European AI Act
who does it really affect?

Abstract European flag with 'EU AI Act' text and Volcanic Minds logo

Sure, that's OpenAI and Anthropic's problem

It's the first thing we hear when we bring up the EU AI Act with a business owner. It's also the most dangerous misconception. Regulation (EU) 2024/1689 doesn't only hit those who build the models: it mainly hits those who use them in their own processes. If you've embedded an assistant in customer care, an agent that reads your ERP, or a system that triages cases, you're most likely a deployer. And the obligations around oversight, logging and compliant use fall on you, not on the model's vendor.

Provider or deployer: a difference that matters

The Regulation separates whoever develops the model (the provider) from whoever puts it into operation under their own authority (the deployer). The second group is far more crowded than the first: it includes practically every company that has taken AI beyond the demo stage. You don't need to have trained an LLM to carry responsibility. Using one to decide, filter or automate a process that affects people, customers or employees is enough.

The deadline almost no one is preparing for

From 2 August 2026, the bulk of the European obligations apply, including those for high-risk systems. In Italy the picture is already shifting: Law 132/2025 is in force, and the implementing decrees on the way are building a regime of liability — criminal and corporate too — for those who ship AI without control. The precise dates, the penalties and the exact legal references, with all the official sources, are collected on our dedicated EU AI Act page.

You can't buy your way to compliance

Here's the uncomfortable part. AI Act compliance isn't solved by filling in an 80-page PDF or buying a compliance dashboard licence. The theoretical obligations have to be translated into concrete technical choices inside the software: deterministic validation around LLM calls, immutable traceability of operations, human checkpoints on high-risk decisions. This is what we call Compliance by Design: a non-functional requirement of the architecture, not paperwork bolted on at the end of the project. Every non-architectural shortcut is debt you pay back during an inspection.

What we've prepared for you

We've put two things in writing. The first is a hands-on EU AI Act guide built for decision-makers, not lawyers: what changes, who's involved, and the four technical pillars — guardrails, observability, human-in-the-loop and data sovereignty — that real compliance hinges on. The second is a set of frequently asked questions that clears up the most concrete doubts: who's liable, how to bring existing systems into compliance, and why "easy compliance" is a bluff.

And if you want to know where you're genuinely exposed, we offer a free assessment: we map your AI systems against the four pillars and hand you the priority gaps against the Regulation's obligations. No strings attached, and no 80-page PDF nobody reads.

One necessary note: ours is an engineering contribution, not legal advice. For an assessment of your specific case, we bring a qualified professional to the table, together with you.

red circle left decoration violet circle right decoration

Find out where your AI is exposed

Adopting AI shouldn't turn into a legal gamble. Book a conversation: we start from your real systems and work out what you actually need, well before 2 August 2026.

Book a meeting
Share the article

Tag: ComplianceAI

Publication date: June 29, 2026

Latest revision: June 29, 2026