EU AI Act: Key Compliance Challenges Ahead

The EU AI Act Comes into Force: Implications for Compliance and Risk

On 2 February 2025, the European Union enacted significant provisions of its Artificial Intelligence Act (EU AI Act), which are now legally binding. This landmark legislation introduces critical obligations regarding prohibited AI practices and AI literacy requirements, setting a precedent for AI governance throughout the EU. The Act raises essential questions for businesses, AI developers, and regulators about compliance and enforcement.

Provisions Now in Force

The EU AI Act establishes a risk-based framework that categorizes AI systems into four tiers: unacceptable, high-risk, limited risk, and minimal risk. As of February 2025, the following provisions have been activated:

• Prohibited AI Practices: Certain AI applications are banned due to their potential to violate fundamental rights. These include:
• Subliminal Manipulation: AI systems designed to manipulate individuals beyond their conscious awareness, potentially causing harm.
• Exploitation of Vulnerable Groups: AI targeting children, disabled individuals, or economically disadvantaged people in harmful ways.
• Social Scoring: The use of AI to rank individuals based on behavior, socio-economic status, or personal characteristics, leading to discriminatory treatment.
• Real-Time Biometric Identification in Public Spaces: Except in specific law enforcement scenarios, the use of AI for biometric surveillance is largely prohibited.
• AI Literacy Requirements: Companies deploying AI in high-risk sectors must ensure that affected individuals understand how these systems function, their limitations, and how to challenge automated decisions.

Who Must Comply?

The provisions in force apply to AI developers, deployers, and service providers operating within the EU or offering AI-based services to EU citizens. This includes:

• AI Developers: Companies creating AI tools, particularly in sensitive areas such as biometric surveillance, predictive policing, or automated decision-making.
• Businesses and Public Sector Organizations: Those employing AI in sectors like finance, healthcare, recruitment, public services, and law enforcement must align with the new obligations.
• Non-EU Companies: The extraterritorial scope of the EU AI Act means that any company offering AI services within the EU must also comply, similar to the General Data Protection Regulation (GDPR).

Implications for Compliance

Organizations affected by the new rules must take immediate steps to:

• Conduct AI Risk Assessments: Businesses should audit their AI models to ensure compliance with prohibitions and literacy requirements.
• Implement AI Transparency Measures: AI deployers must provide clear information to end users about how AI decisions are made and their rights to contest them.
• Enhance Internal Governance: Establishing AI ethics committees, compliance teams, and risk mitigation strategies is essential.

Non-compliance could lead to severe financial penalties, with fines reaching up to €35 million or 7% of global annual turnover, underscoring the EU’s strict stance on AI governance.

Challenges, Risks, and Legal Uncertainty

Despite the Act’s clear prohibitions, significant challenges remain:

• Interpretation and Enforcement Gaps: Regulators must clarify how “subliminal manipulation” or “exploitation of vulnerabilities” will be assessed.
• Impact on Innovation: Restrictions on biometric surveillance and AI-driven social scoring may hinder AI development in security and financial technology sectors.
• Enforcement Capacity: National regulators may struggle to monitor compliance effectively, especially as AI technology evolves rapidly.
• Diverging Global Regulations: The EU’s AI governance model differs from approaches in the United States and China, complicating compliance for multinational companies.

What Comes Next?

While the banned AI practices and literacy requirements are now binding, additional provisions for high-risk AI systems and general-purpose AI models will come into force in phases over the next few years. Organizations must remain proactive in monitoring legal updates and refining their AI governance strategies. The activation of these provisions signals the EU’s commitment to responsible AI development, but also introduces regulatory uncertainty. As enforcement mechanisms evolve and legal interpretations solidify, companies operating in the AI sector must remain agile in adapting to this changing regulatory landscape.