Comply AI by CJ&Co

💸 The answer is B — €56 million (7% of global annual turnover).

This is the one that makes boards pay attention.

The EU AI Act's penalty structure has three tiers based on the type of violation. Breaches of the prohibited practices rules — the most serious category — carry fines of up to 7% of total worldwide annual turnover.

Not EU revenue. Not local revenue. Global turnover.

On €800 million in global revenue, 7% is €56 million. That's the ceiling for a single violation.

The common confusion is assuming a fixed maximum fine of €35 million applies. €35 million is the floor for prohibited practice violations — the minimum in cases where the percentage calculation produces a lower number.

For a company of any meaningful size, the percentage calculation will be far higher.

This penalty structure is deliberate. It's designed to ensure fines are proportionate to the economic power of the entity — so that compliance isn't simply cheaper than non-compliance.

Know the numbers before your clients get surprised by them.

📚 ComplyAI covers the full penalty framework — link in bio.

🏦 The answer is B — Deployer duties apply.

A lot of organisations think that using a third-party AI tool off the shelf, without modifying it, means they carry no regulatory responsibility.

The EU AI Act doesn't work that way.

The Act draws a clear distinction between providers (who develop and place AI systems on the market) and deployers (who use those systems in a professional context). The bank in this scenario is a deployer — and deployers have real, concrete obligations.

These include conducting fundamental rights impact assessments for certain high-risk systems, ensuring human oversight measures are in place, logging and monitoring system use, and maintaining transparency with the individuals affected by AI-driven decisions.

Credit scoring is explicitly listed as a high-risk AI application in Annex III of the Act. That means the bank can't treat this as a passive technology purchase — it carries accountability that comes with the deployment, not just the development.

"We didn't build it" is not a compliance strategy.

📚 ComplyAI covers the provider/deployer split in depth — link in bio.

⛔ The answer is C — Now. This practice is already banned.

This is arguably the most urgent misconception in the market right now.

Companies building or deploying AI that falls under the prohibited practices provisions think they have until August 2026 — or following the Omnibus agreement — December 2027. They don't.

The prohibited practices chapter of the EU AI Act has been in force since February 2025. There is no compliance runway for banned practices. You don't get a transition period for something that is simply not allowed.

Emotion recognition systems used to assess candidates in employment contexts fall squarely within Article 5. If a tool is scoring facial expressions in job interviews, it is operating illegally in the EU right now — not in 18 months.

The Omnibus agreement extended deadlines for high-risk AI obligations. It did not give prohibited systems more time. Those are two completely different parts of the regulation.

If you are using this kind of tool, the conversation needs to happen today, not next year.

📚 ComplyAI covers prohibited practices in full — link in bio.

✅ The answer is B — No. A pure rule-based system without adaptive capability or inference is generally not an AI system under the EU AI Act.

This one trips up a lot of compliance teams — and understandably so. "Automated" and "AI" feel like the same thing. They're not.

The EU AI Act has a specific technical definition. The key question is whether the system infers outputs from inputs — learning, adapting, or using machine-based techniques.

A system running fixed IF-THEN logic written by engineers, with no learning or inference happening, doesn't meet that bar.

The Act explicitly excludes simple rule-based systems from its definition of an AI system. This matters enormously in practice — it determines whether your system is in scope at all, before you even get to risk classification.

The confusion is understandable. But conflating "automated decision-making" with "AI system" can cause organisations to either over-comply (wasting resources) or misclassify actual AI tools (real risk).

📚 ComplyAI covers the full definition and how to apply it — link in bio.

🚨 The answer is B — No, the EU AI Act applies if your AI is sold or used in the EU, regardless of where you're based.

This is one of the most common and costly misconceptions we see.

Companies assume that because they're headquartered outside the EU, the regulation doesn't reach them. It does.

The EU AI Act follows the same extraterritorial logic as the GDPR — what matters is where your users are, not where you are. If you're placing an AI system on the EU market, you're a provider under the Act. Full stop.

So that US startup? Their lawyers are wrong. If their hiring software screens EU job applicants, they're in scope, they have obligations, and they could face penalties calculated on global turnover — not just EU revenue.

The "we're not EU-based" defence doesn't exist under this regulation.

📚 Want to understand exactly what extraterritorial scope means for your clients or your business? ComplyAI breaks it down — see Gumroad link in bio.

Module 1 of the ComplyAI EU AI Act Compliance Course is now live. 🎓

If you work in legal, compliance or AI — this is where you start.

Module 1 covers:

✅ What the EU AI Act actually is
✅ Who it applies to — including non-EU companies
✅ The key definitions: AI system, provider, deployer
✅ The full implementation timeline
✅ What's already in force RIGHT NOW

The prohibited practices ban has been enforceable since February 2025. Most teams still haven't audited their AI portfolio against it.

Founding member pricing is still open. Lifetime access. Free updates as the law evolves and prompts to build your own AI compliance system in-house.

Link in bio 👆

The EU AI Act just had a plot twist on 7th May 2026.

After months of “wait… but what does this actually mean?”, Europe finally dropped the Omnibus agreement — and things make way more sense now.

Clearer rules. Clearer risks. Fewer guessing games.

Time to start the real compliance hustle.

I asked compliance professionals on Reddit what's been the hardest part of EU AI Act compliance so far.

The answers were unanimous, and they weren't what most people expect.

Nobody said the regulation is too hard to understand. The text is dense but parseable. The real blocker is operational.

Shadow AI came up in almost every response.

Teams are adopting AI tools without central oversight. One commenter described finding AI embedded in vendor SaaS tools and legacy systems that nobody documented, then scrambling to retrofit compliance onto something deployed two years ago.

Another said they helped a company discover tools across marketing, sales, customer service, and engineering that compliance had no visibility into.

The second biggest pain point: the provider vs deployer distinction.

On paper it sounds clean. In practice, the line blurs fast. If you're using an API to build a product, you're a deployer. But the moment you start customising the model, fine-tuning, or making decisions about how outputs get used, you start taking on provider obligations. Nobody talks about that grey zone enough.

And the most honest answer about AI inventories: "we have a spreadsheet that's already out of date."

The gap between knowing the regulation exists and actually operationalising it is where most organisations are stuck right now. August 2026 is only a few weeks away.

Where is your organisation in this process?