The EU AI Act (Regulation 2024/1689) is no longer a future concern: it began producing concrete effects in February 2025. For organizations using AI-powered learning platforms, the implications are significant and largely misunderstood. This article is for L&D leaders, HR managers, and Instructional Designers who want to understand what the AI Act means for their daily toolset, and what questions they should be asking their vendors before their next contract renewal.
The AI Act classifies AI systems by risk level. AI used in employee assessment—adaptive quizzes, automated competency evaluations, AI-driven recommendations that influence hiring or promotion decisions—falls under the high-risk category when used in professional settings. For high-risk AI systems, the organizations deploying them (not just the platform vendors) are responsible for ensuring:
An AI tutor that suggests learning paths, or an assessment engine that scores competency gaps, can easily qualify as a high-risk system in an enterprise context. If your platform vendor hasn't addressed this, the liability falls on you.
Most major international eLearning platforms—including popular US-based solutions widely used in Europe—run their AI features on cloud infrastructure outside the EU. This creates three concrete problems for European organizations:
A genuinely compliant eLearning platform needs to meet a higher bar than just "GDPR-compliant" (a claim that has become nearly meaningless through overuse). Specifically, EU-hosted AI means:
These are not optional features. For organizations subject to the AI Act—which includes any EU company using AI in HR and training processes—these are compliance requirements. Noncompliance can result in fines up to 3% of global annual turnover.
Before your next contract renewal, ask your platform vendor these five questions in writing:
1. Where are your AI servers physically located?
"Cloud EU" or "European data centers" is not sufficient. Ask for the specific data center name and its certifications. Azure Sweden Central is different from AWS us-east-1.
2. Which AI model powers your features?
The vendor should answer with a specific model name and version (e.g., "GPT-4o via Azure OpenAI"), not marketing language. If they refuse to disclose this, treat it as a red flag.
3. Is user conversation data used for model training?
This must be contractually excluded, not just stated in a FAQ. Request a written DPA (Data Processing Agreement) that explicitly addresses AI training data.
4. Can I export AI interaction logs for my users?
An acceptable answer: yes, via API or CSV export. An unacceptable answer: "no" or silence. If you cannot access this data, you cannot demonstrate compliance.
5. Do you publish an AI transparency page?
It should exist, be publicly accessible, and be updated every time the underlying model changes. If it doesn't exist, your vendor is not prepared for the AI Act.
Here is the counterintuitive opportunity: the AI Act is not a threat to innovation in corporate learning—it is a differentiator for organizations that take it seriously.
Being able to demonstrate to employees, clients, and auditors that "our training programs use AI that is fully EU Act compliant, with zero data leakage outside the EU" is a concrete reputational advantage in regulated sectors—financial services, healthcare, public administration—where such requirements are not optional extras but baseline expectations.
The solutions exist. EU-native platforms with self-hosted AI infrastructure and full transparency are available today. The choice is no longer between "AI or no AI"—it is between "compliant AI or risky AI."
The organizations that will struggle with the AI Act are not those using AI—they are those using AI without asking any questions.