What an AI solution for business use must fulfil today is no longer just a question of features. With the EU AI Act, the European Union has created the world's first comprehensive regulatory framework for artificial intelligence – and businesses face the task of systematically assessing their AI use and adapting it where necessary.
Today, a compliant AI solution for businesses must deliver: GDPR compliance, demonstrable data separation, audit logs, no training on business data, European partners and a DPA under Art. 28 GDPR. This guide shows you what the EU AI Act means in concrete terms, which deadlines apply and how to systematically align your business with compliance.
Key facts at a glance
- 1 August 2024: EU AI Act enters into force
- 2 February 2025: Prohibited practices apply
- 2 August 2026: Full applicability
- Fines: up to €35 million or 7% of annual turnover
What Is the EU AI Act?
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive AI regulation. It classifies AI systems according to their risk potential and sets different requirements for developers and users depending on the risk category. The aim is to make the use of AI in the EU safe, transparent and in conformity with fundamental rights, without excessively hindering innovation.
The Act applies to all companies that offer or use AI systems in the EU – regardless of where they are based. This also affects US and Asian providers as soon as their systems are used in the EU.
Timeline of applicability
The EU AI Act entered into force on 1 August 2024 but is being applied in phases:
- From February 2025: Prohibitions on unacceptable AI risks apply.
- From August 2025: Codes of conduct for general-purpose AI models (GPAI) take effect.
- From August 2026: Full applicability for most high-risk AI systems.
- From August 2027: Remaining high-risk systems (Annex I) must be compliant.
The Four Risk Categories
The EU AI Act distinguishes AI systems into four risk categories. The classification determines which obligations apply to providers and deployers.
Unacceptable Risk
Prohibited AI practices: social scoring, manipulative AI, real-time biometric surveillance in public spaces (with narrow exceptions).
Prohibited – immediate cessation required
High Risk
AI in sensitive areas: HR decisions, credit granting, critical infrastructure, education, law enforcement, migration control.
Strict requirements: documentation, audit, human oversight
Limited Risk
AI systems with transparency obligations: chatbots, deepfake-generating systems, AI-generated content must be labelled as such.
Transparency obligation towards users
Minimal Risk
AI spam filters, AI-supported video games, simple recommendation systems without sensitive data. No special requirements under the Act.
No special obligations
Which Businesses Are Affected?
The EU AI Act applies to two categories of actors. The key is which role your business plays in the AI ecosystem:
Providers
Providers develop AI systems and place them on the market. They bear the greatest responsibility: they must create technical documentation, conduct conformity assessments and – for high-risk AI – affix a CE marking. Providers from third countries who deploy their systems in the EU must appoint an EU representative.
Deployers
Deployers use AI systems within their own organisation. Their obligations are less extensive than those of providers, but should not be overlooked: they must ensure that the system is used only for its intended purpose, guarantee human oversight and – for high-risk AI – maintain logs and train their employees.
Practical note: A business that uses a standard AI tool like Lurus as an assistance tool for internal tasks generally acts as a deployer with manageable obligations. Responsibility for the technical compliance of the platform lies with the provider.
Prohibited AI Practices (since February 2025)
Since 2 February 2025, certain AI applications have been completely prohibited in the EU. These prohibitions apply without a transitional period and affect all companies that offer or use such systems:
- Social scoring by public authorities: AI systems that evaluate and disadvantage people based on their social behaviour.
- Manipulative AI techniques: Systems that use subliminal influence or exploit the vulnerabilities of individuals to control their behaviour against their will.
- Real-time remote biometric identification: Facial recognition in public spaces by public authorities (with very narrow exceptions for law enforcement).
- Biometric categorisation by sensitive characteristics: Classification of individuals by political opinion, religious belief, sexual orientation or ethnic origin.
- Predictive policing of individuals: Predicting future crimes by individual persons solely based on personality traits.
Obligations for High-Risk AI Systems
High-risk AI systems are subject to the strictest requirements of the EU AI Act. AI is classified as high-risk when used in the following areas:
- Personnel decisions (hiring, dismissal, assessment)
- Credit granting and creditworthiness assessment
- Critical infrastructure (energy, water, transport)
- Education and vocational training
- Law enforcement and administration of justice
- Migration control and asylum procedures
- Medical devices with an AI component
Deployers of such systems must, among other things:
- Conduct a risk and impact assessment
- Ensure comprehensive logging of all relevant interactions
- Guarantee human oversight and intervention capabilities
- Use the system only for its intended purpose
- Train employees in the use of the system
- Provide information to competent authorities on request
Important: A standard AI assistant used for general tasks such as text creation, research or internal communication is generally not a high-risk system. It becomes critical when AI outputs flow directly and without human review into personnel decisions or credit assessments.
EU AI Act vs. GDPR: What Applies When?
Many businesses wonder how the EU AI Act and the GDPR relate to each other. Both frameworks exist side by side and complement each other.
| Criterion | GDPR | EU AI Act |
|---|---|---|
| Subject matter | Protection of personal data | Safe use of AI systems |
| Scope | Any processing of personal data | AI systems by risk category |
| Actors concerned | Controllers, processors | Providers, deployers, importers, distributors |
| Core requirement | Lawful, purpose-bound processing | Risk-based conformity requirements |
| Enforcement authority | National data protection authorities | National market surveillance authorities |
| Maximum fine | €20 million or 4% of turnover | €35 million or 7% of turnover (for prohibition violations) |
In short: being GDPR-compliant does not automatically fulfil the requirements of the EU AI Act – and vice versa. For businesses that process personal data using AI, both frameworks apply simultaneously.
Compliance Checklist: 10 Steps for Businesses
The following checklist helps you assess your current status and identify necessary measures. For each point, it is indicated how Lurus supports businesses in this area.
Create an inventory of all AI systems in use
Document which AI tools are being used in your organisation and which risk category they belong to.
Lurus: Lurus is classified as a general AI assistance tool and typically falls into the limited or minimal risk category.
Clarify your role as provider or deployer
Determine whether you develop AI systems (provider) or merely use them (deployer). Both roles carry different obligations.
Lurus: When using Lurus, you act as a deployer. As the provider, Lurus takes responsibility for the technical compliance of the platform.
Conclude a data processing agreement (DPA)
A DPA under Art. 28 GDPR is required for any processing of personal data by an external AI provider.
Lurus: Lurus provides a DPA under Art. 28 GDPR. Please contact us.
Ensure no data is used for model training
Can you demonstrate that your business data is not used for training AI models?
Lurus: Lurus does not process user data for training AI models.
Review logging and audit functions
For high-risk AI, comprehensive logging of all relevant interactions is required. Transparency is also recommended for general AI use.
Lurus: Lurus provides complete audit logs for all AI interactions within the organisation.
Ensure human oversight
AI decisions must not remain without human control, particularly in sensitive areas. Define processes for reviewing AI outputs.
Lurus: Lurus is designed as an assistance tool that supports people, not replaces them. All outputs remain under your control.
Raise awareness and train employees
The EU AI Act requires deployers to ensure responsible use of AI. Training on AI risks and limitations is recommended.
Ensure data processing in Europe
Check where your AI providers process data. Data transfers to third countries are subject to special requirements.
Lurus: Lurus relies on European partners for its infrastructure.
Meet transparency obligations towards users
If your customers or employees interact with an AI system, they generally need to be informed that they are communicating with AI.
Adopt an internal AI policy
Define in writing which AI systems may be used and how, which data must not be entered, and how to handle AI outputs.
How Lurus Supports Businesses with Compliance
Lurus has been designed from the outset for transparency, traceability and data protection. The requirements that the EU AI Act places on AI deployers are reflected in the features that Lurus already offers businesses.
Audit logs for complete traceability
Can you demonstrate which AI interactions have taken place within your organisation? Lurus logs all AI interactions comprehensively and makes them available as audit logs. This enables transparency towards authorities, internal compliance teams and – where required – towards data subjects.
No training with business data
Are your inputs used to train AI models? With Lurus, the answer is clear: no. Lurus does not process user data for training AI models. This is a central aspect for businesses working with sensitive data.
Local storage without server transmission
Lurus offers the option of storing chat histories exclusively locally in the browser – without transmission to external servers. This minimises the scope of processing and supports privacy-friendly AI use.
European partners and DPA
Lurus relies on European partners for its infrastructure and provides a data processing agreement under Art. 28 GDPR on request. This allows businesses to fully document their processing activities.
Conclusion
The EU AI Act is not a bureaucratic obstacle, but an opportunity: businesses that systematically organise their AI use now create trust with customers, partners and authorities – and avoid costly remediation under time pressure.
The key areas for action are clear: create an inventory of AI systems, determine risk categories, ensure logging, conclude a DPA and adopt internal guidelines. Those who implement these steps consistently will be well prepared for August 2026.
Lurus supports businesses in using AI in a transparent, traceable and compliant manner – with audit logs, local storage, European partners and a clear commitment to data protection.
FAQ
- When does the EU AI Act become fully applicable?
- Which businesses are affected by the EU AI Act?
- What are the four risk categories of the EU AI Act?
- What are the prohibited AI practices under the EU AI Act?
- What is the difference between the EU AI Act and the GDPR?
- What fines does the EU AI Act provide for?
- What must deployers of high-risk AI systems observe?
- How does Lurus help businesses comply with the EU AI Act?