Regulation

The EU AI Act: what it means for European business – and how Od1n is built for it

What the law means for European organisations – and why sovereignty becomes a compliance requirement.

Published 6 July 2026

What does the EU AI Act mean for European business?

The EU AI Act is the world's first comprehensive law regulating artificial intelligence, and it applies to any company that develops, sells, or uses AI systems in the EU and EEA – including Norway. For most businesses it means one practical thing: you must know which AI you use, understand its risk category, and be able to document that it is transparent, well-governed, and used lawfully. The obligations scale with risk, so a chatbot and a credit-scoring model are not treated the same way.

In short, EU AI Act compliance is not a single certificate you buy – it is an ongoing duty to control your AI: know its data, its purpose, and its impact on people.

What is the EU AI Act?

The AI Act is an EU regulation that classifies AI by risk. It bans a small set of practices outright, places strict duties on "high-risk" uses, requires transparency for systems like chatbots and generated content, and sets separate rules for general-purpose AI (GPAI) models – the foundation models that power many downstream products.

The logic is proportionality. The higher the potential harm to people's rights, safety, or livelihood, the more documentation, oversight, and testing the law demands. Most everyday business AI falls into the lighter transparency tier, not the high-risk one.

What is the timeline – and what changed with the Digital Omnibus?

The AI Act entered into force in the EU on 1 August 2024, with obligations phasing in over several years:

Importantly, the postponement is targeted. Transparency and GPAI duties remain in force, and the rules are not retroactive. In Norway the AI Act is EEA-relevant and is being implemented as the Norwegian "KI-loven" during 2026, with Nkom as the coordinating supervisory authority.

What does the AI Act require of AI models?

Providers of general-purpose AI models carry specific GPAI obligations. In practice a GPAI provider must maintain:

A stricter tier applies to models posing "systemic risk," defined by training compute above 1025 FLOPs. This is a threshold measured in training compute, not parameter count, and only the largest frontier models cross it.

What does it mean for businesses that use AI?

If you deploy AI rather than build it, you are a "deployer," and you still have duties. You must use high-risk systems according to instructions, keep human oversight, and inform people where required – for example, telling users they are talking to a machine or viewing AI-generated content.

The higher bar applies to AI Act high-risk uses. These include AI used in recruitment and hiring, credit and creditworthiness decisions, and certain health, education, and essential-service contexts. If your AI helps decide who gets a job, a loan, or a benefit, expect closer scrutiny, record-keeping, and accountability.

And the AI Act does not replace existing law. GDPR still applies to every personal-data processing step, so data protection and AI governance must be handled together, not as separate projects. None of this is legal advice – treat it as a starting map, and confirm your specifics with qualified counsel.

How is Od1n built for the AI Act era?

Od1n, the sovereign Norwegian language model from EZ-Fix AS, is built with the transparency and data control the regulation points toward. That does not mean Od1n is "AI Act certified" – no such approval scheme exists. It means the model is designed so that the questions regulators and customers now ask have clear answers.

Od1n's training data is drawn mainly from openly licensed and public Norwegian sources, with a review of rights and licences. Its training grounds are documented rather than opaque, which supports the kind of data summary and provenance the law expects. On systemic risk, Od1n is trained with compute far below the 1025 FLOPs threshold, so it sits well outside the frontier-model tier.

Just as important is where the model lives. Od1n supports EEA hosting and on-premise deployment, so you keep data inside your own jurisdiction and infrastructure – a digital sovereignty concern that compliance and security teams increasingly raise. A sovereign model you own gives you the documentation, control, and auditability that regulated use demands. Learn more about Od1n for business and the underlying technology.

Frequently asked questions

Is the EU AI Act already in force?

Yes. It entered into force on 1 August 2024. Prohibited practices applied from 2 February 2025 and GPAI obligations from 2 August 2025. High-risk obligations were postponed to 2 December 2027 under the Digital Omnibus, but transparency and GPAI duties remain in effect.

Does the AI Act apply in Norway?

Yes. The AI Act is EEA-relevant and is being implemented as the Norwegian "KI-loven" during 2026, with Nkom acting as the coordinating supervisory authority.

Is my company's AI "high-risk"?

It depends on use, not just technology. High-risk categories include recruitment, credit decisions, and certain health, education, and essential-service uses. Many ordinary business tools fall under lighter transparency duties instead. This is general information, not legal advice.

Does using Od1n make my organisation AI Act compliant?

No single product can do that. Od1n is built with documented training grounds, EEA and on-premise hosting, and compute far below the systemic-risk threshold – features that support your compliance work. Your own obligations as a deployer, plus GDPR, still apply.

Interested in Od1n?

Talk to us about how a sovereign Norwegian language model can be adapted to your organisation.

Contact usSee Od1n V5