When the GDPR came into effect, many companies thought it was “just an IT issue.” Three years later, fines and investigations proved that it was everyone's business.
With the EU’s Artificial Intelligence Regulation, history is repeating itself. And this time, there’s even less time to catch up.
The good news: if you act now, you can turn compliance into a real advantage over competitors who are winging it.
“What does my company need to do to comply with the AI Act?”
- Determine your legal role (deployer vs. provider): if you use AI tools in your operations (CRM, chatbot, HR), you are responsible for their use; and if you modify them or change their intended purpose, you assume the obligations of a provider.
- Train the team on AI (required): Implement and document training programs (6–10 hours) on responsible use, biases, limitations, and data protection in AI tools.
- Audit the AI systems you use: understand exactly what each tool does, what it is used for, and whether its use aligns with the provider’s intended purpose.
- Avoid prohibited practices: Do not use systems that involve emotion recognition, social scoring, sensitive biometric categorization, or subliminal manipulation in the workplace.
- Prepare for ongoing compliance and documentation, especially if you use AI in high-risk areas (HR, education, credit, etc.): keep audit trails and technical documentation (retained for up to 10 years), and be ready to respond to inquiries from authorities.
“I'm just buying the software” — the most expensive mistake of the year
The AI Act distinguishes between those who create AI and those who deploy it. If your company uses AI tools in its day-to-day operations—such as a CRM that segments customers, a system that screens candidates, or a customer service chatbot—you are legally considered a deployer. And that comes with specific obligations that do not disappear simply because you have signed a license agreement.
In other words: the responsibility doesn't lie solely with the software manufacturer. You are the one responsible for ensuring that the tool works properly in your specific context.
There is one point that needs to be made very clear:
If you substantially modify the system or use it for a purpose other than the one intended (for example, if you use commercial voice analysis software to assess your employees’ moods), you are no longer considered a deployer and become, legally speaking, a provider.
With all that entails.
Does your company use AI in HR, customer service, or sales processes? Do you know exactly what you're using it for?
Mandatory training — and right away
As of February 2025, there is a requirement to promote AI literacy among staff. This is not a recommendation or a mid-term goal: it is already in effect.
What does this mean in practice for a Spanish SME? Training programs lasting between 6 and 10 hours that must be documented, covering at least the following: what generative models are and their limitations, how to manage biases, what corporate data should never be entered into open AI tools, and how to detect when a system produces erroneous results.
The fact that surprises my clients the most when I tell them: in Spain, this training is often 100% reimbursable through Fundae. The cost of not complying far exceeds the cost of doing so.
A team that doesn't understand the tool it uses isn't just a productivity issue. It's an auditable compliance gap.
The red lines you can no longer cross
As of February 2025, certain practices are expressly prohibited. Some of these are built into commercial software that is currently sold without any special notice:
- Emotion recognition in work or educational settings. If your tool “analyzes the team's atmosphere” using computer vision or voice analysis, it needs to be reviewed immediately.
- Social scoring: classifying people based on their behavior or personal characteristics.
- Biometric categorization to infer ethnic origin, religion, or political opinion.
- Systems that manipulate decisions through subliminal techniques or techniques that exploit psychological vulnerabilities.
Do you know exactly what the “productivity” or “engagement” software you use internally does?
Fines: astronomical, but there is protection for small and medium-sized businesses
The penalty system is not intended to be merely symbolic. The maximum fines can reach 35 million euros or 7% of total revenue for the most serious violations. There is a third category that often goes unnoticed: providing incorrect information to the authorities can result in a fine of up to 7.5 million euros or 1% of revenue.
However, for SMEs and startups, there is a principle of proportionality (Article 99.6): the lower of the fixed amount and the percentage is always applied. And the competent Spanish authority (AESIA) has specific mechanisms in place to make things easier for small businesses: regulatory sandboxes, simplified compliance templates, and a reduction in the administrative burden.
Transparency with the authorities is not just an ethical stance. It is a financial strategy.
The actual schedule (and what's still to come)
What is already in effect cannot be put off. And the changes coming in 2026 and 2027 will affect far more companies than you might imagine: any AI system used in recruitment, training, credit, essential services, or education falls into the high-risk category, with technical documentation requirements that must be retained for 10 years.
Compliance isn't a one-time audit. It's an ongoing process.
Why is this important to you beyond just avoiding fines?
In a market saturated with opaque tools, demonstrating that your company uses AI in an ethical, auditable, and transparent manner is becoming a key selling point. Your clients—especially those in the B2B sector or in healthcare, education, or finance—are going to start asking questions.
Companies that take the initiative will not only avoid penalties; they will also have a seal of quality that their competitors who wing it will not be able to match.
Where does your company stand? Have you already audited the AI software you use? Do you have documentation of your team’s training?
At Veltis Digital, we help companies implement digital solutions that work and deliver results. If you have questions about how the AI Act affects your specific operations, we can conduct an initial review together.