Back to blogAI

The EU AI Act: what the regulation changes for companies using AI

NRNicolas Renard·July 30, 2026· 8 min read

The AI Act, adopted by the European Parliament and the Council in 2024 on a proposal from the European Commission, is the regulation governing the development and use of artificial intelligence systems within the European Union. It applies not only to AI system providers, but also to any company that deploys or uses these systems in its processes, including through third party tools.

The AI Act's four risk categories

CategoryExamplesConsequence
Unacceptable riskSocial scoring, behavioral manipulationProhibited systems
High riskAutomated recruitment, credit scoring, systems used in critical infrastructureStrict obligations: risk management, documentation, human oversight
Limited riskChatbots, content recommendation systemsTransparency obligation towards users
Minimal riskSpam filters, video games using AINo specific obligation

What this concretely changes for a company

A company that uses generative AI to automate part of its recruitment process, for example, must check whether this use falls into the high risk category, which then implies precise documentation of the system, effective human oversight and formalized risk management. Conversely, using an internal conversational assistant is generally subject to lighter transparency obligations.

Checklist to assess your level of readiness

  • List all the AI systems used within the organization, including third party tools embedded in business processes.
  • For each use, identify the likely risk category under the AI Act.
  • Check that effective human oversight exists over high impact automated decisions.
  • Document high risk uses: purpose, data used, control measures.
  • Inform users when they interact with an AI system, in line with transparency obligations.

A regulation that complements, not replaces, existing best practices

The AI Act does not replace the AI governance frameworks already adopted by some organizations, such as ISO/IEC 42001 or the NIST AI RMF: it legally formalizes part of their requirements, with obligations now enforceable across the European territory.

AI Diagnostic·See a diagnostic preview

The application timeline is itself staggered over several years: prohibited practices have been banned since February 2025, the heaviest obligations for high risk systems only take effect later, and the national market surveillance authorities responsible for enforcing the text are not yet all fully operational in every member state. Mapping AI uses now, system by system, avoids discovering a high risk use only once the obligation is already in force rather than ahead of it.

Ready to assess your organization?

Try for free