Why It Matters
The EU AI Act is a landmark regulation: the first comprehensive AI law in the world. As GDPR did for data protection, the AI Act is expected to set the global standard for AI governance. Any organization developing, deploying, or importing AI systems used in the EU must comply, regardless of where it is headquartered.
The Four Risk Categories
The AI Act uses a risk-based approach:
Prohibited AI (Banned outright)
- Social scoring by governments
- Real-time biometric identification in public spaces (with narrow law enforcement exceptions)
- AI that exploits vulnerabilities of specific groups
- Subliminal manipulation techniques
- Untargeted scraping of facial images for recognition databases
- Emotion recognition in workplaces and schools
- Biometric categorization by race, religion, or sexual orientation
- Predictive policing based solely on profiling
High-Risk AI (Strict requirements)
AI systems used in:
- Biometrics, critical infrastructure, education, employment
- Essential services (credit scoring, insurance, government benefits)
- Law enforcement, border control, justice
- Democratic processes
Requirements: quality management, technical documentation, risk management, human oversight, accuracy/robustness/cybersecurity, post-market monitoring.
Limited Risk (Transparency obligations)
- Chatbots must disclose they are AI
- AI-generated content must be labeled
- Emotion recognition and biometric categorization systems must inform users
- Deepfakes must be clearly identified
Minimal Risk (No specific requirements)
- AI-enabled video games, spam filters, basic automation
- Still subject to the AI literacy obligation (Article 4)
Timeline
| Date | What Takes Effect |
|---|---|
| February 2, 2025 | Prohibited practices + AI literacy obligation |
| August 2, 2025 | GPAI model obligations (foundation models) |
| August 2, 2026 | High-risk AI obligations (most provisions) |
| August 2, 2027 | High-risk AI in Annex I (regulated products) |
Penalties
- Prohibited practices: up to €35 million or 7% of global annual turnover
- High-risk violations: up to €15 million or 3% of turnover
- Incorrect information to authorities: up to €7.5 million or 1% of turnover
- SME proportionality: lower caps for small and medium enterprises
Key Regulation
- Regulation (EU) 2024/1689 — the EU AI Act
- Entered into force: August 1, 2024
- AI Office — EU body overseeing GPAI model compliance
- National competent authorities — member state enforcement bodies