What is the EU AI Act? Requirements, Timeline & Risk Categories

EU AI Act

The EU AI Act is the world's first comprehensive legal framework for artificial intelligence, establishing rules based on risk levels — from prohibited practices to transparency obligations — that apply to providers, deployers, and importers of AI systems in the European Union.

regulation

risk-based

compliance

artificial intelligence

Why It Matters

The EU AI Act is a landmark regulation — the first comprehensive AI law in the world. Like GDPR did for data protection, the AI Act is expected to set the global standard for AI governance. Any organization developing, deploying, or importing AI systems used in the EU must comply, regardless of where they are headquartered.

The Four Risk Categories

The AI Act uses a risk-based approach:

Prohibited AI (Banned outright)

Social scoring by governments
Real-time biometric identification in public spaces (with narrow law enforcement exceptions)
AI that exploits vulnerabilities of specific groups
Subliminal manipulation techniques
Untargeted scraping of facial images for recognition databases
Emotion recognition in workplaces and schools
Biometric categorization by race, religion, or sexual orientation
Predictive policing based solely on profiling

High-Risk AI (Strict requirements)

AI systems used in:

Biometrics, critical infrastructure, education, employment
Essential services (credit scoring, insurance, government benefits)
Law enforcement, border control, justice
Democratic processes

Requirements: quality management, technical documentation, risk management, human oversight, accuracy/robustness/cybersecurity, post-market monitoring.

Limited Risk (Transparency obligations)

Chatbots must disclose they are AI
AI-generated content must be labeled
Emotion recognition and biometric categorization must inform users
Deep fakes must be clearly identified

Minimal Risk (No specific requirements)

AI-enabled video games, spam filters, basic automation
Still subject to the AI literacy obligation (Article 4)

Timeline

Date	What Takes Effect
February 2, 2025	Prohibited practices + AI literacy obligation
August 2, 2025	GPAI model obligations (foundation models)
August 2, 2026	High-risk AI obligations (most provisions)
August 2, 2027	High-risk AI in Annex I (regulated products)

Penalties

Prohibited practices: up to €35 million or 7% of global annual turnover
High-risk violations: up to €15 million or 3% of turnover
Incorrect information to authorities: up to €7.5 million or 1% of turnover
SME proportionality: lower caps for small and medium enterprises

Key Regulation

Regulation (EU) 2024/1689 — the EU AI Act
Entered into force: August 1, 2024
AI Office — EU body overseeing GPAI model compliance
National competent authorities — member state enforcement bodies

EU AI Act

Why It Matters

The Four Risk Categories

Prohibited AI (Banned outright)

High-Risk AI (Strict requirements)

Limited Risk (Transparency obligations)

Minimal Risk (No specific requirements)

Timeline

Penalties

Key Regulation

GDPR (General Data Protection Regulation)

High-Risk AI

AI Governance

Algorithmic Bias

DPIA (Data Protection Impact Assessment)

Want to learn more?

EU AI Act

Why It Matters

The Four Risk Categories

Prohibited AI (Banned outright)

High-Risk AI (Strict requirements)

Limited Risk (Transparency obligations)

Minimal Risk (No specific requirements)

Timeline

Penalties

Key Regulation

GDPR (General Data Protection Regulation)

High-Risk AI

AI Governance

Algorithmic Bias

DPIA (Data Protection Impact Assessment)

Want to learn more?