
The EU AI Act: What It Is, Why It Matters, and What You Need to Do

The world's first comprehensive AI regulation. A plain-English guide to its history, structure, and what it requires of businesses.

Full enforcement: 2 August 2026

What is the EU AI Act?

Regulation (EU) 2024/1689, known as the EU AI Act, is the world's first legally binding, comprehensive framework for artificial intelligence. It establishes a risk-based classification system for AI systems, with regulatory obligations that scale proportionally to the level of risk posed by the AI.

The Act applies to providers, deployers, importers, and distributors of AI systems that are placed on the EU market or used in the EU. Like GDPR, it has extraterritorial effect: a US, UK, or Asian company whose AI system is used by EU customers falls within scope.

Legislative history

The European Commission first proposed an AI regulation in April 2021. The proposal came in the context of rapid growth in AI deployment across sectors — from hiring algorithms to medical diagnostics — and increasing concern about the lack of accountability for AI-driven decisions.

The European Parliament significantly strengthened the Commission's original proposal, adding provisions for foundation models (later reframed as General Purpose AI, or GPAI), stricter rules on biometric identification, and more expansive definitions of high-risk AI.

The Act was formally adopted by the European Parliament on 13 March 2024 and entered into force on 1 August 2024. It is phased in over multiple years, with full obligations for high-risk AI systems applying from 2 August 2026.

The four risk tiers

The Act classifies AI systems into four tiers, with requirements proportional to risk:

  • Unacceptable risk — Prohibited: AI systems in this category are banned outright. Examples include social scoring systems used by public authorities, AI that exploits cognitive vulnerabilities or subconscious behaviour to manipulate decisions, and (with narrow exceptions) real-time remote biometric identification systems in publicly accessible spaces.
  • High risk — Full compliance obligations: The most heavily regulated category. High-risk AI includes systems used in biometric identification, critical infrastructure management, educational assessment, employment screening, access to essential services (credit, insurance), law enforcement, migration, and administration of justice. These systems must satisfy a comprehensive set of requirements before deployment.
  • Limited risk — Transparency obligations: AI systems that interact with users must disclose they are AI (chatbots, virtual assistants). Systems generating synthetic content (deepfakes, AI-generated images) must label their output as artificially generated.
  • Minimal risk — No specific obligations: The vast majority of AI applications. AI-enabled spam filters, recommendation systems, and productivity tools fall into this category under normal circumstances.

High-risk AI: what compliance requires

If your AI system falls into a high-risk category, you must establish and maintain a comprehensive compliance programme before the system can be placed on the EU market. The requirements include:

  • Risk management system: A documented, ongoing process for identifying, analysing, estimating, and mitigating risks associated with the AI system throughout its lifecycle.
  • Data governance: Training, validation, and testing datasets must meet quality requirements. Data used to train high-risk systems must be relevant, representative, and free of errors where possible.
  • Technical documentation: Comprehensive documentation demonstrating compliance, including model architecture, training methodology, performance metrics, and known limitations.
  • Logging and auditability: High-risk AI systems must automatically generate logs allowing for post-market monitoring. For some systems, records must be retained for specified periods.
  • Transparency and user information: Users (deployers) must be provided with instructions for use that allow them to understand the system's purpose, performance characteristics, and limitations.
  • Human oversight: Systems must be designed with mechanisms enabling human oversight, including the ability to monitor, interpret, intervene in, or stop the AI system's output.
  • Accuracy, robustness, and cybersecurity: Technical measures must ensure the system performs as intended across its operational lifetime.
  • EU conformity declaration and CE marking: Before market placement, high-risk AI systems must undergo a conformity assessment and bear CE marking.

General Purpose AI (GPAI) models

The Act includes a specific chapter for General Purpose AI models — large-scale AI models (such as large language models) that can serve a wide range of purposes. Providers of GPAI models must:

  • Prepare and maintain technical documentation about the model.
  • Make information available to downstream providers integrating the model.
  • Comply with the EU's copyright law and publish a summary of training data.
  • For "systemic risk" GPAI models (those trained with over 10²⁵ FLOPs): conduct adversarial testing, notify serious incidents to the Commission, and implement cybersecurity protections.

Fines and enforcement

The AI Act establishes three tiers of administrative fines:

  • €35 million or 7% of global annual turnover — for violations involving prohibited AI systems.
  • €15 million or 3% of global annual turnover — for violations of most other obligations, including high-risk AI requirements.
  • €7.5 million or 1.5% of global annual turnover — for providing incorrect, incomplete, or misleading information to authorities.

Enforcement is carried out by national market surveillance authorities, coordinated by the newly established European AI Office within the European Commission.

Key dates

  • 1 August 2024: Act enters into force.
  • 2 February 2025: Chapter II (prohibited practices) becomes applicable. Operators must cease or modify any prohibited AI use cases.
  • 2 August 2025: GPAI model obligations and governance framework become applicable.
  • 2 August 2026: Full obligations for high-risk AI systems under Annex III apply.
  • 2 August 2027: Obligations for high-risk AI systems embedded in regulated products (Annex I) apply.

See what Annex IV technical documentation looks like

Kortave produces a full EU AI Act Technical Documentation package for high-risk AI systems — covering all 16 sections of Annex IV: risk management, training data governance, transparency, human oversight, post-market monitoring, serious incident reporting, and an EU Declaration of Conformity draft. Here's a complete example for a fictional HR screening AI.

View example AI Act documentation →

AI Act compliance, automated

Kortave produces your AI Act risk classification, usage policy, and documentation pack — before the August 2026 deadline.
