Key takeaways:
- The AI Act applies to any company using an AI system, even through third-party software: using a chatbot, an HR tool, generative AI, or a CRM with integrated AI is enough to classify you as a "deployer" under the regulation.
- Compliance is based on a practical 6-step approach: mapping your AI tools, classifying them by risk level, identifying your regulatory role, listing your obligations, building an action plan, and maintaining compliance over time.
- The August 2, 2026 deadline marks the general application of the regulation: companies that have not yet begun their compliance process are already falling behind schedule.
- Compliance goes beyond legal obligation: it represents a competitive advantage in B2B tenders, a signal of trust for investors, and a lever for managing risks related to bias and data protection.
Fines of up to €35 million or 7% of global annual turnover. The AI Act, the European Union’s pioneering regulation on artificial intelligence, sets this level of penalties for the most serious non-compliance. If you manage an SME (Small and Medium-sized Enterprise) or a mid-cap company, this topic already affects you: chatbots, HR tools, generative AI, customer scoring, or assistants integrated into business software are now common in most organizations.
AI Act compliance is therefore not a theoretical issue, but a concrete project of governance and risk management. The challenge: understanding the scope of the regulation, prioritizing your actions, and securing your business without slowing down innovation.
What is the AI Act and Why Your Company is Concerned
Definition of the AI Act in 3 Sentences
The AI Act is the first European regulation to govern the use and development of artificial intelligence within the European Union. It entered into force on August 1, 2024, and is being implemented progressively until August 2027. Its objective: to create a trusted regulatory framework that protects citizens’ fundamental rights, while enabling organizations to innovate responsibly.
This text does not solely target major tech players. It organizes compliance around actual use cases and risk levels.
Which Companies Are Affected by the AI Act?
All companies that develop, provide, distribute, or use artificial intelligence systems within the European Union are affected. An SME using a third-party AI tool becomes a deployer, even if it does not develop the technology itself. Common use cases include:
- CV screening or recruitment assistance tools.
- Customer service chatbots.
- Generative AI used by teams.
- Customer scoring or rating software.
- AI integrated into third-party solutions: SaaS, ERP, CRM.
The 4 Risk Levels Defined by the AI Act
The regulation is based on a pyramid structure: the higher the risk, the heavier the obligations.
Unacceptable Risk
Social scoring systems, real-time facial recognition in public spaces, and behavioral manipulation have been banned since February 2, 2025. These use cases cannot be brought into compliance: they are excluded from the European market.
High Risk
These artificial intelligence systems cover eight domains: employment, education, essential services, biometrics, healthcare, justice, migration, and critical infrastructure. They require comprehensive technical documentation, human oversight, and a rigorous compliance assessment.
Limited Risk
Chatbots and automatically generated content fall into this category. The main obligation is to clearly inform users that they are interacting with an AI system.
Minimal Risk
Examples include spam filters and video game AI. The majority of business use cases fall into this category, but this does not exempt companies from remaining vigilant regarding data quality and system security.
The 6 Steps to Successfully Achieve AI Act Compliance for Your Company
Step 1: Map all AI systems currently in use
Map out all AI tools, including those integrated into third-party software. An incomplete mapping creates a false sense of security. Ask yourself these questions:
- Which teams are using which artificial intelligence systems?
- What data is being processed?
- Who is the technical owner of each tool?
- Is the tool developed in-house or provided by a third-party vendor?
Step 2: Classify each system according to its risk level
Position each system within the European regulation’s pyramid. An HR tool for recruitment assistance is classified as high-risk, while a customer chatbot is classified as limited risk. This distinction completely changes the level of regulatory requirement. The sector, the use case, and the data processed can alter the analysis: never classify a tool in an abstract manner.
Step 3: Identify your role in the value chain
The AI Act defines five roles: provider, deployer, distributor, importer, and authorized representative. For the majority of French SMEs and mid-caps, the central role is that of deployer. Many organizations believe they are outside the scope of the regulation, even though they use AI systems daily in their business processes.
Step 4: List your specific obligations
Obligations vary based on two criteria: your risk level and your role in the value chain. A deployer of high-risk AI, for instance, must maintain a log of the systems used, ensure human oversight of automated decisions, guarantee cybersecurity, and train its users. Once your obligations are identified, translate them into concrete actions: who documents, who approves, who controls, and at what frequency.
Please note: training all employees who use AI is a universal obligation that entered into force in February 2025, regardless of the tool’s risk level.
Step 5: Build and deploy your action plan
Your action plan must be prioritized, budgeted, and scheduled:
- Designate a lead: business leader, compliance officer, or DPO (Data Protection Officer).
- Produce the technical documentation for each AI system.
- Train teams on the regulation’s requirements.
- Set up monitoring and reporting tools.
- Draft an internal charter for the ethical use of AI.
Start with the highest-risk use cases to limit legal exposure, then address limited-risk tools in a second phase.
Step 6: Maintain compliance over time
AI Act compliance is managed for the long term: regular audits, regulatory monitoring, and continuous updates of your AI mapping. For a company without a DPO or a dedicated legal department, external support provides a framework, priorities, and a methodology to transition from intent to robust implementation.
What Are the Sanctions for Non-Compliance?
National supervisory authorities, including the CNIL in France, will be responsible for enforcing the regulation.
- Up to €35 million or 7% of global annual turnover for the most serious violations.
- Up to €15 million or 3% of global annual turnover for other regulatory violations.
- Up to €7.5 million or 1.5% of turnover for providing false information.
Beyond the fines, non-compliance can lead to a loss of customers, concern among investors, and being barred from certain calls for tenders.
Implementation Timeline: Key Dates
| Date | Event |
|---|---|
| August 1, 2024 | Entry into force of the regulation |
| February 2, 2025 | Ban on unacceptable-risk AI + training obligation |
| August 2, 2025 | Rules for general-purpose AI systems |
| August 2, 2026 | General application of the regulation |
| August 2, 2027 | Full application |
Organizations can no longer afford to wait. The earlier you start, the more you reduce the cost and complexity of implementation.
The Benefits Beyond Mere Obligation
Compliance is also a strategic investment and a sign of maturity. Here are the advantages:
- Competitive advantage in B2B tenders.
- Increased trust from investors.
- Anticipation of the upcoming regulatory framework.
- Risk management: controlling bias, hallucinations, and ensuring data protection.
- Stronger employer brand among talent who value the ethical use of AI.
Why Seek External Support?
Achieving compliance requires a blend of three types of expertise that are rarely found together in-house: legal, governance, and operational. External support secures your decision-making and structures a tailored action plan. To manage your daily obligations, solutions like Themio, a regulatory compliance tool, allow you to centralize monitoring and automate part of the management process. You can also rely on an AI Act compliance consulting firm capable of bridging the gap between regulatory requirements and practical implementation.
Eterra Partners supports businesses with their European governance and compliance challenges. Looking to secure your company’s AI Act compliance? Speak with an expert at Eterra Partners.