EU AI Act Compliance: AI Regulation Consulting
Regulation (EU) 2024/1689 on artificial intelligence is the world's first comprehensive AI law. KO‑MO‑TEL supports you with risk classification, documentation and compliance — from AI inventory to ongoing AI governance.
What is the EU AI Act?
The EU AI Act (Regulation EU 2024/1689 on artificial intelligence) is the world's first comprehensive law regulating AI systems. It entered into force on August 1, 2024 and becomes fully applicable in phases until August 2027. Prohibited AI practices have applied since February 2, 2025, foundation model obligations (GPAI) since August 2, 2025, and high-risk AI requirements from August 2, 2026. As an EU regulation, the AI Act applies directly in all 27 member states without national transposition.
The AI Act follows a risk-based approach: the higher the risk of an AI system to fundamental rights, health, safety and democracy, the stricter the requirements. KO‑MO‑TEL GmbH from Munich has been supporting companies since 1994 with responsible technology use — and since 2024 specifically with AI Act compliance. The regulation affects not only AI developers: deployers who use AI systems under their own responsibility must also comply.
EU Regulation
(EU) 2024/1689, published 13.06.2024
In force since
August 1, 2024 (phased until 2027)
Regulatory approach
Risk-based: 4 levels from prohibited to minimal
Scope
EU-wide + third-country providers with EU market presence
The 4 Risk Categories of the AI Act
The EU AI Act classifies AI systems into four risk levels. The classification determines which obligations providers and deployers must fulfill. The strictest requirements apply to high-risk AI systems in critical areas such as employment, education, biometrics and access to essential services.
Prohibited AI Practices (Art. 5)
Since February 2, 2025, four categories of AI systems are prohibited in the EU: manipulative techniques (dark patterns, subliminal influence), exploitation of vulnerabilities of vulnerable groups (age, disability, socioeconomic situation), social scoring by authorities, and real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions).
High-Risk AI Systems (Art. 6-51)
AI systems in critical areas per Annex III: biometric identification, critical infrastructure, education, employment (AI recruiting, performance evaluation), access to essential services (credit scoring, insurance), law enforcement, migration, justice. Obligations: risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy, cybersecurity, conformity assessment, CE marking.
Limited Risk AI — Transparency Obligations (Art. 50)
AI systems that interact with humans or generate content must comply with transparency obligations: chatbots must be labeled as AI, deepfakes must be marked as AI-generated, emotion recognition and biometric categorization require informing affected persons. Applicable from August 2, 2026.
Minimal Risk — No Obligations
Most AI applications fall into this category and are not regulated by the AI Act: spam filters, AI-powered video games, spell checkers, recommendation systems (without manipulation), productivity tools like GitHub Copilot or Microsoft Copilot for internal use. Voluntary codes of conduct are possible.
EU AI Act Implementation Timeline
The AI Act is being implemented in phases. Two deadlines have already passed; the most important deadline for high-risk AI is August 2026. Companies should start preparing now.
Prohibited AI Practices (Art. 5)
Since this date, manipulative AI techniques, exploitation of vulnerable groups, governmental social scoring, and real-time remote biometric identification in public spaces are prohibited. Violations are sanctioned with up to EUR 35M or 7% of global annual turnover.
GPAI Models / Foundation Models (Art. 51-56)
Obligations for providers of General Purpose AI models such as GPT-4, Claude, Llama and Gemini: technical documentation, copyright information, energy efficiency report. For systemic risk models (>10^25 FLOPs): additionally model evaluation, adversarial testing, incident reporting.
Main Part: High-Risk AI, Transparency, Governance (Art. 6-83)
The main part of the regulation becomes applicable: all requirements for high-risk AI systems (Annex III), transparency obligations for chatbots and deepfakes (Art. 50), governance structures and market surveillance. Companies must have completed AI inventory, risk classification and compliance measures by then.
Who needs to comply with the EU AI Act?
The AI Act covers the entire AI value chain — from developers and importers to companies that deploy AI under their own responsibility. SMEs are also affected if they use AI (not just develop it). The extraterritorial effect also captures third-country providers making AI systems available in the EU market.
Providers
Develop or place AI systems on the market. Bear primary responsibility for conformity: risk management, technical documentation, conformity assessment, CE marking. Also includes startups and SMEs developing AI products.
Deployers
Use AI systems under their own responsibility in business operations. Obligations: use according to instructions, human oversight, monitoring AI performance, reporting serious incidents, fundamental rights impact assessment (FRIA) where applicable.
Importers & Distributors
Bring AI systems from third-country providers into the EU market. Must ensure imported AI systems are compliant (CE marking, declaration of conformity, technical documentation available).
Affected Persons
Persons whose data is processed by AI systems or who are subject to AI decisions. Have rights to transparency, information about AI use and human review of automated decisions.
SMEs are also affected
Do you use HR software with AI candidate screening? Deploy chatbots? Use AI-based credit scoring? You may have obligations under the AI Act as a deployer of high-risk AI or limited-risk AI. The AI Act provides facilitated requirements for SMEs and startups (Art. 62), but no full exemption.
Penalties for AI Act Violations
The EU AI Act provides tiered fines based on the severity of the violation. The higher amount applies — fixed amount or percentage of global annual turnover. Additional consequences include product recalls, prohibition of the AI system, and reputational damage.
EUR 35M
or 7% turnover
Prohibited AI practices (Art. 5)
EUR 15M
or 3% turnover
High-risk AI violations (Art. 9-29)
EUR 7.5M
or 1.5% turnover
Transparency / false information
AI Act penalties are the highest AI-specific fines worldwide. For SMEs and startups, the AI Act provides for appropriate consideration of their situation, but early compliance is significantly cheaper than a fine proceeding. Act now — high-risk AI obligations apply from August 2026.
How KO‑MO‑TEL Supports AI Act Compliance
KO‑MO‑TEL GmbH supports companies with responsible AI use and AI Act compliance. Our structured consulting approach covers all phases — from initial assessment to ongoing AI governance. As an IT service provider since 1994, we combine regulatory know-how with technical implementation expertise.
AI Inventory & Risk Classification
Capture all deployed and developed AI systems. Classification according to the four AI Act risk categories (prohibited, high-risk, limited risk, minimal). Categorization by role (provider, deployer, importer). Documentation in an AI register with provider, purpose, legal basis and affected persons.
Compliance Gap Analysis
Systematic comparison of your AI usage with AI Act requirements. Identification of documentation gaps, missing processes and technical deficits. Prioritized action plan with quick wins (0-3 months) and medium-term measures (3-12 months). Gap report as decision basis for management.
Risk Management & Documentation for High-Risk AI
Building a risk management system per Art. 9 AI Act. Creating technical documentation (Annex IV): system architecture, training data, test procedures, performance metrics. Fundamental Rights Impact Assessment (FRIA) per Art. 27. Data quality checks and bias testing of training data.
Transparency Implementation & AI Governance
Implementing transparency labels: chatbot labeling, deepfake watermarks, AI-generated content marking. Building AI governance structure: AI policy, procurement process for AI systems, employee training. Human-in-the-loop processes for high-risk AI. Monitoring regulatory developments.
Conformity Assessment & CE Marking
Support with conformity assessment for high-risk AI (self-assessment per Annex VI or third-party assessment per Annex VII). Preparation of EU declaration of conformity. Registration in EU database (Art. 71). For deployers: verification that purchased AI systems are CE-marked and AI Act compliant.
Ongoing AI Compliance & Training
Annual update of AI inventory and risk classification. Monitoring delegated acts and implementing acts from the EU Commission. Workshop 'AI Act for Non-Lawyers' (4 hours, up to 20 participants). Due diligence on GPAI providers (OpenAI, Anthropic, Microsoft, Google). Support during regulatory inspections.
AI Act Quick Check
From EUR 2,000
Rough AI inventory, risk classification, initial recommendations. 1 day on-site or remote. Ideal entry point for SMEs.
AI Act Readiness Package
From EUR 8,500
Complete AI inventory, gap analysis, readiness report, action plan and 4-hour workshop. Duration: 3 weeks. For companies using or planning high-risk AI.
EU AI Act FAQ
Answers to the most important questions about the AI Regulation (EU 2024/1689) and its implementation.
Готови ли сте за следващата стъпка?
Нека заедно открием как можем да развием вашия IT.