Regulation (EU) 2024/1689 · Art. 4 in force since Feb 2, 2025 Supervision starts · August 3, 2026
EU AI Act · Supervision starts Aug 3, 2026

Your company already uses AI.
And has been out of compliance for several months.

If your team uses ChatGPT, Copilot or Gemini, Article 4 of the EU AI Act has applied to you since February 2025. Supervision starts August 3, and combining AI Act, GDPR and civil claims, your real exposure can exceed 4% of annual turnover.

Countdown · AESIA supervision start
99days
00hours
00minutes
00seconds
Calculate my exposure Request information
4%RGPD
Sanction already applicable today
15months
Your obligation has been active
100%online
Active teams · no travel
Self-identification

Art. 4 applies to you if any of these statements is true.

You don't need to develop AI. The literacy obligation applies to anyone who uses AI systems too. That is, essentially any company with a digital footprint today.

  • Any employee uses ChatGPT, Claude, Gemini or Copilot, even occasionally.
  • You have a chatbot on your website, WhatsApp or customer support, in-house or third-party.
  • HR uses AI to screen CVs, evaluate candidates or performance, even as support.
  • Marketing or sales use AI to generate content, do scoring or automate communications.
  • Your CRM, ERP or any SaaS has activated an "AI feature" in the last 18 months.

A single check makes you a "deployer" under the EU AI Act. And the obligation has been active for several months.

The legal definition is deliberately broad. No size threshold, no exempt sector. Since February 2025, you're already non-compliant if you don't have auditable literacy.

What no one tells you

The AEPD is already sanctioning companies for misuse of AI under GDPR, without waiting for the AI Act.

Public cases in HR, healthcare, banking and digital advertising. Real fines between €30,000 and €1.2M. August 3 supervision adds an additional channel — it does not replace the current one.

Your real exposure

You're not facing one sanction. You're facing three accumulated vectors.

The simplistic "€7.5M fine" narrative misses reality. Real exposure combines the already-active GDPR regime, the EU AI Act as an aggravating factor in other infractions, and a growing civil-labor-commercial front. The sum is what matters.

Vector 01
Applicable today

RGPD

4%
Global turnover · cap €20M

The AEPD already sanctions personal data processing with AI systems lacking legitimate basis, adequate information or security measures. Using ChatGPT with customer data is already punishable today.

Real case
80K – 1,2M €
Recent average AEPD sanction for shadow AI with personal data
Regulation (EU) 2016/679 · Art. 83(5)
Vector 02
Supervision starts Aug 3, 2026

AI Act

+50%
Aggravator on base sanction

Non-compliance with Art. 4 amplifies sanctions already applicable (GDPR, sectoral) as an aggravating factor. Spain will publish its own sanction regime under Art. 99(1) in the coming months.

Added risk
25K – 250K €
Civil litigation for non-auditable algorithmic decisions (SCHUFA case, ECJ)
Regulation (EU) 2024/1689 · Art. 4, 99(1), 99(7)
Vector 03
Active and growing

Civil + RFP

No predefined legal cap

Employee claims for automated evaluations, civil litigation for algorithmic decisions, and above all lost B2B RFPs: increasingly, procurement processes require compliance attestation as a vendor clause.

Estimated annual cost
200K – 2M €
A single RFP excluded for not signing the AI Act compliance clause
EU Court · SCHUFA, Uber Spain · LRJSP
Exposure calculator

Calculate your potential accumulated exposure. In 30 seconds.

Indicative model based on GDPR caps, AI Act aggravating factor, and public estimates of litigation and RFPs. Not a substitute for legal advice. Gives a realistic magnitude of what's at stake.

Your potential accumulated exposure
Annualized estimate combining the three vectors
GDPR applicable today4% turnover, cap €20M
AI Act as aggravatorAmplifier factor on infractions
Civil claimsEmployees, algorithmic decisions
Lost B2B RFPsAnnual contract loss estimate
Recommendation

Your profile fits the Professional tier.

Request information

Indicative calculation. GDPR caps per Art. 83 of Regulation (EU) 2016/679. The AI Act aggravating factor is an internal estimate; the specific Spanish sanction regime is pending publication. Civil and RFP figures are market estimates. This calculator does not constitute legal advice.

The program

CenteIA AI Act Seal. An auditable program, a methodology, a seal you can show.

Designed to arrive at August 3 with auditable training evidence, documented internal policy, and legal co-signing by leading firms. We don't promise guaranteed compliance: we promise a serious program, no shortcuts, with real legal backing.

Essential

Companies of 20-80 employees or a specific department that needs to cover the regulatory flank without over-engineering.

Investment
Custom scope · Auditable adequacy to Art. 4
Includes
  • Base training 4-6h on LMS platform
  • Synchronous opening and closing sessions
  • AI maturity diagnosis
  • Internal responsible-use guide
  • Individual certificate with verifiable code
  • 90-day automation roadmap
Request information →
★ Recommended
Professional

Companies of 50-250 employees or SMBs with multiple areas using AI. The sweet spot: full coverage with legal co-signing.

Investment
Custom scope · Legal co-signing included
Everything in Essential, plus
  • Modules by role: management, marketing, sales, HR, legal
  • Risk workshop: shadow AI, bias, sensitive data
  • Tailored internal AI usage policy
  • Art. 4 + GDPR interaction module
  • Documentation with legal partner co-signing
  • Executive closing session with C-level
Request information →
Enterprise

250+ employees, regulated sectors, multi-entity or multi-country. Immediate availability, no waiting, with signed legal opinion.

Direct route
Prior diagnosis · Signed legal opinion
Everything in Professional, plus
  • Inventory and classification of AI systems in use
  • Per-system regulatory exposure assessment
  • Legal opinion signed by the partner
  • Documented human-oversight protocols
  • Update sessions at close and +3 months
  • Optional retainer for continuous maintenance
Schedule diagnosis →
How we work with you

A defined process. No surprises.

We arrive at August 3 without diverting the team's time from current projects. Four clear milestones, auditable evidence at each step.

Initial diagnosis

30-minute call to map your current AI use, regulatory exposure and team roles. We come out with a preliminary scope and clear next step.

Tailored program

We adapt content, role-based modules and legal depth to your case. We send a closed proposal with timeline, deliverables and legal partner co-signing.

Auditable execution

LMS platform, synchronous sessions, role-based workshops. Every step is logged as auditable evidence: records, assessments and signed policies.

Certification + seal

Documentation pack with legal partner co-signing and verifiable individual certificates. What you show an inspector. What a B2B client signs if required.

Start with the diagnosis Free initial diagnosis · Reply in under 24 business hours
Request information

One conversation. Your spot.

Fill in the form and we receive it directly at info@centeiaconsulting.com. We reply within 24 business hours with a concrete tier, dates and conditions proposal.

  • Free initial diagnosis on the first call
  • Fixed, custom proposal based on real scope
  • Priority slot with calendar adapted to your availability
  • Access to exclusive webinar with the legal partner
  • No commitment · No upfront payment · Your data is used only for this program
Request program information
We receive your request directly at info@centeiaconsulting.com.
Your request goes directly to info@centeiaconsulting.com. We reply in under 24 business hours.
Why CenteIA

The one thing you cannot improvise before August.

We're not an academy selling generic courses. We're a boutique consultancy with cases in production and partnerships with leading digital-law firms.

Unique triangle: auditable training, real diagnosis and legal seal.

No boutique competitor in Spain packages these three elements together today. That's why the seal has institutional weight and why it appears in conversations with large accounts.

Active CenteIA Consulting clients
ESADE · Sodeca · Tecma · Heroturfs · MS Group · Dona Secret
  • 01
    Real cases in production
    We work with ESADE, Sodeca, Tecma, Heroturfs, MS Group and Dona Secret. Measurable results, not slide decks.
  • 02
    Real legal alliance
    Legal co-signing in Professional and signed legal opinion in Enterprise. A seal for an inspector, not a marketing PDF.
  • 03
    Linguistic discipline
    We don't sell "guaranteed compliance". We sell an auditable, serious program with clear liability clauses.
  • 04
    Real operational cap
    Limited capacity per quarter. We don't manufacture scarcity: we prioritize delivery quality over aggressive growth.
Frequently asked

Everything you need to know.

Yes. Article 4 applies to "providers and deployers" of AI systems. If your team uses Copilot, ChatGPT, Gemini, a third-party chatbot or any system with an AI component in production, you are a deployer and the obligation applies. You don't need to develop anything in-house.
The obligation has been in force since February 2, 2025. Supervision and enforcement by national authorities (in Spain, AESIA) start August 3, 2026. But GDPR exposure is already real: the AEPD already sanctions misuse of AI with personal data.
It appears in Art. 99(4) of the AI Act and applies to infringements of other articles (5, 16, 22, 23, 24…), not Art. 4 standalone. For Art. 4, the sanction regime is pending development by each Member State under Art. 99(1). In practice, real combined exposure (GDPR + AI Act aggravator + civil + RFP) can exceed that figure for many companies. That's why we prefer to be exact: the real danger is the sum, not a single fine.
By professional discipline, we don't use the expression "guaranteed compliance" except in Enterprise tier, which includes a legal opinion signed by our legal partner. In Essential and Professional we offer an auditable Article 4 compliance program with auditable evidence. The distinction is deliberate: no training program 100% eliminates a deployer's liability. But an auditable program significantly changes how sanctions are graded when an infringement occurs.
Essential: 4-6 asynchronous hours + 2 one-hour synchronous sessions. Professional: 8-12 hours + role-based sessions + C-level closing. Enterprise: custom according to scope. Designed for active teams, not training retreats.
Free initial diagnosis in a 30-minute call. If it fits, we send a closed proposal in 48h with timeline and deliverables. Start dates adapt to your availability and to the goal of reaching August 3 with all evidence issued. For Enterprise, immediate availability.

August 3 doesn't wait for your calendar.

Less than 14 weeks remain until supervision starts. Arriving late is not an option: it's an aggravator counted if an inspector comes.

Request information Calculate my exposure first