You’re in the boardroom. The quarterly results look good. But then legal speaks up:
โWe need to talk about the AI tools in operations. The EUโs new regulation kicks in next yearโand right now, we donโt even know what weโre using.โ
Sound familiar?
The EU AI Act isnโt a future problem. Itโs the next GDPR โ only this time, itโs not about privacy, itโs about control.
Control over what AI systems you build, buy, or embed. Control over whoโs responsible when something goes wrong. And control over how you document, monitor, and prove you’re playing by the rules.
Just like GDPR forced companies to rethink data, this law will force you to rethink how AI decisions happen โ across IT, legal, ops, product, and the board.
But hereโs the good news: if you act early, you wonโt just avoid fines. Youโll gain operational clarity, risk alignment, and even market trust.
What the Law Actually Applies To
A German medtech startup launches an AI feature for diagnostics. Itโs just part of the productโuntil itโs flagged as high-risk under the EU AI Act.
Now the founder is expected to show risk controls, logging, oversight, and compliance documentationโฆ fast.
Thatโs the reality. The AI Act isnโt about software. Itโs about responsibilityโwhat your system does and what role you play in using or distributing it.
โ๏ธ Four Risk Levels
Unacceptable
Fully banned. Covers social scoring, public facial recognition, emotion detection at work, and more.
High-Risk
Allowed with strict controls. Think medical diagnostics, hiring tools, financial scoring.
Transparency Risk
You can use itโbut users must be told theyโre interacting with AI. Applies to chatbots, synthetic media, etc.
Minimal Risk
No obligations. Applies to low-impact systems like spam filters or AI-enabled grammar checkers.
๐งฉ Four Roles, Four Sets of Duties
Provider
You built or sell the system. Youโre responsible for compliance, documentation, risk controls, and post-market monitoring.
Example: A French firm offering an AI-based hiring tool across Europe.
Deployer
You use the system in your own operations. You need to ensure oversight, transparency, and internal controls.
Example: A retailer using an AI chatbot to automate customer service.
Importer
You bring non-EU AI into the EU. You must check the providerโs compliance before market entry.
Example: A Dutch firm importing a U.S. analytics model for local hospitals.
Distributor
You offer AI tools to others. If you discover a compliance issue, you must act.
Example: An IT vendor selling third-party AI solutions to clients.
Your first move?
Map every AI tool your company touches. Tag the role you play in eachโand identify the risk level.
Thatโs how compliance begins.
Your Timeline in Plain Terms
Think of the EU AI Act timeline as a project schedule, not just a legal countdown. The earlier you move, the easier it is to control the outcome. Delay too long, and youโll be reacting under pressure.
Hereโs what mattersโand when:
๐ August 2024
The law is in force. Youโre already on the clock, even if some provisions havenโt kicked in yet.
๐ February 2025
Initial general provisions start applying. This is the right moment to assess how exposed you are to GPAIโespecially if you rely on large external models.
๐ August 2025
GPAI-specific rules take effect. That means transparency obligations, copyright safeguards, and mandatory information sharing with downstream users.
If you use tools like OpenAI, Claude, or open-source LLMsโthis applies to you.
๐ August 2026
Most core requirements become enforceable, especially for high-risk systems. Youโll need governance in place: risk classification, documentation, human oversight, logging, and post-market monitoring.
๐ August 2027
Full rollout is expected, including new rules for systemic-risk GPAI and any lagging standards. By this point, regulators expect you to be running a mature AI governance modelโreadiness wonโt be optional.
Where to start now
You donโt need to do everything at onceโbut you do need to start. Focus on:
- Building an AI inventory
- Identifying high-risk systems
- Assigning roles and control ownership
Every quarter you act early buys you time, control, and credibility. Wait too long, and youโll be playing catch-up when enforcement begins.
Whatโs Banned vs Whatโs Just Hard
A startup in Spain installs facial recognition in public areasโwithout realizing itโs now banned under Article 5 of the EU AI Act. By the time regulators intervene, itโs too late.
The fines come fast, and so does the reputational damage.
Meanwhile, a logistics firm classifies its route optimization AI as high-risk. It’s complex, yesโbut with documented oversight, clean data, and internal logging, it passes pre-assessment with no major issues.
This is the line the Act draws.
โ Some AI use-cases are prohibitedโno exceptions
- Social scoring systems by governments
- Facial recognition scraped from the web
- Emotion detection in schools or workplaces
- Real-time biometric ID in public, except under very narrow conditions
- Predictive policing based on profiling
These systems arenโt risky. Theyโre illegal. And enforcement starts early.
In contrast, high-risk systems are allowedโbut regulated. Tools like CV screening software, educational testing platforms, medical diagnostics, and credit-scoring AI all fall under this category.
These systems must meet strict requirements, including:
- Documented risk management
- Human-in-the-loop oversight
- High-quality training data
- Logging and traceability
- Clear technical documentation
- Ongoing post-market monitoring
One category requires a complete stop. The other requires operational maturity.
You donโt need perfection to comply with the high-risk rulesโyou need ownership, structure, and process. Start early, move steadily, and compliance becomes manageable.
GPAI Without the Hype: What You Must Do Now
General-purpose AI isnโt just a Big Tech issue. If your teams use tools like ChatGPT, Claude, or Gemini, youโre in scopeโand now on the hook.
Under the EU AI Act, GPAI providers must publish training data summaries, maintain technical documentation, follow copyright rules, and pass key details downstream.
If their models pose โsystemic risk,โ extra safeguards apply.
But if youโre using these tools inside your business, youโre not off the hook. Youโre expected to:
- Confirm vendor compliance
- Request documentationโmodel cards, data summaries, intended use
- Log internal use cases
- Apply human oversight where needed
The GPAI Code of Practice (July 2025) gives you a clear head start. Use it to guide vendor asks and build your internal playbookโeven if youโre not high-risk.
Start simple: list the tools, providers, and documents received. Thatโs your baseline.
When speed matters, firms often bring in an interim AI compliance lead to build this foundation and get everyone alignedโfast.
Build Your AI Inventory and Classify Risk
Picture this: you’re in a boardroom and someone asks,
โHow many AI systems are we runningโand whatโs their risk level?โ If your answer starts with a pause, you’re not alone. But you’re also not ready.
Hereโs how to take controlโquickly and clearly.
Start by creating a simple table with five columns:
System | Owner | Risk Level | Role | Documentation
I. Begin with whatโs obvious: chatbots, pricing engines, CV screeners, scoring models.
II. For each, tag the risk level: banned, high-risk, transparency-only, or minimal.
III. Identify your role: Did you build it (provider)? Use it (deployer)? Source it externally (importer/distributor)?
IV. Collect what you already have: contracts, model cards, vendor docs, internal assessments.
In just a few working sessions, the fog starts to clear.
Before: No inventory, vague guesses, disconnected teams.
After: 15 tools mapped, 3 high-risk systems flagged, clear owners named, documentation gaps visible.
This is how readiness beginsโnot with theory, but with a shared view of whatโs real and what needs work.
Role Clarity and the Minimum Controls That Work
Running AI in your business without defined roles is like managing a factory floor without shift leads. It might function on good days โ but it breaks when things go wrong.
Treat this like your AI task force. Each team has a clear role to play, and while the setup doesnโt need to be heavy, it does need to be intentional.
The Board defines the risk appetite and checks progress quarterly. Their job is to ask: โIs this our GDPR moment โ and are we resourcing it seriously?โ
The CIO or Chief Data Officer owns the AI inventory, vendor oversight, and compliance workflows. They know which models are in use, and whoโs accountable for each.
Product and operations keep human safeguards in place โ ensuring fallback processes and real-world testing are part of the workflow. Their question: โWhat happens when the AI goes sideways at 2 a.m.?โ
Data science and ML teams manage technical documentation, model drift detection, and version control. They stay alert to one key concern: โAre we still running the model we approved last month?โ
Legal and compliance drive policy, assessments, and audit readiness. Their role is simple but critical: โCan we show documentation โ before weโre asked for it?โ
Whatโs the smallest stack of controls that actually works?
- One shared AI inventory
- Defined human oversight for high-risk systems
- Active logging
- A technical file in motion
- A standard vendor checklist
Keep it light. Keep it live. Thatโs what survives an audit.
When to Call In Temporary Leadership
When deadlines accelerate or scope balloons beyond the teamโs capacity, companies bring in a temporary AI compliance lead โ someone who builds the inventory, aligns vendors, and drives documentation forward without pulling product teams off-track.
CE Interim specializes in placing these operators with 30- to 90-day mandates โ focused, embedded, and ready to execute.
Fines Are Not the Point โ Avoid Them by Design
Yes, the fines are steep: up to โฌ35 million or 7% of global turnover for the worst violations. But thatโs not what should keep you up at night.
The real risk? Deals delayed because of compliance gaps. Products blocked at launch. Investor calls derailed by governance questions.
Fixing those problems later costs more โ in money, in time, and in reputation.
The cheapest path is to design compliance in from the start, not bolt it on after the fact.
30-Day Readiness Plan
Youโve made it this far โ now hereโs how to move, fast and smart.
Week 1: Map the landscape
Build your AI inventory. Assign owners. Flag anything that touches sensitive data, customers, or compliance areas.
Checkpoint: 80% of tools mapped, red flags surfaced.
Week 2: Engage your vendors
Request documentation โ model cards, training summaries, compliance declarations. Use the GPAI Code of Practice as your guide.
Checkpoint: Docs collected, workflows drafted.
Week 3: Pressure test
Run a simulation on a high-risk use case. Test human-in-the-loop procedures and review how fallbacks and logs are triggered.
Checkpoint: Gaps identified, fixes planned.
Week 4: Align leadership
Brief the board on risks, gaps, and budget asks. Present a clear 90-day roadmap tied to product and compliance objectives.
Checkpoint: Plan approved, momentum secured.
When teams are stretched thin, an interim program lead can run this entire sprint, hand over cleanly, and exit โ leaving structure behind.
Conclusion โ From Risk to Readiness
This isnโt just another regulation. Itโs a reset button for how companies handle AI โ across tech, product, compliance, and leadership.
The AI Act doesnโt ask for perfection. It asks for ownership. For visibility. For readiness.
Start by mapping what you already use. Define whoโs responsible. Show how the risk is being controlled.
Start small. Keep it real. Build momentum from there.
Start this week โ and stay ahead.

