Back to blogs

Blog | MAY 14, 2025

Understanding the EU AI Act: What You Need to Know to Stay Ahead

EU AI ActIndustrial ML/AI

As artificial intelligence becomes central to business operations across industries, new regulations are reshaping the landscape. The EU AI Act sets the global benchmark for how AI must be developed, deployed, and governed. In this post, we explain what businesses need to know, who is affected, and how to prepare for the future of AI in Europe.

Introduction to the EU AI Act

The European Union has introduced the world’s first horizontal legal framework on artificial intelligence: the EU AI Act. This regulation is designed to ensure that AI systems developed and used in Europe are safe, transparent, and trustworthy, without slowing down innovation. For companies building or deploying AI technologies, this Act represents a major shift. It introduces a structured approach to regulation based on risk levels, with clear obligations and penalties for non-compliance. Whether you're a global enterprise or a tech startup, the EU AI Act will likely affect how you develop, sell, and maintain AI systems.

Who is Affected?

The EU AI Act has a broad scope, meaning its impact goes far beyond EU borders. It applies not only to organizations operating within the EU but also to companies outside the EU that place AI systems on the EU market or whose systems affect EU citizens. This means that any company involved in the design, development, deployment, importation, or distribution of AI systems targeting the EU will need to comply. The regulation applies across sectors, including healthcare, finance, public services, transportation, and critical infrastructure such as energy, oil and gas, and water systems.

In short, if your business leverages AI in any capacity that might touch European users or systems, you may be affected.

Timeline for Compliance

Understanding the timeline is key to ensuring your organization is ready. The EU AI Act entered into force in 2024, with most required deadlines required by 2026 and 2027. A phased implementation means that certain rules, such as bans on unacceptable risk systems, will come into effect earlier, while others related to high-risk AI systems will have a longer adjustment period.

Businesses should act now to map their AI landscape and prepare for compliance within the next 12 to 24 months.

EU AI Act Timeline

Risk-Based Classification of AI Systems

EU AI Act Risks

At the heart of the EU AI Act is a risk-based classification framework. This structure classifies AI systems based on the potential harm they can pose to users and society with four categories:

Unacceptable Risk

This category covers AI systems that pose a clear threat to individual rights, democratic processes or human dignity and are therefore prohibited. Prohibited practices include the use of manipulative or exploitative techniques, unauthorized biometric categorization of sensitive attributes, social scoring, predictive criminal risk profiling without objective data, and indiscriminate facial recognition. There are specific exemptions for law enforcement in narrowly defined public safety and criminal investigation scenarios.

High-Risk

AI systems are high-risk if they are safety components in regulated products (Annex I) or used in sensitive areas listed in Annex III, such as biometric identification, critical infrastructure, education, employment, law enforcement, and access to essential services. These systems must meet stringent requirements, including risk

management, transparency, and human oversight. An AI system covered by Annex III may be exempted if it does not significantly influence decision-making outcomes. In such cases, the provider must document and register its assessment. However, if the system engages in profiling, it will always be considered high risk, regardless of its influence on decisions. This high risk category will also be discussed further later on in this blog post.

Limited Risk

These systems are subject to transparency obligations due to their interactive or content-generating nature. Users must be clearly informed when interacting with AI, especially when systems process biometric data to infer emotions or intentions or assign classifications. The focus is on user awareness and informed engagement, ensuring that the presence and influence of AI is not misleading or hidden.

Minimal Risk

AI systems in this category have a negligible impact on security or fundamental rights and are not subject to regulatory obligations under the AI Act. The EU encourages the use of voluntary codes of conduct for these systems, but does not impose specific compliance requirements.

Overview of AI Act Requirements

The EU AI Act establishes a detailed legal framework to ensure that AI systems operating in the EU are safe, trustworthy, and consistent with fundamental rights. It applies to both public and private organizations that develop, deploy or use AI that impacts individuals in the EU. The Regulation is divided into 13 chapters covering a wide range of topics, including prohibited practices, transparency, governance, and requirements for high-risk AI systems. Its risk-based structure ensures that the level of regulation depends on the potential impact of the system. High-risk AI systems, such as those used in critical infrastructure, human resources, or biometric identification, are subject to the most stringent obligations.

To clarify the structure, the following table provides an overview of the titles and summaries of all 13 chapters.

EU AI Act Chapter Summary

The Act establishes a multi-layered framework that prohibits dangerous uses of AI, sets technical and procedural rules for high-risk systems, and ensures clear responsibilities for transparency, data quality, and oversight. It also establishes independent bodies to assess and certify compliance. By combining legal safeguards with support for innovation, the EU AI Act sets a clear path for responsible AI across Europe.

High-risk AI Systems

The high-risk AI category is central to the EU AI Act and it encompasses a wide range of systems that, due to their potential impact on people’s rights, safety, or livelihoods, are subject to the most stringent requirements. These are not niche use cases, they're often the systems at the core of essential services and business operations.

AI systems are considered high-risk when they are used in contexts such as:

  • Managing or influencing access to critical infrastructure – This includes AI deployed in the energy sector, water management, transport networks, and digital infrastructure. These systems have a direct impact on public safety, economic stability, and national resilience. A failure or manipulation of such systems could disrupt essential services or endanger lives, which is why the EU imposes strict obligations around risk management, transparency, and accountability.

  • Recruitment and HR decision-making – AI that screens resumes, evaluates job applicants, or monitors employee performance can introduce bias and influence someone’s career trajectory. These tools must be explainable, fair, and auditable.

  • Education and training assessments – AI used in grading, admissions, or learner analytics must ensure accuracy and fairness. An error or bias here can affect students' futures and opportunities.

  • Judicial or law enforcement use – Systems that support criminal risk assessment, predictive policing, or case allocation must meet the highest standards of oversight and justification, given their impact on justice and individual freedoms.

  • Biometric identification and surveillance – Technologies like facial recognition, especially in real-time and public spaces, pose serious concerns about privacy and civil liberties. These are some of the most heavily regulated applications under the Act.

For AI systems in high-risk categories, non-compliance goes beyond regulatory issues and can create serious operational, legal, and reputational risks. These systems often influence decisions that directly affect people's lives, access to services, and public trust.

AI used in or around critical infrastructure, such as utilities, transportation, or industrial automation, requires special care. Even small failures can disrupt services or compromise security. Recognizing this, the EU AI law places a strong emphasis on transparency, robustness, and ongoing oversight.

In these cases, it's not enough for an AI system to work correctly; it must also be explainable, traceable, and auditable. Especially when tied to essential services, responsible deployment is key to ensuring resilience, reliability, and compliance.

Consequence of Non-Compliance

The EU AI Act introduces stiff penalties for organizations that fail to meet its requirements:

  • Fines up to €35 million or 7% of annual global revenue

  • Withdrawal or recall of non-compliant AI products

  • Public exposure of non-compliance (affecting trust and reputation)

It goes without saying that failure to meet EU standards can severely damage a company's reputation in the marketplace. In an environment where ethical AI is becoming a critical buying criteria, companies unable to demonstrate compliance could quickly find themselves excluded from public sector contracts, private sector partnerships, and large procurement processes. Buyers are increasingly prioritizing vendors that can demonstrate their commitment to transparency, security, and accountability.

Beyond the loss of business opportunities, reputational damage can be long-lasting. Public exposure of AI-related failures, especially those involving discrimination, security risks, or privacy violations, can undermine customer trust and brand loyalty, sometimes permanently. In highly sensitive sectors such as healthcare, finance, or critical infrastructure, such damage can be existential.

There is also a growing potential for civil litigation. Individuals or organizations adversely affected by the decisions or recommendations of non-compliant AI systems may seek legal redress, resulting in lawsuits, settlements, and further financial exposure.

Non-compliance with EU AI law is not just a regulatory issue. It is a strategic risk that could undermine an organization's financial health, market competitiveness, legal standing, and public reputation all at once. Organizations that invest early in compliance infrastructure will not only protect themselves from these risks, but will also position themselves as trusted leaders in a rapidly evolving AI-driven economy.

How to Prepare

To stay ahead, businesses should start taking action today. Here’s how:

  1. Audit your current AI systems to classify them by risk level.

  2. Create a compliance roadmap aligned with the upcoming deadlines.

  3. Implement robust data governance, human oversight, and documentation practices.

  4. Monitor systems continuously and update risk assessments.

  5. Involve legal, technical, and compliance teams early in the development lifecycle.

Investing now means fewer surprises later, positioning your company as a responsible, future-ready AI provider.

Building on a Verifiable Data Foundation

One of the most critical elements of AI compliance is the data layer. High-risk systems must demonstrate that the data used for training and inference is traceable, authentic, and auditable. Without this foundation, it becomes difficult, if not impossible, to meet the regulation's requirements for transparency and accountability.

This is where Tributech can help. Our technology provides a verifiable data infrastructure that ensures the integrity, provenance, and processing context of data across IoT, OT, and IT environments. Whether you're working with live sensor data or historical data sets for AI model training, Tributech's notarization and traceability capabilities make your AI systems audit-ready by design.

In our blog post Building Trustworthy ML and AI: A Reference Architecture for IoT / OT Data Provenance, we explain how organizations can build a trustworthy data architecture as the first and most important step toward AI compliance.

Download Whitepaper

An in-depth compliance strategy guide to the CRA, ESPR, Data Act, and AI Act, covering their impact on connected products and unified compliance.