EU AI Act in brief: what you need to know
The core of the EU AI Act is risk-based. Not every AI application is treated the same. The greater the impact on people, processes, or decision-making, the heavier the obligations become.
The implementation will occur in phases. The first bans on prohibited applications are expected to take effect around 2025, after which the rules for high-risk AI systems will come into effect in 2026. In the following years, further enforcement and tightening will follow. That may seem far away, but for organizations already using AI, this is precisely the time to start.
Virtually every organization falls under the law. As soon as AI is used in processes that affect customers, employees, or decision-making, responsibility arises under the AI Act.
Insight as a starting point: map your AI usage
Before compliance can be established, it must be clear where AI is actually being used. In practice, this often proves to be more challenging than expected. AI is now integrated into marketing tools, CRM systems, analytics tools, and even standard software.
A good first step is therefore to systematically map all applications. This does not have to be a complicated process. A simple overview that records a number of fixed elements per tool is often sufficient to provide structure:
- the purpose of the application
- the data used and how sensitive it is
- the supplier or technology
- the internal responsible party
Once that overview is in place, there is automatically more insight into risks. These vary greatly by sector. In e-commerce, for example, it often concerns recommendation systems and price optimization, applications that typically carry a limited risk. In sectors such as healthcare, education, or HR, it is different, as AI can directly influence decisions about people.
Importantly, it is not the tool itself that is decisive, but the way in which it is used.
From insight to action: what does your risk profile mean?
Once it is clear which AI applications exist, the next step follows: classification. The AI Act distinguishes between applications with minimal, limited, and high risk. This classification largely determines what is expected of an organization.
For applications with minimal risk, the requirements usually stop at basic registration and awareness. Think of internal tools without direct impact on customers or decision-making. The emphasis here is primarily on overview.
For applications with limited risk, the focus shifts to transparency. Organizations must make it clear when AI is used and must be able to explain in broad terms how decisions are made.
This changes with high-risk applications. In sectors such as healthcare, finance, or HR, stricter requirements apply. Organizations are expected to:
- conduct risk analyses
- document processes and decisions
- incorporate human oversight
- explicitly define responsibilities
What makes it complex is that this classification is not static. AI tools are evolving rapidly. An application that falls under a lower risk category today may be assessed differently tomorrow. Periodic reassessment is therefore essential.
The costs of compliance – and why delaying is more expensive
A common reason for delaying compliance is the costs. And indeed: setting up processes, documentation, and oversight requires time and resources.
These costs typically consist of three components:
- internal hours for inventory and management
- tooling and any required adjustments
- legal and compliance checks
Depending on the organization, these costs range from a few thousand euros to amounts of €50,000 or more.
However, the biggest risk is not in the investment itself, but in delaying it. The indirect consequences are often greater and less visible in the short term:
- loss of trust among customers and partners
- operational disruptions
- recovery costs under time pressure
In contrast, organizations that set up compliance well usually also reap the benefits. It forces better data quality, sharper processes, and clearer responsibilities.
Practical approach: making it workable
Although the AI Act may seem complex, the practical approach is surprisingly straightforward. It starts with an inventory, followed by determining risk and impact. After that, it is a matter of defining responsibilities and establishing transparency and oversight.
In practice, it boils down to four logical steps:
- map all AI applications
- determine the risk and impact for each application
- document who is responsible
- ensure that the use of AI is explainable and verifiable
It is precisely the last point that is often underestimated. It is not just about documentation, but especially about explainability. Organizations must be able to demonstrate how AI is used and what role humans play in it.
Where it often goes wrong
In practice, there are several recurring misunderstandings that slow down organizations.
The most common ones are:
- thinking that "light tools" fall outside the scope
- completely relying on suppliers
- having no visibility into shadow AI within teams
A common statement is, for example: "we only use ChatGPT." That sounds logical but overlooks the context. It is not the tool but the usage that determines the risk.
Relying entirely on suppliers is also risky. Software vendors can provide support, but the responsibility for use always lies with the organization itself.
Additionally, the problem of shadow AI is growing. Employees independently use tools without this being centrally documented. This brings risks but is difficult to prevent entirely. The solution lies in creating clear frameworks and awareness.
Start small, but start now
For many organizations, AI compliance feels like a large project that will come later. In practice, the opposite is often true. Those who wait make it harder for themselves. Processes become further embedded, and adjustments become more complex.
By starting now with a relatively simple inventory and initial classification, a quick overview can be created. From there, further structure and refinement can be added step by step.
The EU AI Act forces organizations to deal with AI more consciously. This requires adjustment but also offers the opportunity to gain control over technology that is becoming increasingly important. Those who take that step now will not fall behind later — but will be ahead.