While on one hand, there are loud complaints about overregulation, on the other hand, the European AI regulation is hailed as a milestone. Our overview clarifies whether you need to deal with the "bureaucratic monster" and where particular hurdles lie.
The core of the AI regulation consists of the extensive provisions for high-risk AI—what falls under this?
Dr. Andreas Lober is a lawyer and partner at Advant Beiten in Frankfurt am Main and leads the IP/IT/Media practice group. Dr. Peggy Müller is a lawyer and partner at Advant Beiten in Frankfurt am Main.
In his keynote speech honoring his Nobel Prize in Physics, Geoffrey Hinton in 2024 enthused about how artificial intelligence (AI) could boost productivity in almost all industries; however, he also warned that the rapid development carries risks. AI could potentially be used to create terrible new viruses and horrifyingly deadly weapons that decide whom to kill on their own, he cautioned.
The EU bodies have addressed the potential risks associated with AI with the necessary attention and, after three years of discussions, finally adopted the AI regulation, also known as the AI Act, last summer. It came into force on August 1, 2024, and its regulations will be applied gradually until August 2027.
Unlike directives, the regulation with its 113 articles applies directly in all EU member states. At its core, it is a special product safety law. The AI regulation is essentially based on four regulatory approaches:
the prohibition of certain AI systems;
the regulations for so-called high-risk AI;
the transparency obligations;
the promotion of innovation.
What is Meant By AI?
The AI regulation initially includes a definition of an AI system, which will be of significant importance in the future. At its core, it refers to software generated using artificial intelligence or machine learning methods. The legislator is attempting to distinguish between AI systems and conventionally programmed software.
Provider Or Operator?
Every company intending to use AI will have to consider whether the AI regulation is relevant for them.
The AI regulation primarily obligates providers and operators of AI systems. The provider is squarely at the center of the regulation, bearing most of the obligations. The provider is the one who develops or has an AI system developed and markets it in their own name, similar to a manufacturer with products. Conversely, the operator is the one who uses an AI system under their own responsibility. This is not the individual user or application of AI but rather the company that provides AI to its employees.
Under certain conditions, an operator of AI can also become a provider, for example, if they label a third-party AI system with their name or trademark or if they make a significant change to it. Therefore, the precise classification into different roles is crucial in determining whether one might be subject to the much more extensive set of obligations for providers.
Where Does the AI Regulation Apply?
Interesting is the concept already known from the General Data Protection Regulation (GDPR) that the AI regulation applies to all companies that place their AI on the market or put it into operation within the EU. This applies regardless of where they are established. Thus, the AI regulation claims a global reach.
What Penalties are Foreseen?
The AI regulation provides a framework for high fines: up to 35 million euros or 7 percent of the worldwide annual turnover are possible.
What is Prohibited?
The AI regulation includes a catalog of eight prohibited practices. This includes, for example, the prohibition of social scoring, the prohibition of AI systems for manipulating or deceiving people, and the prohibition of real-time biometric identification in public spaces. The prescribed prohibitions have been in effect since February 2, 2025.
What is Considered High-Risk AI?
The heart of the AI regulation is the provisions on high-risk AI, which are also exceptionally extensive. The AI regulation focuses on establishing the obligations for providers and operators as well as the elements of risk management. It is important to note that the regulations on risk management apply only to such high-risk AI that poses significant risks. Here, two fundamentally different concepts must be distinguished:
On one hand, an AI system is considered high-risk if it is a product or a safety component of a product that falls under the regulations listed in Annex I of the EU, such as machinery, toys, vehicles of all kinds, and medical devices, and if a conformity assessment is required. Mechanical engineering is thus inherently affected. For embedded AI systems, it is crucial whether the AI system is a safety component. This will be the case, for example, for cameras in highly automated vehicles. In contrast, AI systems used for the optimal exchange of non-safety-related wear parts for cost optimization purposes are unlikely to fall under this category. Therefore, precise delineation of the AI's application area is required on a case-by-case basis.
Date: 08.12.2025
Naturally, we always handle your personal data responsibly. Any personal data we receive from you is processed in accordance with applicable data protection legislation. For detailed information please see our privacy policy.
Consent to the use of data for promotional purposes
I hereby consent to Vogel Communications Group GmbH & Co. KG, Max-Planck-Str. 7-9, 97082 Würzburg including any affiliated companies according to §§ 15 et seq. AktG (hereafter: Vogel Communications Group) using my e-mail address to send editorial newsletters. A list of all affiliated companies can be found here
Newsletter content may include all products and services of any companies mentioned above, including for example specialist journals and books, events and fairs as well as event-related products and services, print and digital media offers and services such as additional (editorial) newsletters, raffles, lead campaigns, market research both online and offline, specialist webportals and e-learning offers. In case my personal telephone number has also been collected, it may be used for offers of aforementioned products, for services of the companies mentioned above, and market research purposes.
Additionally, my consent also includes the processing of my email address and telephone number for data matching for marketing purposes with select advertising partners such as LinkedIn, Google, and Meta. For this, Vogel Communications Group may transmit said data in hashed form to the advertising partners who then use said data to determine whether I am also a member of the mentioned advertising partner portals. Vogel Communications Group uses this feature for the purposes of re-targeting (up-selling, cross-selling, and customer loyalty), generating so-called look-alike audiences for acquisition of new customers, and as basis for exclusion for on-going advertising campaigns. Further information can be found in section “data matching for marketing purposes”.
In case I access protected data on Internet portals of Vogel Communications Group including any affiliated companies according to §§ 15 et seq. AktG, I need to provide further data in order to register for the access to such content. In return for this free access to editorial content, my data may be used in accordance with this consent for the purposes stated here. This does not apply to data matching for marketing purposes.
Right of revocation
I understand that I can revoke my consent at will. My revocation does not change the lawfulness of data processing that was conducted based on my consent leading up to my revocation. One option to declare my revocation is to use the contact form found at https://contact.vogel.de. In case I no longer wish to receive certain newsletters, I have subscribed to, I can also click on the unsubscribe link included at the end of a newsletter. Further information regarding my right of revocation and the implementation of it as well as the consequences of my revocation can be found in the data protection declaration, section editorial newsletter.
In addition, the European legislator has defined certain areas as high-risk AI due to their particular risks to personal rights. In other words, the intended use is decisive here, and an AI is classified as high-risk if it poses risks to the health, safety, or fundamental rights of natural persons. This includes a total of eight areas, such as general and vocational education, personnel management and HR, as well as law enforcement.
The classification of AI as high-risk also depends on a specific risk assessment. For example, AI that aims to improve the results of a previously completed human activity or perform preparatory tasks for an assessment poses no risk. While AI used in predictive maintenance to analyze production facilities and provide insights into potential wear in non-safety-critical areas may not be classified as high-risk, the use of AI for managing the recruitment process is likely to be considered high-risk due to its impact on employment decisions. In general: caution in product safety and personnel areas.
If AI is classified as high-risk, it is subject to extensive requirements: for instance, the provider must establish a risk management system with obligations for data governance and technical documentation. Another cornerstone is registration in the EU database for high-risk AI. In contrast, the obligations imposed on operators of high-risk AI are limited: they must keep records and take technical and organizational measures to ensure the AI is used according to the operating instructions.
Transparency Obligations
Another central element of the AI regulation is the transparency obligations for providers and operators of certain AI systems.
Initially, AI that communicates with natural persons must inform the person concerned that they are interacting with an AI system, unless it is already obvious. This regulation only obligates providers. However, operators of AI are also held accountable, albeit in a more basic manner. For example, they must label so-called Deepfakes and texts that inform the public about matters of public interest. Given the vague terms, there are currently significant uncertainties here. Therefore, we believe it is advisable to label all AI-generated content.
Innovation Promotion Through the Establishment of Real-World Laboratories
Another focus of the AI regulation is to promote and protect innovation and consider the interests of SMEs that offer or use AI. For this purpose, the establishment of so-called AI real labs, or experimental environments, is planned, where AI systems can be tested and further developed under real but simplified regulatory conditions. Currently, the EU Commission is also reviewing whether some reporting obligations represent too high a hurdle for startups and may consider adjusting the regulations.
AI Regulation Manageable for Operators
The technical development of AI is progressing inexorably and does not stop at national borders. In this respect, it is commendable that the EU has prevented a patchwork of national regulations with the AI regulation. Such a patchwork would have posed far greater hurdles for internationally operating companies, as they would have had to comply with 27 national regulations within the EU alone.
The AI regulation contains a wide array of provisions for high-risk AI that may not fully reflect the practical significance of such systems. In practice, most AI systems will not fall into this category. Currently, AI applications in mechanical engineering are mostly used in less risky areas such as manufacturing and process automation, within supply chain management, or in marketing. However, special attention should be paid to AI in the personnel sector, which is classified as high-risk. Therefore, those who use AI in this area must exercise caution.
To ensure the correct categorization of the AI being used, a so-called AI regulation compliance matrix should first be created, systematically analyzing all systems and establishing the resulting obligations.
Since the majority of the regulations primarily obligate AI system providers rather than operators, the overall impact of the AI regulation is likely to be manageable. The regulatory obligations for operators are generally well manageable. However, there are a few points that should be on the to-do list of every mechanical engineering company: all AI processes should be documented in detail and recorded in the previously mentioned matrix. In this context, contracts with suppliers and service providers should also be reviewed for the use of AI and renegotiated if necessary. Furthermore, drafting an AI policy that regulates the use of AI within the company is highly recommended. Additionally, the AI regulation provides for regular training of employees. Finally, processes should be established for the ongoing monitoring and adjustment of any AI systems to ensure they continually meet the established standards. Those who heed this should be able to deploy AI in a legally compliant manner.
Future-Proof Authentication with Universal RFID Readers
:quality(80)/p7i.vogel.de/wcms/33/ab/33abf15b4b5625a8904cb57c51597709/0129982307v1.jpeg "This is a new development from Fraunhofer IFAM and partners: an automated adhesive splitting system for the reliable and more productive bonding of composite parts. Here, a frame for an airplane window is measured in real time and a precise amount of adhesive is applied. (Image:Fraunhofer IFAM)")
:quality(80)/p7i.vogel.de/wcms/df/26/df26e72a2f7c890171a1059b48eef68e/0129962397v1.jpeg "The Swedish cutting tool manufacturer Sandvik Coromant now has two additional geometries for its Corodrill DE10 replaceable head drilling system, which it says will further expand the already wide range of applications - for example for cast materials ... (Image:Sandvik Coromant)")
:quality(80)/p7i.vogel.de/wcms/81/c6/81c6f01476cd66350d1a6467efede21d/screenshot-202026-01-28-20174921-783x440v1v1.png "Vacuum-brazed probes. (Image:iew inductive heating systems)")
:quality(80)/p7i.vogel.de/wcms/40/c5/40c5051cebdb10fdee9a283303434d9d/0129881741v1.jpeg "3D-printed tools and other components contribute to energy-saving, precise processes. (Image:Gerhard Schubert GmbH)")
:quality(80)/p7i.vogel.de/wcms/92/5e/925ee98ea36ad9bd574fa1cea11d0e53/0129964352v1.jpeg "The production of hardware components for humanoid robots offers great market potential. (Image:Fraunhofer IPA)")
:quality(80)/p7i.vogel.de/wcms/08/72/0872dd2dd119a54824c41e0e580e45a8/0129576591v1.jpeg "The Rose enclosure systems can be customized on request. (Image:Rose Systemtechnik GmbH)")
:quality(80)/p7i.vogel.de/wcms/73/17/7317794432521bf911711b91287cfc28/0129961259v1.jpeg "ABB Robotics and Nvidia are enabling the widespread use of physical AI in the world of robotics. This means that systems can be created virtually and with high precision and optimized much more cost-effectively. In the large image the virtual system, next to it the real robot cell ... (Image:ABB)")
:quality(80)/p7i.vogel.de/wcms/09/a2/09a2e832b1c0271d299fc130201e5717/adobestock-1767409934-4191x2360v1.jpeg "(Source: © ImageFlow - stock.adobe.com)")
:quality(80)/p7i.vogel.de/wcms/9e/98/9e984afbf9c6f2bcc8963bd13465b180/26-02-pi-fraunhofer-iws-41300-ultragrain-project-closing-pic-02-1562x878v1v1.png "The process of laser wire build-up welding (DED-LB) with pulse laser-induced plasma, which contributed to the success of the Ultra Grain project, is shown at high speed. (Image:Fraunhofer IWS)")
:quality(80)/p7i.vogel.de/wcms/28/00/28008d9477bb07daa3b28ce4ac0ae907/newsimage418436-1536x864v1v1.jpeg "Researchers have produced elastic ear cartilage from human cells in the laboratory, which remains dimensionally stable in animal models. (Image:ETH Zurich)")
:quality(80)/p7i.vogel.de/wcms/1e/7d/1e7d6a316cdd7a7ba5e84d7c9a3efb80/newsimage418837-3000x1687v1v1.jpeg "Driverless shuttles can strengthen public transport, especially in rural areas. (Image:ZF Friedrichshafen)")
:quality(80)/p7i.vogel.de/wcms/85/e8/85e89606edeeec55feac9ab5617e2440/newsimage418885-3500x1969v1v1.jpeg "Flexible: The solid electrolyte based on silicone is expandable and thus compensates for the cavities that form in solid-state batteries during charging and discharging. (Image:Empa)")
:quality(80)/p7i.vogel.de/wcms/c5/d2/c5d2655e427c7cbfe2f537dccfbd06e3/0129971639v1.jpeg "Volkswagen Group Charging, Elli, has connected its first electricity storage system to the grid. (Image:Elli)")
:quality(80)/p7i.vogel.de/wcms/b4/fc/b4fc9420fca6915b291eca0ae2532688/0129978040v1.jpeg "MAN has completed winter tests with nine buses. (Image:Bulent Camci)")
:quality(80)/p7i.vogel.de/wcms/a7/22/a722a06c823b5d7405eb9fb15a0b4e7d/0129931201v1.jpeg "The company offers access to its charging network, which now has more than 1,000,000 charging points across Europe, via the Elli app. (Image:Elli | Volkswagen)")
:quality(80)/p7i.vogel.de/wcms/89/5d/895dfb4fb9a90c33ddd287c7d09c9ffd/0129938355v1.jpeg "Ganfeng Lithium has developed semi-solid batteries for eVTOLs together with Geely subsidiary Aerofugia. (Image:Aerofugia)")
:quality(80)/p7i.vogel.de/wcms/aa/4c/aa4cd2c6c10199015d47caf72eca2115/0129962687v1.jpeg "Bosch Rexroth and AMD are working together on Software-Defined Automation: ctrlX OS now also supports AMD Embedded x86 CPUs and adaptive SoCs, promising even greater hardware design flexibility, seamless scalability and a secure, modular operating system foundation. (Image:Bosch Rexroth AG)")
:quality(80)/p7i.vogel.de/wcms/7b/10/7b108d8ec7bf09cb1a20998364483525/0129923685v1.jpeg "The concept of the blade battery. (Image:BYD Europe B.V.)")
:quality(80)/p7i.vogel.de/wcms/64/97/6497d264fcf62cf4325443498b3826f3/0129930890v1.jpeg "Switching without mechanical contacts (Image:Endrich)")
:quality(80)/p7i.vogel.de/wcms/f3/c0/f3c0040f2b655e91b80158029c65b0cc/0127314142v1.jpeg "Nexperia's assembly and testing fab in Guangdong, China. (Image:Nexperia)")
:fill(fff,0)/images.vogel.de/vogelonline/companyimg/76800/76895/65.jpg "FAULHABER_120mm.jpg ()")
:fill(fff,0)/p7i.vogel.de/companies/69/88/69882c428938e/tmts2026-ticec-banner-en-2000px.png "tmts2026-ticec-banner-en-2000px (https://www.tmts.tw/en)")
:fill(fff,0)/p7i.vogel.de/companies/67/eb/67eba621ef6ea/logo2.png "logo2 (Wuxi InfiMotion)"){kind=logo}
:quality(80):fill(efefef,0)/p7i.vogel.de/wcms/67/ae/67ae0b9ac31f8/elatec-wp-universal-reader.png "Elatec WP Universal Reader")
:quality(80)/p7i.vogel.de/wcms/48/3b/483bf2210f6160df5b2ff1ff895ec228/0124197821v1.jpeg "The \"Connected Vehicles Final Rule\" presents challenges for automakers and suppliers. (Image:Dall-E / AI-generated)")
:quality(80)/p7i.vogel.de/wcms/0f/f9/0ff9c4e5808dbd20e70b234d083f72b0/0125727239v1.jpeg "What exactly does the Data Act regulate, and how does it relate to GDPR? We have summarized answers to these and other questions for you in this article. (Image:freely licensed)")