Q: Does the EU AI Act apply to my company if we're based outside the EU?
Yes, if your AI system is placed on the EU market, outputs are used within the EU, or services are provided to EU residents, the Act applies regardless of your organization's headquarters location. This extraterritorial reach mirrors GDPR's scope. UK, US, and Asian companies serving European customers must comply.[abv]
Q: How do I know if my AI system is "high-risk"?
An AI system is high-risk if it either (1) serves as a safety component in a regulated product requiring third-party assessment (Article 6(1)), or (2) its intended use falls within one of eight Annex III categories: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, or justice. Review the detailed use cases in Annex III and consult the EU database once operational for classification guidance[16-20].[ai-act-service-desk.ec.europa]
Q: What's the difference between the AI Act and GDPR?
The AI Act is a product safety regulation focused on AI system design and deployment, while GDPR is a data protection law focused on personal data processing[74-78]. The AI Act applies even when no personal data is involved. However, when AI systems process personal data, both regulations apply concurrently, requiring integrated compliance.[privacymatters.dlapiper]
Q: Can SMEs comply with the AI Act given resource constraints?
Yes. The Act includes specific SME support measures: priority access to free regulatory sandboxes, proportional assessment fees, simplified documentation templates, reduced penalties, and targeted training programs. However, there is no blanket size-based exemption—SMEs must comply if they provide or deploy high-risk AI systems.[artificialintelligenceact]
Q: What are the consequences of non-compliance?
Financial penalties up to €35 million or 7% of global annual turnover for prohibited practices, €15 million or 3% for high-risk system violations, plus potential market withdrawal, operational suspension, reputational damage, and civil liability exposure. Penalties are calculated at group level, not just EU operations.[dlapiper]
Q: When do different parts of the AI Act become enforceable?
Prohibited practices have been banned since February 2, 2025. GPAI model obligations took effect August 2, 2025. High-risk AI system requirements become fully enforceable August 2, 2026. High-risk AI embedded in regulated products (medical devices, machinery) have until August 2, 2027.[digital-strategy.ec.europa]
Q: Do I need to register every AI system in the EU database?
Only high-risk AI systems listed in Annex III require EU database registration before market placement[117-121]. Systems claiming Article 6(3) exemption from high-risk classification must also register with justification. Minimal and limited risk systems do not require registration.[bakermckenzie]
Q: What if harmonized standards aren't published by August 2026?
Organizations can demonstrate compliance through alternative means: (1) common specifications if the Commission issues them due to standards delays, (2) comprehensive legal analysis with technical expert opinions, or (3) documented adherence to international standards (ISO/IEC 42001, ISO/IEC 27001) supplemented with AI Act-specific measures. Conformity assessment is still possible without harmonized standards, though potentially more complex.[resolve.cambridge]
Q: Can we continue using our current HR AI systems after August 2026?
Only if they comply with AI Act requirements. Immediately audit all HR technology for prohibited practices (emotion recognition in workplace is banned). For high-risk HR systems (recruitment screening, performance evaluation, promotion decisions), you must implement risk management, human oversight, bias monitoring, documentation, and conformity assessment before August 2026. Non-compliant systems must be modified or discontinued.[eyreact]
Q: How does the AI Act affect our contracts with AI vendors?
Review vendor agreements to ensure compliance responsibilities are clearly allocated. If you deploy vendor-provided high-risk AI, you are the deployer with specific obligations (human oversight, monitoring, FRIA). However, if you substantially modify the vendor's system or use it for purposes it wasn't designed for, you may become the provider with full provider obligations. Contracts should require vendors to provide technical documentation, conformity certificates, and notification of updates affecting compliance.[dpo-consulting]
About the Author: This analysis synthesizes regulatory intelligence from the European Commission, national competent authorities across Germany, France, Netherlands, and other Member States, early conformity assessment experiences, and industry implementation data. Research conducted January 2026.