The EU Artificial Intelligence Act is now the world’s first comprehensive AI law — and it applies to any company deploying AI in Europe, regardless of where they’re headquartered. For Indian IT giants like Infosys, TCS, Wipro, and HCL, and for global tech firms serving UK, Spanish, or Italian markets, compliance is no longer optional.
Whether you build AI products, integrate AI into client solutions, or operate AI-powered platforms that European end-users access, this regulation affects you. Here’s everything you need to know.
Why the EU AI Act Matters for Non-EU Companies
Like GDPR, the EU AI Act follows a market-reach principle: if your AI system is used by people within the EU, you must comply — even if your company is based in Bengaluru, Hyderabad, Mumbai, or New York. For Indian IT outsourcing firms building AI tools for European clients, this creates direct liability.
Non-compliance fines are steep: up to €35 million or 7% of global annual turnover for the most serious violations. For mid-sized Indian IT firms with global revenues, this is not a hypothetical risk.
Any provider, importer, or deployer of AI systems that places products on the EU market or affects persons in the E1U falls under the scope of this Act — regardless of the country of establishment."
— EU AI Act, Article 2
Key Milestones: The Compliance Timeline (2025–2027)
| Date | What Applies | Action Required |
|---|---|---|
| February 2025 | Prohibited AI practices banned | Audit all AI systems for banned use cases immediately |
| August 2025 | GPAI model obligations active | Publish transparency disclosures, copyright policies, usage summaries |
| August 2026 | High-risk AI system rules enforced | Complete conformity assessments, register in EU AI database |
| August 2027 | Full Act in effect — all provisions | Full compliance required across all AI categories and sectors |
The Four Risk Tiers: Where Does Your AI Sit?
The EU AI Act classifies all AI systems into four risk categories. Your compliance obligations depend entirely on which tier your AI falls into.
| Risk Level | Examples | Obligation |
|---|---|---|
| Unacceptable Risk | Social scoring, mass biometric surveillance, emotion recognition at work | Banned outright — cannot be deployed |
| High Risk | CV screening tools, credit scoring AI, border control systems, medical devices | Conformity assessments, human oversight, EU database registration |
| Limited Risk | Chatbots, deepfake generation tools, AI-generated content | Transparency obligations — must disclose AI involvement to users |
| Minimal Risk | Spam filters, AI in video games, recommendation engines | Voluntary codes of conduct only — no mandatory requirements |
What This Means for Indian IT & Global Tech Firms
India is Europe’s largest IT services partner. Firms like TCS, Infosys, Wipro, HCL, and Tech Mahindra collectively serve hundreds of European enterprises. With AI embedded in everything from HR automation to fraud detection platforms, a large portion of Indian IT’s European deliverables now fall under the high-risk or limited-risk categories of the EU AI Act.
This means Indian IT companies must now act as both providers (if they build the AI) and deployers (if they integrate it into client workflows) — each role carrying distinct legal responsibilities under the Act.
For companies serving the UK market specifically: post-Brexit, the UK is not adopting the EU AI Act directly. The UK’s own AI governance approach is sector-led and principles-based. However, firms operating across both UK and EU markets must maintain parallel compliance frameworks — a dual burden that requires careful planning.
In Spain and Italy, national AI supervisory authorities are being established to enforce the Act locally. Both countries have active digital economy sectors, making them priority enforcement markets for the European AI Office.
GPAI Models: A Special Obligation for AI Builders
If your company develops or fine-tunes a General Purpose AI (GPAI) model — such as a large language model, image generation model, or multimodal AI — additional obligations applied from August 2025. These include publishing a summary of training data, maintaining a copyright compliance policy, and reporting on energy consumption and systemic risks if the model exceeds a certain capability threshold.
Indian IT firms increasingly building proprietary AI models for global deployment must assess whether their models qualify as GPAI under the Act’s definitions.
Compliance preparation is essential for IT firms operating across EU markets
Your EU AI Act Compliance Checklist
- Classify all AI systems your company builds or deploys by EU AI Act risk tier
- Identify whether any AI falls under the banned (unacceptable risk) category and remove it immediately
- For high-risk AI: complete technical documentation and conformity assessments before August 2026
- Register high-risk AI systems in the EU AI public database
- Implement human oversight mechanisms for all high-risk AI deployments
- Update client contracts and service agreements to reflect compliance responsibilities
- Add transparency disclosures for all limited-risk AI tools (chatbots, AI-generated content)
- Assess whether any proprietary AI models qualify as GPAI and meet August 2025 obligations
- Train HR, legal, and product teams on prohibited AI use cases
- Establish an internal AI Act compliance function or appoint a qualified EU representative
Need expert guidance on EU AI Act compliance for your multilingual, cross-border AI deployments in the UK, Spain, and Italy?
Visit eu.conveyuall.com