New EU rules on AI 2026: What IT teams need to implement now
Regulatory change in Europe: focus on the EU AI Regulation
With the AI Act (Regulation (EU) 2024/1689), adopted in 2024, the European Union has set a new standard for the responsible use of artificial intelligence. The obligations apply in stages: the bans on prohibited practices and the AI-literacy duty have applied since February 2025, the rules for general-purpose AI models since August 2025, and most remaining obligations, including those for high-risk systems, become mandatory for companies and authorities from August 2026 (with a further deadline in 2027 for AI embedded in regulated products). IT teams in companies of all sizes therefore face fundamental changes: innovation and progress remain desirable, while at the same time the requirements for transparency, security and ethically safe use of AI systems are increasing.
The regulation follows a risk-based model: AI applications are categorised into risk categories based on their area of application and potential impact. Depending on the risk, the spectrum ranges from barely regulated applications to explicit bans on dangerous technologies. This results in a flexible set of rules that takes into account a wide variety of application scenarios.
This article provides a structured overview of the content of the regulation, highlights practical implications for IT departments and explains which requirements must be met by 2026 at the latest. Specific recommendations help IT teams prepare in good time.
Risk classes and compliance obligations: Key aspects of the EU AI Act
The EU AI Regulation essentially distinguishes between four risk categories, each of which is subject to specific requirements:
- Prohibited AI applications: These include social scoring and manipulative or exploitative systems that cause significant harm to individuals. Such uses are banned within the EU.
- High-risk AI systems: Applications in critical infrastructure, medical diagnosis, creditworthiness assessment or personnel decisions fall into this class. They are subject to strict requirements for risk management, documentation, transparency, human oversight and continuous monitoring.
- Limited risk: AI applications with manageable risks, such as chatbots, are subject to an explicit transparency obligation: users must be able to recognise that they are interacting with an AI system.
- Minimal or no risk: The law practically does not apply to classic automation; there are no documentation or reporting obligations here.
Noteworthy for IT managers: The EU AI Regulation addresses not only providers (developers) of AI systems, but also deployers, importers and distributors. Buying in an external solution therefore does not remove the obligation: the purchasing organisation must check compliance and, where necessary, make adjustments.
Concrete consequences for IT: where organisations should take action
The challenges posed by the regulation will vary depending on the company structure and digital strategy. AI solutions already in use today will be subject to stricter processes in future. The requirements are growing, particularly in risk-sensitive areas. Three typical areas of application:
- AI-supported applicant selection in the company: The algorithms used must be systematically tested for fairness and regularly audited. Comprehensive documentation is mandatory.
- Cancer detection using AI in hospitals: Such systems are considered high-risk and require ongoing risk management as well as technical and organisational control instances.
- Chatbots in customer service: There is a transparency obligation for such AI applications, meaning that users must be clearly informed about the use of AI.
In practice this means: IT departments need processes for risk assessment, logging, quality assurance and incident handling as soon as AI solutions are used in critical domains.
Implementation roadmap for IT teams: how to position yourself now
Even before the 2026 deadline, it is advisable to introduce structured steps to efficiently implement the requirements of the regulation. The following measures are recommended:
- Systematic inventory of AI systems: Where are AI technologies being used? Who is responsible for development or operation? Which risks need to be evaluated?
- Risk categorisation based on the EU classification: Involve data protection, compliance and, if necessary, specialist departments for correct classification.
- Check documentation and transparency obligations, especially for high-risk systems: What data is processed, and how? How are automated decisions made, and can they be explained to the people affected?
- Implement minimum technical requirements: Implement monitoring, logging, standardised maintenance processes and troubleshooting routines for all relevant AI applications.
- Targeted information and training: IT staff and users require sensitisation to specific risks and the correct use of AI tools.
For large companies, it is advisable to set up dedicated teams for AI governance. For small and medium-sized companies, pragmatic management processes or targeted external consulting are recommended.
Technical adjustments to existing and new AI systems
Some of the upcoming changes also require substantial technical interventions in AI infrastructures. Typical focal points here:
- Duty of explanation and traceability: In the high-risk segment, opaque models ("black box") are coming under increasing pressure. Explainable AI tools such as SHAP and LIME provide a basis for documenting how individual decisions were reached. The original snippet, completed so that it runs (X_train, y_train and X_test are assumed to exist as pandas DataFrames / Series):

```python
import shap
import xgboost

# X_train, y_train, X_test are assumed to exist (e.g. pandas DataFrames / Series)
dtrain = xgboost.DMatrix(X_train, label=y_train)
model = xgboost.train({"objective": "binary:logistic"}, dtrain, num_boost_round=100)

explainer = shap.Explainer(model)      # selects TreeExplainer for an XGBoost Booster
shap_values = explainer(X_test)        # per-feature contribution to each prediction
shap.plots.waterfall(shap_values[0])   # explain the first test-set decision
```
- Technical protective measures: Monitoring for bias, data leaks or malfunctions, supplemented by fine-grained, tamper-evident logging, is essential.
- Security strategy for data and models: access control, anonymisation of training data and regular security tests are becoming increasingly important.
- Documentation and auditing: Automated logging of all modelling processes and results to ensure audit readiness at all times.
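The fairness testing required for applicant selection and the bias monitoring with structured logging listed above can be combined in one check that runs after every batch of decisions. The following is an added example, not code from the original article: it computes per-group shortlisting rates and the disparate-impact ratio (lowest rate divided by highest), writes one JSON audit line, and raises an alert below a threshold. The decisions, group labels, model version and the four-fifths threshold are constructed assumptions; the AI Act does not prescribe a specific fairness metric, so the choice must be documented.

```python
import json
import logging
from collections import defaultdict
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed sample: shortlisting decisions of a hypothetical screening model,
# 10 applicants per group. Group labels and counts are assumptions for this example.
SAMPLE_DECISIONS = (
    [{"applicant_id": f"A{i}", "group": "A", "shortlisted": i < 6} for i in range(10)]
    + [{"applicant_id": f"B{i}", "group": "B", "shortlisted": i < 3} for i in range(10)]
)

# Alert threshold: the four-fifths rule from US employment testing, used here as an
# assumed threshold; the regulation itself does not prescribe one.
FOUR_FIFTHS = 0.8


def selection_rates(decisions):
    """Share of applicants shortlisted, per group."""
    totals, selected = defaultdict(int), defaultdict(int)
    for d in decisions:
        totals[d["group"]] += 1
        selected[d["group"]] += int(bool(d["shortlisted"]))
    return {g: selected[g] / totals[g] for g in totals}


def disparate_impact(rates):
    """Lowest group selection rate divided by the highest (1.0 = parity)."""
    best, worst = max(rates.values()), min(rates.values())
    return worst / best if best else 1.0


@dataclass
class BiasCheck:
    timestamp: str
    model_version: str
    rates_by_group: dict
    impact_ratio: float
    threshold: float
    status: str  # "OK" or "ALERT"


def run_bias_check(decisions, model_version, threshold=FOUR_FIFTHS, logger=None):
    """Compute the metric and emit one structured JSON audit line."""
    rates = selection_rates(decisions)
    ratio = round(disparate_impact(rates), 3)
    record = BiasCheck(
        timestamp=datetime.now(timezone.utc).isoformat(),
        model_version=model_version,
        rates_by_group=rates,
        impact_ratio=ratio,
        threshold=threshold,
        status="OK" if ratio >= threshold else "ALERT",
    )
    logger = logger or logging.getLogger("ai_audit")
    emit = logger.warning if record.status == "ALERT" else logger.info
    emit(json.dumps(asdict(record), sort_keys=True))  # machine-readable audit trail
    return record


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    result = run_bias_check(SAMPLE_DECISIONS, model_version="screening-v1")
    print(result.status, result.impact_ratio)  # ALERT 0.5 for the constructed sample
```

The JSON line carries everything an auditor needs to reproduce the figure (model version, per-group rates, threshold), which is what makes the log useful as documentation rather than just as a debugging aid. In production the decisions would come from the decision log of the screening system rather than from the constructed list.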
These requirements apply to both in-house developments and purchased SaaS products. IT managers should therefore carefully check the technical documentation of any external solution and require evidence of compliance with the EU requirements from the vendor.
EU AI law in global comparison: where Europe leads the way
In an international comparison, the European regulations are much more detailed and stringent. A look at other regions shows:
- USA: Regulatory measures there are primarily sector-specific; there is no consistent nationwide framework comparable to the EU's.
- China: Detailed requirements exist for deepfakes or recommendation systems, for example, but the transparency requirements are less comprehensive than in the EU context.
- UK: The focus is on voluntary guidelines and technical standards without a binding legal framework.
Companies with branches in several regions will therefore have to develop different compliance strategies in the future. The requirements are increasing significantly, especially for EU locations - global harmonisation has yet to be achieved.
Implementation in practice: how IT teams avoid typical hurdles
Companies can run into organisational or technical difficulties during the implementation phase in particular, for example because documentation or testing obligations were overlooked. Recommended practical approaches are:
- Involving legal and ethical expertise at an early stage when initiating AI projects
- Testing and piloting governance processes on individual systems in order to develop scalable solutions
- Ongoing review of the status quo through regular gap analyses between existing infrastructure and regulatory requirements
- Automated compliance checks in CI/CD pipelines, e.g. via pre-commit scripts and policy engines that block a merge or release when required documentation or configuration is missing
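What such a pre-commit or CI policy check can look like, as an added example that is not part of the original article: each AI system is described by a small JSON inventory record, and the script fails the pipeline when a record lacks the fields its risk class requires, when a boolean control is switched off, or when the risk class is "prohibited". The inventory schema, field names and sample records are assumptions for this example; adapt them to your own governance process.

```python
import json
import sys
from pathlib import Path

# Required fields per risk class. The field names are assumptions for this example,
# modelled loosely on the regulation's documentation, logging and transparency duties.
REQUIRED_BY_RISK = {
    "high": ["system_id", "owner", "intended_purpose", "training_data_description",
             "human_oversight", "technical_documentation", "logging_enabled",
             "risk_management_owner"],
    "limited": ["system_id", "owner", "intended_purpose", "user_disclosure"],
    "minimal": ["system_id", "owner"],
}
VALID_RISK_CLASSES = set(REQUIRED_BY_RISK) | {"prohibited"}


def check_record(record):
    """Return a list of policy violations for one inventory record (empty = pass)."""
    risk = record.get("risk_class")
    if risk not in VALID_RISK_CLASSES:
        return [f"risk_class must be one of {sorted(VALID_RISK_CLASSES)}, got {risk!r}"]
    if risk == "prohibited":
        return ["risk_class 'prohibited': the system must not be deployed"]
    violations = [
        f"missing required field for {risk}-risk system: {name}"
        for name in REQUIRED_BY_RISK[risk]
        if record.get(name) in (None, "")
    ]
    # Boolean controls must be switched on, not merely present.
    if risk == "high" and record.get("logging_enabled") not in (None, "", True):
        violations.append("high-risk system must have logging_enabled: true")
    if risk == "limited" and record.get("user_disclosure") not in (None, "", True):
        violations.append("limited-risk system must set user_disclosure: true")
    return violations


def check_files(paths):
    """Check every file, print findings, return the number of failures (0 = pass)."""
    failures = 0
    for path in paths:
        try:
            record = json.loads(Path(path).read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            print(f"{path}: cannot read or parse: {exc}")
            failures += 1
            continue
        for problem in check_record(record):
            print(f"{path}: {problem}")
            failures += 1
    return failures


# Constructed sample records (not from any real inventory).
SAMPLE_HIGH_RISK_OK = {
    "system_id": "hr-screening-01", "owner": "hr-platform-team", "risk_class": "high",
    "intended_purpose": "Rank incoming applications for recruiter review",
    "training_data_description": "Anonymised 2019-2023 application records",
    "human_oversight": "A recruiter confirms every shortlist decision",
    "technical_documentation": "docs/hr-screening-01.md",
    "logging_enabled": True, "risk_management_owner": "ai-governance",
}
SAMPLE_HIGH_RISK_BAD = {**SAMPLE_HIGH_RISK_OK, "logging_enabled": False}
del SAMPLE_HIGH_RISK_BAD["training_data_description"]
SAMPLE_CHATBOT = {"system_id": "support-bot", "owner": "cx-team", "risk_class": "limited",
                  "intended_purpose": "First-line customer support", "user_disclosure": False}

if __name__ == "__main__":
    # Hook usage (assumed file layout): python ai_policy_check.py ai-inventory/*.json
    sys.exit(1 if check_files(sys.argv[1:]) else 0)
```

Wired into a pre-commit configuration as a local hook over the inventory directory, or as a CI job, the script turns "documentation obligation overlooked" from an audit finding into a failed build. The same record format can later feed the gap analysis mentioned above, since the inventory then lists every system with its risk class and owner.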
Teams that establish an overarching framework in which aspects such as security, data protection and accountability are systematically anchored are successful in the long term. Emergency procedures - such as a controlled shutdown in the event of malfunctions - should also be considered from the outset.
Outlook and strategic recommendations for a future-proof AI strategy
The implementation of the EU AI Regulation requires a continuous willingness to adapt - selective measures are not enough. The following are considered a sustainable basis:
- Establishment of AI readiness centres: Interdisciplinary teams accompany AI projects throughout the entire life cycle and promote institutional anchoring.
- Test operation of new tools: MLOps frameworks, monitoring solutions and automated audit mechanisms should be integrated and organised at an early stage.
- Critically review SaaS and cloud: Providers must provide binding proof of compliance - include corresponding testing processes in purchasing guidelines today.
- Carefully evaluate open source: Common open source libraries and models rarely ship with the documentation the EU requirements demand, so the integrating organisation has to supply it; a centralised review is recommended.
Conclusion: The EU AI regulation as a driver for responsible AI use
The European AI Act requires companies and organisations to use artificial intelligence more transparently and responsibly. Organisations that proactively invest in governance, documentation and compliance will gain the trust of customers, partners and regulators in the medium to long term.
Since the first obligations (the bans on prohibited practices and the AI-literacy duty) have applied since February 2025, IT teams need to put comprehensive processes, knowledge and basic technological structures for risky AI applications in place now rather than waiting for the 2026 deadline. The next few years will determine whether AI solutions not only fulfil regulatory requirements, but also establish themselves as trustworthy drivers of innovation. Experience from the European context could increasingly become a global role model.