Why 2 August 2025 matters—even if you never write a line of code
The EU AI Act is already law, but on 2 Aug 2025 two things switch on that touch any organisation operating in—or selling to—the EU:
- General-purpose AI (GPAI) transparency duties—vendors must hand over a technical dossier that explains training data, energy use and testing. Customers can (and should) demand it. (digital-strategy.ec.europa.eu, artificialintelligenceact.eu)
- New enforcement plumbing—national AI authorities and the EU AI Office gain power to ask you for logs or risk assessments, even if the model came from a third-party supplier. Fines start at €7.5 m or 1 % of global revenue, and rocket to €35 m / 7 % for using a system on the prohibited list (e.g. social scoring, real-time biometric tracking). (holisticai.com, artificialintelligenceact.eu)
A recent survey found that two-thirds of European firms still don’t understand their obligations. (reuters.com)
Here’s a one-month plan that keeps you out of that statistic—no engineering degree required.
30-Day AI-Act Readiness Calendar
Week | Goal | Key actions |
---|---|---|
1 — Take Stock | See where AI hides | 1) List every tool or service that claims to use AI—HR screeners, chat-bots, analytics, even grammar checkers. 2) Mark where personal data flows in or decisions are automated. |
2 — Rank the Risks | Sort into tiers | Apply the Act’s four risk buckets: • Banned (walk away). • High-risk (extra controls due 2027). • Limited-risk (add disclaimers). • Minimal-risk (monitor). |
3 — Vendor & Insurer Talks | Push paperwork uphill | • Send the Vendor Cheat-Sheet (next section). • Ask cyber-insurer how AI incidents affect premiums. • Draft contract addendum: supplier pays if dossiers/logs are missing. |
4 — Document & Brief | Prove diligence | • Fill in the Board Brief Template (see end). • File your inventory and risk ranking with compliance. • Book a 30-minute slot at the next board or exec meeting. |
Ask-Your-Vendor Cheat-Sheet
Copy-paste these five questions into every RFP or renewal email:
- Show the last bias or robustness test report for this model.
- Where is the training data stored and for how long?
- How can we access the technical dossier if regulators ask?
- What logging is available to trace individual outputs?
- If the model is re-trained, how will you alert us and ship a new dossier?
If a supplier balks, mark the tool High-risk by default and escalate.
Spotlights: High-Risk Triggers by Business Function
Function | Trigger | Do | Don’t |
---|---|---|---|
HR | Automated résumé scoring | Keep a human override and record when it’s used | Infer emotions from video interviews (banned) |
Marketing | Personalised ad targeting | Ensure consents match GDPR profiles | Use algorithms that rank customers by “credit worthiness” without audit |
Customer Support | Chat-bots that give legal or medical advice | Post a clear “AI-generated” label and escalation path | Let bots make binding contract changes |
Physical Security | CCTV analytics | Limit to object detection (e.g. intrusion) | Deploy real-time face ID in public spaces (prohibited social scoring) |
Red-Flag Playbook for Executives
Walk away—or set aside a big compliance budget—if you tick two or more of these:
- No data lineage: supplier can’t trace training data → impossible to defend in audit.
- Zero log retention: can’t reproduce an output within seven days → liability ↑.
- Shadow IT: critical AI tool on a personal cloud account → insurance may refuse cover.
- Unreal timeline: “Go live next month” but no budget for risk assessment → fines risk.
- Sector landmines: hiring, credit, border control or biometric security with no legal review → maximum penalty zone (€35 m / 7 %). (holisticai.com)
One-Page Board Brief Template
Field | Fill in |
---|---|
Top 3 AI Uses | e.g. Résumé filter, CRM chatbot, CCTV analytics |
Risk Tier | High / Limited / Minimal |
Mitigation Owner | Dept lead or vendor |
Budget Needed (2025-26) | € |
Evidence on File | Inventory, risk screen, vendor dossiers, logs |
Next Review Date | dd/mm/2025 |
Print it, attach supporting docs, and the board can see at a glance whether the company is ready—or at risk.
Closing: Keep It Boring
The EU AI Act is long, but compliance is 80 % sensible process: know what you use, ask suppliers tough questions, keep proof on file, and steer clear of the banned fringe. Do that, and 2 August 2025 becomes just another Friday—no drama, no seven-figure fines.
For ongoing updates, bookmark the European Commission’s AI Act page and the independent implementation timeline—they publish fresh guidance almost weekly. (digital-strategy.ec.europa.eu, artificialintelligenceact.eu)