EU AI Act: a compliance guide for Luxembourg firms
The EU AI Act will soon be fully enforceable. A new survey from the Luxembourg AI Factory and CNPD helps businesses assess their readiness now.
Emilio Naud
The Artificial Intelligence (AI) Act is now in force across the European Union, establishing a harmonised legal framework for the development and use of trustworthy AI. Although the regulation entered into force in August 2024, its obligations apply in phases. For companies in Luxembourg, this presents a critical window to prepare for full compliance, which becomes mandatory for most AI systems in the coming months. Understanding your obligations now is essential to turning this regulatory challenge into a competitive advantage.
What is your AI's risk level?
The AI Act classifies systems into four tiers based on the risk they pose. This classification determines your compliance burden.
- Unacceptable Risk: Systems considered a clear threat to fundamental rights are banned. This includes government-led social scoring and AI designed to manipulate human behaviour in harmful ways.
- High-Risk: AI used in sensitive areas is permitted but must meet strict obligations. This category includes systems for recruitment, credit scoring, educational evaluation, and medical diagnostics. Requirements are extensive, demanding robust risk management frameworks, high-quality data governance to prevent bias, continuous human oversight and detailed technical documentation.
- Limited Risk: These systems, such as chatbots or AI-generated media, are subject to transparency obligations. Users must be clearly informed that they are interacting with an AI.
- Minimal Risk: The vast majority of AI systems, like spam filters or inventory optimisation tools, fall into this category and face no new legal obligations, though voluntary codes of conduct are encouraged.
Your first steps towards AI Act compliance
The compliance journey begins with internal due diligence. First, create a comprehensive inventory of all AI systems your organisation uses, including third-party tools. Second, classify each system according to the risk-based framework by evaluating its purpose and potential impact. An AI tool for analysing CVs, for instance, is high-risk due to its significant impact on people’s opportunities. Finally, document everything. Detailed records of your classification decisions, risk assessments and compliance measures are not optional—they are a core requirement for demonstrating compliance to regulators.
Luxembourg AI Factory: your partner for the AI Act
Navigating these requirements can be complex, but Luxembourg businesses are not alone. RE.M.I. (Regulation Meets Innovation) is a joint initiative of the Luxembourg AI Factory and the Commission nationale pour la protection des données (CNPD) designed to help organisations (from local SMEs to larger enterprises) prepare for the AI Act.
This initiative invites all Luxembourg-based organisations to take part in the ‘Luxembourg AI readiness and compliance survey 2026’. This survey is a practical tool designed to help you assess your organisation’s preparedness in key areas like risk classification, vendor management, data governance, and bias testing. In return for participating, firms gain early access to consolidated findings and may benefit from a compliance assessment to strengthen their alignment with the AI Act.
The findings will also help the Luxembourg AI Factory and CNPD identify emerging trends and gaps, enabling them to better tailor their guidance and support to local needs.
By taking proactive steps now, Luxembourg's businesses can build the necessary governance frameworks to ensure their AI is not only innovative but also safe, transparent and fully compliant with EU law.
Further support is also on the horizon, as the European Commission prepares an 'Omnibus' proposal to simplify compliance. Look for our upcoming analysis on how this new legislation will impact businesses in the Grand Duchy.