Compliance fatigue or strategic edge? The EU AI Act decides.

In 2025, the EU AI Act moves from legislative text to day-to-day reality. Medium-sized and large European organisations that treat the regulation purely as a legal hurdle will struggle to keep pace with shifting client expectations and partner due-diligence checks. Those that embed its logic into product design and governance will position themselves as trusted suppliers in a global market that prizes accountability as highly as performance.

1. The Pyramid of Risk

The Act classifies artificial-intelligence systems by societal risk and introduces staggered entry dates that merit careful diary-tracking:

• Prohibited practices (in force from 2 February 2025). Social scoring of citizens, untargeted scraping of facial images for databases, and workplace emotion recognition must be switched off or never deployed [1].
• High-risk systems (full obligations by 2 August 2027). Credit scoring, medical-diagnostic support, recruitment filtering, and education-assessment tools fall here. Providers must document data provenance, run pre-launch risk assessments, enable effective human oversight, and keep activity logs for at least ten years [2].
• General-purpose AI models (GPAI) (requirements start 2 August 2025). Model providers must publish summaries of copyrighted material used for training, disclose energy usage, and implement state-of-the-art safety testing. Models deemed to present “systemic risk” face even stricter evaluation and red-teaming duties [3].
• Limited- and minimal-risk applications. Chatbots and recommendation engines must make it clear that users interact with an automated system and explain the main parameters shaping outputs.

2. Scope and Extraterritorial Reach

Coverage is broad. The Act applies to providers, importers, distributors, and professional users whenever an AI system is placed on the EU market or affects people located within the Union. A British software vendor whose SaaS platform embeds a third-party model still carries responsibility for ensuring upstream compliance. Contractual clauses with overseas partners are therefore necessary but not sufficient; robust supply-chain audits will be the norm.

3. The 2025 Window

Three developments make 2025 critical:

1. Prohibition enforcement begins in February. Supervisory authorities can impose fines of up to seven per cent of global turnover for the most serious infringements [4].
2. GPAI transparency and governance obligations bite in August. The Commission’s AI Office will publish a voluntary Code of Practice in the first half of the year, yet companies should not rely on its timing. Several industry coalitions are already drafting self-regulatory benchmarks [5].
3. National implementation ramp-up. Member States must designate market-surveillance authorities and launch AI sandboxes. Early engagement with these bodies can ease conformity-assessment journeys, especially for novel use cases that do not match legacy CE-marking regimes.

4. Leveraging Trust as a Market Differentiator

By 2027, adherence to the Act is likely to become the baseline for public-sector procurement and B2B tenders, replicating the contractual status of GDPR today. Forward-looking organisations are embedding risk controls directly in their machine-learning operations pipelines, training product managers in AI literacy, and assigning board-level accountability for model governance. The return on investment is twofold: lower enforcement risk and stronger brand equity built on verifiable trust.

5. Immediate Actions for 2025

6. Experiences from Polaris

At Polaris Management, through our work on ethics protocols and applied AI governance, we have observed a widening gap between theory and practice during the past three quarters, particularly inside large corporations. There is a clear tension: organisations try to impose rigid boundaries to reduce perceived AI chaos yet frequently ignore the cultural realities of adoption. When AI is available it will be used, whether officially sanctioned or not. Denying this behavioural truth breeds frustration and inefficiency, especially among middle managers, where restrictions on automation collide with unspoken workarounds. The outcome is disempowerment, opaque decision-making, and a silent rebellion through unofficial tools.

In contrast, among SMEs and start-ups the struggle is not containment but survival. It feels like being thirsty while surrounded by more water than you can drink and still at risk of drowning. The velocity of change is overwhelming, and the EU AI Act, though ambitious, lacks structural nuance for smaller entities. Many are caught between the need to innovate quickly and the fear of failure. Without an internal compliance team or regulatory buffer, decision paralysis and creeping disorientation take hold precisely when agility should be a competitive asset.

7. Strengths and Shortcomings of the AI Act for Mid- and Large-Sized Firms

While public debate often frames the AI Act around compliance and control, a less-obvious yet potentially more strategic dimension is the opportunity to lead. For mid-sized and large organisations, the regulation creates space to position themselves not merely as adopters of technology but as stewards of responsible innovation. The real value lies not only in obeying the rules but in shaping expectations: inside the business, in the way teams collaborate with AI; and outside, in how customers perceive AI-enabled services.

The Act’s most compelling strength is its ambition to standardise trust. In a digital economy where data is currency and automated decision-making is routine, trust becomes a hard differentiator. The regulation forces organisations to operationalise their values: what data they collect, how they process it, who reviews outputs, and what happens when systems fail. For firms in highly regulated sectors such as healthcare, financial services, and public administration, the framework provides an immediate lens to audit AI maturity and strengthen governance. It also arms procurement teams with clear criteria for vetting external vendors, especially those based outside the EU.

Yet the Act is not without shortcomings. The administrative load may stretch internal resources, and the timeline for high-risk obligations leaves a gap during which inconsistent national-level guidance could emerge. For smaller corporate subsidiaries, fixed compliance costs may bite hardest. Moreover, the regulation’s treatment of GPAI is still evolving, leaving creative-content firms uneasy about liability boundaries. Companies that treat these limitations as design constraints rather than blockers will be best placed to adapt swiftly when guidance clarifies.

8. Conclusion

The AI Act is more than a checklist; it is a strategic environment that rewards organisations able to demonstrate safety, transparency, and respect for fundamental rights. By acting decisively in 2025, medium- and large-sized European businesses can convert regulatory diligence into commercial advantage and prepare for a future in which trustworthy AI is the default expectation rather than a premium feature.

References

1. European Commission, “Regulatory framework on Artificial Intelligence: next steps and timeline”, Digital Strategy portal, https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
2. Ropes & Gray, “EU AI Act published in the Official Journal”, https://www.ropesgray.com/en/insights/viewpoints/2024/EU-AI-Act-Published
3. European Commission, “General-Purpose AI Models in the AI Act – Questions & Answers”, https://digital-strategy.ec.europa.eu/en/faqs/general-purpose-ai-models-ai-act-questions-answers
4. Baker McKenzie InsightPlus, “AI Act provisions applicable from February 2025”, https://insightplus.bakermckenzie.com/bm/data-technology/european-union-ai-act-provisions-applicable-from-february-2025
5. Reuters, “Will the EU delay enforcing its AI Act?” (3 July 2025), https://www.reuters.com/business/media-telecom/will-eu-delay-enforcing-its-ai-act-2025-07-03/