SECURITYSQUAD
Back to the blog

EU AI Act: What companies need to know now

2026-07-15 · by SECURITYSQUAD

The EU AI Act (Regulation (EU) 2024/1689) is the first comprehensive legal framework for artificial intelligence. It follows a risk-based approach: the higher the risk of an AI system, the stricter the obligations. For decision-makers, compliance and IT leadership, AI governance therefore becomes a mandatory task.

What is the AI Act?

The EU AI Act is a directly applicable EU regulation – it applies in all member states without national transposition. Its goal is to foster trustworthy AI while protecting fundamental rights, safety and health. Its scope is broad: it covers not only AI providers based in the EU but also companies from third countries, provided their AI systems are used in the EU or their output is used within the EU.

The four risk classes

The EU AI Act sorts AI systems into four classes – obligations rise with the risk:

  • Prohibited practices (unacceptable risk): Certain applications are banned in principle – such as social scoring by public authorities, manipulative techniques, exploitative assessment of vulnerable groups, untargeted scraping of facial images to build databases, and – with narrow exceptions – real-time remote biometric identification in public spaces.
  • High-risk AI: AI in sensitive areas such as critical infrastructure, education, employment and recruitment, credit scoring, law enforcement, or as a safety component of regulated products (e.g. medical devices). The most extensive obligations apply here.
  • Limited risk (transparency obligations): Systems with direct user contact – such as chatbots – or systems that generate content. Users must be able to recognise that they are interacting with an AI; AI-generated or manipulated content (deepfakes) must be labelled.
  • Minimal risk: The majority of today's applications (such as spam filters or AI in video games) face no specific obligations. Voluntary codes of conduct are encouraged.

What obligations apply per class?

For high-risk AI, the regulation requires in particular a risk management system across the entire lifecycle, requirements for data quality and data governance, technical documentation, automatic logging, transparency towards deployers, effective human oversight, and an appropriate level of accuracy, robustness and cybersecurity. Before being placed on the market, the system must undergo a conformity assessment, is registered, and carries a CE marking.

For limited risk, transparency and labelling obligations are central. General-purpose AI models (GPAI, such as large language models) have their own obligations: technical documentation, information on training content and copyright, and – for models with systemic risk – additional evaluation and reporting duties.

Provider or deployer – who is affected?

The EU AI Act distinguishes roles. Providers develop an AI system, or have it developed, and place it on the market under their own name – they carry the bulk of the obligations. Deployers use an AI system under their own authority; they too have duties, such as intended use, human oversight and informing affected individuals. Important: anyone who substantially modifies a purchased system or distributes it under their own name can themselves become a provider. Most companies are deployers first – but the roles should still be clarified deliberately.

Timeline and application phases (as of July 2026)

The EU AI Act entered into force on 1 August 2024 and applies in stages:

  • 2 February 2025: Prohibited practices and AI literacy obligations already apply.
  • 2 August 2025: Obligations for providers of GPAI models are in effect; the governance structure (including the EU AI Office) has taken up its work.
  • 2 August 2026: The transparency obligations under Article 50 and large parts of enforcement take effect.
  • High-risk AI: Originally scheduled for August 2026. Under the so-called Digital Omnibus, EU legislators reached political agreement in May 2026 on a postponement: high-risk systems under Annex III are set for 2 December 2027, and AI in regulated products (Annex I) for 2 August 2028.

Note: The Digital Omnibus postponement was politically agreed in mid-2026 but not yet finally published in the Official Journal. For legally binding deadlines, always rely on the official text – and plan with a buffer rather than counting on further delays.

Relation to information security and governance

Cybersecurity is explicitly anchored in the EU AI Act: high-risk AI must be robust against manipulation, data poisoning and attacks on the model. This places AI within the same governance framework as classic information security. Organisations that already run an ISMS have a head start – risk management, role concepts, documentation, supplier management and incident handling can be extended to AI systems. Interlocking with NIS2 and the GDPR also matters, so that obligations are not met twice or in contradiction.

The bridge to ISO 42001

ISO/IEC 42001 is the international standard for AI management systems (AIMS). It provides a structured framework to manage AI risks, roles and controls systematically – analogous to ISO 27001 for information security. A management system built on ISO 42001 is not an automatic proof of AI Act conformity, but it is a strong means of evidence: it shows regulators and customers that AI governance is organised in a traceable, auditable way rather than ad hoc.

First concrete steps

  1. Build an AI inventory: Which AI systems are developed, purchased or used – including "shadow AI" in business units?
  2. Clarify roles: Are you a provider or a deployer? Who owns AI governance at management level?
  3. Perform risk classification: Assign each system to a risk class and derive the obligations.
  4. Ensure AI literacy: Train your staff – an obligation that already applies.
  5. Anchor governance: Establish policies, approval processes and controls, ideally aligned with ISO 42001.

How SECURITYSQUAD supports you

As an information security consultancy with expertise in ISO 27001, IT-Grundschutz (BSI) and NIS2, we support you in building AI governance. We help with AI inventory and risk classification, interlock the AI Act with your ISMS, and prepare the path to a management system per ISO 42001 – pragmatic, risk-based and audit-proof. This turns regulatory requirements into resilient governance.

Read more: ISO 42001 – AI Management System · NIS2 for Mid-Sized Companies · Expertise & Services · Knowledge Hub