Regulation (EU) 2024/1689 — the EU AI Act — is the world's first comprehensive, legally binding AI framework. It entered into force on 1 August 2024 and is being phased in across multiple years, with the most significant obligations landing in August 2026. Understanding what the Act requires, who it applies to, and when the various deadlines fall is the starting point for any compliance programme.
Why the EU AI Act exists
The European Commission first proposed an AI regulation in April 2021. The proposal responded to growing deployment of AI systems in high-stakes contexts — hiring algorithms, credit scoring, predictive policing, medical diagnostics — without any regulatory accountability framework. Unlike GDPR, which regulates the data used by AI systems, the Act regulates the AI systems themselves.
The legislative process was extended significantly by two developments. First, the rapid rise of large language models (GPT-3, then GPT-4) in 2022–2023 required the Parliament to substantially revise its approach to general-purpose AI. Second, significant disagreement between member states about the treatment of biometric identification systems and AI in law enforcement delayed the trilogue negotiations.
The Act was finally adopted by the European Parliament on 13 March 2024 and entered into force on 1 August 2024.
Scope and extraterritorial effect
Like GDPR, the AI Act applies beyond EU borders. It covers: providers placing AI systems on the EU market; deployers using AI systems within the EU; importers and distributors of AI systems placed on the EU market; and providers whose AI systems' outputs are used in the EU. A US company whose AI system is used by EU customers is within scope.
The Act defines an "AI system" broadly: a machine-based system that infers, from inputs, how to generate outputs such as predictions, recommendations, or decisions that can influence real or virtual environments. This captures most production AI software, including systems using classical machine learning, not just large language models.
The four risk tiers
The Act's risk-based approach creates four categories with proportionate requirements:
- Unacceptable risk (prohibited): AI systems in this category are banned outright. Examples: social scoring by public authorities, AI that manipulates individuals through subliminal techniques or exploits vulnerabilities, real-time remote biometric identification in public spaces (with narrow law enforcement exceptions), emotion recognition in workplace and educational settings, and untargeted scraping of facial images for biometric databases. These prohibitions applied from 2 February 2025.
- High risk (full compliance): Subject to the most demanding requirements before market placement. Includes AI used in biometric identification, critical infrastructure, educational assessment, employment and worker management, access to essential services (credit, insurance, benefits), law enforcement, migration and border control, and administration of justice. The majority of compliance attention should focus here.
- Limited risk (transparency obligations): AI systems that interact directly with users must disclose they are AI. Systems generating deepfakes or synthetic media must label that content. Chatbots must disclose their AI nature unless the context makes it obvious.
- Minimal risk (no specific obligations): The vast majority of AI applications. AI-enabled spam filters, recommendation engines, grammar correction tools, and most enterprise productivity software fall here under normal circumstances.
High-risk AI: the compliance requirements
Providers of high-risk AI systems must satisfy a comprehensive set of requirements before the system can be placed on the EU market or put into service. These requirements apply from 2 August 2026 (for Annex III systems) and 2 August 2027 (for AI embedded in Annex I regulated products).
- Risk management system (Art. 9): A continuous process for identifying, analysing, estimating, evaluating, and mitigating risks throughout the AI lifecycle. Must be documented and reviewed at least annually.
- Data governance (Art. 10): Training, validation, and testing datasets must be subject to data governance practices. Datasets must be relevant, representative, and as free of errors as possible. Bias examination is required.
- Technical documentation (Art. 11): Comprehensive documentation demonstrating compliance, prepared before market placement and maintained throughout the lifecycle. Specific content requirements are set out in Annex IV.
- Record-keeping (Art. 12): High-risk systems must automatically log events during operation, to the extent technically feasible. Log retention requirements vary by system type.
- Transparency (Art. 13): Deployers must receive instructions for use sufficient to understand the system's purpose, performance characteristics, limitations, and human oversight requirements.
- Human oversight (Art. 14): Systems must be designed to allow human oversight, including the ability to understand outputs, monitor operations, intervene or override, and stop the system.
- Accuracy, robustness, and cybersecurity (Art. 15): Systems must perform as intended under foreseeable conditions, including adversarial inputs where relevant.
- Conformity assessment: Most Annex III systems require a self-assessment conformity procedure. Some (e.g. biometric identification) require third-party assessment. Conformity must be demonstrated through a declaration and, in many cases, CE marking.
General Purpose AI models
The Act creates a specific framework for General Purpose AI (GPAI) models — AI models trained on large data volumes using self-supervision that can be used for diverse tasks. All GPAI model providers must prepare technical documentation, provide usage information to downstream providers, and comply with EU copyright law, including by publishing summaries of the data used for training.
Models trained with more than 10²⁵ FLOPs are presumed to present systemic risk and face additional obligations: adversarial testing, systematic risk assessment, incident reporting to the European AI Office within two weeks of awareness, and cybersecurity measures. This captures the largest foundation models currently available.
Key enforcement dates
- 1 August 2024: Act enters into force.
- 2 February 2025: Prohibited AI practices (Chapter II) become applicable. Operators must have eliminated or modified any prohibited AI applications by this date.
- 2 August 2025: GPAI model obligations and governance provisions become applicable.
- 2 August 2026: Full obligations for high-risk AI systems under Annex III (including employment, credit, biometrics, law enforcement, border control, justice).
- 2 August 2027: Full obligations for AI systems embedded in Annex I regulated products (medical devices, machinery, vehicles, etc.).
Fines
The AI Act establishes three fine tiers: up to €35 million or 7% of global turnover for prohibited practice violations; up to €15 million or 3% for most other obligation breaches; and up to €7.5 million or 1.5% for providing incorrect information to the European AI Office. For SMEs and startups, lower absolute caps apply.
The August 2026 deadline is not distant when you account for what high-risk compliance actually requires: risk classification analysis, technical documentation preparation, data governance review, conformity assessment, and — for some systems — third-party audits. Companies in scope that have not started this process are already behind.