The EU AI Act: where the red zone starts for business
The first binding rules of the EU AI Act on prohibited practices came into force in February 2025. What this means for companies using or planning to use AI.
On 2 February 2025, the first binding provisions of the EU AI Act came into force - the rules on prohibited AI practices. This is not an academic event. It is the start of working regulation that sets boundaries for companies operating in Europe or serving European users.
I am not a lawyer, and this is not legal advice. But I work with companies deploying AI, and I see that many have not yet asked themselves the basic questions about where their products and processes carry regulatory risk.
What ended up on the prohibited list
The AI Act's chapter on prohibited practices targets several specific areas. It bans systems that:
- use subliminal techniques to influence people's behaviour in ways that bypass their conscious choice;
- exploit the vulnerabilities of specific groups - children, the elderly, people with disabilities - to alter their behaviour;
- perform social scoring of citizens based on behaviour in unrelated contexts;
- conduct real-time biometric identification in public spaces (with narrow exceptions for law enforcement).
None of these categories is abstract. They describe real architectural decisions in products that already exist on the market.
Where businesses risk missing the line
The problem is not only that someone deliberately builds prohibited systems. The problem is that some prohibited patterns can emerge in a product unintentionally - as a side effect of optimising for an engagement or conversion metric.
A few scenarios I discuss with clients:
Recommendation systems. If a recommendation algorithm is optimised for engagement and in doing so shapes user behaviour in ways the user has not noticed or consented to, that is a borderline zone. It is not automatically prohibited, but it requires careful assessment.
Personalisation in financial and insurance products. AI scoring that uses behavioural data from contexts unrelated to finance is a potentially problematic area.
HR systems with AI. Automated candidate screening without transparent logic and without the ability to challenge a decision falls into the high-risk zone under the AI Act (this is not the prohibited practices section, but the high-risk systems section - which comes into force later).
What companies should do now
The regulation is being introduced in phases: prohibitions from February 2025, requirements for high-risk systems later. This means there is time to prepare, but less than it might seem.
Practical steps worth taking in the coming months:
First - run an inventory of AI systems in the product and in operational processes. Many companies do not have a current list of exactly where AI or ML is working inside their product.
Second - for each system, answer the question: what is its purpose, what data does it rely on, what is the mechanism of influence on the user?
Third - check whether users have the ability to receive an explanation of a decision and challenge it where the regulation requires this.
Fourth - document this in a form that can be presented to a regulator.
How to think about AI regulation as a permanent context
The AI Act is not a one-time requirement that can be closed with a single compliance project. It is a framework that will evolve. In 2025 and 2026, new requirements will enter into force in stages.
Companies that treat this as an administrative burden will be permanently in reactive mode. Companies that embed risk assessment into their product development process gain a durable advantage: fewer surprises and lower cost of change.
The question for a manager: is there a person or function in the company that tracks how regulatory changes affect AI products? If not, that is a gap worth closing before it becomes a problem.