On February 2, 2025, the first hard deadline of the European Union's AI Act arrives. From that date, the Act's prohibited-practice rules and its AI-literacy obligations become legally applicable—the opening move in a phased rollout that began when the regulation entered into force on August 1, 2024. For most businesses this is not a fire drill; the heavy obligations for high-risk systems land later. But February 2 is the moment "we should look at the AI Act eventually" stops being a defensible position. As the founder of Softechinfra, I field a version of the same question from clients every week: does this apply to us, and what do we actually have to do? This is the durable answer—an inventory-classify-document checklist that holds up long after the February headline fades, whether you buy AI tools, embed them in a product, or build your own.
What the Act Actually Regulates (and What It Doesn't)
The single most important thing to understand about the EU AI Act is that it is a risk-tiered product-safety regulation, not a blanket AI ban. It sorts AI systems into bands and applies obligations proportional to the risk each band carries. The vast majority of business software—spam filters, recommendation engines, inventory forecasting—sits in the lowest tier and carries almost no new duties at all.
A second point that trips people up: the Act has extraterritorial reach. It applies if your AI system's output is used in the EU, regardless of where your company sits. An Indian or US firm selling a SaaS product to European customers is in scope. So is a European subsidiary using a tool built elsewhere. Geography of incorporation does not get you out.
The Four Risk Tiers
Every AI system you touch falls into one of four bands. Place each one correctly and the rest of compliance becomes a checklist rather than a guessing game.
| Risk Tier | What It Covers | Core Obligation |
|---|---|---|
| Unacceptable (prohibited) | Social scoring, manipulative or exploitative systems, untargeted facial-image scraping, certain biometric categorisation | Banned outright from Feb 2, 2025 |
| High-risk | AI in hiring, credit scoring, education access, critical infrastructure, certain medical and safety contexts | Conformity assessment, risk management, human oversight, documentation |
| Limited-risk | Chatbots, AI-generated content, emotion-recognition interfaces | Transparency: tell people they are interacting with AI |
| Minimal-risk | Spam filters, recommendation engines, most everyday AI features | No mandatory obligations |
The two tiers that demand attention right now are the bookends. The prohibited list is small but absolute, and it is the part that bites on February 2. The high-risk list is where the serious engineering and paperwork live, but its obligations phase in over the following years—giving you time to prepare if you classify honestly today.
A Three-Step Compliance Process
Reduce the noise and the work resolves into three durable steps: inventory what you have, classify each system, and document the decisions. Run it once thoroughly, then revisit it whenever you adopt a new tool or ship a new feature.
The inventory step is the one teams skip and the one that pays off most. You almost certainly use more AI than you think: the resume-screening feature in your ATS, the lead-scoring model in your CRM, the support chatbot on your site, the AI assistant baked into your office suite. None of these are exotic, and several may carry transparency or high-risk implications you have never examined.
The Prohibited-Practices Quick Check
Because the prohibitions are the part with teeth on February 2, run this short screen across your inventory before anything else. If any line gives you pause, get specialist legal advice—these are bright lines, and the penalties for crossing them are the steepest in the Act.
- Do we run any system that scores or ranks people's trustworthiness from unrelated social behaviour? (social scoring)
- Do we use AI that exploits age, disability, or economic vulnerability to distort behaviour?
- Do we scrape facial images from the web or CCTV to build or expand a recognition database?
- Do we infer emotions of employees or students, outside narrow safety or medical exceptions?
- Do we use biometric categorisation to deduce sensitive traits like race, political views, or sexual orientation?
Transparency: The Obligation Almost Everyone Has
Even if every system you run is minimal-risk, the limited-risk transparency duties likely apply to you, because chatbots and AI-generated content are everywhere. The rule is simple and humane: people have a right to know when they are dealing with a machine or consuming machine-made content.
In practice that means a chatbot should disclose it is an AI rather than impersonate a human agent, AI-generated or substantially-altered images and text aimed at the public should be marked as such, and deepfakes carry explicit labelling duties. None of this requires heroics—it is mostly interface copy and a content policy. We build these disclosures into client products by default now; the same disclose-and-document instinct runs through how we approach building AI features responsibly, where being honest about what the model is and isn't doing is a design principle, not a legal afterthought.
How This Plays Out in Real Projects
The Act rewards teams that treated AI governance as an engineering concern before a lawyer forced the issue. When we built the corporate training and assessment platform for ASNIT Corporates, AI-assisted scoring touched decisions about people—exactly the territory where a deployer needs to think hard about human oversight and contestability. The right move was not to bolt compliance on at the end but to design for it: keep a human in the loop on consequential outcomes, log how scores are produced, and make the AI's role transparent to the people being assessed.
That is the same posture we bring to every AI automation engagement. On TalkDrill, our in-house English-speaking practice app, AI evaluates spoken responses—so we are deliberate about telling users their speech is machine-scored and about keeping the scoring explainable. These are not heavy lifts when they are part of the design brief from day one. They become expensive only when retrofitted under deadline.
Don't Forget AI Literacy
The other obligation taking effect on February 2 is quieter but broad: organisations must ensure staff who deal with AI systems have a sufficient level of AI literacy. There is no certificate to chase and no template the regulation hands you—the duty is to take reasonable measures so the people operating, configuring, or relying on AI understand what it does and where it fails.
For most businesses this is satisfied by deliberate, lightweight training: what the tools can and cannot do, how to spot a confidently wrong answer, when a human must review the output, and how to handle the personal data that flows through these systems. Our CTO Hrishikesh Baidya frames internal AI rollouts around exactly this—pairing any new tool with a short briefing on its limits—because a team that understands a model's failure modes makes better use of it regardless of what any regulator requires.
A Durable Posture, Not a One-Time Scramble
The AI Act is the first comprehensive AI law of its kind, and it will not be the last. India's data-protection regime, sectoral US rules, and other regional frameworks are all moving in the same direction: know what AI you run, classify its risk, keep humans accountable for consequential decisions, and be transparent with the people affected. A team that builds those habits now is ready for whatever the next jurisdiction asks—a point worth keeping in view alongside the broader operational shifts in our guide to enterprise AI transformation.
So treat February 2, 2025 as a useful forcing function rather than a finish line. Run the inventory. Classify honestly. Write the rationale down. Add the transparency notices and the literacy briefing. Most businesses will discover the work is smaller than the headlines suggested—and that the discipline of governing your AI deliberately pays dividends far beyond compliance.
Need Help Mapping Your AI Footprint?
We help businesses inventory, classify, and document their AI systems—and build automation that's transparent and audit-ready by design, not as an afterthought.
Talk to Our AI Team →
