verified_user
Standardful
AI Governance

The EU AI Act Explained: What Regulation (EU) 2024/1689 Means in 2026

The EU AI Act is Regulation (EU) 2024/1689, the world's first comprehensive AI law. Here's its risk tiers, timeline, and who it applies to, in plain English.

calendar_today Juneschedule 12 min readperson Standardful Team
The EU AI Act Explained: What Regulation (EU) 2024/1689 Means in 2026

If you build, sell, or even just deploy AI in your product, there is now one law that matters more than any other: the EU AI Act. It is the world's first comprehensive, horizontal regulation of artificial intelligence, and despite being an EU law, it reaches well beyond Europe's borders. If you have EU users, EU customers, or your AI's output lands in the EU, you are likely in scope.

The problem is that almost everything written about the Act is either a law-firm memo nobody can read or a vague "AI is being regulated now" think piece. This is the plain-English version. We'll cover the actual regulation number, the risk tiers, the timeline, who's on the hook, the fines, and a practical checklist you can act on.

First, the Regulation Number

The EU AI Act is officially Regulation (EU) 2024/1689 of the European Parliament and of the Council. That's the citation auditors, lawyers, and procurement teams will ask for, and it's the one to drop into your compliance documentation.

A few key dates to anchor on:

  • Published in the Official Journal of the EU on 12 July 2024.
  • Entered into force on 1 August 2024.
  • Applies in phases through 2025, 2026, and 2027 (more on the timeline below).

Because it's a regulation and not a directive, it applies directly across all EU member states without needing each country to pass its own implementing law. That's the same mechanism that made GDPR bite immediately rather than trickling in country by country. There's a single EU AI Act rulebook, and it's already law.

The Core Idea: A Risk-Based Pyramid

The Act doesn't regulate "AI" as one undifferentiated thing. Instead, it sorts AI systems into tiers based on the risk they pose to health, safety, and fundamental rights. The higher the risk, the heavier the obligations. There are four tiers.

1. Unacceptable Risk (Prohibited)

Some uses of AI are simply banned in the EU. These are practices the legislators decided are incompatible with EU values, and there's no compliance path that makes them legal. The prohibited list includes:

  • Social scoring by public authorities that leads to detrimental treatment.
  • Manipulative or deceptive techniques that materially distort behavior and cause harm.
  • Exploiting vulnerabilities of specific groups (age, disability, socioeconomic situation).
  • Untargeted scraping of facial images from the internet or CCTV to build facial recognition databases.
  • Emotion recognition in workplaces and educational institutions (with narrow exceptions).
  • Biometric categorization to infer sensitive attributes like race, political views, or sexual orientation.
  • Real-time remote biometric identification in public spaces for law enforcement, except in tightly defined cases.

If your product does any of these, the answer isn't "add controls," it's "stop." These prohibitions have been in force since February 2025.

2. High-Risk

This is the tier most regulated businesses will care about, because it carries the bulk of the obligations without being banned outright. High-risk AI falls into two buckets:

  • AI used as a safety component of products already regulated under EU law (medical devices, machinery, vehicles, toys, and similar).
  • AI used in specific sensitive areas listed in Annex III: biometrics, critical infrastructure, education and vocational training, employment and worker management (think resume-screening and hiring tools), access to essential private and public services (including credit scoring and insurance pricing), law enforcement, migration and border control, and the administration of justice.

If you sell an AI hiring tool, a credit-decisioning model, or an ed-tech grading system into the EU, this is you. High-risk systems must satisfy a substantial set of requirements before they can be placed on the market, including a risk management system, data governance and quality controls, detailed technical documentation, logging, transparency to deployers, human oversight, and appropriate accuracy, robustness, and cybersecurity. Providers must also run a conformity assessment and register the system in an EU database.

This is exactly the operational work that an AI management system is built to produce, which is why so many teams pair AI Act readiness with ISO/IEC 42001.

3. Limited Risk (Transparency Obligations)

Some AI doesn't carry deep risk but does require honesty. The Act imposes transparency duties so people know when they're interacting with or consuming AI:

  • Chatbots must make clear that users are talking to a machine, not a human.
  • AI-generated or manipulated content (deepfakes, synthetic images, audio, video) must be labeled as artificially generated.
  • AI-generated text published to inform the public on matters of public interest must be disclosed.

For most SaaS products with a support chatbot or a generative feature, this tier is the practical baseline: clear, honest disclosure.

4. Minimal Risk

Everything else, the vast majority of AI in use today, spam filters, recommendation engines, AI in video games, falls here. The Act imposes no mandatory obligations on minimal-risk systems, though it encourages voluntary codes of conduct. If your AI is genuinely low-stakes, you mostly carry on as before, but you should still confirm that classification deliberately rather than assume it.

General-Purpose AI (GPAI): A Separate Track

Foundation models didn't fit neatly into the risk pyramid, so the Act added a dedicated regime for general-purpose AI (GPAI) models, the large, broadly capable models (think the families behind today's leading chatbots and copilots) that get adapted for countless downstream uses.

Every GPAI provider has baseline obligations:

  • Maintain technical documentation of the model and its training process.
  • Provide information and documentation to downstream providers who integrate the model.
  • Put in place a policy to comply with EU copyright law.
  • Publish a sufficiently detailed summary of the training data used.

On top of that, models deemed to carry systemic risk (very roughly, the largest and most capable frontier models, identified partly via training-compute thresholds) face extra duties: model evaluations and adversarial testing, systemic risk assessment and mitigation, serious-incident reporting, and cybersecurity protections.

If you're not training your own foundation model and instead build on an API from a major provider, most of these GPAI obligations sit with that upstream provider, not you. But you still need to understand what you're inheriting, what documentation they pass down, and where their responsibility ends and yours begins as a deployer or downstream provider.

The Phased Timeline

This is the part teams most often get wrong, because "the AI Act is in force" and "the AI Act applies to me yet" are two different statements. Here's the phased rollout.

DateWhat applies
1 Aug 2024Regulation (EU) 2024/1689 enters into force
2 Feb 2025Prohibitions on unacceptable-risk AI apply; AI literacy obligations begin
2 Aug 2025GPAI model obligations apply; governance bodies and penalties provisions kick in
2 Aug 2026Most high-risk AI obligations apply (Annex III systems); transparency rules apply
2 Aug 2027High-risk obligations for AI as a safety component in regulated products (Annex I) apply

A practical reading for 2026: the bans and GPAI rules are already live, and the big one for most regulated businesses, high-risk obligations, lands on 2 August 2026. If you're shipping an Annex III high-risk system, that deadline is the one to plan backward from now. Note that GPAI models already on the market before August 2025 were given additional time to come into full compliance.

Who's in Scope (Including Non-EU Companies)

The Act assigns obligations by role, and you can hold more than one role at once:

  • Providers develop an AI system (or GPAI model) and place it on the EU market or put it into service under their own name. Providers carry the heaviest load for high-risk systems.
  • Deployers use an AI system under their own authority in a professional context. Deployers of high-risk AI have their own duties: human oversight, monitoring, and using the system per the instructions.
  • Importers and distributors make a non-EU system available in the EU and must verify the provider met its obligations.

The critical point for readers outside Europe: the Act has extraterritorial reach. You're in scope if you're a provider placing a system on the EU market regardless of where you're established, or if you're a provider or deployer whose system's output is used in the EU. A US startup with no EU office can absolutely be on the hook. This mirrors the GDPR pattern, and the same lesson applies, "we're not an EU company" is not a defense.

The Penalties

The fines are tiered to match the severity of the breach, and they're calculated as the higher of a fixed amount or a percentage of global turnover:

  • Up to 35 million euros or 7% of total worldwide annual turnover for violating the prohibitions on unacceptable-risk AI.
  • Up to 15 million euros or 3% of turnover for breaching most other obligations (including high-risk and GPAI requirements).
  • Up to 7.5 million euros or 1% of turnover for supplying incorrect, incomplete, or misleading information to authorities.

For smaller companies and startups, the caps are generally applied as the lower of the amount or percentage, a proportionality nod, but the headline 7% figure tells you how seriously the EU is treating this. It's deliberately set above GDPR's 4% ceiling.

A Practical Compliance Checklist

Whatever tier you fall into, the path to readiness follows a similar shape. Here's what actually moves the needle.

  1. Inventory your AI systems. You can't classify what you haven't catalogued. List every AI system and model you build, embed, or deploy, including third-party APIs and features you might not think of as "AI."
  2. Classify each system by risk tier. For each one, ask: Is it prohibited? Does it fall under an Annex III high-risk use case? Does it have transparency duties? Is it minimal risk? Document the reasoning, an auditor will want to see it.
  3. Determine your role(s). Provider, deployer, importer, distributor, or some combination. Your obligations flow from this.
  4. Map GPAI dependencies. If you build on a foundation model, identify the provider and collect the documentation, copyright, and training-data summaries they're now required to pass down.
  5. For high-risk systems, build the technical file. Risk management process, data governance, documentation, logging, human oversight design, accuracy and robustness testing, and post-market monitoring. This is the heaviest lift, start early against the August 2026 deadline.
  6. Implement transparency measures. Label AI-generated content, disclose chatbots, and document where and how you inform users.
  7. Establish AI governance and literacy. Assign clear ownership, train relevant staff (the AI literacy obligation is already live), and get leadership sign-off, the same accountability discipline regulators now expect everywhere.
  8. Adopt a recognized framework to operationalize all of this. Don't reinvent the wheel, map your work to ISO 42001 and the NIST AI RMF (next section).

How the AI Act Connects to ISO 42001 and NIST AI RMF

Here's the relationship that confuses people most: the AI Act is the law, but it doesn't hand you a step-by-step methodology for complying. That's where standards come in.

ISO/IEC 42001 is the international standard for an AI management system, the certifiable, operational framework that produces exactly the artifacts the Act demands: risk assessments, technical documentation, human oversight mechanisms, and post-market monitoring. Its legal status is worth being precise about, though: ISO 42001 is a voluntary international standard, not a harmonized standard under the AI Act. The Act's presumption of conformity (Article 40) flows only from harmonized standards published in the EU's Official Journal, and those are being developed separately by CEN-CENELEC's JTC 21 committee. So adopting ISO 42001 doesn't automatically satisfy the Act. What it does do is give you a well-structured way to build the governance the law expects, and most of that work will carry straight over to the EU's harmonized standards once they're published. In plain terms: ISO 42001 is the most structured way to get AI Act-ready — just not a legal shortcut. We've written a full operational guide on it, how to stand up an ISO 42001 AI management system, which is the natural companion to this article. This post tells you what the law requires; that one tells you how to build the system that satisfies it.

The NIST AI Risk Management Framework is the US counterpart, a voluntary framework organized around four functions (Govern, Map, Measure, Manage). It isn't a substitute for AI Act compliance, but it shares the same DNA, transparency, accountability, and systematic risk management, so work toward one tends to prepare you for the other. For global teams, building once against ISO 42001 and the NIST AI RMF covers a lot of ground on both sides of the Atlantic.

It's also worth watching the US state landscape. The Colorado ADMT Act, a leading US state automated-decision law, takes a risk-based, anti-discrimination approach that rhymes with the EU's high-risk regime. If you're building AI governance for the EU, you're laying the foundation for these emerging US rules too.

The Bottom Line

The EU AI Act, Regulation (EU) 2024/1689, is no longer a future concern. It's in force, it's phasing in on a fixed schedule, and the high-risk obligations that affect most regulated AI products land on 2 August 2026. The smart move is to inventory and classify your AI systems now, figure out your roles, and start building the documented, systematic governance the Act requires, using ISO 42001 as your operational backbone.

Companies that treat this as a box-ticking exercise at the last minute will find it expensive and stressful. Companies that build the governance discipline early will find it turns into a sales advantage, the same way SOC 2 and ISO 27001 did before it. The Act isn't asking you to do anything a responsible AI team shouldn't already be doing. It's just making it the law.

For the full standard breakdown, see the EU AI Act standard page.

FAQ

What is the EU AI Act regulation number?

The EU AI Act is officially Regulation (EU) 2024/1689 of the European Parliament and of the Council. It was published in the Official Journal of the European Union on 12 July 2024 and entered into force on 1 August 2024. When people search for the "AI Act EU regulation number," this is the citation they need.

When does the EU AI Act take effect?

The Act entered into force on 1 August 2024 but applies in phases. Bans on prohibited AI practices applied from 2 February 2025. Rules for general-purpose AI models applied from 2 August 2025. Most high-risk AI obligations apply from 2 August 2026, with certain high-risk categories extended to 2 August 2027.

Who does the EU AI Act apply to?

It applies to providers, deployers, importers, and distributors of AI systems. Crucially, it has extraterritorial reach: a company based outside the EU is in scope if its AI system is placed on the EU market or if the system's output is used in the EU. US and UK companies serving EU users are commonly affected.

What are the penalties under the EU AI Act?

Fines reach up to 35 million euros or 7 percent of total worldwide annual turnover, whichever is higher, for prohibited AI practices. Other breaches carry lower caps, such as up to 15 million euros or 3 percent of turnover for most obligations, and lower amounts for supplying incorrect information to authorities.

What is high-risk AI under the EU AI Act?

High-risk AI includes systems used in areas like employment and hiring, education, credit scoring, essential services, biometrics, critical infrastructure, and law enforcement, plus AI used as a safety component in regulated products. These systems must meet requirements for risk management, data governance, documentation, human oversight, and accuracy before they can be sold in the EU.

How does the EU AI Act relate to ISO 42001 and NIST AI RMF?

The AI Act is the law; ISO 42001 and the NIST AI RMF are the operational frameworks that help you meet it. ISO/IEC 42001 gives you a certifiable AI management system that produces many of the artifacts the Act requires, but it is not currently a harmonized standard under the AI Act and does not by itself create a presumption of conformity — the dedicated harmonized standards are being developed separately by CEN-CENELEC. The NIST AI RMF is a complementary US framework covering the same risk-management concepts.

References

  1. Regulation (EU) 2024/1689 (the AI Act) — Official Journal of the European Union (2024)
  2. AI Act overview — European Commission, Shaping Europe's Digital Future
  3. AI Act implementation timeline — EU AI Act explorer
  4. ISO/IEC 42001:2023 — Artificial Intelligence Management Systems — ISO (2023)
  5. NIST AI Risk Management Framework (AI RMF 1.0) — NIST (2023)

Related Topics

EU AI ActAI RegulationRegulation (EU) 2024/1689AI GovernanceHigh-Risk AIGPAIAI compliancefoundation models