EU AI Act
Regulation (EU) 2024/1689 — Artificial Intelligence Act
Standard Introduction
The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) is the world's first comprehensive legal framework for artificial intelligence, adopted by the European Parliament in March 2024. The AI Act establishes a risk-based approach to AI regulation, categorizing AI systems into four risk levels: unacceptable (banned), high-risk (strictly regulated), limited risk (transparency obligations), and minimal risk (no specific requirements). It applies to providers and deployers of AI systems placed on the EU market, regardless of where they are established.
The AI Act prohibits AI practices considered an unacceptable risk, including social scoring by governments and real-time biometric surveillance in public spaces. High-risk AI systems — used in hiring, credit scoring, healthcare, education, and critical infrastructure — must meet strict requirements including risk management, data governance, transparency, human oversight, and accuracy. General-purpose AI models have additional obligations around transparency and copyright compliance. Fines reach up to €35 million or 7% of global annual turnover. The Act is implemented in phases, with prohibited practices banned from February 2025 and high-risk system rules applying from August 2026.
Risk-Based Classification
AI systems are classified into four risk levels — unacceptable (banned), high-risk (strict rules), limited risk (transparency), and minimal risk (no obligations).
Prohibited Practices
Bans social scoring by governments, real-time remote biometric identification in public spaces (with exceptions), and AI that manipulates or exploits vulnerabilities.
Transparency Requirements
AI-generated content must be labeled. Chatbots and deepfakes must be clearly identified as AI. General-purpose AI models must publish training data summaries.
list_alt Key Obligations
- Prohibited AI practices (social scoring, manipulative AI)
- High-risk AI system conformity assessments
- Risk management system for high-risk AI
- Data governance and quality requirements
- Transparency and human oversight obligations
- General-purpose AI model obligations
- AI literacy requirements for deployers
- Post-market monitoring and incident reporting
Who Needs to Comply?
Providers (developers) and deployers (users) of AI systems placed on the EU market or whose output is used in the EU. Applies to companies worldwide if their AI systems affect people in the EU.
Key Requirements
Risk Classification
Determine whether your AI system falls under prohibited, high-risk, limited-risk, or minimal-risk categories. High-risk includes AI in critical infrastructure, education, employment, law enforcement, and migration.
Conformity Assessment (High-Risk)
High-risk AI systems must undergo conformity assessment before market placement. This includes risk management, data quality checks, technical documentation, and in some cases third-party audits.
Transparency Obligations
Ensure users know they are interacting with AI. Label AI-generated content including deepfakes. General-purpose AI providers must publish model cards and training data summaries.
Human Oversight
High-risk AI systems must be designed to allow effective human oversight. Deployers must assign competent persons to monitor operation and intervene when necessary.
Post-Market Monitoring
Providers of high-risk AI must establish post-market monitoring systems. Serious incidents and malfunctions must be reported to national authorities.
Implementation Roadmap
Scope & AI system inventory
Map every AI system you develop, deploy, distribute, or embed, and confirm whether the EU AI Act applies through provider, deployer, importer, or distributor roles. Because the regulation has extraterritorial reach, include systems whose outputs are used in the EU even where your organization sits outside it. Classify each system against the risk-based tiers (prohibited, high-risk, limited-risk/transparency, minimal) and flag any general-purpose AI (GPAI) models you build or integrate.
Gap analysis against obligations
For each classified system, compare current practice against the obligations that attach to its tier: risk management, data governance, technical documentation, logging, human oversight, accuracy and robustness for high-risk systems, and transparency duties for limited-risk uses such as chatbots and deepfakes. Assess GPAI documentation and copyright/training-data transparency where relevant, and record gaps against the phased compliance dates.
Implement controls & documentation
Build the required measures: a risk-management system, quality management, technical documentation, event logging, human-oversight design, and conformity assessment leading to CE marking and EU database registration for high-risk systems. Implement transparency notices for limited-risk systems, and align GPAI models with documentation, acceptable-use, and systemic-risk obligations where thresholds are met.
Audit, monitor & maintain
Stand up post-market monitoring, incident reporting, and periodic review so systems stay compliant as they evolve or are retrained. Re-run conformity assessment after substantial modifications, keep documentation and logs current, and track regulatory guidance and harmonized standards as the phased obligations take full effect. Assign clear ownership so accountability is continuous rather than a one-off project.
Compliance Checklist
checklist Governance & classification
checklist High-risk technical requirements
checklist Transparency & GPAI
Penalties & Enforcement
Fines up to EUR 35 million or 7% of global annual turnover for prohibited AI practices. Up to EUR 15 million or 3% of turnover for other violations. SMEs and startups face proportionally lower caps.
Frequently Asked Questions
Who does the EU AI Act apply to?
expand_more
It applies primarily to providers that develop or place AI systems on the EU market and to deployers that use them in a professional context, as well as importers and distributors. Its reach is extraterritorial: providers and deployers outside the EU are covered when the output of their AI system is used within the EU. This means many non-EU technology and enterprise organizations fall in scope even without an EU establishment.
What are the risk tiers under the EU AI Act?
expand_more
The regulation uses a risk-based approach with four levels. Unacceptable-risk practices are prohibited, high-risk systems face the most detailed obligations, limited-risk systems carry transparency duties, and minimal-risk systems are largely unregulated. General-purpose AI (GPAI) models are addressed under a separate dedicated set of rules.
What counts as high-risk AI?
expand_more
High-risk covers AI used as a safety component of regulated products, plus systems listed in Annex III for areas such as biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, and the administration of justice. These systems must meet requirements for risk management, data governance, documentation, logging, human oversight, and accuracy and robustness. They also require conformity assessment and CE marking before market placement.
What transparency obligations apply to limited-risk systems like chatbots and deepfakes?
expand_more
Users must be told when they are interacting with an AI system, such as a chatbot, unless it is obvious from context. AI-generated or manipulated audio, image, video, or text content, including deepfakes, must be clearly labelled as artificially generated. These duties aim to prevent deception while imposing lighter obligations than the high-risk regime.
What obligations apply to general-purpose AI (GPAI)?
expand_more
Providers of GPAI models must maintain technical documentation, provide information to downstream developers, comply with EU copyright law, and publish a summary of the content used for training. Models presenting systemic risk face additional duties such as model evaluation, adversarial testing, incident tracking, and cybersecurity measures. GPAI obligations began to apply from August 2025.
What are the key compliance dates?
expand_more
Prohibited practices have applied since February 2025, and GPAI obligations from August 2025. Most high-risk obligations apply from August 2026, with a later date of August 2027 for certain high-risk systems tied to regulated products. Organizations should map each system to the phase-in date that governs it.
What penalties can be imposed?
expand_more
Fines are tiered by severity. Breaches of the prohibited-practices rules can reach up to €35 million or 7% of global annual turnover, whichever is higher. Other infringements and the supply of incorrect information carry lower ceilings, and national authorities enforce these penalties across the EU.
How does the EU AI Act interact with the GDPR?
expand_more
The two frameworks are complementary and apply in parallel rather than replacing one another. The EU AI Act governs how AI systems are designed, tested, and deployed, while the GDPR continues to govern the processing of personal data those systems rely on. Where AI processes personal data you must satisfy both, coordinating documentation, risk assessments, and data-governance controls.
Official Documentation
EU AI Act (EU) 2024/1689
EUR-Lex • Full Regulation Text • All EU Languages
European Commission AI Policy
External Link • digital-strategy.ec.europa.eu • Regulatory Framework
AI Act Explorer
External Link • artificialintelligenceact.eu • Interactive Guide