The AI Act is becoming reality

What businesses need to know now

When you talk to business leaders about AI today, ignorance is rarely the issue. Many are already using AI in their daily work. But with the AI Act, European businesses face a challenge and rightfully ask themselves: what do we need to change, and how do we bridge the apparent gap between bureaucracy and productivity without sacrificing ROI?

In our webinar on June 3rd we were joined by Ann-Kathrin Zierau, EU Policy Manager at the German AI Association (KI-Bundesverband), and Sascha Scheffler, AI Officer at VARY.FY to provide answers.

What's missing isn't awareness. It's a clear direction.

Slide arguing companies face a governance problem, not an AI awareness problem, comparing three options: banning AI, letting it run uncontrolled, or managing it professionally.

AI has long established itself in organizations, and many have at least heard of the AI Act. What they are missing is not awareness, but a practical framework for meeting the regulatory requirements.

According to Gartner, 65% of employees were already using AI at work last year — a number that has certainly grown since then, regardless of whether clear frameworks exist within the organization or not.

This makes legal compliance with the AI Act more than just a compliance team challenge. Establishing the right governance and steering AI usage productively is, above all, a management challenge.

Shadow AI as a risk

The biggest problem that arises when companies fail to establish clarity around AI usage is shadow AI. When employees prefer private tools because they work better and more productively with them — or use AI despite no processes existing for it within the organization — several risks emerge:

  • Data leakage

  • Influence of hallucinations that are not flagged as such

  • Unclear accountability

  • It becomes impossible to remove data once it has been fed into LLMs

It's worth noting that employees typically just want to do their jobs better and use the tools they find most helpful. The first reflex — banning such tools — therefore tends to backfire.

"A ban only works once the officially approved offering is so good that employees have no reason to resort to private tools." — Sascha Scheffler

What the AI Act actually changes

Preventing shadow AI is only one requirement the AI Act places on businesses. The AI Act entered into force on August 1, 2024, but most of its obligations apply in stages over time.

EU AI Act timeline with three milestones: entry into force (Aug 2024), prohibited practices and AI literacy (Feb 2025), and high-risk obligations (Aug 2026).

The original plan was to introduce new obligations for high-risk applications in August of this year. However, the Digital Omnibus has shifted these deadlines, leading businesses to wonder whether this is a reason to wait.

What is the impact of the Digital Omnibus?

"Omnibus" refers to a legislative shortcut for reforming multiple laws simultaneously without going through the standard multi-year procedures. The "Digital Omnibus," which entails several changes for the AI Act, has already been finalized in substance, and is expected to enter into force before August 2, 2026.

The three key changes for businesses:

  • Deadline extension for high-risk systems (Annex 3): Compliance is required from 2027 onward, rather than from August 2026 as originally planned

  • Relief for SMEs: Companies with up to 750 employees and up to €150 million in annual revenue benefit from simplified documentation requirements and lower fines

  • Mechanical engineering carve-out: Machine products with safety-relevant AI components remain classified as high-risk AI under the AI Act. The planned adjustment aims to avoid duplicate conformity assessment procedures between the AI Act and the new EU Machinery Regulation (2023/1230, applicable from January 2027). This does not mean a complete exemption from the AI Act. Since deadlines have been pushed to 2027/2028, interpretive uncertainty lingers during the transition period.

What the Digital Omnibus means for businesses

The deadline changes are not a reason to wait. The central elements of the Omnibus are finalized, and businesses should not wait for its formal adoption to begin their preparations.

The deadline extensions are real, but they are no reason to defer compliance indefinitely. Businesses working with high-risk systems in particular should start planning now to meet the deadline.

At the same time, it's worth clarifying now which role your organization holds, so that you can organize accordingly (provider vs. deployer vs. end user; see the next section).

If you're unsure where your organization currently stands, you can use the free KI-Kompass from the Bundesnetzagentur (German Federal Network Agency) for a quick self-assessment.

Roles, risks, and use case classification

Slide comparing three EU AI Act roles — provider, deployer, and end-user — highlighting that most companies are deployers with the most obligations.

One of the first steps for businesses to ensure AI Act compliance is understanding which role they occupy. The AI Act distinguishes between three roles:

  • Provider: Develops AI systems or adapts existing ones to market them under their own name or use them internally. Anyone who fine-tunes existing models and implements them within their own company qualifies as a provider.

  • Deployer: Licenses or purchases finished systems. Most companies using Copilot or similar tools fall into this category.

  • End user: Employees who use various AI tools. They need clear guidelines, a secure environment, and AI literacy.

Most companies fall into the deployer category and are obligated primarily to ensure human oversight and train their personnel.

The 4 risk classes of the AI Act

Beyond roles, the AI Act primarily regulates what organizations are obligated to do for different use cases. It's not the system that determines whether AI usage is critical — it's the specific use case.

Consequently, the AI Act distinguishes four risk classes:

  • Unacceptable risk: Systems that violate fundamental rights, such as social scoring, emotion recognition in the workplace, biometric categorization

  • High risk: Use of AI that influences access to employment, credit, education, or other critical services. Requires extensive documentation, risk management, human oversight, and CE marking (Annex 1 and 3)

  • Limited risk: Use of chatbots, AI-generated content. Requires transparency obligations to inform users that they are seeing synthetic content.

  • Minimal risk: AI use for productivity purposes such as summarizing, researching, creating meeting notes. Largely unrestricted, but establishing a unified framework is recommended.

Once use cases are classified, businesses can take practical measures to meet their obligations.

When is AI use permitted and when is it risky?

Using the risk classes, businesses can quickly identify which activities allow largely unrestricted AI use and where they need to scale up their oversight.

The key question is: Does the AI use influence decisions about other people or their access to services, or not? Is sensitive data involved?

Most productivity applications are minimal risk, but it still depends on how the tools are used.

A concrete example makes this clear: nuwacom is a general-purpose AI platform that can be used in many ways. The same system falls into different categories depending on its application.

Traffic-light chart classifying AI use cases as green (productivity), yellow (sensitive data), or red (critical/high-risk like recruiting and credit scoring).

Using nuwacom to document meetings means minimal risk. If nuwacom is used in the hiring process to pre-sort applicants, however, it constitutes high-risk use with corresponding obligations.

If nuwacom were used to capture biometric data, it would even be a prohibited practice.

This illustrates once more that the use case matters, not the platform.

In practice, this means that after classifying use cases, several questions need to be addressed and responsibilities need to be assigned.
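A worked illustration of the rule above (the use case, not the platform, decides the class), as an added example that is neither code from the original post nor from nuwacom: each inventory entry is classified by the two key questions the section asks, and the obligations the post lists for that class are derived from it. The UseCase field names, the keyword sets and the obligation wording are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Added example, not code from the post or from nuwacom. The classes and
# obligations follow the post; field names, keyword sets and wording are assumptions.
PROHIBITED_PURPOSES = {"social scoring", "emotion recognition at work",
                       "biometric categorization"}
HIGH_RISK_DECISIONS = {"employment", "credit", "education", "critical services"}
OBLIGATIONS = {
    "unacceptable": ["prohibited practice: must not be used"],
    "high": ["extensive documentation", "risk management",
             "human oversight", "CE marking (Annex 1 and 3)"],
    "limited": ["transparency: tell users the content is AI-generated"],
    "minimal": ["largely unrestricted; apply the unified internal framework"],
}

@dataclass
class UseCase:
    tool: str                          # the platform in use
    description: str                   # what it is used for; this decides the class
    purposes: set = field(default_factory=set)                # e.g. {"social scoring"}
    affects_decisions_about: set = field(default_factory=set) # e.g. {"employment"}
    sensitive_data: bool = False       # the post's second key question
    user_facing_output: bool = False   # chatbot / synthetic content shown to people
    approved: bool = True              # False means the tool is shadow AI

def classify(uc):
    """Apply the post's key questions, most severe class first."""
    if uc.purposes & PROHIBITED_PURPOSES:
        return "unacceptable"
    if uc.affects_decisions_about & HIGH_RISK_DECISIONS:
        return "high"
    if uc.user_facing_output:
        return "limited"
    return "minimal"

def obligations(uc, role="deployer"):
    """Return (risk class, obligation list) for one inventory entry."""
    cls = classify(uc)
    obs = list(OBLIGATIONS[cls])
    obs.append("AI literacy (all classes, in effect since Feb 2, 2025)")
    if uc.sensitive_data:
        # Assumption: sensitive data adds a data-protection review here rather
        # than changing the class; align this with your own legal assessment.
        obs.append("data protection: pseudonymization/anonymization review")
    if not uc.approved:
        obs.append("shadow AI: move into the approved offering or retire")
    if role == "provider" and cls == "high":
        obs.append("quality management system (Art. 17)")
    return cls, obs

def inventory_report(usecases, role="deployer"):
    """One entry per use case, keyed by description (Day 1-30 visibility)."""
    return {uc.description: obligations(uc, role) for uc in usecases}

# Constructed inventory: the same platform in three uses, plus one
# unapproved chatbot an employee adopted on their own.
INVENTORY = [
    UseCase("platform", "meeting documentation"),
    UseCase("platform", "pre-sorting applicants",
            affects_decisions_about={"employment"}, sensitive_data=True),
    UseCase("platform", "biometric data capture", purposes={"biometric categorization"}),
    UseCase("private chatbot", "customer-facing FAQ bot",
            user_facing_output=True, approved=False),
]
```

Running `inventory_report(INVENTORY)` yields minimal, high, unacceptable and limited for the four entries in that order, with the shadow AI item attached only to the unapproved chatbot.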

Governance: what businesses need to organize

To establish the right governance structure, businesses typically need to deal with six major topics:

  • Documentation: Which AI systems are being used, for what purpose, and what data do they work with?

  • Transparency: When and how is AI usage made visible, both internally and externally?

  • Human oversight (Human in the Loop): Where human oversight is required — how are veto rights and review processes defined?

  • Data quality and data protection: What data is being processed, how is it stored, and is pseudonymization or anonymization necessary?

  • AI literacy: How are employees trained and kept up to date?

  • Vendor assessment: Which provider is being used, what does the respective tool do with data, which models does it use, and what audit rights exist?

Ann-Kathrin Zierau describes the process in five steps: create visibility, assign risk classes, define rules, clarify responsibilities and anchor AI literacy as an ongoing task, not a one-time measure.

AI Literacy: what does it look like in practice?

The AI Act also obliges businesses to foster AI competence and ensure AI literacy. Yet there is often confusion about what exactly this means.

  • Providers: must ensure under Article 17 (quality management) that personnel understand the system and use it correctly.

  • Deployers: must guarantee human oversight and train personnel appropriately for the respective use case.

A violation of the AI literacy obligation does not automatically trigger the maximum penalty. The fine depends on the specific obligations violated and the risk class. Yet it will always be true that:

"Knowledge and skills are always better and also cheaper than compliance" — Ann-Kathrin Zierau

What makes AI as a technology particularly challenging is that even tech-savvy employees don't necessarily understand what it does in the backend. That is exactly where businesses should start educating to promote responsible usage.

"Foundational knowledge about tokenization, vector spaces, hallucination causes, and bias is a prerequisite for responsible use" — Sascha Scheffler

AI literacy is not a one-time task but requires long-term commitment.

Implementing AI compliantly and productively

Slide listing five building blocks for AI Act readiness: AI inventory, use case classification, data rules, roles & responsibilities, and AI literacy.

For businesses starting to prepare for the AI Act now, here is an exemplary implementation plan for the first 90 days.

Day 1–30: Create visibility. Build a comprehensive inventory of all AI tools (including unofficial ones). Classify use cases, determine data categories, and clarify who currently holds responsibility.

Day 31–60: Sort risks. Assign each use case to a risk class and determine roles (provider vs. deployer). Identify where human oversight is missing and bring all relevant stakeholders on board (IT, Legal, HR, Data Protection, and business units).

Day 61–90: Enable scaling. Define clear guidelines for each system, document responsibilities, and start training. Select or validate the right AI platform or tools.

The easiest approach is to start with a single concrete use case and iterate from there. Ann-Kathrin also confirms that the organizations most successful in their AI usage start small and scale systematically.

Conclusion: the AI Act as an opportunity

Europe is the first jurisdiction in the world that doesn't wait for damage to occur before regulating, but proactively requires safety evidence before deployment. The regulation follows sectoral law principles that have proven effective over decades in industries like automotive and pharmaceuticals.

While many businesses initially view the AI Act as yet another burden, both our experts see it clearly as an opportunity for European companies.

Those who properly understand the AI Act and build the necessary structures to support it can turn it into a market advantage. Sascha Scheffler sees parallels to the GDPR, which was initially perceived as a burden but has since gained relevance worldwide in establishing data protection standards.

"The AI Act is not an obstacle, it's an invitation to professionalize AI usage within the organization" — Ann-Kathrin Zierau

Companies that understand this don't have a burden to bear — they have a framework to build. Those who shape that framework now set the standard and use regulation to their advantage.

The AI Act doesn't stop AI, it ends the blind flight.

If you'd like to learn how nuwacom can support your organization with compliant AI usage, we'd love to hear from you.


FAQ

Does the AI Act apply to our company, even if we don't develop our own AI?

Even if your company doesn't develop its own AI, the AI Act applies as soon as you deploy ready-made systems like Copilot or ChatGPT. In this case, you qualify as a deployer and are obligated to: ensure human oversight, train personnel, and clearly classify use cases by risk level.

Can we continue using tools like Copilot or ChatGPT?

You can continue to use general-purpose AI tools, but depending on the application they require fulfillment of various obligations. Most productivity applications constitute minimal risk, but as soon as a tool influences decisions that affect people, it becomes risky — and requires fulfillment of extensive documentation obligations as well as human oversight.

How do I know if my AI usage is high risk?

AI use becomes critical when it influences decisions that affect people or their access to services, or when sensitive data is being processed. All such use cases are classified as high risk under the AI Act.

What happens if we're already using AI tools but haven't documented anything yet?

You're not alone — many organizations are in this position. The key is to start now. Begin with a complete inventory of all AI tools in use (including unofficial ones employees may have adopted on their own), then classify each use case by risk level. The AI Act does not retroactively penalize past usage, but going forward, documented governance is required.

Do we need to appoint a dedicated AI officer or create a new team?

The AI Act does not prescribe a specific organizational structure. What matters is that responsibilities are clearly assigned: someone needs to own AI governance, risk classification, and training oversight. For smaller organizations, this can be an additional responsibility for an existing role (e.g., Data Protection Officer, CTO, or Head of Legal). Larger organizations with multiple high-risk use cases will likely benefit from a dedicated role or cross-functional team. What is important is ensuring accountability.


AI Act Glossary (A–Z)

A

AI Act — Regulation (EU) 2024/1689 on artificial intelligence. The first comprehensive AI law worldwide. It governs the conditions under which AI systems may be developed, deployed, and operated in the EU. In force since August 1, 2024.

AI Governance (KI-Governance) — The organizational framework within which companies deploy AI securely, compliantly, and productively: responsibilities, access rights, policies, risk assessment, control, and traceability.

AI Literacy — Obligation for providers and deployers to ensure AI competence among their employees. In effect since February 2, 2025 for all AI systems regardless of risk level. Anyone deploying AI bears responsibility for ensuring that employees who use it understand what they are doing.

AI Regulatory Sandbox (KI-Reallabor) — Controlled testing environment for innovative AI systems under regulatory supervision. Mandatory in every EU member state from August 2026, designed as a space where companies can test new applications.

AIC4 (AI Cloud Service Compliance Criteria Catalogue) — Criteria catalogue from the BSI (German Federal Office for Information Security) for assessing the security of AI-based cloud services. Builds on C5 and adds AI-specific requirements on robustness, data quality, explainability, and bias. A relevant benchmark when selecting AI providers.

AIMS (AI Management System) — Structured AI management system governing the planning, operation, and continuous improvement of AI deployment. Often established according to ISO/IEC 42001 and frequently used as compliance evidence for regulators or clients.

B

BSI Criteria Catalogue for Generative AI — Assessment framework for generative AI systems developed by the German Federal Office for Information Security. Supplements the AIC4 with requirements specifically relevant to large language models: protection against prompt injection, output control, and abuse prevention. A practical orientation framework for organizations evaluating LLM-based services.

C

C5 (Cloud Computing Compliance Criteria Catalogue) — BSI criteria catalogue with minimum requirements for secure cloud computing. Forms the basis for AIC4 and serves cloud providers as security evidence for their clients.

CLOUD Act (Clarifying Lawful Overseas Use of Data Act) — US federal law from 2018 that enables US authorities to access data stored by US companies, regardless of which country the servers are located in. For organizations considering AI providers with US parent companies, this means: the physical location of a data center alone is not a guarantee of data sovereignty.

D

Deepfake — Synthetically generated or manipulated content in image, audio, or video. Subject to labeling requirements under Art. 50 AI Act, with the goal of making deception identifiable.

Digital Omnibus on AI (Digitaler Omnibus) — Amending regulation (COM(2025) 836) adjusting the AI Act: deadline extension for high-risk AI (until August 2028 at the latest), relief for SMEs, graduated AI literacy obligations, stronger centralization of enforcement at the AI Office. The Omnibus provides businesses more time but changes nothing about the strategic direction.

DSK Guidance on AI (DSK-Orientierungshilfe KI) — Guidelines on data protection-compliant use of AI from the Data Protection Conference (DSK), the body of German data protection authorities at federal and state level. Not legally binding norms, but they provide reliable insight into how supervisory authorities assess data protection in specific scenarios.

F

FRIA (Fundamental Rights Impact Assessment) — Mandatory fundamental rights impact assessment before deploying certain high-risk AI systems. Documents which fundamental rights could be affected by a system and how this is addressed.

G

GPAI (General-Purpose AI) — AI models trained for general purposes covering a broad range of tasks, including GPT models or Llama. Since August 2, 2025, GPAI has been subject to its own rules under the AI Act, distinct from the high-risk requirements.

GPAI CoP (Code of Practice) — Practice guide with concrete implementation guidance for providers of GPAI models. Not law, but a guide showing what compliance should look like in practice.

H

Human Oversight — Obligation under Art. 14 AI Act ensuring that humans effectively supervise high-risk AI systems and can intervene when necessary. This presupposes that those responsible are also capable of assessing outputs.

Human-in-the-Loop — Design principle where a human must actively approve high-risk AI actions before they are executed. The human is part of the process.

I

ISO/IEC 42001 — International standard for AI management systems. Defines requirements for planning, operation, and continuous improvement and is frequently used as structured compliance evidence for regulators and business partners.

IT-Grundschutz — Framework developed by the BSI for building an Information Security Management System (ISMS). Provides a practical catalogue of concrete security measures and forms the basis in Germany for ISO 27001 certifications.

N

NIST AI RMF — AI risk management framework developed by the US National Institute of Standards and Technology. An internationally recognized complementary standard, particularly relevant for companies with transatlantic operations.

O

Omnibus (lat. "for all") — Legislative technique where a single legal act amends multiple existing laws simultaneously. In the AI context, the term refers to the Digital Omnibus on AI (see above).

S

Shadow AI (Schatten-KI) — AI tools that employees use without the knowledge or approval of IT or compliance managers. The risk of shadow AI arises from the lack of control over where data flows and a lack of transparency in output.


As of: June 2026