The EU AI Act: what the regulation changes for companies using AI
The AI Act, adopted by the European Parliament and the Council in 2024 on a proposal from the European Commission, is the regulation governing the development and use of artificial intelligence systems within the European Union. It applies not only to AI system providers, but also to any company that deploys or uses these systems in its processes, including through third party tools.
The AI Act's four risk categories
| Category | Examples | Consequence |
|---|---|---|
| Unacceptable risk | Social scoring, behavioral manipulation | Prohibited systems |
| High risk | Automated recruitment, credit scoring, systems used in critical infrastructure | Strict obligations: risk management, documentation, human oversight |
| Limited risk | Chatbots, content recommendation systems | Transparency obligation towards users |
| Minimal risk | Spam filters, video games using AI | No specific obligation |
What this concretely changes for a company
A company that uses generative AI to automate part of its recruitment process, for example, must check whether this use falls into the high risk category, which then implies precise documentation of the system, effective human oversight and formalized risk management. Conversely, using an internal conversational assistant is generally subject to lighter transparency obligations.
Checklist to assess your level of readiness
- List all the AI systems used within the organization, including third party tools embedded in business processes.
- For each use, identify the likely risk category under the AI Act.
- Check that effective human oversight exists over high impact automated decisions.
- Document high risk uses: purpose, data used, control measures.
- Inform users when they interact with an AI system, in line with transparency obligations.
A regulation that complements, not replaces, existing best practices
The AI Act does not replace the AI governance frameworks already adopted by some organizations, such as ISO/IEC 42001 or the NIST AI RMF: it legally formalizes part of their requirements, with obligations now enforceable across the European territory.
AI Diagnostic·See a diagnostic preview
The application timeline is itself staggered over several years: prohibited practices have been banned since February 2025, the heaviest obligations for high risk systems only take effect later, and the national market surveillance authorities responsible for enforcing the text are not yet all fully operational in every member state. Mapping AI uses now, system by system, avoids discovering a high risk use only once the obligation is already in force rather than ahead of it.
Related diagnostic
Ready to assess your organization?
Try for free