This Isn't Optional. This Is Law.
The EU AI Act entered into force in August 2024. By August 2026, the most impactful provisions become fully enforceable. Unlike a directive that requires national transposition, this is a regulation with direct applicability across all 27 EU member states - including every company that serves EU customers, regardless of where the company is headquartered.
If your business uses AI in any way - even if you just integrate third-party AI tools into your workflow - you need to read this article. The fines are designed to be painful even for the largest corporations:
• Prohibited AI practices: Up to 35 million EUR or 7% of global annual revenue (whichever is higher)
• High-risk AI non-compliance: Up to 15 million EUR or 3% of global revenue
• Incorrect information to authorities: Up to 7.5 million EUR or 1.5% of global revenue

For context, a company with 100 million EUR in annual revenue faces up to 7 million EUR in fines for a single non-compliant AI system. This makes GDPR fines look like parking tickets.
The Risk Categories - In Detail
Unacceptable Risk (BANNED)
These practices have been prohibited since February 2025:
• Social scoring by governments: Systems that evaluate citizens based on social behavior patterns (the Chinese model)
• Real-time biometric identification in public spaces: Facial recognition in marketplaces, metro stations, shopping centers (with very limited exceptions for counter-terrorism)
• Emotion recognition in workplaces and schools: AI analyzing facial expressions of employees or students to assess emotional state
• Predictive policing based on profiling: Systems predicting criminal behavior based on personal characteristics rather than actual evidence
• AI that manipulates human behavior: Systems exploiting cognitive vulnerabilities to influence decisions (e.g., AI-powered dark patterns targeting vulnerable groups)

High Risk (Heavy Regulation)
This is the category that affects the most businesses:
• HR and recruiting AI: Resume screening, candidate evaluation, job-candidate matching. If your company uses an ATS with AI features, you are likely in this category.
• Credit scoring: Loan approval algorithms, insurance risk pricing, fraud detection systems that impact customers
• Critical infrastructure: AI systems in energy, water, transport, telecommunications
• Education: Automated grading, student assessment, AI-based admission systems

Mandatory requirements for high-risk AI:
• Risk management system maintained throughout the AI system's lifecycle
• Data governance with specific requirements for quality, completeness, and representativeness
• Detailed technical documentation (per Annex IV requirements)
• Automatic logging of all AI decisions for a minimum retention period
• Clear, intelligible information for end users
• Effective human oversight - not just formal, but functional
• Accuracy, robustness, and cybersecurity testing
• Conformity assessment (self-assessment or by notified body, depending on the domain)

Limited Risk (Transparency Obligations)
• Chatbots: Any AI chatbot must clearly inform the user that they are interacting with an automated system, not a human
• Deepfakes: Any AI-generated or AI-manipulated audio, video, or image content must be visibly labeled
• AI-generated content: AI-produced text must be identifiable as such

Minimal Risk (No Special Requirements)
Spam filters, AI-powered search engines, recommendation systems (Netflix, Spotify), translation tools. These have no specific obligations under the AI Act, but must still comply with existing legislation (GDPR, consumer protection).
Your Compliance Checklist - Step by Step
Step 1: AI Inventory (Weeks 1-2)
List every AI system your company uses, develops, or commercializes. For each, document:
• System name and provider
• Purpose and functionality
• Types of data processed
• Who uses it and who is affected by its decisions
• Risk category under the AI Act

Step 2: Risk Assessment (Weeks 3-4)
For each system classified as high-risk, document:
• Potential harms (discrimination, diagnostic errors, incorrect decisions)
• Probability and severity of each harm
• Existing mitigation measures and additional ones needed
• Impact on fundamental rights

Step 3: Technical Compliance (Weeks 5-12)
• Draft technical documentation per Annex IV requirements
• Implement data quality procedures with bias testing
• Configure logging systems and audit trails with appropriate retention
• Design human oversight mechanisms that are practical, not just cosmetic
• Test accuracy across diverse demographics and edge-case scenarios
• Test robustness against adversarial attacks and input perturbations

Step 4: Transparency (Weeks 5-8)
• Add AI disclosure notices on all chatbots and virtual assistants
• Implement opt-out mechanisms where applicable
• Document AI decision-making processes in plain language
• Create intelligible explanations for end users affected by AI decisions

Step 5: Organizational Measures (Ongoing)
• Appoint an AI compliance officer with adequate authority and resources
• Organize periodic training for teams that develop or use AI systems
• Establish incident reporting procedures with clear escalation paths
• Schedule regular internal audits of all high-risk systems
• Monitor legislative changes and updates to harmonized standards

Key Deadlines
| Date | What Happens |
|---|---|
| February 2025 | Prohibited AI practices banned - already in force |
| August 2025 | Rules for general-purpose AI models (GPAI) |
| August 2026 | Full enforcement of high-risk AI rules |
| August 2027 | Rules for AI embedded in regulated products |
We are HERE - the August 2026 deadline for high-risk system compliance is NOW.
How This Affects Your Business AI - Concrete Examples
Customer Support Chatbot
Risk: Limited. Action: Add a clear notice that users are talking to AI. Provide the option to speak with a human agent. Document that the chatbot does not make decisions with significant impact on customers.
AI-Powered Hiring Tool
Risk: HIGH. Action: Full compliance required - bias audits across gender, age, and ethnicity. Transparency reports documenting how decisions are made. Mandatory human oversight for every hire/reject decision. Training data quality assessment. Regular testing and monitoring.
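The bias audit, functional human oversight and audit logging that the checklist's Step 3 and this hiring example call for, in working form. This is an added example, not Dacosoft's code and not a procedure the Act prescribes: the candidate records are constructed, the 0.8 selection-rate ratio is an illustrative heuristic rather than a threshold set by the Act, the 365-day retention window is a placeholder, and all function names are assumptions.

```python
# Added example (not Dacosoft's or the Act's own code): a selection-rate bias audit
# plus a human-oversight gate and append-only audit log for a hiring screener.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json

# Illustrative threshold: a ratio of selection rates below this is flagged for review.
# The EU AI Act sets no numeric threshold; 0.8 is a commonly used heuristic, assumed here.
DISPARITY_THRESHOLD = 0.8
# Placeholder retention window; the real value must come from the applicable legal requirement.
RETENTION_DAYS = 365


@dataclass(frozen=True)
class Recommendation:
    candidate_id: str
    group: str             # demographic attribute under audit (constructed labels A/B/C)
    score: float
    advance: bool          # the model's recommendation to advance the candidate


# Constructed sample output from a hypothetical screening model (not real candidates).
SAMPLE = [
    Recommendation("c01", "A", 0.91, True),  Recommendation("c02", "A", 0.85, True),
    Recommendation("c03", "A", 0.77, True),  Recommendation("c04", "A", 0.70, True),
    Recommendation("c05", "A", 0.42, False),
    Recommendation("c06", "B", 0.88, True),  Recommendation("c07", "B", 0.66, True),
    Recommendation("c08", "B", 0.55, False), Recommendation("c09", "B", 0.49, False),
    Recommendation("c10", "B", 0.31, False),
    Recommendation("c11", "C", 0.80, True),  Recommendation("c12", "C", 0.79, True),
    Recommendation("c13", "C", 0.72, True),  Recommendation("c14", "C", 0.38, False),
]


def selection_rates(recs):
    """Share of candidates the model advances, per demographic group."""
    total, advanced = defaultdict(int), defaultdict(int)
    for r in recs:
        total[r.group] += 1
        advanced[r.group] += int(r.advance)
    return {g: advanced[g] / total[g] for g in total}


def disparity_report(recs, threshold=DISPARITY_THRESHOLD):
    """Compare each group's selection rate with the best-treated group's rate.
    Groups whose ratio falls below the threshold are listed as flagged."""
    rates = selection_rates(recs)
    best = max(rates.values())
    ratios = {g: round(rate / best, 4) for g, rate in rates.items()}
    flagged = sorted(g for g, ratio in ratios.items() if ratio < threshold)
    return {"rates": rates, "ratios": ratios, "flagged": flagged, "compliant": not flagged}


def gate_for_human_review(rec):
    """Turn a model recommendation into a pending record: no final decision exists
    until a named reviewer records one (oversight that is functional, not cosmetic)."""
    return {"candidate_id": rec.candidate_id, "model_advance": rec.advance,
            "model_score": rec.score, "status": "pending_human_review",
            "final_decision": None, "reviewer": None, "rationale": None}


def record_human_decision(pending, reviewer, final_advance, rationale, now=None):
    """Close a pending record and return one JSON audit-log line with its retention deadline."""
    if pending["status"] != "pending_human_review":
        raise ValueError("decision already recorded")
    if not rationale.strip():
        raise ValueError("a rationale is required, especially when overriding the model")
    now = now or datetime.now(timezone.utc)
    closed = dict(pending, status="decided", final_decision=final_advance,
                  reviewer=reviewer, rationale=rationale,
                  overrode_model=(final_advance != pending["model_advance"]),
                  decided_at=now.isoformat(),
                  retain_until=(now + timedelta(days=RETENTION_DAYS)).isoformat())
    return json.dumps(closed, sort_keys=True)  # append this line to a write-once log


if __name__ == "__main__":
    print(json.dumps(disparity_report(SAMPLE), indent=2))
    pending = gate_for_human_review(SAMPLE[7])
    print(record_human_decision(pending, "reviewer-1", True,
                                "Relevant experience the model did not capture"))
```

On the constructed sample the audit flags group B (selection rate 0.4 against 0.8 for group A) while group C passes, which is the kind of structured finding that belongs in the Annex IV documentation alongside the remediation taken. The review gate refuses a decision without a rationale and records whether the reviewer overrode the model, so the log can later show that oversight actually changed outcomes rather than rubber-stamping them.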
Predictive Analytics
Risk: Depends on domain. Financial applications (credit scoring, fraud detection) = High risk. Marketing applications (product recommendations, customer segmentation) = Minimal risk. The distinction matters enormously for compliance costs.
AI Content Generator
Risk: Limited. Action: Label AI-generated content clearly. Implement digital watermarking where technically feasible.
The GPAI Model Provider Obligations
If your company develops or deploys general-purpose AI models (like fine-tuned LLMs), additional obligations apply from August 2025:
• Technical documentation: Model architecture, training methodology, data sources
• Copyright compliance: Documented measures to comply with EU copyright law during training
• Training data summaries: Publicly available summary of training data
• Systemic risk assessment: For models with significant capabilities, additional safety testing and incident reporting

How Dacosoft Helps You Stay Compliant
Every AI solution we deliver includes compliance-ready components from day one:
• Risk classification documentation: following EU AI Act methodology
• Technical documentation: structured per Annex IV requirements
• Logging and monitoring: with complete audit trail and long-term retention
• Transparency mechanisms: with user notifications and decision explainability
• Human oversight design: with monitoring dashboards and intervention mechanisms
• Bias testing and fairness audits: across demographics relevant to Romanian and European markets
• ISO 27001 certification: that already covers many of the AI Act's security requirements

Do not wait until regulators come knocking. Book a free EU AI Act compliance assessment. We will classify your AI systems and create a personalized compliance roadmap.