AI Transparency and the EU AI Act: What Businesses Need to Know Now

Barbashyn Law Team
3 July, 2026 10 min read

The EU Artificial Intelligence Act (EU AI Act, Regulation (EU) 2024/1689) entered into force on 1 August 2024, becoming the world’s first comprehensive law regulating the development and use of AI systems. Its provisions, however, apply gradually.

The prohibitions on certain AI practices and the AI literacy requirements apply from 2 February 2025, the rules for general-purpose AI (GPAI) apply from 2 August 2025, and the main transparency obligations apply from 2 August 2026. Following the political agreement on the AI Omnibus / Digital Omnibus, the application of the rules for certain high-risk AI systems is expected to be postponed until 2 December 2027 for standalone high-risk systems covered by Annex III, and until 2 August 2028 for high-risk AI systems integrated into regulated products.

These changes will become legally binding only after the relevant EU legislative act is formally adopted and published.

For businesses, this means one thing: the time to prepare is now, not when the regulator comes knocking.

AI Act as the “New GDPR Moment” for Business

The AI Act has the potential to become for artificial intelligence what the GDPR became for personal data. The GDPR required companies to understand what data they collect, why they collect it, who they share it with, and how they protect it. The AI Act introduces a similar approach—but this time with respect to the use of AI systems.

For businesses, this means it is no longer enough to simply use AI tools. Companies need to understand where AI systems are being used, which decisions they support or automate, what risks they create, and how users are informed about their use.

AI Act Compliance Timeline

The AI Act’s Risk-Based Approach

The AI Act classifies AI systems according to their level of risk, and the applicable obligations depend on that classification:

  • Unacceptable risk (prohibited): AI systems used for social scoring, manipulative AI practices, and real-time remote biometric identification (such as facial recognition in public spaces), subject to limited exceptions.
  • High risk: AI systems used in areas such as employment (e.g., CV screening and employee performance evaluation), education, credit scoring, healthcare, and critical infrastructure. These systems are subject to strict requirements, including registration, conformity assessment, technical documentation, risk management, and human oversight.
  • Limited risk (transparency obligations): Chatbots and AI-generated content. Users must be informed when they are interacting with AI, and AI-generated or manipulated content must be appropriately disclosed or labeled.
  • Minimal risk: Most other AI applications, such as spam filters and recommendation systems in video games. These systems are not subject to specific AI Act obligations, although general legal principles and applicable laws still apply.

What AI Transparency Means

AI transparency means that the use of artificial intelligence is made visible to the people it affects. Individuals should understand when they are interacting with AI, when content has been generated or modified by AI, and when AI may influence decisions affecting them.

This does not mean that companies must disclose their source code, algorithms, or trade secrets. Instead, it requires clear communication, appropriate documentation, internal governance, and the responsible use of AI.

What the AI Act Specifically Requires Regarding Transparency

  • Disclosure of AI interaction: If a user is interacting with a chatbot or AI assistant, they must be informed of this, unless it is obvious from the context.
  • Labeling AI-generated content: Deepfakes, as well as AI-generated or AI-manipulated images, audio, and video, must be appropriately labeled or disclosed.
  • Notification of automated decision-making: If an AI system makes or significantly influences a decision affecting an individual (for example, rejecting a loan application or screening out a job candidate), the individual must be informed and have the right to receive an explanation.
  • Documentation for high-risk AI systems: Providers and deployers of high-risk AI systems are required to maintain technical documentation, keep logs, and carry out risk assessments.

Transparency vs. Explainability: What’s the Difference?

Transparency and explainability are closely related but distinct concepts.

Transparency means: “We inform you that AI is involved in this process.”

Explainability means: “We explain why the AI reached this particular decision.”

The AI Act requires both concepts to varying degrees, depending on the risk level of the AI system.

Why It Matters for Businesses

AI can affect customers, employees, business decisions, and a company’s reputation. When AI is used without proper oversight, it can lead to errors, discriminatory outcomes, violations of users’ rights, customer complaints, and increased regulatory scrutiny.

Transparency helps businesses reduce legal risks, maintain customer trust, and demonstrate that AI is being used responsibly rather than as a “black box.”

Key Business Risks

  • Legal liability: Penalties under the AI Act can reach €35 million or 7% of global annual turnover for the use of prohibited AI practices; €15 million or 3% for non-compliance with requirements for high-risk AI systems and other obligations; and €7.5 million or 1% for providing incorrect, incomplete, or misleading information to regulators.
  • Reputational risks: Public exposure of discriminatory or non-transparent AI practices can significantly damage a company’s brand, particularly in B2C businesses and HR-related processes.
  • Operational risks: Having to redesign or replace AI systems after compliance failures are identified is significantly more costly than implementing compliance measures proactively.
  • Risk of losing contracts: Enterprise customers in the EU are increasingly including AI compliance as part of their vendor due diligence requirements.

Interaction with the GDPR

The AI Act and the GDPR will often apply in parallel. If an AI system processes personal data, a company must also comply with the GDPR, including requirements relating to the lawful basis for processing, transparency, data minimization, data subject rights, security, and risk assessments.

Therefore, AI compliance does not replace GDPR compliance—it complements it. Companies that have already completed a GDPR compliance or audit process can build on a similar approach: mapping AI-related processes, assessing risks, maintaining documentation, adopting internal policies, and assigning responsible personnel.

What Business Owners Should Focus On

Business owners should start with a few fundamental questions to understand the actual extent of their company’s AI footprint:

  • Where is AI already being used across the company?
  • Does AI interact directly with customers or employees?
  • Does the company create AI-generated content (text, images, or videos)?
  • Does AI make or support decisions that may affect individuals (e.g., recruitment, credit decisions, recommendations, etc.)?
  • What personal data is processed by AI systems?
  • Who within the company is responsible for overseeing AI tools?
  • Are there internal rules governing employees’ use of AI?

Conducting this assessment will help identify which AI solutions present minimal risk and which may require additional attention, documentation, or specific compliance procedures.

Minimum Preparation Package for the AI Act

  • AI inventory: A comprehensive list of all AI tools and systems used within the company, including their purpose and areas of application.
  • Risk classification: Determining which AI Act risk category each system falls into (prohibited, high-risk, limited-risk, or minimal-risk).
  • AI Use Policy: An internal policy defining who may use AI tools, how they may be used, and for what purposes within the organization.
  • Transparency notices: Public disclosures informing customers and users about the use of AI in the company’s products or services.
  • Responsible person: Appointment of an individual or function responsible for AI compliance, similar to the role of a Data Protection Officer (DPO) under the GDPR.

Liability for Non-Compliance with the AI Act

The AI Act provides for significant penalties in cases of non-compliance, including the use of prohibited AI practices, failure to comply with requirements applicable to high-risk AI systems, and breaches of transparency obligations.

For businesses, however, the risks go beyond financial penalties. They also include reputational damage, customer claims, regulatory investigations, the suspension of certain business processes, and the need to urgently redesign AI solutions after compliance issues have been identified.

Who Is Subject to the AI Act?

The AI Act applies not only to companies established in the European Union. It also covers, among others:

  • Providers: Companies that develop AI systems or AI models, even if they are established outside the EU, where their AI systems or models are placed on the EU market or their output is used within the EU.
  • Deployers: Companies that use AI systems in the course of their activities within the EU, including through APIs or SaaS platforms.
  • Importers and distributors: Companies that place AI systems developed by third parties on the EU market.

For Ukrainian IT companies that serve clients in the EU or provide AI-enabled products or services to the EU market, the AI Act is directly relevant. Like the GDPR, it has extraterritorial effect, meaning that compliance obligations may apply regardless of where the company is established.

Conclusion

AI transparency is not only a legal requirement—it is also a key element of trust in today’s business environment. Companies should start now by identifying where AI is being used, understanding the risks it creates, and implementing the governance measures needed to ensure responsible use.

Just as the GDPR transformed the way organizations handle personal data, the AI Act will gradually reshape how businesses develop, deploy, and use artificial intelligence. Companies that begin preparing early will have a significant advantage: they will reduce compliance risks, maintain customer trust, and be better prepared for regulatory scrutiny.

A practical rule of thumb is simple: if your company has already completed a GDPR compliance or audit process, you already know the methodology. Apply the same approach to AI—conduct an AI inventory, classify risks, maintain appropriate documentation, adopt internal policies, and designate a person responsible for AI compliance.


FAQ

Answers to the questions we most frequently receive from business owners and IT companies about the EU AI Act.

Does the AI Act apply to a Ukrainian company without an office in the EU?

Yes. If your company develops an AI system or an AI-enabled product that is used on the EU market, or provides AI-powered services to customers or users in the EU, the AI Act may apply. Like the GDPR, the AI Act has extraterritorial effect. The place where your company is incorporated is not decisive; what matters is where the AI system is placed on the market, put into service, or where its output is used. Ukrainian IT companies providing B2B or B2C services to the EU market should therefore assess whether they fall within the scope of the Regulation.

What is a high-risk AI system, and how can we determine whether we have one?

High-risk AI systems are those used in areas where they may significantly affect people's rights, health, or safety. The AI Act includes, among others, AI systems used for recruitment and employee performance evaluation, credit scoring, medical devices and clinical decision support, critical infrastructure, and student assessment in education. If your company develops or deploys AI in these areas, it is likely to be subject to the AI Act's most stringent requirements. In any case, conducting a comprehensive AI compliance assessment is strongly recommended.

Do we have to label all AI-generated content?

No, but a significant portion of AI-generated content is subject to transparency requirements. Under the AI Act, certain AI-generated or AI-manipulated content—including deepfake images, audio, and video—must be appropriately disclosed. Users interacting with chatbots or AI assistants must also be informed that they are communicating with AI, unless this is already obvious from the context. The objective is to ensure that users understand when AI is involved and receive appropriate transparency notices.

If we use ChatGPT or Microsoft Copilot through an API, are we considered a provider or a deployer?

In most cases, your company will be considered a deployer, not a provider. The provider is the organization that develops the AI model, such as OpenAI or Microsoft. Your company becomes the deployer when it integrates that model into its own products, services, or internal processes and uses the resulting output. Although deployers are subject to fewer obligations than providers, they must still comply with relevant AI Act requirements, including transparency obligations, human oversight for high-risk AI systems where applicable, and compliance with the provider's terms of use. Depending on how extensively you modify or integrate AI functionality into your own solution, your regulatory role may require further assessment.

Do we need to appoint a dedicated AI Officer, similar to a Data Protection Officer (DPO)?

The AI Act does not require organizations to appoint a dedicated AI Officer. However, organizations deploying high-risk AI systems must ensure appropriate governance, oversight, and compliance responsibilities. For many businesses, assigning AI compliance responsibilities to an existing role—such as legal counsel, a Chief Technology Officer (CTO), or a compliance officer—and documenting these responsibilities in an AI Use Policy will be sufficient. Organizations with extensive AI development or deployment activities may benefit from establishing a dedicated AI governance function.

How does the AI Act interact with data subjects' rights under the GDPR?

The two regulations complement one another. The GDPR already grants individuals the right not to be subject solely to automated decisions that produce legal or similarly significant effects (Article 22 GDPR). The AI Act expands this framework by introducing additional transparency obligations and governance requirements for AI systems. Where AI systems process personal data and make or significantly influence decisions affecting individuals, organizations should assess compliance with both the GDPR and the AI Act simultaneously.

What does "human oversight" mean for high-risk AI systems?

Human oversight means that a qualified person must be able to understand, supervise, and, where necessary, intervene in or override the operation of a high-risk AI system. It does not require every AI-generated decision to be manually reviewed. Instead, organizations should ensure that appropriate oversight mechanisms exist, such as providing explanations for AI-assisted decisions, enabling human intervention or override, continuously monitoring system performance, and documenting exceptions or incidents.

Does the AI Act apply to internal AI use, such as HR analytics?

Yes. This is one of the less obvious but highly important aspects of the Regulation. AI systems used for CV screening, candidate ranking, employee performance evaluation, or predicting employee turnover may qualify as high-risk AI systems in the employment context. As a result, organizations may need to maintain technical documentation, comply with applicable registration requirements, implement human oversight, and inform employees when AI significantly influences decisions affecting them.

What are the first steps businesses should take to prepare for the AI Act?

Recommended approach: (1) Conduct an AI inventory by compiling a comprehensive list of all AI tools and systems used within your company. (2) Classify each system according to the AI Act risk categories—prohibited, high-risk, limited-risk, or minimal-risk. (3) Determine whether your AI systems process personal data and, if they do, assess GDPR compliance in parallel. (4) Develop or update an internal AI Use Policy. (5) Implement transparency notices wherever AI interacts directly with customers or users. (6) Designate a person responsible for AI compliance.

What are the consequences of using prohibited AI practices?

The use of prohibited AI practices constitutes the most serious category of AI Act violations. Administrative fines may reach €35 million or 7% of the company's total worldwide annual turnover, whichever is higher. In addition to financial penalties, regulators may order the withdrawal of AI systems from the market, prohibit certain activities, or impose other corrective measures. Criminal liability, where applicable, remains governed by the national laws of individual EU Member States.
