
AI Act
Rules & Regulations

The EU AI Act is the world’s first comprehensive law regulating artificial intelligence systems. It creates binding obligations based on risk level, enforced across all EU Member States.

1️⃣ Scope & Who Must Comply

The Act applies to any organization that:

  • Develops AI systems placed on the EU market

  • Deploys AI systems used in the EU

  • Provides AI systems whose outputs affect people in the EU

This includes non-EU companies (extra-territorial reach, similar to GDPR).

2️⃣ Risk-Based Classification (Core Structure)

Unacceptable Risk (Prohibited)

Banned outright (Article 5):

  • Social scoring by governments

  • Real-time remote biometric identification in public (with narrow law-enforcement exceptions)

  • AI that manipulates behavior or exploits the vulnerabilities of specific groups (e.g., children, persons with disabilities)

  • Predictive policing based solely on profiling

Penalty: Immediate prohibition + top-tier fines

High-Risk AI Systems

(Regulated heavily – Articles 6–15, Annex III)

Examples:

  • Hiring & recruitment systems

  • Creditworthiness & lending decisions

  • Biometric identification

  • Education & exam scoring

  • Medical devices & diagnostics

  • Critical infrastructure management

  • Law enforcement & border control tools

Mandatory obligations include:

  • Risk management system

  • High-quality, bias-controlled training data

  • Technical documentation

  • Human oversight

  • Accuracy, robustness, cybersecurity controls

  • Logging & record-keeping

  • Post-market monitoring

This is where most enterprise compliance effort lives.

Limited Risk AI

(Transparency obligations only)

Examples:

  • Chatbots

  • Emotion-recognition systems

  • Deepfakes / synthetic media

Requirements:

  • Users must be informed they are interacting with AI

  • Synthetic content must be labeled (with limited exceptions)

Minimal Risk AI

Examples:

  • AI in games

  • Photo enhancement

  • Spam filters

  • Recommendation engines (non-sensitive)

No mandatory obligations; voluntary codes of conduct are encouraged.

3️⃣ General-Purpose AI (GPAI) & Foundation Models

Special rules for General-Purpose AI models (e.g., foundation models):

All GPAI Models Must:

  • Provide technical documentation

  • Publish training compute summaries

  • Respect EU copyright safeguards

GPAI with Systemic Risk (very large models):

Additional obligations:

  • Model evaluations & red-teaming

  • Incident reporting

  • Cybersecurity risk mitigation

  • Energy usage transparency

4️⃣ Governance & Lifecycle Obligations

Applies primarily to high-risk AI:

  • AI risk management system

  • Data governance framework

  • Human oversight procedures

  • Change management & version control

  • Post-market monitoring

  • Serious incident reporting (within strict timelines)

AI is regulated as a living system, not a one-time approval.

5️⃣ Documentation & Evidence Requirements

Organizations must maintain audit-ready artifacts, including:

  • Technical documentation (Annex IV)

  • Risk assessments

  • Training data summaries

  • Model cards / system cards

  • Logs & monitoring records

  • Human oversight instructions

  • Compliance declarations (CE marking for high-risk AI)

6️⃣ Enforcement & Penalties

Violation Type                 Maximum Fine
Prohibited AI practices        €35M or 7% of global turnover
High-risk AI non-compliance    €15M or 3% of turnover
False information              €7.5M or 1.5%

➡️ Fines apply to developers, deployers, importers, and distributors

7️⃣ Compliance Timeline (High-Level)

  • 2024 – Law adopted

  • 2025 – GPAI & prohibited practices enforced

  • 2026 – High-risk AI obligations fully enforceable

8️⃣ Relationship to Other Laws

The EU AI Act does not replace:

  • GDPR / UK GDPR (privacy & personal data)

  • Product safety & liability laws

  • Medical device regulations

  • Financial services regulations

Instead, it layers on top as AI-specific governance.

9️⃣ What Companies Must Do (Practically)

For most SaaS & AI companies:

  1. Inventory AI systems

  2. Classify risk level

  3. Identify if Annex III applies

  4. Build required documentation

  5. Implement governance processes

  6. Prepare for regulator audits
