The EU AI Act (Regulation (EU) 2024/1689) is the European Union's comprehensive law governing artificial intelligence. It takes a risk-based approach: the more risk an AI system poses to health, safety, or fundamental rights, the stricter the obligations. Some practices are banned outright, high-risk systems face detailed requirements, and general-purpose AI (GPAI) models have their own transparency rules.

The Act entered into force on 1 August 2024 and applies in stages through 2027 (with some product-embedded high-risk rules to 2028). It applies across the AI value chain — providers, deployers, importers, and distributors — and reaches organisations outside the EU where an AI system's output is used in the Union.

What is the EU AI Act?

The EU AI Act is the first comprehensive horizontal regulation of artificial intelligence. It sets harmonised rules for placing AI systems on the EU market, putting them into service, and using them, plus separate rules for general-purpose AI models.

Key points:

  • Instrument: Regulation (EU) 2024/1689 — directly applicable in all Member States.
  • Approach: Risk-based — obligations scale with potential harm to health, safety, and fundamental rights.
  • Who it covers: Providers, deployers, importers, and distributors of AI systems, and providers of GPAI models.
  • Extraterritorial reach: Applies to non-EU actors where the AI system's output is used in the EU.

What are the four risk tiers?

The Act classifies AI by level of risk:

  • Unacceptable risk: A small set of practices banned outright (see Article 5).
  • High risk: Systems that can significantly threaten health, safety, or fundamental rights — e.g. AI in critical infrastructure, education, employment, essential services and credit scoring, certain biometrics, law enforcement, and migration. Subject to strict requirements.
  • Limited risk (transparency): Systems that interact with people or generate content must meet disclosure duties — e.g. telling users they are dealing with an AI and labelling AI-generated content and deepfakes.
  • Minimal or no risk: The vast majority of systems (e.g. spam filters, AI in video games). No mandatory obligations under the Act.

Which AI practices are prohibited?

Article 5 bans practices deemed an unacceptable risk, including:

  • Harmful manipulation using subliminal or deceptive techniques that materially distort behaviour and cause significant harm.
  • Exploiting vulnerabilities based on age, disability, or socio-economic status to distort behaviour harmfully.
  • Social scoring that leads to unjustified or disproportionate detrimental treatment.
  • Predictive policing based solely on profiling or personality traits.
  • Untargeted scraping of facial images from the internet or CCTV to build facial-recognition databases.
  • Emotion inference in the workplace or educational settings (narrow medical/safety exceptions).
  • Biometric categorisation to infer sensitive attributes such as race, political views, religion, or sexual orientation.
  • Real-time remote biometric identification in public spaces for law enforcement, except in narrowly defined, authorised situations.

These prohibitions have applied since 2 February 2025.

What must high-risk AI systems do?

Before a high-risk system is placed on the market or put into service, the provider must put in place mandatory controls, including:

  • A risk management system to identify and mitigate risks across the lifecycle.
  • Data governance — high-quality, relevant datasets that minimise bias and discrimination.
  • Technical documentation and automatic logging for traceability.
  • Transparency and clear information to deployers on appropriate use.
  • Human oversight measures.
  • An appropriate level of accuracy, robustness, and cybersecurity.

High-risk systems also undergo conformity assessment and registration. Deployers carry their own duties, such as using systems per instructions and ensuring human oversight.

How does the Act treat general-purpose AI (GPAI)?

GPAI models (the foundation models behind many downstream applications) have a dedicated regime that began applying on 2 August 2025.

  • All GPAI providers: Maintain technical documentation, provide information to downstream developers, put a copyright compliance policy in place, and publish a sufficiently detailed summary of training content.
  • GPAI with systemic risk: Additional duties — model evaluation, systemic-risk assessment and mitigation, serious-incident tracking and reporting, and adequate cybersecurity.

The Commission has published guidelines and a voluntary General-Purpose AI Code of Practice to support compliance. Models already on the market before 2 August 2025 must comply by 2 August 2027.

When do the rules apply (timeline)?

The Act applies in phases:

  • 1 August 2024 — Entered into force.
  • 2 February 2025 — Prohibited practices and AI literacy obligations apply.
  • 2 August 2025 — GPAI model obligations and governance rules apply.
  • 2 August 2026 — General application date; most high-risk (Annex III) and transparency obligations apply.
  • 2 August 2027 — High-risk rules for AI that is a safety component of regulated products apply; pre-existing GPAI models must be compliant.
  • 2 August 2028 — Extended transition for certain product-embedded high-risk systems.

What are the penalties, and how should organisations prepare?

Fines are tiered by severity (whichever is higher of the amount or turnover percentage):

  • Prohibited practices: up to EUR 35 million or 7% of total worldwide annual turnover.
  • Other obligation breaches (e.g. provider, deployer, transparency duties): up to EUR 15 million or 3%.
  • Incorrect, incomplete, or misleading information to authorities: up to EUR 7.5 million or 1%.

For SMEs and startups, the fine is capped at the lower of the amount or percentage.

Preparing:

  • Inventory AI systems and classify each by risk tier.
  • Confirm none fall under prohibited practices.
  • Identify high-risk uses and build the required controls (risk management, data governance, documentation, oversight).
  • Check GPAI obligations if you develop or fine-tune models.
  • Implement transparency labelling and AI-literacy measures across staff.

Frequently asked questions

Does the EU AI Act apply to companies outside the EU?

Yes. It can apply to providers and deployers established outside the EU where the output of the AI system is used within the Union, as well as to those placing systems or GPAI models on the EU market.

When did the prohibitions take effect?

The bans on unacceptable-risk practices under Article 5, along with AI literacy obligations, have applied since 2 February 2025.

What counts as a high-risk AI system?

Broadly, systems used as safety components of regulated products, and systems in listed areas such as critical infrastructure, education, employment, access to essential services and credit, certain biometrics, law enforcement, migration, and administration of justice.

What are the maximum fines under the Act?

Up to EUR 35 million or 7% of total worldwide annual turnover (whichever is higher) for prohibited practices; up to EUR 15 million or 3% for other breaches; and up to EUR 7.5 million or 1% for supplying misleading information.

What obligations apply to general-purpose AI models?

All GPAI providers must keep technical documentation, inform downstream providers, follow a copyright policy, and publish a training-content summary. Models with systemic risk face added evaluation, risk-mitigation, incident-reporting, and cybersecurity duties.

When does the Act become fully applicable?

It applies in stages; the general application date is 2 August 2026, with high-risk rules for certain regulated products extending to 2 August 2027 and some product-embedded high-risk systems to 2 August 2028.

Official sources