Regulation
EU AI Act for business - what you need to know before August
A practical walkthrough of the EU AI Act obligations, mapped to provider, deployer, and importer roles. What changes the timeline, what changes the budget.
The EU AI Act is no longer a draft - from August 2025 it phases in for every company that builds, uses, or distributes AI systems within the EU. If you use ChatGPT in marketing, Copilot in engineering, or run a customer-facing chatbot, this article is for you.
Who does it cover?
The Act defines four roles:
- Provider - whoever trains or develops the AI system
- Deployer - whoever uses it in their business
- Importer - whoever brings it into the EU
- Distributor - whoever sells it or makes it available
Most non-tech European companies will be deployers - but deployer obligations are not trivial.
Four risk tiers
Every AI system falls into one of four categories:
- Unacceptable risk - banned from February 2025 (social scoring, subliminal manipulation)
- High risk - strictest regime (HR, hiring, credit scoring, medical devices, critical infrastructure)
- Limited risk - transparency obligations (chatbots, deepfakes)
- Minimal risk - no obligations (spam filters, video games)
Key deadlines
- February 2025 - ban on unacceptable-risk systems
- August 2025 - obligations for general-purpose AI models
- August 2026 - obligations for high-risk systems in embedded products
- August 2027 - full obligations for other high-risk systems
What to do now
- AI inventory. List everything. Commercial (ChatGPT, Copilot) and internal. No exceptions.
- Risk mapping. Assign a risk tier to each system. For edge cases - get legal advice.
- Documentation. High-risk systems require technical documentation, a risk management system, data governance, and logging.
- Usage policy. Employees must know what they may and may not do with AI.
- Shadow AI audit. Whatever your employees do with personal ChatGPT accounts - that's your risk, not theirs.
What we do
At Human2Human we help companies reach compliance through a structured engagement. A typical project is one month: inventory, risk assessment, internal policy, documentation, and leadership training.
If you'd like to talk about where you are and what you need, get in touch.