The European AI Act: Understanding Compliance in a Risk-Based Regulatory Framework

In a recent Platforum9 session, Professor Andrej Savin, an expert in information technology law, provided valuable insights into the European AI Act, its global context, and what organizations need to know to navigate this complex regulatory landscape. Drawing from his experience researching how EU legislation affects business strategy and organizational structures, Savin offered a comprehensive overview of what makes the European approach distinct and how companies can adapt.

The European Approach vs Global Regulatory Models

The European Union has adopted a horizontal approach to AI regulation, meaning the AI Act covers all artificial intelligence applications through a single comprehensive framework. This contrasts sharply with approaches elsewhere:

  • United Kingdom: Moving toward sector-specific laws, believing this offers more flexibility and will attract companies
  • United States: Taking a “wait and see” approach, acting only when specific problems emerge
  • China: Competing with the US while focusing on maintaining control over Chinese AI companies

What distinguishes the EU approach is its foundation in product safety rather than rights-based law. “When you look at the AI Act, it looks very impressive and it’s huge,” Savin explained, “but it isn’t a rights-based law, so it isn’t something you can litigate in court. It’s a product safety approach.”

A Complex Regulatory Landscape

The AI Act doesn’t exist in isolation but interacts with numerous other regulations, creating a complex compliance environment. Organizations must navigate:

  • GDPR and privacy regulations
  • Labor laws (particularly when using AI in hiring)
  • Constitutional issues and fundamental rights
  • Copyright legislation
  • Cybersecurity requirements

This regulatory intersection creates significant challenges. For example, when training AI models, different data sources fall under different GDPR requirements: “If you’re purchasing a dataset, you have indemnity clauses. If you’re scraping from the web, you need a valid legal basis. If you’re using customer information, you may have consent, but does that consent cover AI training?”

Surprisingly, according to Savin, many companies report that “at the moment it’s not the AI Act compliance that’s the problem. It’s the GDPR compliance.”

Global Reach of EU Regulation

The AI Act’s scope extends beyond EU borders, applying to any organization:

  • Located in Europe
  • Targeting European users
  • Producing AI that enters the European market

“If you’re in any way connected with Europe and using, producing, or deploying AI, you simply assume that you’re covered,” Savin noted. While this extraterritorial approach follows the GDPR model, Savin doubts the AI Act will have the same “Brussels effect” of influencing global standards: “GDPR was very clear to understand and it was easy for people to see the value. With this complicated risk-based network of intertwining rules, I think it’s much more difficult for people to see the value and adopt that model.”

Risk-Based Compliance: Understanding Your Obligations

The AI Act establishes a tiered approach to regulation based on risk categories, with different compliance requirements for each level:

  1. Prohibited AI – completely banned applications
  2. High-risk AI – subject to extensive requirements
  3. Large language models – specific obligations for these systems
  4. Lower-risk applications – fewer requirements

Your position in the AI value chain significantly impacts your compliance burden. Producers of AI face the most extensive requirements, while users and deployers have fewer obligations.

“If you are not a producer of AI, the set of obligations that apply to you is relatively narrow,” Savin explained. “As a user or deployer, you have a significantly smaller set of obligations than if you’re a producer.”

Organizations must conduct continuous risk assessments for high-risk AI and large language models, forcing companies to evaluate their AI systems and mitigate potential harms. This represents a shift from a litigation mindset to a compliance-oriented approach.

Management and Cross-Functional Responsibility

One of Savin’s most crucial points concerned organizational structure and leadership responsibility. AI compliance cannot be delegated solely to IT or legal departments but requires board-level engagement and cross-functional teams.

“All digital laws require in one way or another that management be involved,” Savin emphasized. “You have to have compliance-oriented culture from the top. If the top isn’t into this, and it’s not just a phrase like ‘our mission and vision’, it has to be ‘we need to understand what’s happening, who’s in charge of what.'”

Companies often mistakenly assign AI compliance solely to their IT departments, only involving legal counsel when problems arise—by which point, it’s too late. Instead, Savin recommends:

  • Board-level understanding of AI risks
  • Cross-functional compliance teams
  • Integration of risk assessment into business processes before launching new digital products
  • Product teams using compliance checklists
  • Involving lawyers early in the development cycle

Third-Party AI Tools and Modification Thresholds

For organizations using third-party AI tools, major providers like Microsoft generally offer compliance-ready versions. “If you go to Microsoft, they would give you the version that is GDPR compliant, that has the right liability clauses, the right indemnity built in,” Savin noted.

However, companies need to be cautious about modifications to existing models. The AI Act contains thresholds where customizations may reclassify a company as a producer rather than merely a user: “If you modify it, and if that modification goes above a certain mathematical threshold, which I think at the moment is 10 to the value of 22 flops, then you are assumed to be the producer.”

Practical Challenges: Limited Guidance and Emerging Case Patterns

Organizations face significant practical challenges implementing AI Act compliance due to limited guidance. While the legislation is in effect, supporting materials like the code of practice for large language models haven’t been finalized. “There’s very little guidance,” Savin acknowledged. “There’s been a lot of debate because it seems they’ve watered it down after the Americans pressured them.”

Despite this uncertainty, case patterns are emerging in specific domains:

  • Copyright: Large language models facing lawsuits over training data
  • Employment: Issues with AI in hiring processes and workplace monitoring
  • Product liability: Concerns around AI in vehicles and other products

Compliance as a Business Advantage

Rather than viewing AI regulation as merely a burden, Savin suggests organizations adopt “bespoke compliance”—tailored approaches that add business value rather than checking generic boxes.

“Good compliance is also good business,” Savin argued. “Compliance by design where you have to work out what your compliance pattern is and see value in it. Then you compete on the idea that you are compliant and people will go to you because they know you respect GDPR and other regulations.”

Looking Forward

While the EU approach is demanding, Savin believes most requirements are reasonable. “I can’t really point to anything in the AI Act where I have a good case to say, ‘this is a disastrous approach that will slow things down dreadfully.’ A lot of the things it suggests are relatively reasonable.”

The challenge lies not in any specific requirement but in navigating the complexity of the overall system, particularly for smaller organizations without extensive compliance resources. For those seeking help, Savin recommends AI compliance checkers that provide initial direction through simple questionnaires, as well as professional networks where experts share insights.

As AI regulation continues to evolve globally, organizations must develop compliance strategies that balance innovation with responsibility. Those that embrace “compliance by design” may find themselves with not just reduced legal risk, but also a competitive advantage in a marketplace increasingly concerned with AI ethics and safety.

Related

Redefining the Lawyer’s Professional Identity

Legal Tech Literacy for Law Firms: Building Foundations for the Future

Coaching in Legal

AI Integration for In-House Legal Teams

Non-Lawyers in Arbitration

Related

Redefining the Lawyer’s Professional Identity

Legal Tech Literacy for Law Firms: Building Foundations for the Future

Coaching in Legal

AI Integration for In-House Legal Teams

Non-Lawyers in Arbitration

Bridging the Gap Between Academia and Practice in the Age of AI

Breaking the Taboo Around Money In Legal

Smart Tech for Smart Holidays

From Big Law to Building My Law

How to Make the Right Legal Tech Choices?

Beyond the Hype: AI Agents in Legal Practice

Sanctions and Arbitration: Navigating the New Reality

AI Literacy for Law Firms: What Legal Practitioners Need to Know

Southeast Europe M&A: Investment Opportunities in a Dynamic Region

Trust Me, I’m a Coach: The Opportunity for Coaching in Legal Practice

Lawyer Wellbeing When Handling Legal Tech Implementation

English Arbitration Act 2025 Reforms: Modernising London’s Arbitration Framework

Latest in Legal Tech Innovation: The U.S. Perspective

Collaborating to Build Effective Legal Tech:

The Italian Legal Connection: An Evolving Market Overview 

Commercial Skills: The Missing Piece in Legal Education

The European AI Act: Understanding Compliance in a Risk-Based Regulatory Framework

Business Development Support: A Catalyst for Legal Career Progression

International Arbitration Forum: Major Trends Revealed

Navigating Your Career in Big Law: Insights from Perkins Coie’s Ian Bagshaw and Natalie Thomas

Essential Legal Tech Skills for Today’s Lawyers

What Law Firms Are Really Looking For When Recruiting Trainees: Insights from Julian Yarr

Embracing AI in Legal Recruitment: How Candidates Can Leverage Technology for Success

Building Your LinkedIn Professional Presence

Navigating the SQE: Expert Insights on Preparation for Aspiring Solicitors

Interview Prep Techniques

Securing Your Training Contract in the UK & Ireland

Mastering Your Elevator Pitch: Tips & Tricks for Law Students and Early Career Lawyers

Reskilling for the Future: New Skills for Lawyers to Succeed

Building an Effective AI Strategy for Legal Teams: Insights from Jonathan Williams

Building a Lean Legal Enterprise

How Legal Operations Can Elevate Law Firm Performance: Insights from Vadym Kuzmenko

Selecting and Implementing Legal AI: Lessons from Bird & Bird

Developing an Effective CRM Strategy for Modern Law Firms

Legal News & Views | Law Firm Consolidation and Trade Tensions: Reshaping the Global Legal Landscape

How Delegation Can Accelerate Your Legal Career

The Spiritual Dimension of Peak Performance for Lawyers

Human Capital Trends 2025: Navigating the Future of Talent in the Legal Industry

Branding Yourself as a Lawyer: Building an Authentic Professional Identity

How to Streamline Your BD Activity to Be More Effective

Legal Hiring Trends: Insights from a UK Based Veteran Recruiter

How to Turn Your Network Into New Clients

The Division of Human and AI Roles in Legal Document Drafting

Everyday Leadership in Law: Why Everyone Needs to Be a Leader Now

Legal News and Views

Peak Performance Lawyer: Mastering Emotional Energy

How To Be Successful by Building Strategic Relationships in Law

Open Mic Arbitration: Launching a New Forum on Arbitration Trends

Why Pro Bono Still Matters in Legal

How to Leverage Global Connections to Grow Your Business

Get early access
to our community

Shape the future of legal

Apply as a moderator by filling and submitting this form.
We will use the information you provide on this form to be in touch with you. You can change your choice at any time by using the Manage consent link in this widget or by contacting us. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with our Terms.

Get Early Access to our app

We will use the information you provide on this form to be in touch with you. You can change your choice at any time by using the Manage consent link in this widget or by contacting us. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with our Terms.

Please fill out your details

We'll get back to you within 5 working days