EU AI Act: What Businesses Need to Know About the New AI Rules
- by Ilona K.

Table of contents
As Artificial intelligence (AI) proliferates, new regulations are emerging that define how companies can develop and use AI technologies. One of the key documents is the EU AI Act (a European Union law regulating AI systems development and use that, in some cases, also applies to companies outside the EU). Let’s explore what it regulates, who it applies to, and how businesses can prepare for it.
What is the EU AI Act
The EU AI Act is the first comprehensive European Union law regulating the use of artificial intelligence.
Its goal is to create uniform rules for the development and use of AI, while supporting technological advancement and mitigating potential risks to society. The Act is just one component of a broader EU strategy for developing trustworthy and human-centered artificial intelligence, including the AI Continental Action Plan, the AI Innovation Package, and the launch of AI Factories (infrastructure for the development and deployment of artificial intelligence). Together, these initiatives aim not just to ensure safety and protect fundamental rights but also to stimulate investment, innovation, and the wider adoption of AI in the EU.
The Act is based on a risk-based approach, which means that the higher the likelihood that an AI system could impact the safety, rights, or interests of individuals, the more stringent the requirements imposed on it. Therefore, the AI Act doesn’t establish uniform rules for all AI systems. Instead, they are divided into four risk categories, each with its own requirements:

1. Unacceptable Risk
This category includes AI systems whose use is prohibited because they pose a threat to security or fundamental human rights, such as social rating systems; technologies that use AI to manipulate human behavior or exploit their vulnerabilities; emotion recognition in the workplace and educational institutions; and certain types of biometric identification in public spaces. The ban on such practices took effect in February 2025.
2. High Risk
This category includes AI systems that could significantly impact people’s lives, such as solutions used in education, healthcare, employment, critical infrastructure, law enforcement, migration, and credit assessment.
The AI Act establishes the most stringent requirements for such systems. These include risk management, the use of high-quality data, maintaining technical documentation, ensuring human oversight, and meeting reliability, accuracy, and cybersecurity requirements.

3. Limited Risk
This category focuses on transparency in the use of AI. For instance, users should understand when they are interacting with an AI system, such as a chatbot. Additionally, certain content created using AI, including deepfakes, should be labeled accordingly. Most transparency requirements will apply starting in August 2026.
4. Minimal or No Risk
Most AI applications fall into this category. This includes spam filters, AI in video games, and many other everyday tools. The AI Act doesn’t establish additional mandatory requirements for these applications.
This approach allows for unfettered development of technologies where potential risks are minimal, while simultaneously establishing stricter requirements for AI use cases that could impact security or fundamental human rights.
Who Does the EU AI Act Apply to?

The requirements of the AI Act do not apply exclusively to companies creating LLMs or other AI systems. In practice, the law may affect a much wider range of organizations, as AI has already become a part of many digital products and business processes.
Companies can use AI both in-house and through third-party solutions integrated into websites, products, or internal systems. This could include a customer support chatbot that answers customer questions, a recommendation system that helps users find the right product or service, a content generation tool, or a solution for analyzing suspicious activity.
The mere use of AI doesn’t automatically mean that a company falls under all the requirements of the EU AI Act. Responsibilities depend on the role that the organization plays in using AI, the specific tool used, and whether it falls within categories regulated by the law.
Why This Matters for International Businesses
The key feature of the EU AI Act is its extraterritorial application.
If an organization offers goods or services to users in the European Union, or the results of its AI systems are used in the EU, certain provisions of the law may apply to such a company regardless of its country of incorporation.
That’s why the AI Act is already generating interest far beyond the European market.
An international company may use AI to automate customer support, handle customer inquiries, or personalize services. If customers in EU countries utilize these capabilities, the company should evaluate which legal requirements may apply specifically to these AI use cases.
This doesn’t mean that any business working with European customers should automatically comply with all provisions of the AI Act. However, ignoring the new law simply because the company is registered outside the European Union is no longer an option.
Why This Matters for the Domain Industry
The domain industry is also actively implementing AI.
Today, AI helps users find available domain names, suggests alternatives based on keywords or project descriptions, automates customer support, and analyzes customer requests.
Artificial intelligence is also used to improve security. Algorithms can identify suspicious registrations, analyze atypical activity, or help detect domains potentially used for phishing and other abuses.
Scenarios like these demonstrate how closely AI has already been integrated into the modern domain industry.
If such services are available to users in the European Union, companies should evaluate in advance whether certain requirements of the EU AI Act apply to the AI tools they use.
What Companies Should Do Now
Companies should thoughtfully evaluate how they utilize AI in their operations. Such analysis can help them understand which legal provisions may be relevant to their organization and what steps may be required going forward:
- Compile a list of AI tools used in the company, including built-in functions of third-party services, chatbots, automation tools, and data analytics solutions.
- Determine the company’s role in relation to each AI solution, i.e., whether it’s developing its own AI system, integrating an existing tool into its product, or using it only for internal processes.
- Evaluate the purpose of the AI systems used and determine whether they fall into categories for which the AI Act establishes additional requirements.
- If the company falls under the AI Act, review which employees work with AI tools and ensure they have the required level of AI literacy as required by the law.
- Monitor regulatory updates, including potential changes to deadlines and requirements under the Digital Omnibus initiative.
This preliminary assessment can help the company understand which provisions of the AI Act may be relevant to it and prepare for future application of the law’s requirements.
The use of AI is becoming a standard part of digital business. Companies are implementing AI to speed up customer service, automate routine tasks, improve security, and make their services more convenient.
At the same time, the requirements for using such technologies are also changing.
When the EU AI Act Requirements Come into Force

Although the EU AI Act officially entered into force in 2024, its provisions are being implemented gradually. This is to allow companies time to adapt to the new requirements. Currently, five key stages can be identified:
February 2025: First Prohibitions and AI Literacy Requirements
The first provisions of the law came into effect on February 2, 2025.
First, a ban on the use of AI systems classified as unacceptable risks came into effect. These include social rating systems, technologies based on the manipulation of human behavior, certain types of biometric identification in public spaces, and a number of other practices that the EU considers incompatible with the protection of fundamental human rights.
Second, companies covered by the AI Act should ensure an adequate level of AI literacy among employees working with artificial intelligence. This doesn’t imply mandatory certification or a uniform course. However, organizations should ensure that employees understand the capabilities and limitations of the AI systems they use, are aware of the associated risks, and are able to use such tools responsibly. The assessment takes into account the employee’s role, the specifics of the AI solutions used, and the context in which they are used.
August 2025: Rules for General-Purpose Models
The next stage began on August 2, 2025, when requirements began to apply to providers of general-purpose artificial intelligence (GPAI) models, for example, large language models (LLMs) that can be used for a wide range of tasks.
For providers of such models, the law establishes obligations to prepare technical documentation, comply with copyright requirements, ensure sufficient transparency, and, for the most powerful models, manage systemic risks.
For most companies that simply use ready-made AI services, this stage is of rather indirect significance. However, these requirements apply to developers and providers of the core AI models on which many modern services are built.
August 2026: Key Requirements for Businesses
The most important milestone for most companies will be August 2, 2026.
This is the date on which a significant portion of the AI Act’s provisions will apply, including requirements for high-risk AI systems, market participant responsibilities, transparency rules, and supervisory authority powers.
Specifically, requirements for high-risk AI systems will come into effect, including:
- risk management throughout the system’s lifecycle;
- ensuring the quality of data used for AI training and operation;
- maintaining technical documentation;
- logging events to ensure traceability of system operation;
- human oversight of AI operation;
- compliance with accuracy, reliability, and cybersecurity requirements.
Many transparency requirements will also apply during this period. For example, users should be informed when interacting with an AI system, such as a chatbot, and certain AI-generated content, including deepfakes, must be labeled accordingly.
August 2027: AI in Regulated Products
The next stage of the AI Act’s implementation will begin on August 2, 2027. From then on, the law will apply to AI systems that are safety components of products already regulated by EU law. This applies, for instance, to medical devices, machinery, vehicles, and other products where artificial intelligence affects the safety of use.
End of 2030: End of the Transition Period
The final stage of the AI Act’s implementation will end on December 31, 2030. By this date, certain large information systems of the European Union listed in Annex X of the AI Act (a list of certain major EU information systems for which the law provides for a longer transition period until full compliance with the Act) will be required to comply with the law’s requirements.
This date won’t entail any new obligations for most businesses, but it does complete the phased implementation of the law. The European Commission is currently discussing the Digital Omnibus initiative (a package of legislative amendments aimed at simplifying and harmonizing digital regulation in the EU and reducing the administrative burden on businesses), which proposes postponing the entry into force of certain requirements for high-risk AI systems, tentatively until the end of 2027.
However, these changes haven’t yet been adopted. Therefore, companies are advised to refer to the current AI Act implementation schedule and not delay preparations in anticipation of possible changes.
Preparing for new requirements doesn’t necessarily mean making large-scale changes today. However, understanding where and how AI is used within a company can help you promptly assess potential risks, avoid unexpected complications in the future, and adapt more confidently to new regulations.
FAQs
Does the EU AI Act apply to companies outside the European Union?
Yes. The Act has extraterritorial application. In certain cases, its requirements may apply to companies registered outside the EU if they offer products or services to users in the EU or if the results of their AI systems are used within the EU.
Are all companies required to comply with the EU AI Act?
No. Obligations depend on the role the company plays in the use of AI, the AI systems involved, and the risk category they fall into. Using AI alone doesn’t automatically entail the application of all the laws requirements.
Which AI systems are most strictly regulated?
The most stringent requirements apply to high-risk AI systems. These include solutions used in healthcare, education, employment, critical infrastructure, law enforcement, and credit assessment. For such systems, the AI Act sets requirements for risk management, data quality, documentation, human oversight, and cybersecurity.
When will most of the EU AI Act’s requirements come into effect?
Although the law entered into force in 2024, its provisions are being implemented in stages. One of the key dates is August 2, 2026, when a significant portion of the requirements for businesses will come into effect, including rules for high-risk AI systems and transparency requirements. However, certain provisions have already been in effect since February and August 2025.
What should a company do now?
Start with an internal assessment of its use of AI, such as determining which AI tools are used within the company, where they are used, what role the organization plays in relation to these systems, and whether they may fall under the AI Act. This analysis can help understand in advance what obligations may arise as the law comes into force.
Want to stay on top of tech industry trends? Visit it.com Domains’ blog and contact us on social media.

Read also


