AI Act in Practice: Don’t Panic, But Don’t Wait Either

I’ll admit it—when I first came across the term "AI Act," my gut reaction was to groan. Another EU regulation, another GDPR-style avalanche of red tape. More energy wasted on compliance instead of business growth.

But after talking it over with Miro (our DPO) and thinking about who this might actually help and why, I calmed down. Sooner or later, we do need some rules of the game. Just imagine the wild west we’d have with personal data if there were no restrictions at all. 

For context: I’ve had the same mobile number since 1996. I don’t know a single American who hasn’t had to change theirs at least once in the past 30 years. 

So What Is the AI Act, and Why Should Marketers Care?

In short: the AI Act is a new EU regulation that’s been in force since August 2024, with the first binding requirements kicking in in February 2025. It will be fully enforceable by August 2027.

It regulates how companies can use artificial intelligence—especially where AI significantly impacts users. Think: customer segmentation, personalized targeting, product recommendations, automated decision-making, or credit scoring.

Yes, you read that right: marketing, e-commerce, CRM—everything we use AI for—is absolutely on the radar. 

Why the AI Act Might Actually Be a Good Thing

At FrodX, we know regulations usually mean a few extra hoops to jump through. But I genuinely believe the AI Act could turn out to be a step forward. Not immediately—but in the medium term, once we get used to it and adapt accordingly. 

Why? Because it brings clarity. And clarity leads to stability. Right now, companies we work with—those adopting AI-driven CX solutions and AI agents to automate customer-facing processes—are hesitating. In fact, I think they’re being overly cautious with tech we’ve already brought into their business. Fear is everywhere. 
And I’ve seen this before, every single time a new technology enters the enterprise world. 

Honestly, it’s easier for a serious company to roll out direct marketing today than it was in, say, 2012 when we first started building marketing automation systems. Why? Because GDPR gave them a clear framework to operate within. 
I expect the AI Act to do something similar for CX solutions involving AI-based personalization and segmentation: defining the line between “acceptable” and “too far.”

It’ll give us practical guardrails, especially around responsible AI use and how to design systems that won’t keep you up at night come August 2026 or 2027, when the full obligations kick in. 

Who Does This Apply To? 

The regulation applies to any company using AI to interact with customers in the EU. Size doesn’t matter much here—though, yes, smaller companies may face smaller fines in case of violations (not exactly comforting, but there you go). 

So if your company uses AI for things like automatic customer segmentation, product or action recommendations, dynamic pricing, AI chatbots, or other types of AI agents—then yes, the AI Act absolutely applies to you. On the other hand, if your AI use is limited to internal process optimizations that don’t affect users, you’re on much safer ground. 

Fines? Let’s Call Them “Motivators” 

The penalties are steep—up to 7% of annual revenue or €35 million—but the real point is this: they’re meant to motivate timely and effective adaptation. Just like GDPR did. 

In practice, the AI Act means you’ll need to: 

  • Clearly disclose where and how you use AI
  • Give users the option to opt out of AI-driven processes
  • Maintain transparent records of AI operations (audit trails)
  • Include a mechanism for human intervention or override
  • Regularly check for bias in your AI models 

What exactly will be “good enough”? Honestly, no one knows for sure yet. Best practices will evolve. Personally, I’m placing my bet on the global software providers—HubSpot and SAP (Emarsys) in our case. Most likely, we’ll overdo it at first (like we did with GDPR), locking everything down… then relax a bit and find a more practical rhythm. That’s how these things always go. I don’t see any reason why this time would be much different. 

What Should Companies Do to Prepare? 

Here’s how I see it: Start by mapping out all the AI solutions you already use—including those handled by external vendors. 
This step alone can be surprisingly complex if you’re doing it properly. Then, assess the risk level of each one and set up the right documentation and monitoring systems. 

| Risk Level | Typical Use Cases | Classification Criteria | User Impact | Required Measures |
|---|---|---|---|---|
| Minimal | Spam filters, basic automation with no user-facing impact | Does it affect user experience or rights? → No | No user impact | No specific action required |
| Limited | Personalized emails, segmentation, recommender systems, chatbots | Does it influence user behavior or decisions? → Yes, but without direct consequences | Indirect influence | Clear labeling, opt-out option, basic documentation, transparency |
| High | Dynamic pricing, auto-approval of loans, AI-based credit scoring | Does it affect user rights or legal/financial status? → Yes | Direct impact | Detailed documentation, audit trail, quarterly testing, kill switch, human-in-the-loop |

At FrodX, we’re implementing audit logs and kill switches for our custom-built AI agents. 
We’re also carefully considering how to introduce a meaningful human-in-the-loop without killing the economic value of automation. 

Things are simpler when you're working within platforms like Emarsys or HubSpot—both vendors already address compliance in their design, especially since Emarsys is European. 

Open Mic: Ask Miro—Before the Inspectors Come Knocking 

We know this is just the beginning of the AI Act conversation. But time to deal with it is running out. So we’re hosting an open mic session with Miroslav Ekart, our DPO. No slides. No PR fluff. Just real questions, honest dilemmas, and hands-on answers from someone who knows this stuff inside out. 

How will regulators actually audit AI use? What does “bias” mean in the context of your system? Will your AI agent still be compliant in August 2026 or 2027—or will you have to pull the plug? 

If any of this concerns you, email me at igor.pauletic@frodx.com. We’re collecting interest so we can finalize the time and place. Your response will shape the format of the event—and help you get ahead of the curve. 

Because the last thing you want to hear in August 2026 is: “Why didn’t you do something a year earlier?” 
