The first comprehensive regulation on AI by a major regulator anywhere, the EU’s AI Act endeavors to ensure better conditions for the development and use of this innovative technology.
Regulation (EU) 2024/1689 on artificial intelligence, also known as the AI Act, constitutes a milestone in the regulation of emerging technologies. It ensures that AI is developed and used in a safe and ethical manner within the European Union, while at the same time encouraging technological innovation without imposing unnecessary restrictions.
Who does it apply to?
The AI Act applies to all organizations within the EU, as well as foreign entities outside the EU that intend to use, develop, or market AI products in the EU market.
Only certain areas are excluded, such as military, defense, national security, scientific research, and purely personal activities, among others.
What is meant by AI?
An AI system is defined as any machine-based system that operates autonomously and learns from its environment.
Companies can assume one of the following roles in relation to an AI system:
- Developer/Provider of the system: the company or individual who develops and offers the AI system.
- Deployer: the entity that uses or implements an AI system within its organization.
What obligations does the AI Act impose?
The AI Act classifies AI systems according to their level of risk. High-risk systems must comply with stricter requirements, while low-risk systems are subject to more flexible obligations.
The Act also lists prohibited practices, which are banned within the EU six months after it enters into force.
Obligations vary depending on the company’s role regarding the AI system (provider or deployer) and include: notifying and registering AI systems, conducting conformity assessments, drafting and approving internal use policies, informing users about the AI system, ensuring product and data security, creating supervisory authorities and regulatory sandboxes, among others.
How does the AI Act affect companies?
To assess their obligations, all companies must understand the risk level of the AI systems they develop or use.
It is essential for companies to be prepared to meet the relevant requirements and to protect both users and employees.
Companies developing AI must: carry out risk assessments to ensure systems meet safety requirements; demonstrate compliance with the Act and submit products for audits as needed; and implement ethical and transparency principles from the outset.
Companies deploying AI must: train staff to properly oversee AI usage; ensure data used is representative and appropriate for the tasks carried out by the AI; and monitor the system and report incidents to the relevant authorities.
Implementation timeline
Although the general deadline for compliance is two years from the AI Act’s entry into force (2 August 2026), some key dates precede this and should be noted:
2 February 2025
- Prohibited practices: unacceptable risk AI practices banned from this date
2 August 2025
- Rules for general-purpose AI models
- AI-related sanctions (excluding fines for general-purpose model providers)
- Appointment of competent authorities in member states
- Establishment of EU governance bodies for AI and their confidentiality obligations
2 August 2027
- Obligations concerning AI systems that are part of safety components in products regulated by EU harmonization legislation and subject to third-party conformity assessments
Consequences of non-compliance: Sanctioning regime
The AI Act establishes a penalty regime to ensure compliance with AI rules.
- For prohibited practices, fines can reach up to €35 million or 7% of the company’s annual global turnover, whichever is higher.
- For other breaches, fines may go up to €15 million or 3%.
- For providing misleading information, penalties may reach €7.5 million or 1%.
For small and medium-sized enterprises, including startups, the lower of the monetary amounts or percentages applies.
How can BDO Legal help?
BDO Legal supports companies in adapting efficiently to the new regulations by offering assistance in key areas.
- Defining scope, roles, and legal obligations: Determine whether your systems fall under the AI Act and clarify your organization’s role—provider, deployer, or user—along with associated legal responsibilities.
- Registration and compliance checks: Expert assistance with system registration where required, plus verification of regulatory compliance and identification of any gaps or shortcomings.
- Risk, rights, and impact assessments: Assessments of high-risk AI systems’ impact on individual rights, combined with proactive risk management to reduce exposure to bias, data misuse, and sanctions.
- GDPR and confidentiality compliance: Ensure alignment with GDPR while protecting intellectual property and safeguarding confidential information across the AI lifecycle.
- Transparency and ethical use: Fulfil transparency obligations with clear and understandable explanations of the role of AI in decision-making, reinforcing ethical and responsible use.
- Governance and internal policies: BDO Legal supports the development of internal AI policies, establishes governance frameworks, and helps define responsibilities for oversight and compliance.
- Contractual support: Drafting and reviewing AI-related agreements, including service contracts, licenses, terms of use, and technology partnerships.
- Quality management documentation: Preparation and review of the required QMS documentation, including procedures and written controls for high-risk systems.
- Strategic AI integration: Identify business areas where AI can enhance operations and support the seamless implementation of suitable AI tools.
- Executive training and awareness: Training programs tailored for leadership teams to build awareness of AI’s regulatory, ethical, and strategic dimensions.
- Compliance and maturity assessments: BDO Legal evaluates your organization’s readiness for AI regulation, providing a roadmap for reaching full compliance and operational maturity.
- Leveraging compliance for growth: Transform regulatory alignment into a competitive edge by positioning your business as a trusted, ethical innovator in AI-driven markets.
This edition is intended for general information purposes only. It should not be relied upon without specialized professional advice.