EU AI Act: New Obligations for AI Providers and Users, Timelines and Fines
European regulation of artificial intelligence is no longer “something that will come at some point in the future”. AI in companies under EU oversight is a reality – some obligations already apply, and others will start being enforced in the coming months and years. This article explains how the AI Act and new European guidelines are changing the specific obligations of both providers and users of artificial intelligence, what sanctions may apply, and what business owners and managers actually need to do today if they want to use AI in their company safely and legally.

Why AI in companies is under EU oversight and what it means in practice
The European AI Act (Regulation (EU) 2024/1689) is the world’s first comprehensive legal framework for artificial intelligence, aiming both to support innovation and to protect health, safety, fundamental rights, and democratic values. Unlike softer ethical codes, it is a directly binding regulation that automatically applies in all Member States and creates harmonised rules for the development, placing on the market, and use of AI systems.
From a business perspective, this means AI is no longer an “unregulated space”, but an area subject to a level of regulation comparable to personal data protection (GDPR) or cybersecurity (NIS2). At the same time, the AI Act expressly seeks to prevent fragmentation of national rules and to ensure the free movement of AI products and services within the Single Market.
A key principle of the AI Act is a risk-based approach. The greater the impact an AI system may have on health, safety, or fundamental rights, the stricter the requirements for its design, testing, documentation, oversight, and transparency.
At one end of the spectrum are systems with minimal or no risk, for which the AI Act sets no specific obligations; these typically include ordinary spam filters or AI in computer games. At the other end are prohibited practices posing an “unacceptable risk”, which are simply banned in the EU without any standard exemption, with limited-risk and high-risk systems in between.
From a corporate perspective, it is crucial that the AI Act does not apply only to technology companies developing their own AI models, but also to a wide range of ordinary businesses that “only” implement AI in their processes. The regulation expressly applies to providers, importers, distributors, and so-called deployers, i.e., companies that use AI systems in the course of their professional activities, including public authorities.
Its extraterritorial reach means that obligations also arise for entities outside the EU if their AI systems, or their outputs, are used in the Union. In practice, this means that, for example, a US or Asian supplier of an AI solution deployed in the Czech Republic must comply with European rules and will often need to appoint an authorised representative in the EU.
It is also important that the AI Act does not exist in a vacuum. For companies, it overlaps with other regulations, in particular the GDPR, product liability and damages rules, sector-specific regulation (banking, healthcare, energy), and, more recently, rules on cybersecurity and the data economy. The legal reality is therefore more complex than simply “complying with the AI Act” – when designing and deploying AI, it is typically necessary to address personal data protection, contractual relationships with customers and suppliers, security standards, and tax implications at the same time.
In practice, the attorneys at ARROWS, a Prague-based law firm, often see companies focus on only one of these regulations (for example, the GDPR), while underestimating the specific obligations under the AI Act or the links to contractual liability, which can later lead to fines, disputes, and even the blocking of key projects.
Timeline: What already applies and what new EU guidance has been added
The AI Act does not apply “all at once”; its application is phased in over several stages, supplemented by secondary legislation, Commission guidance, and voluntary codes of practice. From a corporate planning perspective, it is essential to understand what is already enforceable today and what new obligations businesses will face in the coming years.
What applies from February 2025: Prohibited practices
From February 2025, the rules on “unacceptable” AI practices apply. Across the EU there is a ban on eight types of AI practices considered incompatible with the Union’s values and fundamental rights.
These include, among other things, subliminal and manipulative techniques that materially undermine a person’s ability to make free decisions. They also include systems that exploit the vulnerabilities of persons due to age, disability, or socio-economic situation. Systems for social scoring of individuals and certain forms of predictive policing are also considered prohibited.
This also includes untargeted collection of biometric data from the internet for the purposes of facial recognition. Emotion recognition in the workplace and in educational institutions is also prohibited. This category also covers biometric categorisation based on sensitive characteristics. In principle, it also includes the use of AI for real-time remote biometric identification of persons in public, outside narrowly defined exceptions.
Breaches of these absolute prohibitions carry the highest penalties – up to EUR 35 million, or for undertakings up to 7% of total worldwide annual turnover for the preceding financial year, whichever is higher. For small and medium-sized enterprises, the lower of the two amounts is applied, but these can still be potentially business-ending fines.
In practice, the attorneys at ARROWS, a Prague-based law firm, encounter situations where companies are sometimes not even aware that certain HR tools, marketing technologies, or security systems may fall under prohibited practices – typically experimental emotion recognition of employees or students, aggressive behavioural marketing combining AI and psychometrics, or the use of untargeted scraping of photographs for facial recognition.
What applies from May 2025: Rules for general-purpose models (GPAI)
The second wave of obligations consists of rules for so-called general-purpose artificial intelligence models (General-Purpose AI, GPAI), which began to apply from May 2025. These are models trained using high computational power and capable of generating text, images, audio, or video for a wide range of uses – typically large language models, image generators, or multimodal models that companies now use via APIs or cloud services.
Providers of these models must now ensure technical documentation describing the model architecture, training methods, computational resources used, the model’s capabilities and limitations, and typical risks of use. They must also publish a summary of the training data used to train the model, following a template prepared by the Commission, and implement internal rules ensuring compliance with copyright law, including responding to so-called TDM opt-outs, i.e., the express exclusion of datasets from text-and-data mining.
For models with systemic risk (for example, the most powerful models above a certain FLOPs threshold), additional obligations apply, such as regular robustness testing, assessment and mitigation of systemic risks, incident reporting, and mandatory registration with the European Commission.
To help the industry meet these requirements, a voluntary version of the Code of Practice for GPAI was prepared, which the Commission has identified as an appropriate tool for demonstrating compliance with Article 53 of the AI Act. Providers that sign and comply with the code may benefit from a lower administrative burden and greater legal certainty, as compliance with the code is presumed to satisfy certain statutory obligations as well.
From the perspective of corporate users, this means it is advisable to ask the provider of a large model whether it is a signatory to this code and how exactly it complies with its obligations. The attorneys at ARROWS, a Prague-based law firm, help clients with vendor due diligence and with adjusting contractual documentation so that liability for AI is clearly allocated.
What’s coming: August 2026, July 2027 and other milestones
From August 2026, the AI Act will generally become fully applicable for most provisions, with the exception of certain high-risk systems for which a longer transitional regime has been agreed. It is precisely during this period that, in practice, the requirements for transparency of interactive AI systems and for labelling AI-generated content under Article 50 of the AI Act will start to “bite”.
Providers of AI systems intended for direct interaction with people will have to ensure that users are clearly informed that they are communicating with AI, unless this is obvious from the context, and that synthetic content (text, image, audio, video) is labelled as artificial at least in the form of a machine-readable identifier. Deployers of deepfake content will then have to ensure visible labelling for end users that the content is generated or manipulated.
At the same time, from August 2026 the regime of the central EU database of high-risk AI systems will be launched, in which providers and certain deployers will have to register their systems before placing them on the market or putting them into service. The obligation mainly concerns systems listed in Annex III to the AI Act (for example, AI for allocating social benefits, creditworthiness assessment, certain HR tools, biometric identification systems) and is intended to enable more transparent market oversight as well as mutual learning among regulators.
Another significant milestone will occur in July 2027, when the rules for high-risk AI systems integrated as a safety component of regulated products (for example, lifts, toys or medical devices) will gradually start to apply. From the perspective of companies in the Czech Republic, this will be particularly sensitive in sectors where AI is already gaining a significant foothold—such as banking, insurance, healthcare or transport infrastructure.
New Commission guidance from recent months
In addition to the text of the AI Act itself, so-called tertiary law is playing an increasingly important role in practice—implementing and delegated acts, guidance and codes of practice intended to harmonise the interpretation of key concepts and help companies meet the requirements of the AI Act. Over the last twelve months, several documents have been added that fundamentally affect the practice of both providers and users.
In May 2026, the Commission issued draft guidance on the classification of high-risk AI systems under Article 6 of the AI Act. This guidance seeks to explain when a system is considered high-risk either because it is a safety component of a regulated product or because it falls within one of the areas listed in Annex III. The document contains a number of practical examples of when a specific AI solution should be regarded as high-risk and when it should not, which is crucial especially for companies in HR, lending, healthcare or public services.
Another important document is the draft guidance and template for reporting serious incidents under Article 73 of the AI Act. From August 2026, providers of high-risk systems will have to notify national authorities of serious incidents that have led, or could have led, to harm to health, significant property damage or a serious breach of fundamental rights. The draft guidance explains what is considered an incident, what information should be reported, and how this obligation links to other regimes (for example, the GDPR or sector-specific rules).
Even before that, the Commission issued guidance for providers of general-purpose AI models, which clarifies the scope of their obligations and interprets key concepts such as “substantial modification of the model”, “systemic risk” or “GPAI model”. This guidance complements the above-mentioned GPAI Code and together they give providers and users a relatively clear picture of when and how the rules apply to them.
In the area of transparency of AI-generated content, the Commission is preparing a Code of Practice for the detection and labelling of AI content, a draft of which was published in the first half of 2026 and the final version is expected in the summer of the same year. The Code is intended to define technical standards for watermarks, metadata and other identifiers and also recommend visual labelling of deepfake content.
From the perspective of corporate managers, this means that following the AI Act today no longer means just keeping an eye on “one law”, but that it is necessary to systematically monitor the follow-up guidance, templates and codes that gradually specify what the supervisory authority will actually require.
The attorneys at ARROWS, a Prague-based law firm, therefore recommend that clients set up an internal process in which someone is responsible for “regulatory watch” in the AI area, similar to the approach taken for GDPR or NIS2, and regularly update both internal policies and contracts with suppliers and customers.
Obligations of AI providers: From defining the role to conformity assessment
The AI Act places strong emphasis on distinguishing roles in the AI value chain—providers, deployers, importers, distributors and other entities. A provider is the party that develops an AI system or has a system modified so that it is provided under its name or trade mark, regardless of whether it is established in the EU or outside it. In practice, this definition covers both large developers of their own models and integrators who substantially modify a system and place it on the market as their own solution.
For companies, it is critical to clarify this role correctly, because it is the provider to whom the AI Act assigns the most extensive set of obligations, especially for high-risk systems and for GPAI models. If a company mistakenly believes it is “only a user” but in fact significantly modifies the system, trains it on its own data and offers it to customers as its own product, it may bear the provider’s responsibility, including the obligation to carry out a conformity assessment and register in the EU database.
The attorneys at ARROWS, a Prague-based law firm, therefore recommend that clients clarify at an early stage of the project who is in which role—and reflect this allocation of roles and obligations in contracts and terms and conditions.
High-risk systems: Risk management system, data and documentation
For high-risk AI systems, the AI Act sets out detailed requirements that the provider must meet before placing the system on the market or putting it into service. These include, in particular, the obligation to implement a continuous risk management system ensuring the identification, analysis, evaluation and mitigation of risks associated with AI throughout the entire lifecycle.
Closely related to this are the requirements for data and data governance—training, validation and testing datasets must be relevant, representative and of sufficiently high quality, taking into account the specific geographic, contextual and functional environment in which the system is intended to operate.
The AI Act also requires that, for these datasets, the provider applies robust data governance practices—having the origin of the data documented, as well as collection, annotation, cleaning and aggregation processes, examining the presence of possible biases and adopting measures for their detection, prevention and remediation.
Exceptionally, it also allows the processing of special categories of personal data for the purposes of detecting and remedying bias, but only under strict conditions, including technical and organisational measures to minimise risks and strict access limitations. In practice, the provider of a high-risk system thus finds itself in a position where it must demonstrate that its AI is not only “technically functional”, but also non-discriminatory, safe and respectful of fundamental rights.
An integral part of these obligations is also maintaining technical documentation, which must describe in detail the system, its purpose, architecture, the data used, training and testing methods, and evaluation results. The documentation must enable supervisory authorities to assess the system’s compliance with the requirements of the AI Act, and therefore it must be updated on an ongoing basis rather than created once at the beginning of the project. Likewise, the system must automatically record events (logs) so that it is possible to trace back how a particular decision or incident occurred, and these logs must be retained for the period set by the Regulation.
Conformity assessment and the role of notified bodies
High-risk AI systems must undergo a conformity assessment before being placed on the market. The AI Act distinguishes whether it is a system that is a safety component of a product regulated by another harmonisation act (for example, a medical device), or a system falling into a standalone category under Annex III.
In the first case, the conformity assessment is usually carried out as part of the existing regime (for example, under the Medical Devices Regulation), with the notified body also assessing compliance with the requirements of the AI Act. In the second case, in most situations the provider may use the internal control procedure (without the involvement of a notified body), provided that it has applied harmonised standards or common specifications, if they exist.
If the provider does not apply harmonised standards or common specifications, or there are limitations on their use, it is required to use a conformity assessment involving a notified body under the relevant module. In the Czech Republic, the notifying authority responsible for designating notified bodies in the field of AI is the Czech Office for Standards, Metrology and Testing (ÚNMZ), which will oversee that notified bodies meet their obligations of independence, professional competence and impartiality.
In practice, this means providers must factor in the time and costs of conformity assessment, especially for more complex systems or where harmonised standards are not available. The conformity assessment process also includes drawing up the EU declaration of conformity and affixing the CE marking to the system, which signals that the relevant requirements have been met. Without a valid conformity assessment and registration in the EU database, a high-risk system may not be placed on the market or put into service, which in practice may mean suspending the entire project or being unable to access the EU market.
The attorneys at ARROWS advokátní kancelář assist businesses here both with setting up internal compliance processes and with coordinating with notified bodies and supervisory authorities to avoid major delays or costly rework of the system.
Sanctions and provider liability
As noted above, the AI Act introduces a tiered system of sanctions that is in some respects comparable to the GDPR. The highest fines (up to EUR 35 million or 7% of worldwide turnover) relate to breaches of the prohibition of banned practices under Article 5.
For breaches of other obligations, for example the obligations of providers for high-risk systems or GPAI, fines of up to EUR 15 million or 3% of worldwide turnover may be imposed. For providing false, incomplete or misleading information to supervisory authorities, fines of up to EUR 7.5 million or 1% of turnover may be imposed.
The AI Act also emphasises the principle of proportionality, so the level of fines should take into account the nature, gravity and duration of the infringement, the number of affected persons, the financial benefit gained from the infringement, the degree of cooperation with supervisory authorities, and also whether the entity is an SME or a startup. In addition, the draft of the forthcoming AI Liability Directive envisages that breaches of obligations under the AI Act may lead to a reversal or easing of the burden of proof in damages disputes.
If a company has failed to comply with certain obligations, it is presumed that this failure is linked to the damage incurred. This further increases the importance of proper documentation and demonstrable fulfilment of obligations.
In practice, this means that non-compliance with the AI Act may lead not only to high fines and a ban on placing the system on the market, but also to litigation and reputational damage. Many companies therefore now view the implementation of a robust AI compliance programme as an investment in product credibility, not merely a regulatory cost. The attorneys at ARROWS advokátní kancelář help clients in such situations both with preventive setup of a risk management system and with defending against sanctions and representing them before supervisory authorities and courts.
Obligations of users (deployers): AI literacy, transparency and oversight
Under the AI Act, a deployer (implementing entity) is anyone who uses an AI system in the course of their professional activity, regardless of whether they developed the system or purchased it from a third party. For most ordinary companies in the Czech Republic, the deployer role will be typical—they use AI in HR, marketing, data analytics, inventory management, customer service or other processes, but do not develop their own models.
A common mistake is the assumption that compliance with the AI Act is primarily the supplier’s responsibility. However, the Regulation imposes obligations on the deployer itself, especially for high-risk systems and for systems that directly interact with end users.
Deployers must, for example, ensure that they use AI systems in accordance with the intended purpose defined by the provider, and must not use them in a different context without further steps, especially if that would lead to increased risks. They must also ensure an appropriate level of AI literacy among persons who use the systems or evaluate their outputs. In the case of high-risk systems, they must implement human oversight, monitor the system’s performance, retain logs, and comply with other technical and organisational requirements, including data protection impact assessments under the GDPR.
Deploying high-risk AI within a company
If a company deploys high-risk AI, for example a tool for automated candidate screening, a system for assessing customers’ creditworthiness, AI for deciding on the allocation of public benefits, or AI supporting clinical decision-making in healthcare, its obligations are much broader.
In addition to the obligation to ensure that the system has a valid conformity assessment and is registered in the EU database—which is the provider’s primary responsibility—the deployer must implement human oversight, ensure proper handling of logs, regularly evaluate the system’s performance in a real-world environment, and establish procedures for handling incidents and complaints.
For example, a bank deploying AI to assess creditworthiness must not only verify the supplier and obtain technical documentation from it, but also ensure that its staff understand the principles of how the system works, can interpret its outputs, and have a process for correcting outputs where necessary.
At the same time, it must carry out a data protection impact assessment (DPIA) under the GDPR and address any discriminatory impacts on different groups of clients. Similarly, an employer using AI in recruitment must involve the DPO, analyse discrimination risks, and clearly communicate to candidates that part of the process is supported by AI.
The attorneys at ARROWS advokátní kancelář often see that companies tend to rely on the supplier’s marketing statements (“our AI is compliant”) without deeper verification. In the context of the AI Act, however, it is essential to conduct your own due diligence, request specific documents (system description, purpose, limitations, test results), and set out the supplier’s responsibility and cooperation directly in the contract. Otherwise, the deployer exposes itself to the risk that, in the event of an incident, it will bear the main responsibility towards regulators and injured parties.
Transparency towards users and clients
Article 50 of the AI Act introduces general transparency obligations for providers and deployers of limited-risk systems that interact with people or generate content. A deployer that deploys a chatbot must ensure that the user is clearly informed from the very first interaction that they are communicating with AI, unless this is obvious.
Likewise, if a company publishes AI-generated text, audio or video in order to inform the public about matters of public interest, it is required to disclose that the content was generated or significantly modified by AI, unless it has undergone full editorial review and is subject to human editorial responsibility.
A special regime applies to deepfake content – deployers (typically companies, institutions or professionals) that use deepfakes in the course of their business or professional activities will, from August 2026, be required to label the content in a visible manner so that an ordinary user can recognise that it is an artificial or manipulated recording.
Exceptions are planned for clearly artistic, satirical or fictional works, where an appropriate notice at the beginning or in the credits will be sufficient, and for use in the detection and investigation of criminal offences. In practice, for example, a marketing agency that creates a deepfake video for a client campaign will, from August 2026, have to take into account the obligation of visible labelling; otherwise, it risks sanctions for breaching Article 50.
Record-keeping, monitoring and incident management
Deployers of high-risk systems will be required to keep records of the system’s deployment, retain logs of key operating parameters, and implement an incident monitoring process, including cooperation with the provider when reporting incidents to supervisory authorities.
In practice, this is analogous to certain regimes in the field of medical devices or cybersecurity – a company must have a clear internal procedure for how to identify an incident, assess its severity, document it, and, where necessary, escalate it to the provider and regulatory authorities.
Many companies today do not have any centralised AI incident management – potential issues are dealt with ad hoc within individual departments. In the context of the AI Act, however, it will be necessary to unify these processes, define responsible roles (for example, an AI officer or an AI governance working group), and establish clear links to existing mechanisms for cybersecurity incidents or personal data breaches.
The attorneys at ARROWS advokátní kancelář often assist clients with creating a unified framework for AI incidents, covering the legal, technical and reputational aspects, including prepared communication scenarios towards regulators, partners and the public.
Most common questions on the basic obligations of providers and deployers
1. How do we know whether we are a provider or only a user (deployer)?
It depends on whether you develop the system or substantially modify it and place it on the market under your name, or whether you “only” use it in your activities. In practice, the situation may be more complex for companies that build their own solution on top of a supplied model. In such cases, it is advisable to carry out a legal analysis of the roles and adjust the contracts accordingly, with which the attorneys at ARROWS advokátní kancelář can assist you.
2. Is it enough if the supplier confirms in writing that its AI is “compliant”?
A mere supplier statement is usually not sufficient, especially for high-risk systems. As a deployer, you must carry out your own verification, request technical documentation and information on the conformity assessment, and clearly allocate responsibility for any incidents. The attorneys at ARROWS advokátní kancelář help clients incorporate these arrangements into contracts so as to minimise the risk of a one-sided transfer of liability.
3. Do we already have to train employees internally on AI?
The obligation to ensure AI literacy for deployers and providers of high-risk systems will apply from August 2026. However, it is already advisable to introduce internal rules for the use of AI tools and employee training so that you are prepared for the AI Act to become fully effective. The scope of training should correspond to the type of tools used and employees’ roles. ARROWS advokátní kancelář helps clients prepare both the training content and internal policies and documentation so that compliance with the obligation can be evidenced.
Transparency, labelling of AI content and deepfakes
Article 50 of the AI Act is one of the most visible provisions for many companies because it directly affects communication with customers and users. It imposes an obligation to inform individuals that they are interacting with an AI system, and to label AI-generated or manipulated content where necessary to maintain trust and protect users.
The obligation to inform about interaction with AI applies to systems whose purpose is to communicate directly with people – typically chatbots, virtual assistants or voicebots in customer service. An exception applies where it is clear from the context that it is a machine, or where AI is used for the detection and investigation of criminal offences with specific safeguards.
For generative AI systems, providers must ensure that outputs are labelled at least in the form of a machine-readable marker enabling AI content to be detected, for example by social networks, search engines and fact-checking tools. Implementation will generally be technical – watermarks, metadata or cryptographic tags embedded in the file so that they are not easily removable.
From August 2026, an additional obligation will apply to certain deployers, especially in the media, marketing and public communications sectors, to visibly label AI-generated content if it is used to inform the public about matters of public interest or if it is a deepfake.
Deepfake content: a stricter regime and exceptions
A deepfake is a specific category of AI-generated or modified content that imitates existing persons, places or events in such a way that it may be mistakenly considered authentic. The legal framework treats it more strictly because deepfakes can be misused for disinformation, fraud, blackmail or other forms of interference with personality rights and trust in public discourse.
The AI Act therefore imposes on deployers of deepfake content who use it in the course of business or professional activities an obligation to visibly label that the content was generated or manipulated by AI. In practical terms, this means that, for example, if a marketing agency creates a video in which a fictional likeness of a well-known person promotes a product, or if a political campaign uses a manipulated recording, the content must be clearly labelled as artificial.
The Commission is preparing a code of practice for labelling AI content, which is intended to recommend specific forms of labelling, such as a visual “AI” icon or a textual notice within a video. Exceptions apply to clearly artistic, satirical or fictional works, where the obligation of prominent labelling could disproportionately disrupt the user experience; here, an appropriate notice that the work uses AI will be sufficient.
Technical standards and a transparency code
The technical details of AI content labelling will gradually be standardised through harmonised standards and codes of practice. The proposals envisage multi-layer labelling—a combination of watermarks, metadata and, where appropriate, publicly available tools for verifying AI content. Providers of AI systems will have to implement these technical solutions in their products, while deployers will be required to actively use them and not evade responsibility by disabling labelling in practice.
From a practical perspective, this opens up room for contractual arrangements between the provider and the deployer—for example, which labelling standards are implemented, what warranties the provider gives, and how any breaches of obligations are handled.
In these situations, ARROWS, a Prague-based law firm, helps clients set up contracts so that the allocation of duties and liability corresponds to who has the technical and organisational control over how AI content is created and published.
| Potential issues | How ARROWS can help (office@arws.cz) |
|---|---|
| Incorrect or missing labelling of AI content: a company publishes AI-generated texts, images or videos without clear labelling, even though the content is intended to inform the public. | Setting internal policies and processes for the use of generative AI and labelling outputs: the attorneys at ARROWS, a Prague-based law firm, will prepare rules for marketing, PR and internal communications to ensure they comply with the AI Act and other regulations and are realistically implementable. |
| Unlabelled deepfakes in a campaign: an agency creates a deepfake video featuring a real person’s likeness and the client uses it in advertising or political communications without a clear notice. | Legal and contractual structuring of cooperation with agencies: ARROWS, a Prague-based law firm, will help embed responsibility for labelling deepfake content in service/mandate agreements and ensure the client is not exposed to disproportionate penalties for a supplier’s failures. |
| Chaotic transparency for chatbots: different channels (website, app, call centre) inform users about the use of AI in different ways—or not at all—confusing clients and regulators. | Audit of interactive AI systems and design of a unified communication strategy: the attorneys at ARROWS, a Prague-based law firm, will review existing chatbots and voicebots and propose a consistent way of informing users in line with Article 50 of the AI Act. |
| Conflict with consumer protection: AI-generated content embellishes the features of a product or service and may be perceived as misleading advertising even if it is labelled as AI. | Combined legal assessment under the AI Act, consumer law and competition law: ARROWS, a Prague-based law firm, will assess marketing concepts under multiple legal regimes and propose a safe campaign format. |
| Insufficient records of what content is created by AI: a company cannot demonstrate where AI was used, complicating responses to incidents or regulators’ queries. | Implementing records and governance for AI content: the attorneys at ARROWS, a Prague-based law firm, will help create a practical register of AI tools and typical use cases so the company has oversight and can respond quickly to supervisory requests. |
Risk classification: The boundary between “ordinary software” and AI and why it matters
The AI Act distinguishes four basic levels of risk: unacceptable (prohibited), high, limited and minimal or none. We have already described prohibited practices; high-risk systems are subject to detailed requirements for design, data, testing, documentation and oversight; limited-risk systems focus primarily on transparency towards users; and systems with minimal or no risk are not targeted by the AI Act with specific obligations.
The vast majority of standard corporate applications fall into the limited- or minimal-risk categories, but general legal regulations still apply—especially the GDPR, copyright law and consumer law.
For managers, it is crucial to understand that a system’s classification has a direct impact on the scope of obligations and potential penalties. For example, a limited-risk chatbot on a website will require relatively simple steps (inform users that it is AI, monitor content and handle complaints), whereas an automated credit allocation system will, as a high-risk system, require a comprehensive compliance regime.
Incorrect classification—for example, when a company treats a high-risk system as “ordinary software”—may result in the company failing to meet its obligations without realising it, exposing it to the risk of penalties and disputes.
How to distinguish AI from ordinary software
The AI Act seeks to distinguish “real AI” from traditional software mainly by the degree of autonomy and adaptivity—whether the system uses machine-learning techniques, optimises its behaviour based on data, and generates outputs that can influence the physical or virtual environment. Put simply, if it is a static program with fixed “if-then-else” logic, it is not an AI system within the meaning of the Regulation.
By contrast, models and algorithms that learn from data, adapt to new situations and independently generate recommendations or decisions fall within the definition of AI. In practice, the boundary may be unclear, for example with sophisticated expert systems or analytical tools with elements of statistical modelling. In such cases, it is advisable to consult not only the technical documentation but also the legal interpretation, including Commission guidance and future harmonised standards.
If there is reasonable doubt, a more conservative approach is preferable—i.e., assuming the AI Act applies—rather than risking that the supervisory authority later classifies the system as AI and criticises the company for non-compliance. The attorneys at ARROWS, a Prague-based law firm, assist clients with the technical-legal assessment of specific solutions and with placing them in the correct risk category.
How ARROWS, a Prague-based law firm, can help
Regulation of artificial intelligence and new European guidance present companies with a combination of legal, technical and organisational challenges. It is particularly demanding because the AI Act overlaps with a range of other regulations—GDPR, NIS2, sector-specific regulation, copyright law, consumer law, protection of personality rights, and competition rules. A layperson or an overburdened manager often sees only part of the picture and may underestimate less obvious risks, such as liability for damage caused by AI, the evidentiary position in a dispute, or the potential blocking of a transaction or project by regulators.
The attorneys at ARROWS, a Prague-based law firm, have long focused on digital law, personal data protection and the regulation of technologies and AI. In practice, they assist clients, among other things, with a comprehensive AI gap analysis, in which they identify AI systems in use, determine roles and risk categories, assess existing processes and documentation, and propose specific steps to achieve compliance.
They also prepare and review contracts with suppliers of AI solutions as well as with clients, so that they correctly allocate liability, reflect the requirements of the AI Act, GDPR and other regulations, and protect the client’s commercial interests. The services also include setting up internal governance—from preparing policies for the use of AI, through defining roles and responsibilities, to designing a process for approving new AI projects and handling incidents.
ARROWS law firm in Prague also provides expert training for management, IT, HR and other teams, so that AI literacy within the company is not merely a “tick-box” obligation, but a real tool for the responsible use of AI. In the event of inspections by supervisory authorities or in situations where sanctions are at risk, the firm’s lawyers represent clients, conduct an expert dialogue with the authorities, and prepare a defence strategy.
An important element is also liability insurance – ARROWS law firm in Prague is insured for professional liability up to CZK 400,000,000, which provides clients with an additional level of assurance when entrusting complex and high-risk projects. In international matters where AI systems operate across borders, the firm can, thanks to the ARROWS International network, coordinate legal support in various jurisdictions and ensure that the approach to AI regulation is consistent across markets.
If you are considering deploying AI in your company, or you already use AI and want to be sure you meet the growing requirements of the AI Act and related European guidance, now is the right time to begin systematic preparation. The attorneys at ARROWS law firm in Prague can help you both with an initial assessment of your situation and with the long-term setup of a compliance programme, so that your AI projects are technically innovative, legally safe, and commercially sustainable. If you are interested, you can contact office@arws.cz at any time.
Final summary
European regulation of artificial intelligence is already fundamentally changing the way companies develop and use AI. AI in companies under EU oversight is not just a slogan, but a legal reality that is gradually being reflected in the day-to-day practice of both providers and users of AI. From the ban on eight unacceptable practices and rules for providers of general-purpose AI models, to upcoming obligations in the area of transparency and labelling of AI content – all of these elements create the framework within which AI will operate in European business in the coming years.
For entrepreneurs, management and investors, this means not only new costs and administration, but also an opportunity to differentiate themselves as a trustworthy partner that uses AI responsibly and predictably. The risks arising from underestimating the AI Act are not limited to fines – there is also the risk of being denied market access, projects being suspended, court disputes over damages, loss of negotiating leverage vis-à-vis partners, or reputational harm in the eyes of clients and the public. On the other hand, companies that prepare for the regulation in time can use AI with less legal uncertainty and more easily convince customers, investors and regulators of the safety of their solutions.
The reality of AI regulation is also more complicated than it may seem at first glance. In addition to the AI Act itself, it is necessary to take into account follow-up guidance and codes from the Commission, national implementing laws, harmonised standards, and parallel regimes such as the GDPR, NIS2 or sector-specific regulations. Many steps that look simple – for example deploying a chatbot, using generative AI in marketing, or introducing AI in HR – conceal a range of legal and practical details that a layperson typically does not see.
That is why it pays not to improvise, but to work with experts who combine a legal and business perspective. If you do not want to risk mistakes, damage, delays or fines, and at the same time want to use AI in your company to its full potential and safely, you can confidently entrust this area to the lawyers at ARROWS law firm in Prague. They will help you set up processes, contracts and internal rules so that they reflect the current legal framework while also supporting your business objectives. For a non-binding consultation, you can contact us at office@arws.cz.
FAQ: Most common questions about AI in companies under EU oversight
1. Do we have to deal with the AI Act even if we only use AI “lightly” in office software?
Yes, the AI Act applies to all entities that use AI systems as part of their professional activities, although for most common tools this will fall under a limited- or minimal-risk regime. In practice, this means you will mainly need to address AI literacy (from August 2026), transparency towards users, and basic internal rules for using AI. If you are not sure whether your tools fall within the scope of the regulation and to what extent, the lawyers at ARROWS law firm in Prague can carry out a quick assessment and propose proportionate steps – just contact office@arws.cz.
2. We are a startup developing an AI product – when do we become a “provider” and what exactly does that mean?
As soon as you develop an AI system or substantially modify an existing model and place it on the market under your own name or brand, you act as a provider. This entails an obligation to ensure the system’s compliance with the AI Act, including conformity assessment for high-risk systems, maintaining technical documentation, record-keeping and possible registration in an EU database. The lawyers at ARROWS law firm in Prague will help you set up a compliance programme so that it does not slow innovation down, while also protecting you from major risks – contact us at office@arws.cz.
3. We use large language models provided by a global player – does the GPAI regime apply to us as well?
The primary obligations under the rules for GPAI apply to model providers, but a deployer should know whether its supplier is meeting these obligations, for example whether it provides a summary of training data, technical documentation, and respects copyright. If you build your own solution on top of the model and place it on the market, you may yourself become a provider and some of the obligations will shift to you. ARROWS law firm in Prague can help you assess exactly where you stand in the chain and set up contracts and internal processes so that it is clear who is responsible for what – contact office@arws.cz.
Notice: The information contained in this article is of a general informational nature only and serves for basic orientation in the matter according to the legal framework as of 2026. Although we take maximum care to ensure the accuracy of the content, legal regulations and their interpretation evolve over time. We are ARROWS law firm in Prague, an entity registered with the Czech Bar Association (our supervisory authority), and for maximum client security we are insured for professional liability with a limit of CZK 400,000,000. To verify the current wording of regulations and their application to your specific situation, it is necessary to contact ARROWS law firm in Prague directly (office@arws.cz). We accept no liability for any damage arising from the independent use of information from this article without prior individual legal consultation.