EU AI Act Goes Fully Live — What Japanese (and Any Non-EU) Companies Should Do Now
The EU AI Act fully applies from August 2026. The 'Brussels effect' means even companies not selling into the EU can't ignore it. Risk tiering, data governance, transparency, and Japan's likely follow-on.
The EU AI Act became law in August 2024 and reaches full application with penalties in August 2026. As with GDPR, this is not just an EU story. Here's the work non-EU (especially Japanese) companies should be doing now.
Risk tiering is the core
The Act sorts AI systems into four tiers:
- Unacceptable Risk (social scoring, subliminal manipulation, real-time public face recognition with limited exceptions) → banned
- High Risk (hiring, credit, education evaluation, medical, critical infrastructure) → conformity assessment + registration + monitoring
- Limited Risk (chatbots, deepfakes, emotion recognition) → transparency obligations (disclose AI use)
- Minimal Risk (spam filters, game AI) → unregulated
Maximum penalty: €35M or 7% of global annual revenue (stricter than GDPR's 4%).
The Brussels effect doesn't spare you
Just as GDPR did, EU regulation becomes a de facto global standard:
- Selling into the EU at all puts you in scope
- Unifying a global AI policy at HQ is more practical than regional variants
- Japan's "AI Promotion Act" and "Important AI System" framework are expected to follow EU patterns around 2027
Translation: work done on EU compliance now lowers your eventual Japan compliance cost.
Five things Japanese companies should do now
1. AI inventory
List every AI/LLM/ML system in production: who, where, why, which vendor. OpenAI API, Claude API, Copilot, Gemini Workspace — all of it. Listed companies usually find 100+ touchpoints once they look.
2. Self-tier each use
Map each item to the EU AI Act's four tiers. If you have High Risk uses (hiring, credit, medical), start preparing conformity assessments.
HR Tech is the immediate red flag: AI resume screening, interview video analysis, personality/aptitude scoring — all high risk.
3. Transparency obligations
- Customer chatbots → display "This is AI"
- AI-generated text/image/video → machine-readable identifiers (C2PA, etc.)
- AI used in significant decisions → notify the user
4. Data governance
Training data for high-risk AI requires representativeness, accuracy, and bias verification. Fine-tuning on internal data demands records of PII handling and bias testing.
5. Standing AI policy committee
Monthly meeting between "departments using AI" and compliance/legal/infosec. Through 2027 at minimum, all new AI projects should go through review.
Mid-market and SMBs
"We don't sell to the EU" doesn't work either:
- Major Japanese customers are starting supplier audits asking for EU AI Act compliance
- Banks and insurers are running AI use surveys
- Job listings are full of "AI ethics lead" and "responsible AI" roles
Companies over 500 employees should draft an AI policy this year. Sub-200-person teams can follow industry association guidelines.
When does Japan move?
METI, MIC, and the Cabinet Office are targeting 2027 for an "Important AI System Framework." Expect the EU "High Risk" concept to migrate, with a softer penalty model (guidelines + industry self-regulation).
Sector-specific regulation is already moving faster — medical AI, autonomous driving, financial AI all have their own ministry-driven tightening.
What this means for end users
- Outputs from ChatGPT, Claude, and Gemini will increasingly carry "AI-generated" labels (started in the EU, spreading globally)
- AI-using interview processes will require disclosure ("AI is involved, a human reviews")
- Japan will likely see similar rules from 2027 onwards
The "overregulation" critique exists, but the goal — correcting information asymmetry — is sound. Companies that start six months early will be better off.