Last updated: April 2026
The EU AI Act is here. Here’s what it means for your company and how to get ahead of it.
If your product uses AI or machine learning, you have new compliance obligations under the EU AI Act, and these interact with your existing GDPR requirements in ways that most companies haven’t fully mapped out yet.
Key takeaways
- The EU AI Act entered into force in August 2024, with obligations phased in through 2027 (some high-risk system obligations extend beyond August 2026)
- Common tech company AI use cases range from “high risk” (employment, healthcare, credit scoring) to “limited risk” (certain chatbots, generative AI) to “minimal risk” (internal analytics, basic automation)
- AI compliance integrates with your existing GDPR DPIAs and privacy governance
- Your DPO has led AI compliance programs across 100+ organizations including companies at the forefront of AI development
EU AI Act risk levels
Unacceptable risk (banned): AI that manipulates behavior to cause harm, social scoring by governments, real-time biometric identification in public spaces for law enforcement (with limited exceptions). These prohibitions took effect February 2025.
High risk: AI used in employment (recruitment, performance evaluation), education, credit scoring, healthcare diagnostics, law enforcement, and critical infrastructure. These require conformity assessments, risk management systems, transparency, human oversight, and documentation. Transparency obligations (Article 50) apply from 2 August 2026. The high-risk AI system deadlines are being revised under the May 2026 Digital Omnibus provisional agreement: to 2 December 2027 for stand-alone systems and to 2 August 2028 for systems embedded in regulated products, pending formal adoption.
Limited risk: AI systems that interact with users (chatbots), generate synthetic content (deepfakes, AI-generated text/images), or present as human when they are not. These primarily require transparency obligations (telling users they’re interacting with AI or that content is AI-generated). Transparency obligations under Article 50 apply from 2 August 2026.
Minimal risk: Most other AI applications. No specific obligations, but good practice to follow AI governance principles.
EU AI Act Status as of mid-2026
Under the Digital Omnibus provisional agreement (7 May 2026, pending formal adoption), the high-risk deadline moves to 2 December 2027 (stand-alone systems) and 2 August 2028 (embedded systems). Until formal adoption, the original 2 August 2026 date remains in law.
Prudent compliance planning should treat the provisional dates as the likely outcome while remaining aware that the original 2 August 2026 date technically remains in force until formal adoption is complete. Obligations already in effect since 2 August 2025 include the General Purpose AI model requirements covering transparency, copyright compliance, technical documentation, and downstream provider support. Providers of GPAI models placed on the market before 2 August 2025 must achieve full compliance by 2 August 2027.
Penalties: up to €35 million or 7 percent of global annual turnover for prohibited AI practices, and up to €15 million or 3 percent for high-risk system violations.
How to determine your risk level
The classification depends on what your AI does, not how it works technically. Key questions:
- Does your AI make decisions about employment, credit, education, or healthcare? → Likely high risk
- Does your AI interact with users directly (chatbot, virtual assistant)? → Likely limited risk
- Does your AI generate synthetic content? → Likely limited risk
- Does your AI power internal analytics without directly affecting individuals? → Likely minimal risk
Most tech companies have AI that falls into multiple categories. A SaaS company might have a minimal-risk internal analytics tool AND a limited-risk customer-facing chatbot AND a high-risk AI feature used in HR decisions. Each gets classified separately.
What we do for AI compliance
- AI risk classification: determining where your AI systems fall in the framework
- AI risk assessments: evaluating the risks of your AI processing activities
- AI governance frameworks: policies, procedures, and accountability structures
- Documentation: technical documentation required for high-risk AI systems
- Transparency implementation: user-facing disclosures and explanations
- Data quality and bias assessments
- Human oversight mechanisms
- Integration with existing GDPR DPIAs (AI processing often triggers DPIA requirements)
EU AI Act timeline
- 1 August 2024: AI Act entered into force
- 2 February 2025: Prohibited practices and AI literacy obligations apply
- 2 August 2025: General-purpose AI (GPAI) obligations and governance rules apply
- 2 August 2026: Transparency obligations (Article 50) apply; high-risk deadlines revised under the May 2026 Digital Omnibus provisional agreement to 2 December 2027 (stand-alone) and 2 August 2028 (embedded), pending formal adoption.
- 2 August 2027: Extended deadline for certain high-risk AI in regulated products
- 2 August 2028: Extended deadline for certain additional high-risk systems