Defensive Intelligence
Defensive
Intelligence
← Insights/Intelligence Brief

What the EU AI Act Actually Requires of Your Organisation

Stripping away the noise: a practical breakdown of who it applies to, what the obligations are, and what you need to document.

nV

ninthLABS Ventures

Staff Writers

May 8, 20269 min read
SharePostLinkedIn

The EU AI Act has generated more heat than light in most boardroom conversations about AI compliance. On one side: commentary treating it as an existential regulatory burden that will reshape every AI deployment. On the other: commentary dismissing it as bureaucratic overreach that applies primarily to AI developers, not to the organisations using AI tools to do their work. Neither reading is accurate, and acting on either without understanding the specifics creates real exposure.

This post is an attempt to provide the practical middle ground: who the Act actually applies to, what it actually requires, what the phased timeline looks like, and what organisations that are not AI developers still need to do. It is written for the person in the organisation who has been handed this question and needs a working answer. Not a legal opinion, but an honest account of the landscape.

This is not legal advice

The EU AI Act is complex legislation with sector-specific provisions. The analysis below is intended to help you understand the framework and identify where specialist advice is needed, not to substitute for it. For specific compliance obligations in your sector and jurisdiction, engage qualified legal and compliance counsel.

The risk tier architecture

The Act organises AI systems into four tiers. Where a given system sits determines what obligations apply.

  • Unacceptable risk: prohibited outright. Social scoring by public authorities, real-time biometric surveillance in public spaces, systems designed to exploit psychological vulnerabilities. If your organisation is not a government and not in biometric identification, this tier is largely not your concern.
  • High risk: significant obligations. This is the tier that matters most for regulated enterprises. It covers AI used in employment decisions, credit and insurance underwriting, law enforcement, critical infrastructure, educational assessment, essential private services, and border control. If your AI program touches any of these domains, specific obligations apply.
  • General-purpose AI models (GPAI): obligations primarily for model providers. The foundation models underlying most enterprise AI tools (GPT-4, Claude, Gemini) sit here. The obligations fall on the providers, not the organisations using those models through a governed gateway.
  • Limited and minimal risk: transparency obligations or none. Most AI applications (chatbots, summarisation tools, writing assistants) sit here. The main obligation is disclosure: users should know they are interacting with AI.

Who it applies to

The Act draws a distinction between providers (organisations that develop or place an AI system on the market) and deployers (organisations that use an AI system in the course of their operations). Most enterprises are deployers, not providers. The compliance burden on deployers is substantially lighter, but it is not zero, and for high-risk use cases it is significant.

Geographic scope is also worth understanding clearly. The Act applies to AI systems placed on the EU market or used in the EU, regardless of where the provider is established. An Australian financial services firm running AI-assisted credit assessments for EU customers is within scope. An American legal firm using AI document review for EU litigation is within scope. The Act is intentionally extraterritorial for AI systems that affect EU residents.

2024

Act entered into force (August)

EU AI Act

2026

High-risk AI obligations apply

EU AI Act timeline

€35M

Max fine: prohibited AI systems

EU AI Act, Art. 99

€15M

Max fine: high-risk non-compliance

EU AI Act, Art. 99

What high-risk deployers actually need to do

If your organisation uses AI in a high-risk application (employment decisions, credit assessment, insurance underwriting, educational assessment), the Act imposes a set of obligations on you as a deployer, not just on the provider of the system you are using.

Human oversight

High-risk AI systems must be used with meaningful human oversight: not checkbox oversight, but oversight that is operationally capable of intervening when the system produces outputs that require human judgment. For employment AI tools, a human must be in the loop on decisions that materially affect individual employees or candidates. The oversight must be documented and demonstrable.

Fundamental rights impact assessment

Deployers of high-risk AI systems in public-sector and certain private-sector contexts are required to conduct a fundamental rights impact assessment before deployment. This is a structured evaluation of how the system's use might affect the rights of individuals, particularly in employment, access to services, and law enforcement contexts. The assessment must be documented and retained.

Technical documentation and record-keeping

Deployers must maintain technical documentation about the AI systems they use: what the system does, what data it processes, how decisions are made. They must also keep logs of the system's operation to the extent technically possible. This is where many organisations discover their AI governance infrastructure is inadequate. If the AI tool you are using does not provide operational logs, you cannot meet this obligation with that tool.

Transparency to affected individuals

Where decisions affecting individuals are made or materially influenced by a high-risk AI system, affected individuals must be informed. This is particularly relevant in employment contexts: employees subject to AI-assisted performance monitoring or assessment have a right to know.

Four things most organisations need to do right now

For organisations using AI primarily for productivity applications rather than high-risk decision-making, the immediate obligations are more limited. But 'more limited' is not 'none'. Four actions are worth taking regardless of where your AI use currently sits in the risk tiers.

  1. 1Map your AI systems. Before you can assess compliance obligations, you need to know what AI systems your organisation actually uses, including those adopted by individual employees or teams without central IT visibility. This is the shadow AI audit question, and it is also the EU AI Act compliance question.
  2. 2Classify your AI use cases by risk tier. For each system you identify, determine whether it is being used in a high-risk context as defined by the Act. Employment tools, credit tools, and health-related tools warrant close attention.
  3. 3Establish or verify your audit and logging capability. High-risk AI use requires operational logs. Even for non-high-risk use, having a record of what your AI systems are processing and producing is increasingly a baseline expectation across regulators, insurers, and clients.
  4. 4Review your AI vendor agreements. Your obligations as a deployer depend partly on what your providers are obligated to give you. Review what documentation, transparency, and logging capabilities your AI vendors provide, and whether those capabilities are sufficient for your obligations under the Act.

The audit trail question applies regardless of risk tier

Whether or not your AI use is classified as high-risk, the ability to produce a record of what your AI systems processed, including when and by whom, is increasingly a baseline expectation across regulatory frameworks, insurance requirements, and client contracts. The organisations discovering this at the worst possible moment are those that deferred the logging question until after an incident.

The Australian, UK, and US context

If your organisation operates primarily outside the EU, the Act's direct obligations may not apply. But the indirect effects are significant. The Act is establishing compliance benchmarks that are influencing regulatory frameworks in Australia, the UK, and the US. Enterprise procurement in those markets is already incorporating EU AI Act-aligned requirements into vendor and partner expectations.

Australia's Privacy Act amendments, the UK ICO's AI guidance, and the US NIST AI Risk Management Framework all point in a consistent direction: AI systems that process personal data require demonstrable governance controls, human oversight for consequential decisions, and some form of audit trail. The specific obligations differ. The underlying direction does not.

The AI Act compliance question and the AI governance question are the same question

The infrastructure that makes EU AI Act compliance demonstrable (logs, classification, scrubbing, human oversight, audit trails) is the same infrastructure that constitutes a defensible AI governance program under any regulatory framework. OBEL is built to provide that infrastructure. If this is a live question for your organisation, the conversation starts here.


References

  1. [1]European Parliament - "Regulation (EU) 2024/1689 of the European Parliament and of the Council" (AI Act)
  2. [2]European Commission - "AI Act: Obligations for Deployers" (2025)
  3. [3]NIST - "AI Risk Management Framework (AI RMF 1.0)" (January 2023)
  4. [4]UK ICO - "Guidance on AI and Data Protection" (2024)
SharePostLinkedIn

More in Intelligence Brief

Act before the incident does

Do you know what your AI program is sending out the door?

Most organisations do not - until they have to explain it to a regulator, an insurer, or a client. OBEL gives you the observability to see it and the enforcement to stop it. If this post has raised a question your current stack cannot answer, that is worth an urgent conversation.

Book an urgent briefingStart free trial