EU AI Act
The world's first comprehensive AI regulation. If you sell into Europe — or process European data — it already applies to you, regardless of where your headquarters sits.
The Technical Definition
The EU AI Act is the European Union’s comprehensive regulation governing the development, deployment, and use of AI systems. It entered into force in August 2024 with phased compliance deadlines running through August 2027. The Act classifies AI systems into four risk tiers: unacceptable risk (banned outright — social scoring, real-time biometric surveillance in public spaces, manipulative systems), high-risk (heavily regulated — HR/hiring, credit scoring, education, critical infrastructure, law enforcement, medical devices), limited risk (transparency obligations — chatbots must disclose they’re AI, generated content must be labeled), and minimal risk (no obligations — spam filters, AI in video games).
Penalties run up to €35 million or 7% of global annual turnover, whichever is higher. That’s a higher ceiling than GDPR.
What This Actually Means for Your Business
Here’s the part most US CEOs miss: the Act’s reach doesn’t stop at the EU border. If your AI system is used by anyone in the EU, or if its output is used in the EU, you’re in scope. Sell software to a European subsidiary. Run a hiring tool that screens an applicant in Munich. Embed a chatbot on a website that serves European customers. You’re a “provider” or “deployer” under the Act.
This is what trade lawyers call the Brussels effect. The EU writes the rules, the rules become global by default because no large vendor builds two versions of their product, and your compliance team inherits Brussels’ definitions whether or not your CEO has ever set foot in Belgium.
The high-risk categories are where most small-cap and mid-cap companies actually get caught. Using AI to screen resumes? High-risk. AI in performance reviews or promotion decisions? High-risk. Credit decisioning, even on B2B terms? High-risk. AI managing access to vocational training? High-risk. These aren’t exotic use cases. They’re the default deployments your HR and finance teams are piloting right now.
High-risk classification triggers real obligations: risk management systems, data governance documentation, human oversight requirements, accuracy and robustness testing, conformity assessments, post-market monitoring, and registration in an EU database. None of that is a checkbox. Each one is a process your operations team has to own, with evidence, on an ongoing basis.
General-purpose AI models (the GPT-4s, Claudes, Llamas of the world) have their own obligations under the Act, which mostly fall on the model providers — but downstream deployers inherit documentation requirements when they integrate those models into high-risk uses.
Reality Check
What the vendor says: “We’re fully EU AI Act compliant — no work needed on your end.”
What that means in practice: They’ve published a model card and a transparency notice. You, the deployer, are still on the hook for human oversight, impact assessments, post-market monitoring, and proving that your specific use of their tool meets the Act’s requirements. Compliance isn’t transferable. The vendor handles their slice. The rest is yours.
What Operators Actually Do
The companies handling this well started by mapping every AI system already in use across the business — including the ones IT didn’t approve, the marketing team’s content tools, the HR pilot, the finance forecasting model. You can’t classify what you can’t see. The shadow AI inventory is usually three times longer than the official one.
Then they classified each system against the Act’s risk tiers. Most fall into limited or minimal risk, which is mostly a labeling exercise. The handful that land in high-risk get the heavy treatment: documented risk assessments, defined human oversight, logging, and a designated owner who can answer regulator questions.
Smart operators are also using the EU AI Act as the forcing function for governance they should have built anyway. The same registry, the same risk reviews, the same human-in-the-loop patterns satisfy NIST AI RMF for US procurement, ISO 42001 if they pursue it, and most state-level US laws coming online. Build it once for Brussels and you’re 80% of the way to every other framework.
The Questions to Ask
- Which of our current AI deployments are high-risk under the Act, and who owns the conformity assessment for each? If nobody can answer this in under a week, you don’t have an AI governance function — you have an AI governance problem.
- What’s the inventory of AI systems we’ve deployed, including the ones procured through line-of-business budgets? The shadow AI question matters more than the strategy slide. You can’t comply with what you don’t know exists.
- When the EU asks for our documentation on a specific system, who produces it and how long does it take? If the answer is “we’d need to ask the vendor” or “we’d have to reconstruct it,” you’re carrying risk you haven’t priced.