The EU AI Act introduces concrete obligations for developers and deployers of AI systems operating in the European Union. EU-based organizations are directly subject to the regulation; those operating in the European market while headquartered elsewhere are equally bound. Penalties follow a progressive scale reaching up to 7% of global annual turnover for the most serious violations, with the possibility of facing both AI Act and GDPR sanctions for the same breach.
The Act builds on the GDPR: many risk assessment processes already implemented for privacy compliance overlap with what the new law requires, which is an advantage for organizations that already have a structured privacy function.
Compliance activities are organized into four areas.
1. Governance and oversight
The board and senior leadership must be fully informed of the obligations introduced by the Act and must ensure enhanced oversight on two fronts: preventing the implementation of prohibited AI uses, and ensuring that the organization's use of AI meets the Act's standards on transparency, fairness, safety and privacy.
Operationally, this requires integrating the Act into existing risk management and reporting frameworks -- legal, enterprise, privacy, security -- and clearly assigning roles and responsibilities for approving or blocking use cases, including escalation criteria for controversial cases. Policies must be updated to include examples of prohibited uses and to precisely define what the EU considers high-risk use cases, along with the related obligations.
The AI governance committee -- whatever form it takes within the specific organizational structure -- is the coordination point between legal, compliance, risk, audit and business unit functions.
2. Risk assessment
The Act establishes high-risk use categories and specific assessment requirements for those who adopt or develop them. Among the obligations: identifying and tracking high-risk AI uses within the organization, assessing control compliance with the Act's standards for each high-risk use case, and conducting a Fundamental Rights and Algorithms Impact Assessment (FRAIA) to verify that systems do not compromise the privacy rights, non-discrimination and human dignity of European citizens.
The starting point is a gap assessment of existing risk frameworks against the Act's requirements, followed by building an AI use case inventory linked to critical dependencies -- applications, processes, data. Organizations that already have an ML model inventory, a data inventory or an application inventory can adapt existing resources instead of starting from scratch.
Integrating the FRAIA-required questions into the Data Protection Impact Assessments (DPIAs) already in use for high-risk AI is an efficient choice: it reduces process duplication and leverages expertise already available within the privacy function.
3. Continuous monitoring, mitigation and audit
The Act imposes ongoing control requirements to demonstrate that the organization maintains oversight of high-risk systems. This includes monitoring and periodically reassessing use case compliance with the Act's standards, documenting assessment and testing procedures, and ensuring human oversight of high-risk systems with regular testing for bias and errors.
In practical terms: establish a "human review" requirement for outputs of high-risk or high-exposure use cases -- particularly those supporting decisions in sensitive scenarios such as personnel selection -- verifying both individual cases and aggregate outcomes. Maintain up-to-date documentation of testing procedures and their results. Update vendor monitoring to include the Act's requirements in periodic reviews.
4. Policy, procedures and training
The Act requires organizations to inform users when they interact with chatbots, notify users of the AI origin of generated content, and update internal policies to define roles and responsibilities regarding prohibited and high-risk uses.
Employee-facing policies must be updated to outline acceptable uses, establish controls and assessment obligations for high-risk cases, and include clear guidelines on prohibited uses and related scenarios. Consumer-facing policies and automated systems must be updated to inform users of AI interaction and offer the option to speak with a human operator. Training materials must reflect the new requirements at all levels of the organization.
How to distribute responsibilities
The cross-functional nature of AI Act requirements is one of the main operational obstacles: it involves legal, compliance, privacy, risk management, audit, IT, data & analytics and individual business units simultaneously. The assurance map -- a tool that defines who is responsible for what and where responsibilities overlap -- is the most effective way to eliminate gaps and redundancies in AI risk management.
The choice is not between managing compliance internally or fully outsourcing it: the most structured organizations use combinations of internal staff, law firms and regulatory intelligence tools, balancing costs, depth of analysis and the ability to respond quickly to regulatory changes. 47% of legal leaders plan to strengthen their regulatory tracking processes within the next 12-18 months. Those who start first build a structural advantage that is difficult for others to catch up on.