verified_user
Standardful
Homechevron_rightStandardschevron_rightEU AI Act
ActiveInternational Standardupdate Standard Updated: August 2025fact_check Fact checked: Jun 28, 2026

EU AI Act

Regulation (EU) 2024/1689 — Artificial Intelligence Act

apartmentPublishing Organization:European Union

Standard Introduction

The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) is the world's first comprehensive legal framework for artificial intelligence, adopted by the European Parliament in March 2024. The AI Act establishes a risk-based approach to AI regulation, categorizing AI systems into four risk levels: unacceptable (banned), high-risk (strictly regulated), limited risk (transparency obligations), and minimal risk (no specific requirements). It applies to providers and deployers of AI systems placed on the EU market, regardless of where they are established.

The AI Act prohibits AI practices considered an unacceptable risk, including social scoring by governments and real-time biometric surveillance in public spaces. High-risk AI systems — used in hiring, credit scoring, healthcare, education, and critical infrastructure — must meet strict requirements including risk management, data governance, transparency, human oversight, and accuracy. General-purpose AI models have additional obligations around transparency and copyright compliance. Fines reach up to €35 million or 7% of global annual turnover. The Act is implemented in phases, with prohibited practices banned from February 2025 and high-risk system rules applying from August 2026.

psychology

Risk-Based Classification

AI systems are classified into four risk levels — unacceptable (banned), high-risk (strict rules), limited risk (transparency), and minimal risk (no obligations).

block

Prohibited Practices

Bans social scoring by governments, real-time remote biometric identification in public spaces (with exceptions), and AI that manipulates or exploits vulnerabilities.

visibility

Transparency Requirements

AI-generated content must be labeled. Chatbots and deepfakes must be clearly identified as AI. General-purpose AI models must publish training data summaries.

list_alt Key Obligations

  • Prohibited AI practices (social scoring, manipulative AI)
  • High-risk AI system conformity assessments
  • Risk management system for high-risk AI
  • Data governance and quality requirements
  • Transparency and human oversight obligations
  • General-purpose AI model obligations
  • AI literacy requirements for deployers
  • Post-market monitoring and incident reporting

Who Needs to Comply?

groups

Providers (developers) and deployers (users) of AI systems placed on the EU market or whose output is used in the EU. Applies to companies worldwide if their AI systems affect people in the EU.

Key Requirements

1

Risk Classification

Determine whether your AI system falls under prohibited, high-risk, limited-risk, or minimal-risk categories. High-risk includes AI in critical infrastructure, education, employment, law enforcement, and migration.

2

Conformity Assessment (High-Risk)

High-risk AI systems must undergo conformity assessment before market placement. This includes risk management, data quality checks, technical documentation, and in some cases third-party audits.

3

Transparency Obligations

Ensure users know they are interacting with AI. Label AI-generated content including deepfakes. General-purpose AI providers must publish model cards and training data summaries.

4

Human Oversight

High-risk AI systems must be designed to allow effective human oversight. Deployers must assign competent persons to monitor operation and intervene when necessary.

5

Post-Market Monitoring

Providers of high-risk AI must establish post-market monitoring systems. Serious incidents and malfunctions must be reported to national authorities.

Implementation Roadmap

1
Phase 1schedule Duration: 3-5 weeks

Scope & AI system inventory

Map every AI system you develop, deploy, distribute, or embed, and confirm whether the EU AI Act applies through provider, deployer, importer, or distributor roles. Because the regulation has extraterritorial reach, include systems whose outputs are used in the EU even where your organization sits outside it. Classify each system against the risk-based tiers (prohibited, high-risk, limited-risk/transparency, minimal) and flag any general-purpose AI (GPAI) models you build or integrate.

2
Phase 2schedule Duration: 4-6 weeks

Gap analysis against obligations

For each classified system, compare current practice against the obligations that attach to its tier: risk management, data governance, technical documentation, logging, human oversight, accuracy and robustness for high-risk systems, and transparency duties for limited-risk uses such as chatbots and deepfakes. Assess GPAI documentation and copyright/training-data transparency where relevant, and record gaps against the phased compliance dates.

3
Phase 3schedule Duration: 3-6 months

Implement controls & documentation

Build the required measures: a risk-management system, quality management, technical documentation, event logging, human-oversight design, and conformity assessment leading to CE marking and EU database registration for high-risk systems. Implement transparency notices for limited-risk systems, and align GPAI models with documentation, acceptable-use, and systemic-risk obligations where thresholds are met.

4
Phase 4schedule Duration: Ongoing

Audit, monitor & maintain

Stand up post-market monitoring, incident reporting, and periodic review so systems stay compliant as they evolve or are retrained. Re-run conformity assessment after substantial modifications, keep documentation and logs current, and track regulatory guidance and harmonized standards as the phased obligations take full effect. Assign clear ownership so accountability is continuous rather than a one-off project.

Compliance Checklist

0 / 13

checklist Governance & classification

checklist High-risk technical requirements

checklist Transparency & GPAI

Penalties & Enforcement

warning

Fines up to EUR 35 million or 7% of global annual turnover for prohibited AI practices. Up to EUR 15 million or 3% of turnover for other violations. SMEs and startups face proportionally lower caps.

Frequently Asked Questions

Who does the EU AI Act apply to?

expand_more

It applies primarily to providers that develop or place AI systems on the EU market and to deployers that use them in a professional context, as well as importers and distributors. Its reach is extraterritorial: providers and deployers outside the EU are covered when the output of their AI system is used within the EU. This means many non-EU technology and enterprise organizations fall in scope even without an EU establishment.

What are the risk tiers under the EU AI Act?

expand_more

The regulation uses a risk-based approach with four levels. Unacceptable-risk practices are prohibited, high-risk systems face the most detailed obligations, limited-risk systems carry transparency duties, and minimal-risk systems are largely unregulated. General-purpose AI (GPAI) models are addressed under a separate dedicated set of rules.

What counts as high-risk AI?

expand_more

High-risk covers AI used as a safety component of regulated products, plus systems listed in Annex III for areas such as biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, and the administration of justice. These systems must meet requirements for risk management, data governance, documentation, logging, human oversight, and accuracy and robustness. They also require conformity assessment and CE marking before market placement.

What transparency obligations apply to limited-risk systems like chatbots and deepfakes?

expand_more

Users must be told when they are interacting with an AI system, such as a chatbot, unless it is obvious from context. AI-generated or manipulated audio, image, video, or text content, including deepfakes, must be clearly labelled as artificially generated. These duties aim to prevent deception while imposing lighter obligations than the high-risk regime.

What obligations apply to general-purpose AI (GPAI)?

expand_more

Providers of GPAI models must maintain technical documentation, provide information to downstream developers, comply with EU copyright law, and publish a summary of the content used for training. Models presenting systemic risk face additional duties such as model evaluation, adversarial testing, incident tracking, and cybersecurity measures. GPAI obligations began to apply from August 2025.

What are the key compliance dates?

expand_more

Prohibited practices have applied since February 2025, and GPAI obligations from August 2025. Most high-risk obligations apply from August 2026, with a later date of August 2027 for certain high-risk systems tied to regulated products. Organizations should map each system to the phase-in date that governs it.

What penalties can be imposed?

expand_more

Fines are tiered by severity. Breaches of the prohibited-practices rules can reach up to €35 million or 7% of global annual turnover, whichever is higher. Other infringements and the supply of incorrect information carry lower ceilings, and national authorities enforce these penalties across the EU.

How does the EU AI Act interact with the GDPR?

expand_more

The two frameworks are complementary and apply in parallel rather than replacing one another. The EU AI Act governs how AI systems are designed, tested, and deployed, while the GDPR continues to govern the processing of personal data those systems rely on. Where AI processes personal data you must satisfy both, coordinating documentation, risk assessments, and data-governance controls.

Official Documentation

View All

Implementation Timeline

description
April 2021
European Commission proposal published - First draft of comprehensive AI regulation presented
check_circle
March 2024
European Parliament approved final text - AI Act officially adopted by the European Parliament
gavel
Aug 2024
AI Act entered into force - Regulation entered into force 20 days after publication in Official Journal
block
Feb 2025
Prohibited AI practices ban effective - Social scoring, manipulative AI, and certain biometric uses banned
psychology
Aug 2025
General-purpose AI rules apply - Transparency and copyright obligations for GPAI models become enforceable
warning
Aug 2026
High-risk AI systems rules apply - Full compliance requirements for high-risk AI systems become mandatory

Related Categories