Human2Human

Regulation

EU AI Act for business - what you need to know before August

A practical walkthrough of the EU AI Act obligations, mapped to provider, deployer, and importer roles. What changes the timeline, what changes the budget.

Adrian Stavljenić · 8 min

The EU AI Act is no longer a draft - from August 2025 it phases in for every company that builds, uses, or distributes AI systems within the EU. If you use ChatGPT in marketing, Copilot in engineering, or run a customer-facing chatbot, this article is for you.

Who does it cover?

The Act defines four roles:

  • Provider - whoever trains or develops the AI system
  • Deployer - whoever uses it in their business
  • Importer - whoever brings it into the EU
  • Distributor - whoever sells it or makes it available

Most non-tech European companies will be deployers - but deployer obligations are not trivial.

Four risk tiers

Every AI system falls into one of four categories:

  1. Unacceptable risk - banned from February 2025 (social scoring, subliminal manipulation)
  2. High risk - strictest regime (HR, hiring, credit scoring, medical devices, critical infrastructure)
  3. Limited risk - transparency obligations (chatbots, deepfakes)
  4. Minimal risk - no obligations (spam filters, video games)

Key deadlines

  • February 2025 - ban on unacceptable-risk systems
  • August 2025 - obligations for general-purpose AI models
  • August 2026 - obligations for high-risk systems in embedded products
  • August 2027 - full obligations for other high-risk systems

What to do now

  1. AI inventory. List everything. Commercial (ChatGPT, Copilot) and internal. No exceptions.
  2. Risk mapping. Assign a risk tier to each system. For edge cases - get legal advice.
  3. Documentation. High-risk systems require technical documentation, a risk management system, data governance, and logging.
  4. Usage policy. Employees must know what they may and may not do with AI.
  5. Shadow AI audit. Whatever your employees do with personal ChatGPT accounts - that's your risk, not theirs.

What we do

At Human2Human we help companies reach compliance through a structured engagement. A typical project is one month: inventory, risk assessment, internal policy, documentation, and leadership training.

If you'd like to talk about where you are and what you need, get in touch.
