ARTICLE
14 February 2025

EU AI Act – Mastering AI Compliance In A Rapidly Evolving Digital World

Boege Rohde Luebbehuesen

Contributor

Boege Rohde Luebbehuesen logo
BRL is an internationally oriented partnership of lawyers, auditors and tax consultants that was founded in 2006. Today, we have around 400 employees at eight offices in Hamburg, Berlin, Bochum, Hanover, Dortmund, Essen, Munich and Bielefeld. Through Moore BRL GmbH, BRL is a network partner of Moore Global in Germany, a global network of independent audit and accounting firms. BRL is therefore ideally positioned to provide reliable and efficient solutions for cross-border issues in the areas of Tax, Legal, Insolvency & Restructuring as well as Risk Advisory Services (RAS). The fully dedicated RAS Team at BRL Risk Consulting is dedicated to a professional service offering with regards to Corporate Governance, Risk Management, Compliance, Internal Audit, Internal Controls (SOX), ESG, IT, Cyber Security and Data Science & Artificial Intelligence.
Explore Firm Details
Artificial Intelligence (AI) is rapidly transforming industries – from healthcare and finance to transportation and entertainment. As AI becomes more embedded in products, services, and business
Germany Technology
Oliver Bungartz and Julian Horn
Your Author LinkedIn Connections

Introduction

Artificial Intelligence (AI) is rapidly transforming industries – from healthcare and finance to transportation and entertainment. As AI becomes more embedded in products, services, and business processes, ensuring reliability, transparency, and fairness is essential for maintaining trust and long-term success. While AI offers great opportunities for innovation, it also presents significant risks that must be managed to protect safety, privacy, and ethical standards. Trust in the reliability, transparency, and fairness of AI is so crucial for widespread use that the European Union (EU) has developed its own regulation for AI – the European Union Artificial Intelligence Act (EU AI Act).

As AI continues to evolve, businesses and individuals must understand the regulatory landscape. The EU AI Act introduces new compliance requirements that will affect various sectors, even commonly used applications such as AI-based HR software may fall under the EU AI Act. These systems can pose significant risks to the fundamental rights of workers, highlighting the importance of proactive compliance and governance measures.

Violations of the act can lead to fines of up to €15 million or 3% of global annual turnover, with penalties for prohibited AI systems reaching as high as €35 million or 7% of turnover. The EU AI Act entered into force on August 1, 2024, and its provisions will become applicable in stages. Most requirements will take effect by August 2, 2026, with specific obligations for high-risk AI systems and other provisions coming into full force by August 2, 2027. Organizations should note these timelines and prepare accordingly to ensure timely compliance.

This article will explore the Act's structure, risk classification, and responsibilities for AI developers and users, offering practical insights on what actions to take now. Understanding these regulations will help businesses prepare and ensure they are well-positioned to comply and innovate responsibly.

What is the EU AI Act?

The EU AI Act is the first comprehensive regulation on AI introduced by a major regulatory body. It governs the development and use of AI within the EU and takes a risk-based approach to regulation. The Act applies different rules to AI systems based on the level of risk they pose. AI systems deemed to pose unacceptable risks – such as social scoring – are banned, while high-risk systems – like CV-scanning tools – are subject to specific legal requirements. Applications that do not fall into these categories are largely left unregulated. The classification and further details on these risk categories will be explored later in the article.

1583436a.jpg

Who Needs to Comply?

Even seemingly simple tools that assist in the recruitment process by evaluating CVs, conducting interviews or ranking candidates fall within the scope of the EU AI law. This highlights how easy it is for organizations to operate unwittingly within the framework of the EU AI Act and face severe penalties if they fail to comply.

An AI system, as defined by the EU AI Act, is a machine-based system that operates with varying levels of autonomy and can adapt after deployment. It makes predictions, generates content, provides recommendations, or makes decisions based on input it receives. These outputs can affect both physical and virtual environments.

In simpler terms, an AI system uses data and different techniques like machine learning (learning from data) or logic-based methods (following rules or knowledge structures) to make decisions or suggestions that influence its surroundings.

It is important to note that the definition excludes basic traditional software or purely rule-based programs designed by humans to perform specific tasks automatically, without adaptiveness or learning capability.

The EU AI Act applies to a wide range of entities involved in the development, use, and distribution of AI systems within the EU, regardless of their location.

Key entities subject to the EU AI Act include:

  • Providers/Developers: Any natural or legal person, public authority, agency, or other body that develops or places an AI system or a general-purpose AI model on the market or puts it into service under their name or trademark, whether for payment or free of charge.
  • Deployers: Any entity using an AI system under its authority, except for personal, non-professional use.
  • Importers: Entities within the EU that place AI systems on the market under the name or trademark of a non-EU entity.
  • Distributors: Any person within the supply chain, apart from the provider or importer, that delivers an AI system to the EU market.

The Act also applies to providers and deployers outside the EU if their AI systems or outputs are used in the EU. For example, if a company in the EU sends data to an AI provider outside the EU, and the output is used within the EU, the provider must comply with the EU AI Act. Providers outside the EU offering AI services in the EU must designate authorized representatives in the EU to coordinate compliance efforts on their behalf.

Risk Categorization

Following the identification of the entities and stakeholders subject to the EU AI Act, the next critical component is the framework for regulating AI systems based on their associated risks. The Act introduces a risk-based approach to ensure that regulatory measures correspond to the potential harm posed by AI systems. This approach categorizes AI systems into distinct risk levels, ranging from minimal to unacceptable, each requiring specific levels of oversight and compliance.

The visual below illustrates the EU AI Act's risk categorization:

1583436b.jpg

  1. Unacceptable-Risk Systems

AI systems that pose a clear violation of EU fundamental rights and values fall under the unacceptable risk category. These systems are strictly prohibited as they are considered a threat to human dignity, safety, and democratic principles.

Examples of Unacceptable Risk AI Systems:

  • Social Scoring Systems: AI systems that classify individuals based on their behavior or characteristics, leading to unfair treatment or discrimination (e.g., societal control mechanisms).
  • Manipulative AI: Systems that manipulate human behavior to cause harm, such as subliminal messaging that exploits vulnerabilities, particularly of children or vulnerable populations.
  • Real-Time Biometric Identification: Use of AI for live biometric surveillance in public spaces, except in narrowly defined law enforcement scenarios under strict conditions.
  • Exploitation of Vulnerabilities: AI systems, designed to exploit an individual's circumstances, such as financial instability or cognitive limitations.

Prohibition applies universally, meaning no AI system under this category can be developed, deployed, or marketed within the EU.

  1. High-Risk AI Systems

High-risk AI systems are those that can significantly impact health, safety, or fundamental rights. They operate in critical domains where errors or misuse could lead to serious consequences for individuals or society.

Examples of High-Risk AI Systems:

  • Healthcare: AI used for medical devices, disease diagnosis, or treatment recommendations.
  • Employment: Recruitment tools that analyze resumes, conduct interviews, or rank candidates.
  • Law Enforcement: AI for crime prediction, facial recognition, or risk assessment in judicial decisions.
  • Education: AI systems that assess students, such as grading software or proctoring tools.
  • Finance: Credit scoring, loan approval systems, or fraud detection tools.

Regulatory Requirements for High-Risk Systems:

  1. Conformity Assessment: Systems must undergo pre-market evaluations to ensure compliance.
  2. Risk Management: Continuous monitoring and mitigation of AI-related risks throughout the lifecycle.
  3. Transparency and Documentation: Detailed documentation outlining the system's purpose, functioning, and associated risks.
  4. Human Oversight: Mechanisms for meaningful human intervention to prevent harmful outcomes.
  5. Cybersecurity Measures: Safeguards to ensure system resilience, accuracy, and security.
  1. Limited-Risk AI Systems

Limited-risk AI systems are applications that involve elements of impersonation, manipulation, or deception. While these systems are not classified as high-risk, they still carry notable societal implications and require specific transparency measures to ensure users are aware when they are interacting with AI.

Examples of Limited-Risk AI Systems:

  • Chatbots: AI systems that simulate human conversations must clearly inform users that they are not engaging with a human.
  • Deepfakes: AI-generated audio, video, or images designed to deceive must be labeled as synthetic content to prevent manipulation.
  • AI-Generated Content: AI tools used to produce text or visual content, such as automated journalism or AI-created art, must disclose their non-human origin.

Regulatory Requirements for Transparency-Risk Systems:

  1. Clear Disclosure: Users must be explicitly informed whenever they interact with an AI system or encounter AI-generated content.
  2. Transparency Obligations: Organizations must ensure that their AI tools provide adequate information, empowering users to make informed decisions and understand the nature of the content or interaction.

When implementing compliance with disclosure and transparency requirements, it makes sense to also integrate a level of risk management and assess the risks that AI systems pose to organizational processes. Even limited-risk systems, such as chatbots, can cause significant harm to an organization if improperly implemented or adapted.

  1. Minimal-Risk Systems

Minimal-risk systems represent most AI applications. These systems are low-impact and pose no significant threat to health, safety, or fundamental rights. As such, they are not subject to specific regulations under the EU AI Act beyond existing legal frameworks.

Examples of Minimal Risk AI Systems:

  • Spam Filters: Tools that automatically detect and filter unwanted emails.
  • Recommender Systems: AI systems suggesting products, videos, or content based on user preferences (e.g., streaming platforms).
  • Basic Automation Tools: AI used for process optimization, such as inventory management or customer service bots.

However, due to the rapid evolution of the regulatory landscape, it also makes sense to conduct a risk assessment for minimal risk AI systems. This will help organizations identify potential vulnerabilities while avoiding unintended consequences. A proactive approach prepares for future regulation as well as ensuring ethical and accurate use.

  1. General-Purpose AI Models (GPAI)

General Purpose AI Models (GPAI) include large-scale AI systems, often designed for broad, multi-domain applications. These systems, such as foundational AI models and large language models, require additional scrutiny due to their potential to create systemic risks when deployed at scale.

Examples of General-Purpose AI Models:

  • Large-scale language models like GPT-style systems.
  • AI models that provide broad capabilities, such as computer vision or speech recognition systems used across multiple applications and industries.

Regulatory Requirements for GPAI:

  1. Transparency Requirements: Developers and providers must disclose the AI model's capabilities, limitations, and intended use.
  2. Systemic Risk Management: If GPAI systems are found to present systemic risks (e.g., widespread bias or misuse), developers must implement measures for risk assessment and mitigation.
  3. Documentation and Accountability: Maintain detailed documentation about the AI model's design, development process, and training data.

Compliance Strategy: From Risk Assessment to Implementation

Achieving compliance with the EU AI Act requires a streamlined approach focused on three key phases: risk assessment, governance, and continuous monitoring. This strategy ensures AI systems align with regulatory requirements while balancing innovation and accountability.

1583436c.jpg

  1. Risk Assessment and Categorization

The first step is identifying and categorizing all AI systems according to their risk level: unacceptable, high-risk, transparency-risk, or minimal-risk. Accurate classification is essential to determine regulatory obligations and avoid non-compliance. Organizations must evaluate each system's purpose, impact, and potential risks, particularly for high-risk applications, where additional requirements like data quality and human oversight apply.

  1. Implementation of Governance Framework

A strong governance framework ensures oversight and accountability across the AI lifecycle. Organizations should assign leadership responsibility, such as a Chief AI Ethics Officer or a Compliance Team, to manage regulatory adherence. Internal policies must address transparency, cybersecurity, and risk mitigation while integrating human oversight mechanisms for high-risk systems. Detailed documentation and traceability processes are critical to meet conformity and audit requirements.

  1. Monitor, Audit, and Improve

Compliance requires ongoing monitoring and adaptation. Regular audits and post-market monitoring ensure AI systems remain safe, unbiased, and aligned with regulations. Organizations must continuously evaluate system performance, address emerging risks, and update processes in response to regulatory changes. Embedding a culture of improvement ensures long-term compliance and trust.

Conclusion

A structured approach—combining risk assessment, governance, and continuous monitoring—enables organizations to meet EU AI Act requirements effectively. By prioritizing compliance, businesses can deploy AI systems responsibly, build trust, and mitigate risks. Establishing a compliance framework not only addresses immediate obligations but also positions organizations to adapt as the regulatory landscape evolves with advancing AI technologies.

The EU AI Act establishes a robust framework for the governance of AI systems, focusing on transparency, risk management, and accountability. With full application set for 2026-2027, early preparation is essential. By acting now, organizations can identify risks, implement governance structures, and adapt to the evolving regulatory landscape, avoiding steep penalties and safeguarding trust.

Looking ahead, the EU AI Act will evolve in response to ongoing advancements in AI technology, including the rise of general-purpose AI and more sophisticated models. As AI increasingly shapes industries and everyday life, the act will need to address emerging challenges such as the ethical use of AI, data privacy concerns, and evolving security risks.

In this rapidly changing landscape, businesses of all sizes must take immediate action by conducting initial risk assessments, assigning compliance leadership, and embedding transparency into their AI practices. Compliance is not merely about avoiding penalties; it is a strategic advantage that enables organizations to gain customer trust, innovate responsibly, and stay competitive in an AI-driven future.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Oliver Bungartz
Oliver Bungartz
Photo of Julian Horn
Julian Horn
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More