EU AI Act: What IT managers need to know now

Artificial intelligence has long since evolved from an innovation topic to an integral part of day-to-day operations within companies. Generative AI assists with text creation, copilots accelerate development processes, search and knowledge systems are becoming semantically smarter, and specialist departments are increasingly integrating AI functions directly into their applications. At the same time, however, the regulatory framework is expanding. With the EU AI Act, the European Union has established a comprehensive legal framework for artificial intelligence, which is already in force and is being phased in. For IT managers, this means that AI can no longer be viewed solely from the perspective of efficiency and innovation, but must be treated as a governance, risk and compliance issue.

The key point here is that the AI Act does not regulate ‘AI’ across the board, but instead follows a risk-based approach. The higher the risk a system poses to safety, fundamental rights or affected individuals, the stricter the regulatory requirements. This is precisely where the operational relevance for IT departments lies: not every AI application is automatically highly critical, but every organisation must classify and document its systems and incorporate them into a robust governance framework.

Why the AI Act is particularly relevant for IT managers

Although the legal department, data protection and compliance are formally closely involved, in many companies the practical implementation issues are handled by IT. It is there that decisions are made regarding which AI tools to procure, which models to integrate into products or processes, which data to process, what logging takes place, and how human oversight is ensured from both a technical and organisational perspective. The AI Act uses roles such as ‘provider’ and ‘deployer’, but in practice the technical implementation of the requirements very often falls to IT, information security, data governance and enterprise architecture.

Furthermore, many companies do not develop AI in-house, but instead use SaaS platforms, copilots, foundation models or embedded manufacturer functions. As a result, part of the compliance issue shifts to supplier and contract management. Anyone using external AI services must be able to ascertain which model class underlies them, what evidence is available, and which transparency or security requirements the provider meets. It is precisely this point that is often underestimated in practice, because AI functions are now ‘included’ in standard software. •

The timetable: What requirements are already in place?

The AI Act came into force on 1 August 2024. However, not all parts of it apply immediately; instead, they are being phased in according to a staggered timetable. The rules on prohibited AI practices, as well as the requirement for AI literacy – that is, ensuring that employees and others working with AI systems have a sufficient level of competence – have been in force since 2 February 2025. Regulations on general-purpose AI models have also been in force since 2 August 2025. The legal framework will generally apply across the board from 2 August 2026, whilst transitional periods until 2 August 2027 apply to certain high-risk systems in regulated products. Artificial intelligence has long since evolved from an innovation topic to an integral part of day-to-day operations within companies. Generative AI assists with text creation, copilots accelerate development processes, search and knowledge systems are becoming semantically smarter, and specialist departments are increasingly integrating AI functions directly into their applications. At the same time, however, the regulatory framework is expanding. With the EU AI Act, the European Union has established a comprehensive legal framework for artificial intelligence, which is already in force and is being phased in. For IT managers, this means that AI can no longer be viewed solely from the perspective of efficiency and innovation, but must be treated as a governance, risk and compliance issue.

The key point here is that the AI Act does not regulate ‘AI’ across the board, but instead follows a risk-based approach. The higher the risk a system poses to safety, fundamental rights or affected individuals, the stricter the regulatory requirements. This is precisely where the operational relevance for IT departments lies: not every AI application is automatically highly critical, but every organisation must classify and document its systems and incorporate them into a robust governance framework.

Why the AI Act is particularly relevant for IT managers

Although the legal department, data protection and compliance are formally closely involved, in many companies the practical implementation issues are handled by IT. It is there that decisions are made regarding which AI tools to procure, which models to integrate into products or processes, which data to process, what logging takes place, and how human oversight is ensured from both a technical and organisational perspective. The AI Act uses roles such as ‘provider’ and ‘deployer’, but in practice the technical implementation of the requirements very often falls to IT, information security, data governance and enterprise architecture.

Furthermore, many companies do not develop AI in-house, but instead use SaaS platforms, copilots, foundation models or embedded manufacturer functions. As a result, part of the compliance issue shifts to supplier and contract management. Anyone using external AI services must be able to ascertain which model class underlies them, what evidence is available, and which transparency or security requirements the provider meets. It is precisely this point that is often underestimated in practice, because AI functions are now ‘included’ in standard software. •

The timetable: What requirements are already in place?

The AI Act came into force on 1 August 2024. However, not all parts of it apply immediately; instead, they are being phased in according to a staggered timetable. The rules on prohibited AI practices, as well as the requirement for AI literacy – that is, ensuring that employees and others working with AI systems have a sufficient level of competence – have been in force since 2 February 2025. Regulations on general-purpose AI models have also been in force since 2 August 2025. The legal framework will generally apply across the board from 2 August 2026, whilst transitional periods until 2 August 2027 apply to certain high-risk systems in regulated products. Der AI Act ist am 1. August 2024 in Kraft getreten. Er gilt jedoch nicht in allen Teilen sofort, sondern nach einem gestaffelten Zeitplan. Bereits seit 2. Februar 2025 gelten die Regeln zu verbotenen KI-Praktiken sowie die Pflicht zur AI Literacy, also zum Aufbau eines ausreichenden Kompetenzniveaus bei Mitarbeitenden und anderen Personen, die mit KI-Systemen arbeiten. Seit 2. August 2025 gelten außerdem Regelungen zu General-Purpose-AI-Modellen. Die breite Anwendbarkeit des Rechtsrahmens folgt grundsätzlich ab 2. August 2026, während für bestimmte Hochrisiko-Systeme in regulierten Produkten Übergangsfristen bis 2. August 2027 bestehen.

For businesses, this means that the actual implementation must not be postponed until 2026. Those who are already using AI in a productive capacity must ensure, as of now, that prohibited practices are ruled out, that training measures are in place, and that relevant AI systems are at least inventoried and broadly classified. A common misconception is to take the AI Act seriously only once all detailed obligations are fully in force. From an operational perspective, however, it makes sense to establish governance structures at an early stage, as subsequent rectifications in heterogeneous IT landscapes are significantly more expensive and organisationally more complex. •

The framework of the EU AI Act: Four risk levels

The AI Act uses four risk categories: unacceptable risk, high risk, limited risk and minimal risk. This classification is crucial for IT managers because it determines operational priorities. It is not the mere existence of an AI function that matters, but its specific purpose, the context in which it operates, and its potential impact on people, rights and security.

Prohibited AI practices

Certain applications are generally prohibited under the AI Act. These include, amongst other things, certain manipulative or deceptive AI practices, the exploitation of vulnerable individuals, social scoring, and other particularly intrusive forms of use. The European Commission has published supplementary guidelines on the definition of an AI system and on the initial deployment phase to facilitate clarification. For businesses, it is particularly important here that sensitive use cases are not only scrutinised once the system is in production, but are excluded as early as the architecture and approval phase.

High-risk AI

The most extensive requirements apply to high-risk AI. Depending on the context, this includes AI systems in sensitive areas such as employment, education, critical infrastructure or access to essential services. For such systems, the Commission sets out requirements relating to risk management, data and data governance, technical documentation, logging, transparency, human oversight, accuracy, robustness and cybersecurity. In addition, depending on the role, conformity assessment, registration and ongoing monitoring are relevant.

For IT managers, this has a clear implication: high-risk AI cannot simply be integrated into existing operational processes as an afterthought. It requires documented responsibilities, defined control mechanisms, robust audit trails and close integration with data protection, information security and business process ownership. Anyone who focuses solely on technical functionality is missing the point of the regulation.

Limited risk

For businesses, this means that the actual implementation must not be postponed until 2026. Those who are already using AI in a productive capacity must ensure, as of now, that prohibited practices are ruled out, that training measures are in place, and that relevant AI systems are at least inventoried and broadly classified. A common misconception is to take the AI Act seriously only once all detailed obligations are fully in force. From an operational perspective, however, it makes sense to establish governance structures at an early stage, as subsequent rectifications in heterogeneous IT landscapes are significantly more expensive and organisationally more complex. •

The framework of the EU AI Act: Four risk levels

The AI Act uses four risk categories: unacceptable risk, high risk, limited risk and minimal risk. This classification is crucial for IT managers because it determines operational priorities. It is not the mere existence of an AI function that matters, but its specific purpose, the context in which it operates, and its potential impact on people, rights and security.

Prohibited AI practices

Certain applications are generally prohibited under the AI Act. These include, amongst other things, certain manipulative or deceptive AI practices, the exploitation of vulnerable individuals, social scoring, and other particularly intrusive forms of use. The European Commission has published supplementary guidelines on the definition of an AI system and on the initial deployment phase to facilitate clarification. For businesses, it is particularly important here that sensitive use cases are not only scrutinised once the system is in production, but are excluded as early as the architecture and approval phase.

High-risk AI

The most extensive requirements apply to high-risk AI. Depending on the context, this includes AI systems in sensitive areas such as employment, education, critical infrastructure or access to essential services. For such systems, the Commission sets out requirements relating to risk management, data and data governance, technical documentation, logging, transparency, human oversight, accuracy, robustness and cybersecurity. In addition, depending on the role, conformity assessment, registration and ongoing monitoring are relevant.

For IT managers, this has a clear implication: high-risk AI cannot simply be integrated into existing operational processes as an afterthought. It requires documented responsibilities, defined control mechanisms, robust audit trails and close integration with data protection, information security and business process ownership. Anyone who focuses solely on technical functionality is missing the point of the regulation.

Limited risk

Systems classified as low-risk are primarily subject to transparency requirements. This applies in particular to scenarios where users need to be able to recognise that they are interacting with AI or that they are viewing AI-generated or AI-manipulated content. This is of practical relevance to businesses, particularly in the case of chatbots, virtual assistants, content generators and synthetic media. The EU is also working on a code of practice for the labelling and marking of AI-generated content.

Minimal risk

Many everyday AI applications are classified as posing minimal risk. Whilst this reduces the regulatory burden, it does not eliminate the need for internal governance. This is because, even for AI functions subject to minimal regulation, issues relating to data usage, access rights, output quality, model transparency, logging and secure integration into the existing IT landscape remain. The AI Act therefore does not replace sound IT governance, but rather makes it more binding in critical areas.

AI Literacy: The urgent need that many underestimate

One particularly relevant point is Article 4 of the AI Act on AI literacy. Under this provision, providers and operators of AI systems must ensure that staff and other relevant individuals possess a sufficient level of knowledge, skills and understanding. The Commission expressly emphasises that there is no rigid standard framework in this regard. Key factors include prior technical knowledge, experience, training, the specific context of use and the individuals affected by the use of AI. •

For businesses, this means that a one-off basic training course is unlikely to be sufficient. What is needed is a role-based training approach. Developers require different content to administrators, procurement staff to business users, and managers to data protection or security officers. At the same time, AI literacy must go beyond mere tool training. It is also about understanding risk, the limitations of systems, potential errors, human oversight and clear escalation procedures. This is precisely why AI literacy is not just an HR issue, but a governance component with a direct link to the IT organisation. •

General-purpose AI: Why LLMs and foundation models need to be considered separately

With the widespread use of LLMs, multimodal models and other foundation models, the field of general-purpose AI is becoming increasingly important. The European Commission has published guidelines, Q&A documents and a voluntary General-Purpose AI Code of Practice on this subject. This Code addresses, in particular, transparency, copyright and security and safety issues; additional requirements apply to models posing systemic risk. •Systems classified as low-risk are primarily subject to transparency requirements. This applies in particular to scenarios where users need to be able to recognise that they are interacting with AI or that they are viewing AI-generated or AI-manipulated content. This is of practical relevance to businesses, particularly in the case of chatbots, virtual assistants, content generators and synthetic media. The EU is also working on a code of practice for the labelling and marking of AI-generated content.

Minimal risk

Many everyday AI applications are classified as posing minimal risk. Whilst this reduces the regulatory burden, it does not eliminate the need for internal governance. This is because, even for AI functions subject to minimal regulation, issues relating to data usage, access rights, output quality, model transparency, logging and secure integration into the existing IT landscape remain. The AI Act therefore does not replace sound IT governance, but rather makes it more binding in critical areas.

AI Literacy: The urgent need that many underestimate

One particularly relevant point is Article 4 of the AI Act on AI literacy. Under this provision, providers and operators of AI systems must ensure that staff and other relevant individuals possess a sufficient level of knowledge, skills and understanding. The Commission expressly emphasises that there is no rigid standard framework in this regard. Key factors include prior technical knowledge, experience, training, the specific context of use and the individuals affected by the use of AI. •

For businesses, this means that a one-off basic training course is unlikely to be sufficient. What is needed is a role-based training approach. Developers require different content to administrators, procurement staff to business users, and managers to data protection or security officers. At the same time, AI literacy must go beyond mere tool training. It is also about understanding risk, the limitations of systems, potential errors, human oversight and clear escalation procedures. This is precisely why AI literacy is not just an HR issue, but a governance component with a direct link to the IT organisation. •

General-purpose AI: Why LLMs and foundation models need to be considered separately

With the widespread use of LLMs, multimodal models and other foundation models, the field of general-purpose AI is becoming increasingly important. The European Commission has published guidelines, Q&A documents and a voluntary General-Purpose AI Code of Practice on this subject. This Code addresses, in particular, transparency, copyright and security and safety issues; additional requirements apply to models posing systemic risk.

The AI Act regulates GPAI models at the model level, regardless of the specific business context in which they are subsequently deployed. At the same time, a general model may give rise to AI systems which, depending on their use, may also fall under other provisions of the AI Act. In practical terms, this means that simply referring to a known model provider does not exempt companies from assessing the specific business use case themselves.

What IT managers should be doing right now

The first essential step is a comprehensive AI inventory. Organisations need to know which AI systems are in production, which pilot projects are underway, which third-party functions incorporate AI, and which departments are using AI tools independently. Without this inventory, any discussion of compliance remains abstract. On this basis, an initial risk triage should be carried out: Which applications are non-critical, which require transparency, which are potentially high-risk, and which should be excluded altogether? This assessment does not need to be perfect straight away, but it must be documented, traceable and repeatable. •

The second step is to establish AI governance. This includes defined roles, approval processes, architectural guidelines, minimum requirements for suppliers, control mechanisms for input data, logging concepts, rules for human oversight, and processes for dealing with incidents or system malfunctions. It also makes sense to integrate this with existing structures from ISMS, data protection management, supplier risk management and change management. The AI Act should not be treated as an isolated project, but rather as an extension of existing governance structures. •

The third step is the practical implementation of AI literacy. Employees must not only be aware that AI is being used, but also know what data may be entered into systems, how results are validated, when human review is essential, and what escalation procedures apply in cases of uncertainty. This is particularly crucial when it comes to generative AI, as incorrect or hallucinated outputs can quickly find their way into operational processes without clear control mechanisms.

Conclusion

For IT managers, the EU AI Act is no longer a matter for the future, but an ongoing transformation project. Key obligations are already in force today, with further ones to follow in 2026 and 2027. What matters is not whether a company uses AI, but where, in what capacity and with what risk profile. Those who take stock now, classify their systems, take training obligations seriously, review suppliers and establish governance structures will reduce regulatory risks whilst gaining greater control over the productive use of AI. This is precisely where the real added value of engaging with the AI Act at an early stage lies: not just compliance, but robust governance.

Interested in this topic? – Get in touch!

Get in touch