A Deadline That Cannot Be Deferred
The EU AI Act is no longer a regulation on the horizon. It entered into force in August 2024 and applies in phases — with the critical milestone for most organisations being 2 August 2026, when obligations for high-risk AI systems become fully enforceable. If your business deploys AI in hiring, credit scoring, essential service access, critical infrastructure, or law enforcement contexts, that date is your compliance deadline.
The pressure is compounded by the pace of AI adoption. Tools have been deployed across functions — customer service automation, fraud detection, HR analytics, contract review — often without any systematic review of whether those deployments fall under the Act's scope. The gap between what organisations are running and what they have assessed is, for many, significant.
This guide gives you a clear, grounded understanding of the framework: the risk tiers, the provider vs deployer distinction, core obligations, the GDPR interplay, and a practical roadmap for what to do now.
The essential principle: The EU AI Act does not prohibit AI. It creates a proportionate, risk-based framework in which the obligations you face depend entirely on what your AI system does and whom it affects. Understanding your risk tier is the starting point for everything else.
The Four Risk Tiers
The EU AI Act organises AI systems into four categories based on the risk they pose to fundamental rights, health, and safety. Your obligations — and your exposure — flow directly from which tier applies to your systems.
Prohibited AI Practices
A small but important category of AI applications is outright banned as incompatible with EU values. Prohibited practices include: subliminal manipulation techniques exploiting cognitive vulnerabilities; exploitation of specific vulnerable groups to distort behaviour; social scoring by public authorities leading to discriminatory treatment; real-time remote biometric identification in publicly accessible spaces for law enforcement (save for narrowly defined exceptions); emotion recognition in workplace and educational settings; biometric categorisation to infer sensitive characteristics such as political views or sexual orientation; predictive policing based purely on individual profiling; and untargeted scraping of facial images to build recognition databases.
Violations carry fines of up to EUR 35 million or 7% of global annual turnover, whichever is higher. These provisions applied from 2 February 2025 — they are already in force.
High-Risk AI Systems
High-risk systems are not prohibited, but they are subject to the Act's most demanding obligations. Annex III of the Regulation sets out eight domains where AI is classified as high-risk:
- Biometrics — remote biometric identification, emotion recognition, biometric categorisation used in ways not already prohibited
- Critical infrastructure — AI used in management of water, gas, electricity networks, digital infrastructure, transport
- Education and training — AI determining access to education, assessing students, or monitoring learners
- Employment and workers management — AI used in recruitment, candidate screening, performance evaluation, work allocation, and termination
- Essential private and public services — credit scoring, insurance risk assessment, social benefits eligibility, emergency services dispatch
- Law enforcement — AI used for risk assessment of individuals, polygraph use, crime analysis, evidence evaluation
- Migration, asylum, and border control — risk assessment tools, document verification, examination of applications
- Administration of justice and democratic processes — AI supporting courts and arbitration bodies in applying law to facts
For businesses in Luxembourg, the practically significant categories are employment, essential private services (credit and insurance), and critical infrastructure. If your organisation uses algorithmic tools for hiring decisions, creditworthiness assessments, or fraud scoring that materially affects individuals, you are almost certainly operating a high-risk AI system.
Limited-Risk Systems: Transparency Obligations
Systems that do not qualify as high-risk but which interact directly with people — chatbots, deepfake-generating tools, AI-generated content systems — carry transparency obligations. Users must be informed that they are interacting with an AI, or that content has been AI-generated. Providers of general-purpose AI models with systemic risk also face additional obligations under Title VIII of the Act.
Minimal-Risk Systems
The large majority of AI applications — spam filters, recommendation engines, image classifiers used in non-sensitive contexts — fall into this category. No specific obligations apply beyond general product safety and consumer protection law. However, organisations deploying minimal-risk systems would still be well advised to maintain basic documentation in case of reclassification as the regulatory landscape develops.
Provider vs Deployer: Why the Distinction Matters
The EU AI Act establishes a supply-chain model with distinct roles and corresponding obligations. Understanding where your organisation sits is essential to knowing exactly what you must do.
A provider is any natural or legal person who develops an AI system or general-purpose AI model and places it on the market or puts it into service under their own name or trademark — whether for payment or for free. Providers of high-risk AI systems bear the heaviest obligations: conformity assessment, CE marking, registration in the EU database, and ongoing post-market monitoring.
A deployer is any natural or legal person who uses an AI system under their own authority in a professional context. If your business purchases an AI-powered HR screening tool from a vendor and uses it to filter job applicants, you are the deployer. Deployers have their own set of obligations, distinct from but complementary to those of the provider.
This distinction matters in practice because most Luxembourg businesses are deployers, not providers. You may not build AI — but if you use AI systems classified as high-risk, you are in scope and cannot simply rely on your vendor's compliance as a substitute for your own.
Key deployer obligations for high-risk systems include: implementing human oversight measures as specified by the provider; monitoring operation and reporting serious incidents; ensuring input data is appropriate for the system's intended purpose; maintaining operation logs where feasible; and informing individuals that they are subject to a high-risk AI system, with access to explanation and human review where applicable. Certain deployers in public-interest contexts must also conduct a fundamental rights impact assessment before deployment.
Core Obligations for High-Risk AI Systems
For providers of high-risk AI systems, the Act defines five interlocking pillars of compliance. Deployers are responsible for ensuring these are maintained in operation; providers must design for them from the outset.
Risk Management System (Article 9)
A continuous, iterative risk management system is required throughout the AI system's lifecycle — not a one-off pre-deployment review. It must cover identification and analysis of known and foreseeable risks, evaluation and mitigation, and residual risk assessment. The system must be documented, tested, and updated as deployment evidence accumulates.
Data and Data Governance (Article 10)
Training, validation, and testing datasets must be subject to governance practices addressing suitability for the intended purpose, potential biases, demographic diversity, and completeness. Organisations cannot train models on whatever data is conveniently available; they must demonstrate the data was fit for purpose and monitored for bias.
Technical Documentation and Record-Keeping (Articles 11–12)
Providers must prepare comprehensive technical documentation before placing a high-risk system on the market — covering intended purpose, architecture, data used in development, performance metrics, risk measures, and post-market monitoring plans. Deployers must maintain operation logs to the extent technically possible, which are essential for post-incident investigation and regulatory audit.
Transparency and Provision of Information (Article 13)
High-risk AI systems must be sufficiently transparent for deployers to interpret outputs correctly. Providers must supply instructions for use covering intended purpose, accuracy metrics, known limitations, oversight requirements, and validation conditions. Meaningful human oversight is impossible without this information.
Human Oversight (Article 14)
This is arguably the most operationally demanding obligation. The individuals assigned oversight responsibility must be able to understand the system's capabilities and limitations, monitor for anomalies, and — critically — be empowered to intervene, override, or halt the system. A rubber-stamp process performed by someone without the context or authority to challenge an output does not constitute meaningful human oversight under the Act.
Accuracy, Robustness, and Cybersecurity (Article 15)
High-risk AI systems must achieve appropriate accuracy for their intended purpose and be resilient against errors, faults, and adversarial manipulation. For cybersecurity teams, this creates a direct interface with AI governance: prompt injection, model poisoning, and evasion attacks are regulatory risks as well as security risks. Security testing of AI systems is not optional for high-risk applications.
The Phased Timeline: Where We Are Now
The EU AI Act applies in stages, not all at once. Understanding the timeline prevents both premature panic and dangerous complacency.
- 1 August 2024: The Act entered into force.
- 2 February 2025: Prohibited AI practices and governance obligations for general-purpose AI models became applicable.
- 2 August 2026: Main obligations for high-risk AI systems listed in Annex III become applicable — the primary deadline for most businesses.
- 2 August 2027: Obligations for high-risk AI systems embedded in products already covered by EU product safety legislation (Annex I) become applicable.
With August 2026 now imminent, building a compliant programme from scratch in the final weeks before enforcement is not a viable strategy.
The EU AI Act and GDPR: Complementary, Not Redundant
Many AI compliance questions sit at the intersection of the AI Act and GDPR, and understanding how the two frameworks interact is essential to avoid both gaps and duplicated effort.
GDPR and the EU AI Act are complementary frameworks, not alternatives. Both apply concurrently to AI systems that process personal data — the majority of high-risk AI systems in practice. In Luxembourg, both the national AI Act supervisory authority and the CNPD may have jurisdiction over the same deployment.
Three GDPR provisions have particular relevance:
- Article 22 gives individuals the right not to be subject to solely automated decisions with legal or similarly significant effects. Deployers of high-risk AI systems must ensure Article 22 safeguards — human review, right to explanation, right to contest — are operationally implemented, not just stated in a privacy policy.
- Article 35 (DPIA): Automated decision-making with significant effects and large-scale sensitive data processing both trigger DPIA requirements. If your AI system is high-risk, you will almost certainly need a DPIA. The two assessments share substantial analytical overlap — risk identification, necessity and proportionality, safeguards — and should inform each other rather than run as entirely parallel exercises.
- Data minimisation and purpose limitation (Articles 5–6) directly constrain the data governance required by AI Act Article 10. Training datasets containing excessive or repurposed personal data create simultaneous GDPR and AI Act exposure.
The implication for Luxembourg organisations: AI governance and data protection governance must be integrated. Your existing GDPR programme — DPIAs, Article 30 records, lawful basis assessments — is a foundation, but it is not sufficient on its own.
Penalties and Enforcement
The EU AI Act is enforced by the EU AI Office at EU level and by national competent authorities in each member state. Luxembourg has designated its national authority, operating alongside the CNPD where AI systems also process personal data.
Penalties are tiered by severity. Prohibited practice violations carry fines of up to EUR 35 million or 7% of global annual turnover. Non-compliance with high-risk system obligations can attract fines of up to EUR 15 million or 3% of turnover. Providing incorrect or misleading information to authorities can result in fines of up to EUR 7.5 million or 1% of turnover. For SMEs and start-ups, the Regulation provides for proportionate application, but the substantive obligations apply equally.
A Practical Roadmap: What to Do Now
For organisations that have not yet begun their AI Act compliance journey — or have begun but lack a structured programme — the following sequence provides a workable roadmap.
Step 1: AI Inventory
Conduct a structured inventory of all AI systems in use across the organisation. Go beyond IT-managed tools — AI is embedded in SaaS platforms, departmental tools, and vendor APIs. Capture what each system does, the provider, the data it processes, and the decisions it informs.
Step 2: Risk Classification
Apply the AI Act's classification framework to each system. Is it prohibited? Does it fall within an Annex III high-risk domain? Does it trigger transparency obligations? Many systems will fall into the minimal-risk tier and require only basic documentation. High-risk systems demand a dedicated compliance workstream.
Step 3: Role Determination
For each high-risk system, confirm whether your organisation is the provider, the deployer, or both. If you are a deployer of a third-party system, obtain the provider's technical documentation and conformity assessment. A provider who cannot supply adequate documentation is itself a compliance risk.
Step 4: AI Governance Framework
Establish internal governance appropriate to your AI footprint: an AI policy articulating acceptable use and prohibited practices; a designated AI compliance role or committee with clear accountability; documented procedures for AI system onboarding, risk assessment, monitoring, and decommissioning; and an incident response process covering notification obligations under the Act.
Step 5: Vendor Due Diligence
Treat AI compliance as a standard vendor management question alongside cybersecurity and data protection. Ask vendors directly: Is this system high-risk under the AI Act? Has conformity assessment been completed? Can you supply Article 11 technical documentation? What are the validated accuracy conditions? Vendors who cannot answer with evidence represent a compliance risk.
Step 6: DPIA and AI Risk Assessment Integration
For high-risk AI systems that also process personal data — which is most of them — coordinate your AI Act risk management documentation with your GDPR DPIA process. Engage your DPO early. The overlap in data governance, necessity assessments, and rights safeguards makes integrated documentation both more efficient and more coherent.
Step 7: Human Oversight Implementation
Do not treat human oversight as a policy statement. Map each high-risk AI system to specific individuals with responsibility for oversight, ensure they have the training to interpret outputs and spot anomalies, and verify they have the authority and practical means to intervene or halt the system. Run test scenarios to confirm the oversight process actually functions.
Step 8: Ongoing Monitoring
AI Act compliance is not a project with an end date. High-risk AI systems must be monitored throughout their operational life. Establish a monitoring cadence, define what constitutes a reportable incident, and build a feedback loop between operational experience and risk management documentation.
The Luxembourg Dimension
Luxembourg's financial services hub — covering fund administration, banking, insurance, and payment services — means that several high-risk AI domains are directly relevant locally: credit scoring, insurance risk assessment, and fund management analytics. Organisations already navigating GDPR with the CNPD and working through DORA and NIS2 with the CSSF will find the structural foundations familiar. Risk assessment, documentation, governance, and third-party due diligence are consistent themes across all these frameworks. The compliance infrastructure you have already built is not wasted — it is the foundation on which AI governance must be constructed.
Where ObsidianCorps Can Help
ObsidianCorps works with Luxembourg and EU organisations navigating AI governance alongside their broader cybersecurity and compliance obligations. Our consulting practice covers AI Act applicability assessments, AI inventory and classification, AI risk management documentation, vendor due diligence frameworks, and the integration of AI governance with existing GDPR and information security programmes.
If you are facing the 2 August 2026 deadline with gaps in your AI compliance posture, the time for a structured assessment is now. Contact us to discuss where your organisation stands and what a proportionate, effective response looks like for your specific AI footprint.