HVNHAI

Legal & Compliance

EU AI Act

The short answer

The EU AI Act is the world's first comprehensive AI regulation. It classifies AI systems into risk categories and ties proportionate obligations to each: prohibited practices and AI competency requirements have been in effect since February 2025, rules for general-purpose AI models since August 2025, and most remaining obligations from 2 August 2026 onwards.

How the EU AI Act works

The AI Act follows a risk-based approach: the higher the risk an AI system poses to health, safety or fundamental rights, the stricter the requirements. Prohibited practices (such as social scoring) are banned, high-risk systems (for example in recruitment or credit assessment) face strict obligations, and many limited-risk systems are mainly subject to transparency requirements — such as labelling chatbots as AI.

The regulation phases in over time: since 2 February 2025, bans and AI competency obligations (Article 4) apply; since 2 August 2025, rules for general-purpose AI model providers (GPAI) take effect; and from 2 August 2026, most remaining provisions come into force, including many obligations for high-risk systems.

What this means for mid-market companies

Most typical AI applications in mid-market firms — email automation, document processing, internal assistants, chatbots — don't fall into the high-risk category. Three points are particularly relevant here: the transparency obligation (users must recognise they're interacting with AI), training requirements for staff operating AI systems, and clear documentation of which AI systems are in use.

Companies introducing AI now should factor in the AI Act from the start: maintain an internal AI register, clarify responsibilities and briefly assess each new system's risk category. This can be done with manageable effort and saves expensive remedial work later.

Provider or operator: understanding your company's role

The AI Act distinguishes several roles with varying obligations. A provider is whoever develops an AI system and places it on the market under their own name — they face the most extensive requirements. An operator is whoever uses an AI system professionally under their own responsibility — the role most mid-market firms occupy: anyone deploying a provider's chatbot, using an AI tool in back-office operations or running an agent for document processing is an operator. Their obligations are far more streamlined: use the system as intended, meet transparency and competency requirements, and for high-risk systems, ensure prescribed oversight.

One area needs careful attention: whoever substantially modifies a third-party system or markets it under their own name may legally become a provider — with all attendant obligations. In practice, this means: with standard off-the-shelf tools, the obligation landscape remains manageable; with bespoke or heavily customised solutions, the role question should be clarified upfront. A reputable implementation partner will answer it clearly — including documentation of who's responsible for what.

AI Act and GDPR: two separate frameworks

A widespread misconception is that the AI Act replaces or changes data protection law. The opposite is true: they are two independent frameworks with different protective aims that apply alongside each other. The GDPR protects personal data and examines whether and how processing is lawful. The AI Act addresses risks posed by AI systems to health, safety and fundamental rights — regardless of whether personal data is involved at all. A company can therefore be simultaneously subject to both frameworks: someone operating an AI assistant with customer data, for instance, meets GDPR obligations (legal basis, data processing agreements, data subject rights) and AI Act obligations (transparency, AI competency) in parallel.

In practice, the requirements overlap less than it first appears and can be addressed together effectively. An internal AI register, which makes sense for the AI Act anyway, can capture the same systems appearing in the GDPR's records of processing. The AI Act's transparency obligation and GDPR's information requirements can be fulfilled in one go. The key is not confusing the frameworks: GDPR-compliant processing doesn't automatically make an AI system AI-Act-compliant and vice versa. Anyone thinking both through from the start saves duplicate effort — anyone treating one as the other misses obligations.

Fines and enforcement: what's actually at stake

The AI Act provides a tiered fine system. The highest level — up to €35 million or 7% of global annual turnover — applies to breaches of prohibited practices. Violating obligations for high-risk systems, GPAI models or transparency rules risks up to €15 million or 3% of turnover. Providing false information to authorities carries fines up to €7.5 million. For SMEs, the lower of the two figures applies as the cap.

Supervision falls primarily to national market surveillance authorities, which each member state must designate. For general-purpose AI model providers, the newly established EU AI Office takes the lead role at European level. For most mid-market firms, the fine amount is less the immediate concern than documentation: whoever can demonstrate which systems they use, how they've classified them and what training has taken place stands on firm ground in dealings with authorities — and avoids frantic catch-up work if an inquiry arrives.

Practical example

A mid-market service provider launches an AI chatbot on its website. For AI Act compliance, essentially three things suffice: the bot is clearly labelled as AI, the team receives brief training on proper use, and the system is documented in an internal AI register with purpose and risk classification.

Frequently asked questions about EU AI Act

Does the EU AI Act apply to small businesses?

Yes. The AI Act has no blanket exemption for SMEs. Obligations depend on the risk category of the AI system in use, not company size. For typical mid-market applications, the requirements are manageable — mostly transparency, training and documentation.

When does the EU AI Act take effect?

In phases: prohibited practices and AI competency requirements have been in force since 2 February 2025, rules for general-purpose AI models since 2 August 2025. Most remaining obligations — particularly for high-risk systems — apply from 2 August 2026.

Is an AI chatbot a high-risk system?

Usually not. A chatbot for customer enquiries typically falls under transparency requirements: users must recognise they're communicating with AI. High-risk systems are mainly those in sensitive areas like recruitment, credit assessment or critical infrastructure.

What happens if you breach the AI Act?

Substantial fines apply, with amounts depending on the violation type — prohibited practices can incur fines up to €35 million or 7% of global annual turnover. For most companies, though, the real focus is early, straightforward compliance rather than penalties.

Does the AI Act replace the GDPR?

No. They are two independent frameworks with different protective aims, applying in parallel: the GDPR protects personal data, the AI Act addresses risks posed by AI systems — even without personal data involved. A company can be subject to both. GDPR-compliant processing doesn't automatically make a system AI-Act-compliant and vice versa.

Who oversees compliance with the EU AI Act?

Each member state must designate one or more national market surveillance authorities. For general-purpose AI model providers, the EU AI Office is the responsible body at European level. In practice: whoever documents which systems they use, how they've classified them and what training has occurred will be well-positioned in any authority inquiry.

How relevant is this for your business?

In the free intro call we look at your specific process.

Request a free intro call