Atlan AI

✻ Deep Dive · Jul 19, 2023

The AI Act Unfolded: A 7-Minute Briefing on Why It Matters to Your Business

By Rocío Bachmaier, CEO & Founder · 7 min read

New technologies create new regulatory needs. Just as data storage capabilities necessitated GDPR, AI's expanding role in critical sectors like healthcare and finance demands governance. The EU's AI Act is the first comprehensive regulatory framework for AI in the world, positioning itself as a global standard much like GDPR shaped data protection internationally.

If your business operates in or sells into the EU, this regulation applies to you. Here's what you need to know.

The Four Core Elements

1. Risk-Based Classification System

The Act categorises AI by its potential to harm health, safety, or fundamental rights. High-risk systems like autonomous vehicles face strict requirements, while low-risk applications like spam filters require only basic transparency measures. Where your product falls on this spectrum determines your compliance obligations.

2. Risk Management Requirements

Organisations deploying high-risk AI must conduct thorough testing, document data quality, maintain human oversight, and establish clear accountability frameworks. This isn't optional documentation — it's a legal requirement with teeth.

3. Innovation Support Mechanisms

The Act includes provisions designed to encourage competitive AI development among smaller organisations within the EU, including regulatory sandboxes that allow testing under supervision before full compliance is required.

4. Generative AI Provisions

Specific rules apply to tools like ChatGPT, requiring disclosure of copyrighted training materials and documentation of unmitigated risks. If you're building on top of foundation models, these provisions affect your products too.

Who Does This Apply To?

Broader than many expect. The regulation applies globally to providers or users of AI systems located outside the EU if the output produced by those systems is used within the EU. In practice, this means most AI-enabled products sold to European customers fall under its scope.

Non-compliance carries penalties of up to 6% of global annual turnover or €30 million, whichever is higher.

Timeline

Parliamentary approval came in May 2023, but full implementation likely extends to 2025 and beyond, allowing time for standardisation processes and member-state alignment. That window is shorter than it sounds — organisations that wait will find themselves scrambling.

Key Challenges to Watch

  • Ambiguous categorisation criteria for what counts as "high-risk"
  • Potential inconsistencies in enforcement across EU member states
  • Integration with existing regulations like GDPR
  • The need for early preparation despite an uncertain final timeline

What to Do Now

Start with an inventory of every AI system your organisation uses or builds. Classify each by risk level. Identify where you have gaps in documentation, oversight, or governance. The organisations that start this work now will be ahead when enforcement begins.