Back to previous page

Using AI in your business? Ignoring the EU AI Act could cost you millions

Article_image
light

Artificial Intelligence (“AI”) is already embedded in everyday business operations. Companies use AI to screen job applicants, communicate with customers, generate marketing content, assess fraud, analyze transactions, prioritize leads, automate decisions and process personal data. But under Regulation (EU) 2024/1689, the Artificial Intelligence Act (“AI Act”), using AI is no longer solely a technology or productivity issue. It is also a compliance issue.

The AI Act applies not only to companies developing their own AI models. It may also affect businesses that integrate, deploy, distribute or use third-party AI systems in their operations.

And the consequences of getting it wrong are significant: depending on the infringement, fines may reach EUR 35 million or 7% of the company’s worldwide annual turnover.

Does the AI Act apply to your business?

Potentially, yes.

The AI Act covers several categories of operators, including:

  • providers developing an AI system or placing it on the European Union (“EU”) market under their name;
  • deployers using an AI system in the course of professional activities;
  • importers and distributors making AI systems available in the EU;
  • product manufacturers integrating AI into products sold under their name;
  • Certain non-EU providers and deployers whose AI systems or outputs are used in the EU.

This means the AI Act can apply even when the company that develops or operates the AI system is outside the EU.

Using ChatGPT, an AI-powered recruitment platform, or an automated customer support system does not automatically make your company non-compliant. However, it may make the company a deployer and trigger obligations depending on the system’s purpose, risk category and impact on individuals.

The first step, therefore, is not to prepare a generic AI Policy. The first step is to understand:

  1. which AI systems your business uses;
  2. What role does your company perform under the AI Act;
  3. how each system should be classified;
  4. Which obligations and deadlines apply?

We only use third-party AI” is not a compliance strategy.

Many companies assume that the AI provider bears all legal responsibility. That assumption can be dangerous. A business using a third-party AI system may still be responsible for:

  • following the provider’s instructions;
  • assigning appropriate human oversight;
  • monitoring the system’s operation;
  • controlling the quality and relevance of input data;
  • retaining logs where required;
  • informing employees or users about AI use;
  • reporting incidents or serious risks;
  • Ensuring that personnel have sufficient AI literacy.

A company may even become a provider itself if it substantially modifies an AI system, changes its intended purpose, or markets it under its own name or trademark. These role distinctions are therefore central to any AI Act assessment.

Not every AI system carries the same risk.

The AI Act uses a risk-based approach: the greater the potential impact on health, safety or fundamental rights, the stricter the obligations.

Prohibited AI Practices

Certain AI uses are prohibited, including harmful manipulation, exploitation of vulnerable persons, certain social-scoring and biometric practices, untargeted facial-image scraping, workplace or education emotion recognition, certain predictive-policing systems, and narrowly restricted real-time biometric identification.

A prohibited feature cannot be fixed with a disclaimer or policy alone. It may need to be removed, discontinued, or fundamentally redesigned.

High-Risk AI Systems

High-risk AI commonly includes systems used in recruitment and employee management, education, biometrics, critical infrastructure, creditworthiness and essential services, law enforcement, migration and justice.

Classification depends on the system’s intended purpose and actual use, not merely on the technology itself. Providers may need risk management, data governance, technical documentation, logging, human oversight, cybersecurity controls, conformity assessment, CE marking, registration and post-market monitoring. Deployers may also have monitoring, oversight, and impact-assessment obligations.

Limited-Risk AI Systems Subject to Transparency Rules

Transparency obligations apply to:

  • AI systems interacting directly with individuals;
  • AI-generated or manipulated text, images, audio, and video;
  • deepfakes;
  • emotion-recognition and biometric-categorization systems;
  • Certain AI-generated public-interest content.

Users may need to be clearly informed that they are interacting with AI, while generated content may require machine-readable marking or an express disclosure.

Minimal-Risk and Everyday Business AI

Many common AI tools will not be prohibited or high-risk. However, minimal risk does not mean no responsibility. Businesses may still need to address:

  • AI literacy;
  • GDPR and personal-data processing;
  • confidentiality and trade secrets;
  • copyright and intellectual property;
  • consumer protection;
  • misleading or discriminatory outputs;
  • internal responsibility and approval procedures;
  • Reassessment after material changes.

Even low-risk AI should therefore be inventoried, classified and governed through proportionate internal controls.

What are the penalties?

The AI Act provides for substantial administrative fines.

InfringementMaximum Penalty
Prohibited AI practicesEUR 35 million or 7% of total worldwide annual turnover
Breach of other operator or transparency obligationsEUR 15 million or 3% of worldwide annual turnover
Incorrect, incomplete or misleading information supplied to authoritiesEUR 7.5 million or 1% of worldwide annual turnover
Breaches by GPAI model providersEUR 15 million or 3% of worldwide annual turnover

Authorities must consider factors such as the infringement’s nature, gravity, duration, impact, level of responsibility, previous breaches, cooperation and remedial actions.

But regulatory fines are not the only risk. Poor AI governance may also lead to:

  • GDPR and employment-law exposure;
  • discrimination claims;
  • contractual disputes;
  • loss of confidential information;
  • failed investor or buyer due diligence;
  • blocked enterprise sales;
  • reputational damage;
  • Withdrawal or suspension of an AI system.

Do not wait for a regulator to classify your AI system.

The most expensive mistake is often not the absence of a single policy. It fails to recognize that the AI Act applies at all.

A company cannot determine its obligations merely by asking whether it “uses AI”. It must understand which system is used, for what purpose, in which market, by whom, and with what impact.

Take our free AI Act Risk Classification Tool to receive a preliminary assessment of:

  • whether the AI Act may apply to your business;
  • your potential role under the AI Act;
  • the likely risk category of your AI system;
  • the principal obligations that may apply;
  • The legal documents and compliance actions you may need.

Book a consultation or write directly to [email protected] / @ManimamaBot, and we will send our AI Act Risk Classification Tool.

At Manimama Law Firm

At Manimama Law Firm, we help businesses navigate this new reality effectively. We prepare documentation, manage application processes, and develop long-term crypto compliance strategies.

Our Contacts

If you would like to become our client or partner, please do not hesitate to contact us at [email protected].

Alternatively, you can use our Telegram @ManimamaBot, and we will respond to your inquiry.

We also invite you to visit our website.

Join our Telegram to receive news in a convenient way: Manimama Legal Channel.


The content of this article is intended to provide a general guide to the subject matter, not to be considered as a legal consultation.

Tags

Your global legal partner
for crypto & fintech success
Chat
Ready to move forward? Let's get started today

Tell us what you want to create. We will prepare a legal structure that ensures its implementation

Tokenization

Tokenization

Licensing

Incorporation

Other

Talk to our experts

By clicking the "Contact us" button, I confirm that I have read the Privacy Policy and agree to the collection and processing of my personal data in accordance with the General Data Protection Regulation (GDPR).