AI? Yes, but… what about the AI Act?

AI regulation is not just an IT issue—sustainability departments are also affected by the EU AI Act. In this talk from the “Sustainability x AI” series, Janika Ofterdinger (Nextra Consulting GmbH) and Bengt Petersen (Partner and Lawyer, Front Wing Litigation) discuss what the AI Act specifically means, which misconceptions frequently arise in practice, and how companies can take a structured approach.

What the AI Act regulates—and why it also affects non-tech companies

The EU AI Act is the world’s first comprehensive AI regulation and applies directly as an EU regulation in all member states without national implementation. Unlike the GDPR, which regulates the handling of personal data, the AI Act focuses on the AI system itself: which system may be used for what purpose and under what conditions. Obligations apply not only to developers of AI models but also to operators—meaning companies and, in some cases, even individual employees who use AI applications in a professional context.

Four risk classes—and where sustainability teams should pay attention

The AI Act follows a risk-based approach with four categories: prohibited applications, high-risk AI, limited-risk AI, and minimal risk. For sustainability teams, two areas are particularly relevant. First, the high-risk category: the use of AI in an HR context—such as automated applicant screening or performance appraisal—falls into it, and AI-supported creditworthiness assessments based on ESG criteria could also fall under it, since the corresponding annex of the AI Act is not limited to natural persons. Second, the transparency obligation that applies to chatbots in a stakeholder context: it must be clearly recognizable that no natural person is responding.

Typical misconceptions in practice

A common misconception is the assumption that only specifically procured AI systems fall under the AI Act. In fact, common Large Language Models such as ChatGPT, Copilot, or Claude can also be classified as high-risk AI depending on the use case. Another risk is so-called shadow AI: if employees use AI applications without the knowledge of company management, they can become operators of high-risk AI themselves—with corresponding obligations and risks of fines. One should not blindly rely on provider assurances regarding AI Act compliance.

Timeline and concrete preparation

The AI Act has been in force since mid-2024; the obligation for AI literacy has already applied since February 2025 and affects every company that uses AI. The extensive obligations for high-risk AI (Annex 3) have been postponed to December 2027. Bengt Petersen recommends starting now with an AI inventory: which applications are in use, and which risk class do they fall into? Compliance structures should be linked with existing data protection processes to avoid duplication of work. New AI applications should be categorized into this system from the start, and provider contracts should be checked for operator obligations.

What you will learn in this talk
  • how to categorize the AI Act by its basic approach—risk-based, directly applicable, parallel to the GDPR
  • which risk classes exist and which use cases can specifically affect sustainability teams
  • how to recognize typical misconceptions: shadow AI, provider compliance, and the definition of an operator
  • what has already been in effect since February 2025 and what the timeline looks like until December 2027
  • what an initial preparation plan looks like: AI inventory, risk classification, governance, and contract checks

You can find all future and past webinars at: nextra-consulting.com/webinare.