EU AI Act enters into law: Businesses face "potentially lethal" compliance risks, expert warns

"Astronomical fines, sweeping scope, and unclear definitions. The scariest thing about AI is now, unequivocally, AI regulation itself."

The EU's AI Act has officially entered into law and European businesses will have to start complying with the new rules in less than three weeks.

The EU wrote that the Act "is the first of its kind in the world and can set a global standard for AI regulation."

Today, the Act was published in the EU journal, which is one of the final stages in its journey through the Parliament's legislative process.

This means the Act will come into force in 20 days on August 1 and be fully applicable within 36 months.

As businesses prepare to work under the new law, one AI expert claimed that the legislation represents a "potentially lethal risk" to every organisation running AI on the Continent.

The Act follows a "risk-based’ approach, which means "the higher the risk to cause harm to society, the stricter the rules."

It bans AI applications including “emotion recognition” systems, which can no longer be used for "identifying or inferring emotions or intentions in the workplace and schools."

The rules also outline cybersecurity requirements and establish strict rules on biometric use (with concessions for cybersecurity and authentication providers).

They place a particularly high regulatory burden on makers of "high risk AI systems". These include AI models which offer services that are already regulated or those used in safety measures.

Any company that deploys high-risk AI systems must "keep the logs automatically generated by that high-risk AI system (to the extent such logs are under their control) for... at least six months." Read the full text of the law here.

READ MORE: Europe’s AI Act demands extensive "logs" - targets biometrics, bias, black boxes

The law applies to "biometrics, critical infrastructure, education, employment, access to essential public and private services, law enforcement, immigration, administration of justice and democratic processes."

When the Act was approved in May 2024, Mathieu Michel, Belgian secretary of state for digitisation, administrative simplification, privacy protection, and building regulation, said: "The adoption of the AI act is a significant milestone for the European Union. This landmark law, the first of its kind in the world, addresses a global technological challenge that also creates opportunities for our societies and economies.

"With the AI act, Europe emphasizes the importance of trust, transparency and accountability when dealing with new technologies while at the same time ensuring this fast-changing technology can flourish and boost European innovation."

AI systems presenting only limited risk will be subject to "very light transparency obligations," while high-risk AI systems would be authorised but "subject to a set of requirements and obligations to gain access to the EU market," the European Council has written.

AI systems such as "cognitive behavioural manipulation and social scoring" will be banned from the EU because their risk is deemed "unacceptable". The law also "prohibits the use of AI for predictive policing based on profiling and systems that use biometric data to categorise people according to specific categories such as race, religion, or sexual orientation."

You have 20 days to comply...

Dr Kjell Carlsson, Head of AI Strategy at the enterprise-AI platform Domino Data Lab, told The Stack that "every organisation operating in the EU now runs a potentially lethal risk in their AI, ML, and analytics-driven activities."

He said: "The scariest thing about AI is now, unequivocally, AI regulation itself. Between the astronomical fines, sweeping scope, and unclear definitions. It is more important than ever for companies to build their Responsible AI capabilities by implementing the processes and platforms to efficiently govern, validate, monitor and audit the entire AI lifecycle at scale.

"These capabilities are the best protection not only against EU regulation and future regulation in the US and elsewhere, but are also critical for minimising business risk and ensuring the fair and ethical use of AI – something these new regulations will not be able to accomplish on their own.”

How should businesses prepare for the AI Act?

Roch Glowacki, AI law specialist and Managing Associate at Lewis Silkin, told The Stack companies should continue working on establishing effective AI governance programs.

"This often means going back to the drawing board and taking time to understand a company's culture, engaging the relevant stakeholders, getting C-suite buy-in, and identifying and integrating AI deployments within the organisation’s workflow," he said.

"Enforcement action by regulators is, as is often the case with new legislation, likely to be limited to the largest companies or most egregious breaches. Securing the resources and specialist AI expertise required to monitor and enforce these new AI rules will pose an immense challenge. Combined with a staggered implementation of the provisions over a 36-month period, we won’t feel the full impact of the AI Act for a while.

"One thing to remember is that there are still a lot of unknowns and plenty to come. The European Commission is expected to issue over 20 delegated acts under the EU’s AI Act. The newly created EU AI Office will, no doubt, be very busy issuing guidance on the application of the various provisions of the Act. "

The rules are likely to have a similarly global effect to the GDPR.

Curtis Wilson, staff data scientist at the Synopsys Software Integrity Group, told The Stack: "I see regulatory frameworks like the EU AI Act as an essential component to building trust in AI. The strict rules and punishing fines will deter careless developers and help customers be more confident in trusting and using AI systems.

"Similar to GDPR, any UK business that sells into the EU market will need to concern themselves with the EU AI Act. However, even those that don’t can’t ignore it. Certain parts of the AI Act, particularly those in relation to AI as a safety component in consumer goods, might also apply in Northern Ireland automatically as a consequence of the Windsor Framework."

The UK government is also moving to regulate AI, and a whitepaper released by the government in 2024 highlighted the importance of interoperability with EU (and US) AI regulation. UK companies aligning themselves to the EU AI Act will not only be able to maintain access to the EU market, but also get ahead of the curve for the upcoming UK regulation.

Read more: Less than a fifth of European companies will use AI by 2030, Digital Decade report reveals