EU AI Act 2025 - What Companies Must Know Now

Since 1st August 2024, the EU AI Act has been in force - the world's first comprehensive regulation for artificial intelligence. From February 2025, the first prohibitions take effect, with additional obligations rolling out through 2026. For businesses, this means: if you're using AI or planning to use it, you must act now. Not later. Now.

This regulation doesn't just affect tech giants or AI startups. Every company using AI systems - whether for recruitment, customer communication, process automation or decision support - potentially falls under these new rules. And the penalties for non-compliance are severe: up to €35 million or 7% of global annual turnover.

What many companies underestimate: even using tools like ChatGPT or Copilot in daily work can fall under the EU AI Act. Once AI-generated content goes external - to customers, in recruitment processes, in product communications - transparency obligations kick in. Ignore this, and you risk not just fines, but serious damage to your reputation.

The EU AI Act uses a risk-based approach. AI systems fall into four categories: unacceptable risk (banned), high risk (strict requirements), limited risk (transparency obligations) and minimal risk (no special requirements). Your classification determines which requirements you must meet.

Most business applications fall into "limited" or "high" risk categories. High risk includes AI in recruitment: if an algorithm pre-screens applications, you must establish risk management systems, ensure data quality and maintain human oversight. The same applies to credit decisions, education or biometric identification. The requirements are extensive - but manageable if you approach them systematically.

Limited risk mainly covers chatbots and generative AI: users must know they're interacting with AI. AI-generated content must be labelled as such. Sounds simple - but requires clear processes and responsibilities within your company. Who handles the labelling? Which templates are used? How do you ensure no one on the team forgets these obligations?

First: audit your current position. Which AI systems are you using? Which are you planning? List all tools, suppliers and use cases. Many companies are surprised by how much AI they already use - from automated invoice processing through AI-powered customer service to marketing text generation. Often these systems run under the radar, without anyone recognising them as "AI".

Second: classify the risks. Assign each use case to a risk category. Third: clarify responsibilities. Who in your company handles AI compliance? This doesn't need to be a new role, but it needs clear ownership. Someone who maintains oversight, organises training and checks new AI projects meet all requirements.

Fourth: build documentation. The AI Act demands transparency - about training data, functionality and limitations of your AI systems. This particularly applies to high-risk applications, but also affects simpler uses. Fifth: train your people. Anyone using AI must know the ground rules. Not everyone needs detailed legal knowledge, but basic understanding of responsible AI use is essential - and protects your company from mistakes that could prove costly.

Yes, the EU AI Act requires effort. Documentation, processes, training - it all demands time and money. But companies that approach this systematically don't simply achieve compliance. They build trust - with customers, employees and business partners. At a time when AI scepticism runs deep, demonstrably responsible AI use becomes a genuine differentiator.

My talks and workshops on the EU AI Act aren't about legal technicalities. They're about giving leaders and teams a clear picture: What must we do? By when? And how do we implement this pragmatically without stifling AI adoption? Because that's precisely the danger of excessive caution: companies that avoid AI altogether through regulatory fear will fall behind.

Regulation isn't designed to prevent AI. It's designed to make AI use responsible. Companies that understand this and act upon it gain a double advantage: they achieve regulatory compliance, and they compete with an AI strategy built on solid foundations. The EU AI Act enforces structure - and structure is exactly what most AI initiatives have been lacking.