The EU AI Act is the world’s first comprehensive AI regulation. It entered into force on 1 August 2024. The AI literacy obligation has been mandatory since 2 February 2025. The full ruleset hits on 2 August 2026. Fines stack higher than the GDPR — up to EUR 35 million or 7% of global annual turnover.
A 2025 DIHK digital survey found only a small share of German mid-market companies have started addressing it. The regulation also catches every US-headquartered company whose AI tools touch EU users — geography of the user, not the vendor.
If GDPR 2018 felt like a surprise, this one shouldn’t. The deadlines have been on the calendar since 2024. This article explains what’s coming in the language of CEOs and IT leaders, not lawyers.
What the EU AI Act actually changes
The EU AI Act (Regulation (EU) 2024/1689) is an EU regulation — directly applicable in every member state, no national transposition needed. It doesn’t regulate data (that’s the GDPR’s job). It regulates AI systems themselves: how they’re developed, distributed, and deployed.
Core principle: the higher the risk to fundamental rights and safety, the stricter the rules. That principle gets implemented through four risk tiers. The Commission estimates 5–15% of commercially used AI systems in the EU fall into the high-risk tier — thousands of applications in Germany alone, plus every US-built AI tool used by EU employees or customers.
The four risk tiers
Tier 1: Unacceptable risk — banned
Banned across the EU since February 2025:
- Government social scoring (the China-style model)
- Real-time biometric surveillance in public spaces (narrow law-enforcement exceptions)
- Behavioral manipulation through subliminal techniques
- Exploitation of vulnerabilities of specific groups (age, disability)
Mid-market relevance: Low. Normal businesses don’t deploy these.
Tier 2: High risk — strictly regulated
High-risk systems are allowed but heavily regulated: risk management system, technical documentation, conformity assessment, CE marking, human oversight.
Examples:
- AI in hiring (resume screening, candidate ranking)
- AI in credit scoring and lending
- AI in medical devices
- AI in law enforcement and migration
- Biometric identification
Mid-market relevance: Medium to high. If you use AI for applicant management, credit decisions, or quality control — you’re here.
Tier 3: Limited risk — transparency obligations
Limited-risk systems are allowed with one rule: users must know they’re talking to AI.
- Chatbots — must be labeled as AI
- AI-generated content (text, images, audio, video) — must be recognizable
- Deepfakes — must be clearly marked
Mid-market relevance: High. Chatbot on your site? AI-written marketing copy? AI in internal comms? You’re affected.
Tier 4: Minimal risk — no restrictions
Most AI is here: spam filters, search ranking, recommendation systems. No special obligations.
Who is affected: provider, deployer, importer
| Role | Description | Typical obligations |
|---|---|---|
| Provider | Develops or puts an AI system on the market | Conformity assessment, CE marking, technical documentation |
| Deployer | Uses an AI system inside their organization | Risk monitoring, training, transparency, human oversight |
| Importer / Distributor | Brings an AI system in from a third country | Verify provider conformity |
For most companies: you’re a deployer. You don’t build the AI. You use it — Copilot, ChatGPT, your own chatbot, AI-based analytics. Deployer obligations apply to you, independent of what the vendor does.
The obligations that bite first
AI literacy is already live (Art. 4)
The training obligation under Art. 4 has applied since 2 February 2025 — for every company using AI, regardless of risk tier. Anyone who works with AI systems or decides on their deployment must have “sufficient AI competence.”
The regulation doesn’t define “sufficient” with a number. What’s clear:
- Executives need to understand the basics (risk tiers, obligations, accountability)
- Users need to know how the specific tool works and where it breaks
- IT leads need to be able to technically evaluate the system
If you skip Art. 4 because the rest of the Act doesn’t fully apply until 2026, that’s already a violation today.
Deployer obligations for high-risk AI (Art. 26)
If you deploy high-risk AI:
- Operate only per the provider’s instructions
- Ensure human oversight — meaningful, not nominal
- Monitor input data (quality, bias)
- Report incidents (serious malfunctions, fundamental rights violations)
- Conduct a DPIA if personal data is involved
Transparency obligations (Art. 50)
- Chatbots labeled as AI
- AI-generated content (text, image, audio, video) recognizable as such
- Deepfakes clearly marked
Documentation — for everyone
Every company needs an AI inventory: every system in use, with risk tier, vendor, purpose, and a named owner. The Act doesn’t spell out an inventory as a separate duty; it’s implicit in the monitoring and training obligations, because you can’t monitor or train on systems you haven’t listed.
Most AI usage is uncontrolled — shadow AI is the elephant in the room. You can’t document tools your IT department doesn’t know about. Another reason controlled on-premise platforms beat bans.
Timeline: what’s already missed, what’s coming
Worth repeating: the AI literacy obligation is already enforceable. Companies that haven’t started training employees are already non-compliant — not at risk of becoming non-compliant in 2026.
Is your AI usage EU AI Act-ready? contboxx Vault: on-premise, fully documentable, GDPR-compliant. No US-provider dependency.
Fines: three tiers, all painful
| Violation | Fine |
|---|---|
| Deploying prohibited AI systems | Up to EUR 35 million or 7% of global annual turnover |
| Violating obligations for high-risk AI | Up to EUR 15 million or 3% of annual turnover |
| False statements to authorities | Up to EUR 7.5 million or 1.5% of annual turnover |
SMEs and startups get reduced fines — the lower of the two amounts (absolute vs. percentage) applies. Even reduced, these numbers dwarf the cost of a controlled AI setup.
Supervisory authority in Germany: the Bundesnetzagentur has been designated as the central national AI authority. It’s still ramping up its capacity, but enforcement starts on the same schedule as the obligations.
EU AI Act + GDPR: what stacks on top of what
The EU AI Act and the GDPR aren’t alternatives. They apply in parallel.
| Topic | GDPR | EU AI Act |
|---|---|---|
| Focus | Personal data | AI systems (regardless of data type) |
| Legal basis | Art. 6 GDPR | Risk classification |
| Impact assessment | Art. 35 (high risk for data subjects) | Art. 26/27 (Fundamental Rights Impact Assessment for high-risk AI) |
| Supervision | Data protection authorities | National AI authority + data protection authorities |
| Fines | Up to EUR 20M / 4% turnover | Up to EUR 35M / 7% turnover |
| Training | Not explicitly required | Art. 4: mandatory |
If your AI processes personal data, both apply. GDPR-compliant AI is necessary but not sufficient. The EU AI Act adds requirements to the system itself.
Checklist: what to do now
Already required (since February 2025):
By August 2026:
Strategic:
FAQ
Does the EU AI Act apply to small businesses?
Yes — independent of size. SMEs and startups get accommodations: reduced fines, priority access to regulatory sandboxes, simplified conformity assessment. None of that exempts you from the Art. 4 training obligation, which applies to every company that uses AI.
What’s the difference between the EU AI Act and the GDPR?
The GDPR regulates personal data. The EU AI Act regulates AI systems themselves — regardless of whether personal data is involved. Both apply in parallel. If your AI touches personal data, you need to satisfy both at once.
Do I need to train employees on the EU AI Act?
Yes. The AI literacy obligation under Art. 4 has been in force since February 2025 for every company that deploys AI. Scope and depth depend on the employee’s role and the risk tier of the system. No exceptions for SMEs.
Which authority oversees the EU AI Act in Germany?
The Bundesnetzagentur (Federal Network Agency) is the central national AI authority. It coordinates with data protection authorities (BfDI plus state authorities) and sector-specific market surveillance bodies. Capacity is still ramping up; enforcement starts on the same schedule as the obligations.
Does the EU AI Act apply to US-built AI systems?
Yes. The Act applies to any AI system deployed in the EU, regardless of where the provider sits. Both the US provider and you as the EU deployer have obligations. They’re allocated between you, not waived. The Act follows the user, not the vendor.
Bottom line
The EU AI Act isn’t a future-state scenario. Parts of it are already enforceable. The Art. 4 training obligation has been live since February 2025. Full application lands on 2 August 2026. Every quarter spent waiting compresses the window for getting ready.
The good news: companies that already run controlled, documentable AI infrastructure clear most of the bar by accident. On-premise AI platforms like contboxx Vault are easier to audit, document, and control than a sprawl of cloud tools. The Act rewards order. It penalizes sprawl.