fbpx

The EU AI Act Comes into Force: What It Means for Compliance and Risk

On 2 February 2025, a significant development the European Union’s Artificial Intelligence Act (EU AI Act), with specific provisions now legally binding. The most immediate obligations concern prohibited AI practices and AI literacy requirements, setting a precedent for AI governance across the EU. These provisions have raised critical questions for businesses, AI developers, and regulators regarding compliance and enforcement.

Provisions Now in Force

The EU AI Act introduces a risk-based framework, classifying AI systems into four tiers: unacceptable, high-risk, limited risk, and minimal risk. As of February 2025, the following provisions have taken effect:

  • Prohibited AI Practices: Certain AI applications are outright banned due to their potential to violate fundamental rights. These include:
    • Subliminal Manipulation: AI systems designed to manipulate individuals beyond their conscious awareness in ways that may cause harm.
    • Exploitation of Vulnerable Groups: AI that targets children, disabled individuals, or economically disadvantaged people in a way that could cause harm.
    • Social Scoring: The use of AI to rank individuals based on behavior, socio-economic status, or personal characteristics, leading to discriminatory treatment.
    • Real-Time Biometric Identification in Public Spaces: Except in specific, narrowly defined law enforcement scenarios, the use of AI for biometric surveillance is now largely prohibited.
  • AI Literacy Requirements: Companies deploying AI in high-risk sectors must ensure that affected individuals understand how these systems function, their limitations, and how to challenge automated decisions.

Who Must Comply?

The provisions in force apply to AI developers, deployers, and service providers operating within the EU or offering AI-based services to EU citizens. This includes:

  • AI Developers: Companies creating AI tools, particularly in sensitive areas such as biometric surveillance, predictive policing, or automated decision-making.
  • Businesses and Public Sector Organizations: Those deploying AI in finance, healthcare, recruitment, public services, and law enforcement must align with the new obligations.
  • Non-EU Companies: The extraterritorial scope of the EU AI Act means that any company offering AI services within the EU must also comply, similar to the General Data Protection Regulation (GDPR).

Implications for Compliance

Organizations impacted by the new rules must take immediate steps to:

  • Conduct AI Risk Assessments: Businesses should audit their AI models to ensure compliance with the prohibitions and literacy requirements.
  • Implement AI Transparency Measures: AI deployers must provide clear information to end users about how AI decisions are made and their rights to contest them.
  • Enhance Internal Governance: Establishing AI ethics committees, compliance teams, and risk mitigation strategies is essential.

Non-compliance could result in severe financial penalties, with fines reaching up to €35 million or 7% of global annual turnover, reinforcing the EU’s strict stance on AI governance.

Challenges, Risks, and Legal Uncertainty

Despite the Act’s clear prohibitions, significant challenges remain:

  • Interpretation and Enforcement Gaps: Regulators must clarify how “subliminal manipulation” or “exploitation of vulnerabilities” will be assessed and enforced.
  • Impact on Innovation: The restrictions on biometric surveillance and AI-driven social scoring may impact AI development in security and financial technology sectors.
  • Enforcement Capacity: National regulators may struggle to monitor compliance effectively, particularly as AI technology evolves rapidly.
  • Diverging Global Regulations: The EU’s AI governance model differs from approaches in the United States and China, creating compliance complexities for multinational companies.

What Comes Next?

While the banned AI practices and literacy requirements are now binding, additional provisions for high-risk AI systems and general-purpose AI models will come into force in phases over the next few years. Organizations must remain proactive in monitoring legal updates and refining their AI governance strategies. The activation of these provisions signals the EU’s commitment to responsible AI development, but also introduces regulatory uncertainty. As enforcement mechanisms evolve and legal interpretations solidify, companies operating in the AI sector must remain agile in adapting to this changing regulatory landscape.

AI was used to generate part or all of this content - more information