EU AI Act is in force: what providers and deployers need to do now
A practical breakdown of the first obligations under the European AI regulation for those building or deploying AI systems.
On August 1, 2024, the EU AI Act officially entered into force. Most of its requirements apply after 12 or 24 months, but some obligations take effect earlier, and there is preparatory work that it makes sense to start immediately.
For those building AI products or deploying AI systems in organizations that operate in the European market, this is not a distant document. It is an operational reality to prepare for.
The structure of the regulation: what to work from
The AI Act classifies systems by risk level. Unacceptable risk: prohibited from development and use immediately. High risk: permitted, but subject to strict requirements for documentation, risk assessment, transparency, and human oversight. Limited risk: transparency obligations toward users. Minimal risk: no specific obligations.
Most AI systems in ordinary business land in limited or minimal risk. But systems that affect people's rights - credit scoring, personnel selection, medical decision support, critical infrastructure management - are high risk.
An important distinction: the regulation separates "providers" (those who develop the system) from "deployers" (those who deploy and operate it). Both sides have obligations, but different ones.
What applies earlier than the rest
Bans on unacceptable-risk systems apply after 6 months, from February 2025. This covers manipulative AI systems, social scoring, real-time biometric identification in public spaces, and several others. If any of these appear in your product portfolio or plans, they require legal assessment immediately.
Obligations for providers and deployers of general-purpose AI (GPAI) systems apply after 12 months, from August 2025.
The full regime for high-risk systems applies from August 2026.
What "high risk" means in practice
For a high-risk system you will need: technical documentation in a prescribed format, a risk management system, data quality assurance for training data, event logging, a human oversight mechanism, a declaration of conformity, and registration in the EU database.
None of these elements can be built in a week. Technical documentation and the risk assessment process in particular require methodology, time, and the involvement of both technical and legal sides.
What to do right now
The first step for any organization is inventory. Make a list of all AI systems you develop or operate that are directed at a European audience. For each one, identify whether you are the provider or the deployer, and which risk level corresponds to its application.
The second step is prioritization. Systems with high-risk characteristics need a dedicated compliance project. Start that project now, not in 2025.
The third step, for deployers: review your contracts with AI component suppliers. The AI Act requires providers to pass the necessary information to deployers to allow them to fulfill their obligations. If your contracts do not cover this, that is a gap to close.
Four questions worth asking your team:
- Do we have a complete inventory of all AI systems we use or develop?
- Have we checked whether any of them falls into the high-risk category?
- What does our documentation for each such system look like - would it survive a regulatory review?
- Who in the organization owns AI Act compliance - or does nobody own it yet?
The AI Act is not the last regulation of this kind. It is the beginning of a regulatory regime that will grow. Companies that start preparing now gain not only compliance, but operational maturity that will serve them for a long time.