Last updated: March 29, 2026
Reading time: 24 min read
Want to align your AI systems with the EU AI Act? Browse our compliance courses for AI governance and regulatory training.
Executive Summary
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive, horizontal legal framework for artificial intelligence. It classifies AI systems into four risk categories—unacceptable, high, limited, and minimal—and imposes obligations proportionate to the level of risk each system poses to health, safety, and fundamental rights. It applies to any organisation that develops, deploys, imports, or distributes AI systems affecting persons in the EU, regardless of where that organisation is established.
As the EU AI Act enters full effect and enforcement deadlines approach—with prohibited AI already banned since February 2025 and high-risk requirements due August 2026—AI governance has evolved from a voluntary best practice to a core compliance obligation.
"The AI Act is not about slowing down innovation. It is about creating the conditions for trustworthy AI that Europeans can rely on. Organisations that classify their systems correctly and act early will have a competitive advantage—not just a compliance advantage."
— Thierry Breton, former European Commissioner for Internal Market, speaking at the EU AI Act signing ceremony, June 2024
This guide provides an executive-level analysis of the four risk categories, who is in scope, and what you need to do before enforcement deadlines hit.
The Golden Rule of EU AI Act Compliance
Success in AI Act compliance is not just about having an AI policy; it is about the alignment of your AI systems with the correct risk classification, documented conformity, and appropriate governance (risk management, data governance, human oversight). Misclassification or delayed action is one of the most common causes of avoidable exposure.
Why the EU AI Act Matters in 2026
The AI regulatory landscape is facing a decisive shift. The EU has adopted the world's first comprehensive horizontal AI law; other jurisdictions are following with sectoral or cross-cutting rules. Non-compliance triggers substantial fines and market access restrictions—not only in the EU but increasingly in supply chains and customer expectations globally.
Strategic AI governance serves as the bridge between innovation and regulation. For providers (developers and those placing AI on the market), it enables lawful deployment and reduces liability. For deployers (users of AI), it ensures that systems they rely on are compliant and that their own obligations (e.g. human oversight, monitoring) are met.
Key Numbers: The EU AI Act in Context
| Metric | Figure | Source |
|---|---|---|
| Global AI market size (2024) | $184 billion | IDC Worldwide AI Spending Guide, 2024 |
| EU companies using AI (2024) | 13.5% | Eurostat, ICT Usage Survey 2024 |
| AI systems in minimal-risk category | ~85% | European Commission AI Act FAQ |
| Prohibited AI ban | In force since Feb 2, 2025 | EU AI Act, Art. 113 |
| High-risk compliance deadline | August 2, 2026 | EU AI Act, Art. 113 |
| Max fine (prohibited AI) | €35M or 7% global turnover | EU AI Act, Art. 99 |
"AI regulation is no longer a theoretical debate—it is an operational reality. Companies that treat the EU AI Act as a compliance exercise rather than a governance opportunity will find themselves perpetually catching up."
— Anu Bradford, Professor of Law at Columbia University and author of The Brussels Effect, speaking at the World Economic Forum 2025
What Is the EU AI Act?
The EU Artificial Intelligence Act is a risk-based regulatory framework that classifies AI systems by the level of risk they pose to health, safety, fundamental rights, and democracy. It applies to AI systems placed on the market, put into service, or used in the EU—regardless of where the provider or deployer is established.
Mechanisms & Rationale
The Act imposes stricter obligations for higher-risk AI. Unacceptable-risk (prohibited) AI is banned. High-risk AI must meet requirements on risk management, data governance, transparency, human oversight, accuracy, and conformity assessment. Limited-risk AI is subject mainly to transparency obligations. Minimal-risk AI has no specific AI Act obligations beyond general product safety and consumer law.
Risk-Based Structure
| Risk level | Typical obligations | Key deadline |
|---|---|---|
| Unacceptable (prohibited) | Banned | February 2, 2025 |
| High-risk | Full compliance (risk management, data, documentation, oversight, conformity) | August 2, 2026 |
| Limited-risk | Transparency (disclosure, labelling) | August 2, 2025 |
| Minimal risk | None (general law only) | — |
The Classification Checkpoint
During compliance planning, "correct classification" matters more than having generic AI guidelines. Many organisations assume recruitment tools, credit scoring, or diagnostic support are "just software"—under the AI Act they are high-risk use cases with mandatory obligations. Misclassification leads to under-preparation and enforcement risk.
Who Does the EU AI Act Apply To?
The Act covers all actors in the AI value chain that operate in the EU market or whose AI output is used in the EU.
Providers
Organisations that develop or commission AI systems for placement on the market or putting into service. This includes in-house development, customisation for commercial use, and (under conditions) open-source providers. Obligations include risk management, data governance, technical documentation, conformity assessment, and registration for high-risk AI.
Deployers
Organisations that use AI systems under their authority. Deployers of high-risk AI must use systems in accordance with instructions, ensure human oversight, monitor operation, and report serious incidents. They may also have obligations regarding fundamental rights impact assessments in certain sectors.
Importers and Distributors
Entities that place non-EU AI on the EU market or distribute AI systems must ensure that providers have complied with applicable requirements and that documentation and conformity are in place.
Geographic Scope
The Act applies if:
- The AI system is placed on the market or put into service in the EU, or
- The output of the AI system is used in the EU (e.g. a US company using AI for its European workforce or customers).
Example: A US company using AI recruitment tools for its European office is a deployer in scope. A Canadian provider selling AI chatbots to EU businesses is a provider in scope.
The Four Risk Categories Explained
Your obligations depend on how each AI system is classified under the Act and its annexes.
1. Unacceptable Risk (Prohibited AI)
Status: Banned from February 2, 2025
These AI practices are illegal in the EU:
- Behavioural manipulation: Subliminal or manipulative techniques that materially distort behaviour and cause harm.
- Exploitation of vulnerabilities: Exploiting age, disability, or socio-economic vulnerability.
- Social scoring: Government-run scoring of natural persons based on behaviour or characteristics (with narrow exceptions).
- Real-time remote biometric identification in publicly accessible spaces for law enforcement (with limited exceptions).
- Emotion recognition in the workplace and in education (except medical or safety).
- Biometric categorisation using sensitive characteristics (e.g. race, political opinion, sexual orientation).
- Facial recognition database expansion by scraping or untargeted collection (with narrow exceptions).
Penalty: Up to €35 million or 7% of global annual turnover (whichever is higher).
Action required: Audit all AI systems immediately. Discontinue any prohibited uses; document discontinuation and, where relevant, notify affected persons.
2. High-Risk AI Systems
Status: Full requirements from August 2, 2026
High-risk AI systems are those listed in Annex III (e.g. recruitment, credit scoring, insurance, essential services, law enforcement, migration, administration of justice, critical infrastructure, education, employment, access to services) or that are safety components of products subject to EU harmonisation legislation. They must meet comprehensive requirements before being placed on the market or put into service.
Key obligation areas:
- Risk management: Continuous identification and mitigation of risks across the lifecycle.
- Data governance: Training data relevant, representative, and free of bias where appropriate; data quality and relevance documentation.
- Technical documentation: System description, development methodology, testing and validation, intended purpose and limitations.
- Record-keeping and logging: Automatic logging of events for traceability and audit.
- Transparency and user information: Clear instructions, capabilities and limitations, human oversight requirements.
- Human oversight: Effective human oversight—either in the loop, on the loop, or other appropriate measures.
- Accuracy, robustness, and cybersecurity: Appropriate levels of accuracy and resilience; cybersecurity measures.
- Quality management system: Processes for compliance, change management, and incident reporting.
- Conformity assessment: Self-assessment or third-party assessment depending on system type; CE marking and registration in the EU database.
Penalty for non-compliance: Up to €15 million or 3% of global annual turnover.
3. Limited-Risk AI (Transparency Obligations)
Status: Requirements from August 2, 2025
AI systems that interact with persons, generate content, or are used for emotion recognition or biometric categorisation (outside prohibited/high-risk cases) are subject to transparency obligations: users must be informed that they are interacting with an AI system; AI-generated content must be labelled where required (e.g. deepfakes).
Examples: Chatbots, content-generation systems, certain emotion recognition or biometric categorisation (where not prohibited or high-risk).
Penalty for non-compliance: Up to €7.5 million or 1% of global annual turnover (for supplying incorrect or misleading information).
4. Minimal Risk
Most AI systems that do not fall into the above categories (e.g. spam filters, recommendation engines, AI in games) have no specific AI Act obligations beyond general product safety and consumer protection. Voluntary codes of conduct are encouraged.
Strategic Analysis: Where Your Obligations Lie
In 2025–2026, the primary driver of AI Act compliance is correct classification and timeline discipline. Prohibited AI must already be discontinued. Limited-risk and GPAI obligations apply from August 2025. High-risk AI has until August 2026—but implementation (inventory, risk management, documentation, conformity) typically takes 12–18 months for complex organisations.
Compliance Benchmarks
| Metric | Benchmark |
|---|---|
| Prohibited AI ban | February 2, 2025 (in force) |
| GPAI & limited-risk transparency | August 2, 2025 |
| High-risk AI full compliance | August 2, 2026 |
| Max fine (prohibited AI) | €35M or 7% global turnover |
| Max fine (high-risk non-compliance) | €15M or 3% global turnover |
| Typical implementation lead time (high-risk) | 12–18 months |
General-Purpose AI Models (GPAI)
Status: Obligations from August 2, 2025
GPAI models (e.g. foundation models, generative AI) have separate rules. All GPAI providers must meet transparency and documentation obligations. GPAI with systemic risk (defined by criteria including compute and impact) must additionally meet stricter requirements: model evaluation, adversarial testing, systemic risk assessment and mitigation, serious incident reporting, and cybersecurity.
Penalty: Up to €15 million or 3% of global annual turnover (or €7.5 million / 1.5% for certain infringements and SMEs where applicable).
EU AI Act vs GDPR: How They Work Together
If you process personal data in or via AI systems, both the EU AI Act and GDPR apply. They are complementary: the AI Act focuses on AI system safety, transparency, and human oversight; the GDPR focuses on personal data processing, lawful basis, and data subject rights.
Strategic Comparison
| Dimension | EU AI Act | GDPR |
|---|---|---|
| Object | AI systems (safety, rights, democracy) | Personal data processing |
| Approach | Risk-based (prohibited / high / limited / minimal) | Rights-based (lawful basis, rights, accountability) |
| Scope | All in-scope AI in/affecting EU | Processing of personal data |
| Focus | Conformity, transparency, oversight | Lawfulness, purpose, minimisation, rights |
Overlap: Data governance (quality, bias), transparency, automated decision-making (Article 22 GDPR and high-risk AI), record-keeping, and documentation. Best practice: Integrate AI Act and GDPR into a single governance framework where both apply.
Valuation: Penalties for Non-Compliance
The EU AI Act imposes tiered penalties by type of infringement:
| Violation type | Maximum fine |
|---|---|
| Prohibited AI practices | €35 million or 7% of global annual turnover |
| High-risk / GPAI systemic non-compliance | €15 million or 3% of global annual turnover |
| Other infringements (e.g. incorrect information) | €7.5 million or 1.5% of global annual turnover |
Calculation: Whichever of the fixed amount or the percentage of turnover is higher applies. For SMEs and startups, caps may apply in certain cases under the Act.
Example: A company with €2 billion annual revenue using prohibited emotion recognition in the workplace could face up to €140 million (7% of turnover).
Top 5 Strategic Pitfalls
Assuming "we don't use AI." Many HR, marketing, and operations tools embed AI (recruitment screening, chatbots, content generation). If they affect EU persons, the AI Act can apply. Start with an inventory.
Underestimating classification. Recruitment, credit scoring, insurance pricing, diagnostic support, and similar use cases are high-risk under Annex III. Treating them as "low risk" leaves you exposed by August 2026.
Ignoring the February 2025 prohibited list. Emotion recognition in the workplace, certain social scoring, and other practices are already banned. Continuing use creates immediate enforcement risk.
Leaving high-risk compliance to the last year. Conformity assessment, technical documentation, risk management, and human oversight take time. Starting in 2026 is too late for complex systems.
Treating AI Act and GDPR in silos. Where AI processes personal data, both apply. Align documentation, data governance, and transparency so one programme supports both regimes.
The 6-Step EU AI Act Compliance Process
A structured path from awareness to conformity typically follows these steps.
Inventory → Classify → Eliminate Prohibited → Implement High-Risk → Transparency (Limited-Risk & GPAI) → Review
Conduct an AI system inventory. List every AI system you develop, deploy, or use (including embedded in products and third-party tools). Document purpose, vendor, and data flows.
Classify by risk level. For each system, determine: prohibited, high-risk (Annex III or safety component), limited-risk, or minimal. Document rationale; prioritise prohibited and high-risk.
Eliminate prohibited AI immediately. Discontinue any use that falls under the prohibited list. Notify affected persons where appropriate; document steps and date of cessation.
Implement high-risk AI requirements. For each high-risk system: risk management system, data governance, technical documentation, logging, human oversight, accuracy and cybersecurity measures, quality management system, conformity assessment. Plan for registration in the EU database by August 2026.
Meet transparency obligations for limited-risk AI and GPAI. From August 2025: disclose that users interact with AI where required; label AI-generated content (e.g. deepfakes) as specified; meet GPAI documentation and, if applicable, systemic risk obligations.
Review and maintain. Schedule periodic review of inventory and classification; update documentation and conformity when systems or use cases change; train staff on AI governance and compliance.
Ready to build your AI Act compliance programme? Explore our compliance courses or contact our team for tailored support.
Conclusion: The Future of AI Regulation
The EU AI Act and similar frameworks are not a one-off project but a new baseline for AI in the single market. As prohibited AI is already banned and high-risk obligations approach, organisations that classify correctly and act early will be in a stronger position than those that delay.
Strategic Takeaways for 2026
- Prioritise classification: Prohibited and high-risk systems drive the heaviest obligations and penalties.
- Respect the February 2025 deadline: Prohibited AI must already be discontinued.
- Plan for August 2026: High-risk AI compliance takes 12–18 months—start inventory and gap analysis now.
- Integrate with GDPR: Where AI involves personal data, align AI Act and GDPR governance.
- Document and train: Conformity and accountability depend on documentation, oversight, and trained staff.
Ready to prepare for the EU AI Act?
Whether you need to inventory and classify your AI systems or build risk management and conformity processes, we can help.
Get in Touch · Browse Compliance Courses
Frequently Asked Questions
When does the EU AI Act take effect?
The EU AI Act (Regulation (EU) 2024/1689) entered into force on August 1, 2024. It uses a phased implementation approach: prohibited AI practices have been banned since February 2, 2025; transparency obligations for limited-risk AI and GPAI rules apply from August 2, 2025; and high-risk AI systems must meet full compliance requirements by August 2, 2026. National competent authorities must be designated by August 2, 2025.
Does the EU AI Act apply to companies outside the EU?
Yes. The EU AI Act has extraterritorial scope, similar to the GDPR. It applies to any organisation that: (1) places AI systems on the EU market or puts them into service in the EU, or (2) is located outside the EU but the output of its AI system is used within the EU (Art. 2(1)). For example, a US company using AI-powered recruitment tools for its European office is a "deployer" in scope of the Act.
What is a high-risk AI system under the EU AI Act?
A high-risk AI system is one listed in Annex III of the EU AI Act or one that serves as a safety component of a product already covered by EU harmonisation legislation (e.g. medical devices, machinery). Annex III categories include: biometric identification, critical infrastructure management, education and vocational training, employment and recruitment, access to essential services (credit, insurance), law enforcement, migration and border control, and administration of justice. These systems must meet comprehensive requirements including risk management, data governance, technical documentation, human oversight, and conformity assessment before being deployed.
What are the penalties for violating the EU AI Act?
The EU AI Act imposes tiered fines based on the severity of the violation: up to €35 million or 7% of global annual turnover for prohibited AI practices; up to €15 million or 3% for high-risk or GPAI non-compliance; and up to €7.5 million or 1.5% for other infringements such as supplying incorrect information (Art. 99). The higher of the fixed amount or the percentage applies. Reduced caps may apply for SMEs and startups under certain conditions.
How does the EU AI Act differ from the GDPR?
The EU AI Act and GDPR are complementary regulations. The GDPR governs the processing of personal data (lawful basis, data subject rights, accountability), while the EU AI Act governs AI systems themselves (risk classification, safety, transparency, human oversight). When an AI system processes personal data, both regulations apply simultaneously. Organisations should integrate AI Act and GDPR compliance into a single governance framework to avoid duplication and gaps. Key overlaps include data governance, automated decision-making (GDPR Art. 22), transparency, and documentation requirements.
Do I need to comply with the EU AI Act if I only use AI tools (not develop them)?
Yes. The EU AI Act applies to "deployers" — organisations that use AI systems under their authority — not just developers ("providers"). If you deploy high-risk AI systems (e.g. for recruitment, credit decisions, or employee monitoring), you must: use the system according to the provider's instructions, ensure human oversight is in place, monitor the system during operation, and report serious incidents. You may also need to conduct a fundamental rights impact assessment for certain high-risk uses in public-facing sectors (Art. 27).
Related Insights
- 7 GDPR Mistakes That Could Cost Your Company Millions in 2025 — How to avoid the most common data protection fines.
- EU AI Act and GDPR — Overlap and integration (when available).
Our AI & Compliance Courses
- Compliance & Regulatory Training — Build foundational knowledge in governance, risk, and regulation.
- Contact us for AI Act–specific training or compliance support.