EU AI Act

Comprehensive EU regulation establishing rules for artificial intelligence systems based on risk levels.

EU · Updated May 2026
IN A NUTSHELL
What: The world's first comprehensive legal framework for artificial intelligence, classifying AI systems by risk level and assigning obligations accordingly.
Who: Providers, deployers, importers, and distributors of AI systems placed on the EU market or whose outputs affect EU residents.
When: Phased rollout. Prohibitions from Feb 2025, GPAI rules from Aug 2025, full high-risk requirements from Aug 2026.
Penalty: Up to EUR 35 million or 7% of global annual turnover for prohibited practices; up to EUR 15 million or 3% for other violations.
OVERVIEW

Entering into force on 1 August 2024, the EU AI Act is the world's first comprehensive legal framework for artificial intelligence. Rather than regulating AI as a single category, the Act introduces a risk-based classification system that assigns obligations proportional to the potential harm an AI system may cause. This tiered approach spans from minimal-risk AI with no specific requirements, through limited-risk systems subject to transparency obligations, up to high-risk and prohibited AI practices subject to the strictest controls.

Businesses developing, deploying, or distributing AI systems within the EU, or whose AI outputs affect EU residents, fall within scope. This includes technology providers, deployers across all sectors, importers, and distributors. The regulation designates certain AI practices as unacceptable and prohibits them outright, including social scoring systems, manipulative AI that exploits vulnerabilities, and certain forms of real-time biometric identification. High-risk AI systems, such as those used in recruitment, credit scoring, law enforcement, and critical infrastructure, face the most demanding compliance requirements.

For high-risk AI, obligations include establishing risk management systems, ensuring data quality and governance, maintaining technical documentation, enabling human oversight, and meeting standards for accuracy, robustness, and cybersecurity. Providers of general-purpose AI models, including large language models, must comply with transparency requirements and, for models posing systemic risk, must conduct model evaluations and adversarial testing. Deployers of high-risk systems must perform fundamental rights impact assessments and maintain logs.

The Act is being phased in over a staged timeline. Prohibitions on unacceptable AI practices apply from February 2025. Obligations for general-purpose AI models take effect in August 2025. The full set of requirements for high-risk AI systems becomes applicable in August 2026, with some extensions for high-risk systems embedded in products regulated under existing EU product legislation.

The AI Act connects with multiple existing regulations. It aligns with GDPR on data processing and automated decision-making, builds on the EU Machinery Regulation for AI-enabled machinery, and complements the Digital Services Act regarding algorithmic transparency on platforms. The Platform Workers Directive further intersects by requiring transparency in algorithmic management of gig workers. For businesses, the AI Act demands early investment in governance frameworks, technical compliance, and cross-functional coordination to meet obligations that will shape the future of AI innovation in Europe.

KEY OBLIGATIONS
Classify all AI systems by risk level (prohibited, high-risk, limited, minimal)
Implement risk management systems for high-risk AI applications
Maintain technical documentation and logging for high-risk systems
Register high-risk AI systems in the EU database before deployment
Comply with transparency obligations for AI-generated content
YOUR FIRST STEP

Create an AI inventory cataloguing every AI system you develop or deploy, with an initial risk classification per the Act's Annex III.

KEY COMPLIANCE REQUIREMENTS
01. Risk classification: Classify every AI system you develop or deploy into one of four risk tiers: unacceptable, high, limited, or minimal risk.
02. Prohibited practices: Immediately cease any AI practices banned outright, including social scoring, manipulative techniques, and certain biometric surveillance.
03. High-risk conformity: For high-risk AI, implement risk management systems, data governance, technical documentation, and human oversight mechanisms.
04. Transparency obligations: Ensure users know they are interacting with AI; label AI-generated content (deepfakes, synthetic media) clearly.
05. GPAI model compliance: Providers of general-purpose AI models must provide technical documentation, comply with copyright law, and publish training data summaries.
06. Fundamental rights assessment: Deployers of high-risk AI in public and private sectors must assess impacts on fundamental rights before deployment.
07. Post-market monitoring: Maintain continuous monitoring of high-risk AI systems in operation and report serious incidents to authorities.
08. Quality management system: Establish documented quality management procedures covering the entire AI system lifecycle from design to retirement.
RELATED TOPICS
General Data Protection Regulation (GDPR)
EU Machinery Regulation
EU Platform Workers Directive
EU Digital Services Act (DSA)