Artificial Intelligence (“AI”) is already embedded in everyday business operations. Companies use AI to screen job applicants, communicate with customers, generate marketing content, assess fraud, analyze transactions, prioritize leads, automate decisions and process personal data. But under Regulation (EU) 2024/1689, the Artificial Intelligence Act (“AI Act”), using AI is no longer solely a technology or productivity issue. It is also a compliance issue.
The AI Act applies not only to companies developing their own AI models. It may also affect businesses that integrate, deploy, distribute or use third-party AI systems in their operations.
And the consequences of getting it wrong are significant: depending on the infringement, fines may reach EUR 35 million or 7% of the company’s worldwide annual turnover.
Does the AI Act apply to your business?
Potentially, yes.
The AI Act covers several categories of operators, including:
- providers developing an AI system or placing it on the European Union (“EU”) market under their name;
- deployers using an AI system in the course of professional activities;
- importers and distributors making AI systems available in the EU;
- product manufacturers integrating AI into products sold under their name;
- Certain non-EU providers and deployers whose AI systems or outputs are used in the EU.
This means the AI Act can apply even when the company that develops or operates the AI system is outside the EU.
Using ChatGPT, an AI-powered recruitment platform, or an automated customer support system does not automatically make your company non-compliant. However, it may make the company a deployer and trigger obligations depending on the system’s purpose, risk category and impact on individuals.
The first step, therefore, is not to prepare a generic AI Policy. The first step is to understand:
- which AI systems your business uses;
- What role does your company perform under the AI Act;
- how each system should be classified;
- Which obligations and deadlines apply?
We only use third-party AI” is not a compliance strategy.
Many companies assume that the AI provider bears all legal responsibility. That assumption can be dangerous. A business using a third-party AI system may still be responsible for:
- following the provider’s instructions;
- assigning appropriate human oversight;
- monitoring the system’s operation;
- controlling the quality and relevance of input data;
- retaining logs where required;
- informing employees or users about AI use;
- reporting incidents or serious risks;
- Ensuring that personnel have sufficient AI literacy.
A company may even become a provider itself if it substantially modifies an AI system, changes its intended purpose, or markets it under its own name or trademark. These role distinctions are therefore central to any AI Act assessment.
Not every AI system carries the same risk.
The AI Act uses a risk-based approach: the greater the potential impact on health, safety or fundamental rights, the stricter the obligations.
Prohibited AI Practices
Certain AI uses are prohibited, including harmful manipulation, exploitation of vulnerable persons, certain social-scoring and biometric practices, untargeted facial-image scraping, workplace or education emotion recognition, certain predictive-policing systems, and narrowly restricted real-time biometric identification.
A prohibited feature cannot be fixed with a disclaimer or policy alone. It may need to be removed, discontinued, or fundamentally redesigned.
High-Risk AI Systems
High-risk AI commonly includes systems used in recruitment and employee management, education, biometrics, critical infrastructure, creditworthiness and essential services, law enforcement, migration and justice.
Classification depends on the system’s intended purpose and actual use, not merely on the technology itself. Providers may need risk management, data governance, technical documentation, logging, human oversight, cybersecurity controls, conformity assessment, CE marking, registration and post-market monitoring. Deployers may also have monitoring, oversight, and impact-assessment obligations.
Limited-Risk AI Systems Subject to Transparency Rules
Transparency obligations apply to:
- AI systems interacting directly with individuals;
- AI-generated or manipulated text, images, audio, and video;
- deepfakes;
- emotion-recognition and biometric-categorization systems;
- Certain AI-generated public-interest content.
Users may need to be clearly informed that they are interacting with AI, while generated content may require machine-readable marking or an express disclosure.
Minimal-Risk and Everyday Business AI
Many common AI tools will not be prohibited or high-risk. However, minimal risk does not mean no responsibility. Businesses may still need to address:
- AI literacy;
- GDPR and personal-data processing;
- confidentiality and trade secrets;
- copyright and intellectual property;
- consumer protection;
- misleading or discriminatory outputs;
- internal responsibility and approval procedures;
- Reassessment after material changes.
Even low-risk AI should therefore be inventoried, classified and governed through proportionate internal controls.
What are the penalties?
The AI Act provides for substantial administrative fines.
| Infringement | Maximum Penalty |
| Prohibited AI practices | EUR 35 million or 7% of total worldwide annual turnover |
| Breach of other operator or transparency obligations | EUR 15 million or 3% of worldwide annual turnover |
| Incorrect, incomplete or misleading information supplied to authorities | EUR 7.5 million or 1% of worldwide annual turnover |
| Breaches by GPAI model providers | EUR 15 million or 3% of worldwide annual turnover |
Authorities must consider factors such as the infringement’s nature, gravity, duration, impact, level of responsibility, previous breaches, cooperation and remedial actions.
But regulatory fines are not the only risk. Poor AI governance may also lead to:
- GDPR and employment-law exposure;
- discrimination claims;
- contractual disputes;
- loss of confidential information;
- failed investor or buyer due diligence;
- blocked enterprise sales;
- reputational damage;
- Withdrawal or suspension of an AI system.
Do not wait for a regulator to classify your AI system.
The most expensive mistake is often not the absence of a single policy. It fails to recognize that the AI Act applies at all.
A company cannot determine its obligations merely by asking whether it “uses AI”. It must understand which system is used, for what purpose, in which market, by whom, and with what impact.
Take our free AI Act Risk Classification Tool to receive a preliminary assessment of:
- whether the AI Act may apply to your business;
- your potential role under the AI Act;
- the likely risk category of your AI system;
- the principal obligations that may apply;
- The legal documents and compliance actions you may need.
Book a consultation or write directly to [email protected] / @ManimamaBot, and we will send our AI Act Risk Classification Tool.
At Manimama Law Firm
At Manimama Law Firm, we help businesses navigate this new reality effectively. We prepare documentation, manage application processes, and develop long-term crypto compliance strategies.
Our Contacts
If you would like to become our client or partner, please do not hesitate to contact us at [email protected].
Alternatively, you can use our Telegram @ManimamaBot, and we will respond to your inquiry.
We also invite you to visit our website.
Join our Telegram to receive news in a convenient way: Manimama Legal Channel.
The content of this article is intended to provide a general guide to the subject matter, not to be considered as a legal consultation.




