Compliance Guide
EU AI Act Compliance: A Practical Guide for Enterprise Security Teams
The EU AI Act entered into force on August 1, 2024, and applies in stages: the bans on prohibited AI practices and the AI literacy duty in Article 4 have applied since February 2, 2025, and most remaining obligations apply from August 2, 2026. Fines reach EUR 35 million or 7% of global annual turnover for prohibited practices and EUR 15 million or 3% for most other breaches, whichever is higher. This guide covers what matters for enterprises that use AI tools rather than build them.
What is the EU AI Act?
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive legal framework for artificial intelligence. The European Parliament adopted it on March 13, 2024, the Council approved it on May 21, 2024, and it was published in the Official Journal on July 12, 2024. It establishes harmonised rules for the development, placing on the market, deployment and use of AI systems within the European Union.
The GDPR (data protection) and NIS2 (cybersecurity) each regulate one subject matter; the EU AI Act instead regulates AI systems as such, in every industry. It sorts them by risk level: unacceptable (banned under Article 5), high-risk (Annex I and Annex III), limited risk (transparency duties under Article 50) and minimal risk. The classification attaches to the use case, not the product: a general-purpose chatbot such as ChatGPT, Claude, Gemini or Copilot used to draft e-mails is minimal risk, but the same tool used to screen job applicants falls under Annex III (employment) and is high-risk. Most enterprise usage sits in the lower tiers, but specific obligations still apply.
Key Timeline
- August 1, 2024: entry into force.
- February 2, 2025: prohibitions on unacceptable-risk practices (Article 5) and the AI literacy obligation (Article 4) apply.
- August 2, 2025: obligations for general-purpose AI model providers, the governance provisions and the penalty regime apply.
- August 2, 2026: most remaining obligations apply, including those for Annex III high-risk systems.
- August 2, 2027: obligations for high-risk systems embedded in products regulated under Annex I apply.
Which Articles Matter for AI Users (Not Builders)?
Most compliance guides focus on AI developers (providers, in the Act's terminology). But 90% of European enterprises are deployers (Article 3(4)): they use third-party AI tools rather than build them. Here are the articles most often cited, and what each actually means for a deployer:
Article 4 — AI Literacy
Article 4 requires providers and deployers to ensure a sufficient level of AI literacy among their staff and anyone else operating or using AI systems on their behalf, taking into account their training, the context of use and the people affected. It has applied since February 2, 2025. You cannot target that training without knowing which AI tools employees use, how they use them and what the risks are, so an inventory is the practical starting point.
How Noxys helps: Shadow AI discovery inventories the AI tools in use across your organization, sanctioned or not, which is the visibility you need before Article 4 training can be targeted.
Article 9 — Risk Management
Article 9 requires providers of high-risk AI systems to establish and maintain a risk management system throughout the system's lifecycle. It does not bind deployers directly; the deployer-side duties sit in Article 26: use the system in line with the provider's instructions, monitor its operation, keep the logs it generates for at least six months (Article 26(6)) and, for public bodies and certain Annex III deployers, carry out a fundamental rights impact assessment (Article 27). For an enterprise using third-party AI tools, that means continuously monitoring how they are used and assessing risks such as data leakage, bias and compliance gaps.
How Noxys helps: Automated risk scoring per interaction and per platform. Real-time PII detection flags sensitive data (IBANs, e-mail addresses, credentials) before it reaches a third-party AI provider.
Article 13 — Transparency
Article 13 requires providers to design high-risk AI systems so that deployers can interpret and use their output appropriately, and to ship instructions for use. The transparency duties that reach deployers directly are in Article 50 (disclosing deepfakes and AI-generated text published on matters of public interest) and in the record-keeping duty of Article 26(6). In practice this means maintaining audit trails and documentation of how AI is used within the organization.
How Noxys helps: Immutable audit trail of every AI interaction. A full reporting dashboard with department-level drill-down supports these documentation and record-keeping obligations.
Article 14 — Human Oversight
Article 14 requires providers to design high-risk AI systems so that natural persons can oversee them effectively while in use: understand the system's capabilities and limits, spot anomalies and automation bias, and intervene, override or stop it. The matching deployer duty is Article 26(2): assign oversight to people who have the competence, training, authority and support to exercise it. Organizations must therefore implement controls that let humans review, intervene in and override AI-assisted decisions.
How Noxys helps: Policy engine enforces human-in-the-loop controls. Admins can block, coach, or log AI interactions in real time based on configurable rules per department.
The Shadow AI Problem
Research from Gartner indicates that 85% of AI usage in enterprises goes unmonitored. Employees use ChatGPT, Claude, Gemini, DeepSeek, and dozens of other AI tools daily — often pasting sensitive data including customer records, financial data, credentials, and internal documents into prompts.
This creates a dual compliance problem. Under the GDPR, pasting personal data into a consumer AI tool discloses it to a third party without a lawful basis or processor agreement (Articles 6 and 28), and often moves it outside the EU without Chapter V transfer safeguards. Under the EU AI Act it leaves governance gaps: no inventory, no risk assessment, no audit trail.
Key statistic: According to a 2024 Cyberhaven study, 11% of data pasted into ChatGPT by employees is confidential. The average enterprise has 23 unsanctioned AI tools in active use.
Penalties for Non-Compliance
Fines under the EU AI Act (Article 99) are structured by severity and apply from August 2, 2025:
- Prohibited practices (Article 5): up to EUR 35 million or 7% of total worldwide annual turnover.
- Breaches of other obligations, including the deployer duties in Article 26 and the transparency duties in Article 50: up to EUR 15 million or 3%.
- Supplying incorrect, incomplete or misleading information to authorities: up to EUR 7.5 million or 1%.
In each tier the higher of the two amounts applies, except for SMEs and start-ups, where the lower applies.
Getting Started: 5-Step Compliance Checklist
- Inventory — Discover all AI tools in use across your organization (sanctioned and shadow).
- Classify — Map each AI tool to the EU AI Act risk categories.
- Policy — Define acceptable use policies per department, per tool, per risk level.
- Monitor — Implement real-time monitoring with PII detection and audit logging.
- Report — Maintain compliance documentation and audit trails for regulators.
Noxys covers steps 1, 3, 4, and 5 out of the box. Browser-based discovery is operational in under 10 minutes with no infrastructure changes required.
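What "real-time PII detection" before a prompt leaves the organization looks like in code, as an added example for the Article 9 section above and for step 4 of this checklist (it is not Noxys code and not part of the original page): a prompt screener that validates IBAN candidates with the ISO 13616 mod-97 checksum, spots e-mail addresses, AWS access key IDs, key=value secrets and private-key headers, then maps the findings onto the block/coach/allow outcomes. The sample prompt, the pattern set and the action table are constructed for this example; a production deployment needs a far broader pattern catalogue.

```python
import re
from dataclasses import dataclass

# Constructed sample prompt for this example (no real customer data). The IBAN
# is the standard illustrative GB IBAN and the AWS key is the one from AWS's own
# documentation; neither belongs to anyone.
SAMPLE_PROMPT = """Summarise this refund case for me.
Customer: jane.doe@example.com
Refund to IBAN GB82 WEST 1234 5698 7654 32 (old one was GB82 WEST 1234 5698 7654 33, rejected).
Ops notes: AWS key AKIAIOSFODNN7EXAMPLE was rotated yesterday.
db_password=Tr0ub4dor&3
"""

# Candidate patterns (assumed set for this example). The IBAN pattern is
# deliberately loose (country code, two check digits, 4-character groups with
# optional spaces); the mod-97 checksum below does the real work and discards
# false positives.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential": re.compile(r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*\S+"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Which finding kinds block the request outright and which only trigger coaching.
ACTION = {"email": "coach", "iban": "block", "aws_access_key_id": "block",
          "credential": "block", "private_key": "block"}


@dataclass
class Finding:
    kind: str
    start: int
    end: int
    text: str


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map letters
    to 10..35, and the resulting integer mod 97 must equal 1."""
    compact = re.sub(r"\s+", "", iban).upper()
    if not (15 <= len(compact) <= 34 and compact[:2].isalpha() and compact[2:4].isdigit()):
        return False
    rearranged = compact[4:] + compact[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # '0'-'9' -> 0-9, 'A'-'Z' -> 10-35
    return int(digits) % 97 == 1


def scan_prompt(text: str) -> list[Finding]:
    """Return all sensitive spans in the prompt, ordered by position."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if kind == "iban" and not iban_is_valid(m.group()):
                continue  # looked like an IBAN but fails the checksum: not one
            findings.append(Finding(kind, m.start(), m.end(), m.group()))
    return sorted(findings, key=lambda f: f.start)


def decide(findings: list[Finding]) -> str:
    """Map findings to the three policy outcomes: block, coach or allow."""
    if any(ACTION[f.kind] == "block" for f in findings):
        return "block"
    return "coach" if findings else "allow"


def redact(text: str) -> str:
    """Replace every finding with a placeholder, working from the end so earlier
    offsets stay valid. This is what would be forwarded under a
    'redact and allow' policy instead of a hard block."""
    out = text
    for f in reversed(scan_prompt(text)):
        out = out[:f.start] + f"[REDACTED:{f.kind}]" + out[f.end:]
    return out


if __name__ == "__main__":
    found = scan_prompt(SAMPLE_PROMPT)
    for f in found:
        print(f"{f.kind:18} {f.text}")
    print("decision:", decide(found))
    print(redact(SAMPLE_PROMPT))
```

Running the block lists four findings, returns the decision "block" and prints a redacted prompt in which the second IBAN survives untouched because its check digits fail mod-97; that is the point of validating candidates instead of trusting the regex alone, since every false positive a screener raises is a prompt an employee learns to route around.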
Start Your EU AI Act Compliance Journey
Deploy Noxys in under 10 minutes. Free plan for up to 10 users. No credit card required.