, credit, or access decisions for closer review.
- Add transparency where required. Make sure chatbots identify as AI and AI-generated content is labelled.
- Check your vendors. Ask your AI providers how they support AI Act compliance (model documentation, usage restrictions, content-marking), and keep their documentation.
- Train your people. Staff who operate or oversee AI need enough understanding to use it responsibly; this duty already applies.
- Keep GDPR tight. The AI Act sits on top of GDPR, not instead of it. Solid data governance covers a lot of ground for both.
- Get a proper assessment if you're in or near high-risk. That tier is where the heavy obligations live, so don't guess.
The bottom line
The EU AI Act sounds intimidating, but for most businesses it boils down to: know where you use AI, be honest with users that it's AI, and apply extra rigour only where the stakes for individuals are high. The companies that get caught out are the ones that never mapped their AI usage in the first place.
As a Vienna-based studio, EU compliance is home turf for us. If you want a clear-headed assessment of where your AI usage falls and what — if anything — you actually need to do, that's a focused engagement we're happy to run. Usually it's far less work than people fear.