tolinax

The EU AI Act: what companies should know now

EU AI Act: the risk-based approach, staggered obligations and what mid-sized companies should do now. Not legal advice.

Since spring we have been getting the same question in different disguises. Do we have to do something now? The question is about the EU AI regulation, adopted by the European Parliament in March and approved by the Council in May. The short answer is yes, but without panic and not all at once.

What was actually decided

The regulation is in place, but its obligations phase in over time. There is no single morning when every requirement switches on at eight o clock. Anyone handing you a deadline right now, together with a consulting package, is mostly working with your nerves. Far more useful than a countdown is knowing where AI is actually running inside your company. In our experience that is more places than management assumes.

What the regulation is not: a ban on using AI at work. It is also not a reason to shut down projects that are already running. It puts guardrails where machine decisions seriously affect people.

The risk-based approach in one paragraph

Applications are sorted by risk, not by technology. At the top sit prohibited practices. Below them are high-risk applications with strict obligations, in sensitive areas such as hiring or critical infrastructure. Then comes a limited-risk tier where transparency is the core duty: a person has to be able to tell that they are talking to a machine or looking at generated content. Everything with minimal risk stays largely free. Most of what mid-sized companies actually use today, such as text drafting, translation or sorting incoming enquiries, sits in the lower tiers.

AI often hides in software you already bought

The blind spot is rarely a model you built yourself. It is the bought-in features. The CRM that scores leads. The recruiting tool that pre-sorts applications. The phone system that transcribes calls. The chat on your website. The bookkeeping software that reads receipts. You never approved any of these as an AI project, yet you are formally the party operating the system. Which is why the first step is not a legal question but an inventory.

Four things worth doing now

First, a plain list. Which system, which vendor, what purpose, what data goes in, who makes the final call. A spreadsheet is enough, nobody needs to buy a tool for this.

Second, a rough sorting of that list into the risk tiers. You do not need an expert opinion to see that a spell checker and an application pre-screening tool are not the same category. Where you are unsure, flag the row and get legal advice for that row later.

Third, transparency. If a chatbot answers on your website, visitors should know. If AI takes part in hiring, applicants and the works council should know. That is the stance that spares you awkward conversations afterwards anyway.

Fourth, data provenance. What was the system trained or enriched with, and were you allowed to use that data for it? This question will catch up with you regardless of the regulation, at the latest with the first information request.

Why rushing is the wrong reflex

My honest view: for most mid-sized companies the regulation is no reason to stop projects. It is a reason to run them properly. Companies that now have a clean overview, and know which data flows where, will get through the coming deadlines without drama. Companies that keep adopting tools on instinct will pay twice, once for the quick tool and once for cleaning up after it. In our AI consulting this kind of stocktaking usually takes two or three sessions.

One necessary note: this article does not replace legal advice. For a binding assessment of your specific situation, please talk to a lawyer.

Frequently asked questions

Does the regulation apply if we only use bought-in software?

Yes. The regulation places duties not only on providers but also on the parties operating an AI system. How far those duties go depends on the risk class. That is why the first step is stocktaking rather than a lawyer.

Do we have to label content created with AI?

For limited-risk applications the regulation foresees transparency duties, especially where people could not otherwise tell that they are dealing with an AI or with generated content. How far this reaches in your case belongs in a legal review.

Should we pause our running AI projects?

Usually not. It makes more sense to document the project properly and do the risk classification while it is still small and easy to change.

If you want to find out where AI is actually running in your company, we are happy to do that inventory with you. A first conversation is informal and free of sales pressure.

This article belongs to our knowledge hub AI and digitalisation in mid-sized companies.