Updated: July 2026
The EU AI Act, formally known as Regulation (EU) 2024/1689, is the world’s first comprehensive legal framework for artificial intelligence. It entered into force on 1 August 2024 and sets rules across the European Union for the development, deployment, and use of AI systems, while protecting fundamental rights.
The EU Artificial Intelligence Act applies to all organisations placing AI systems on the EU market, regardless of their location. This makes compliance essential for global AI providers.
This article covers the AI Act’s risk-based classification system, compliance obligations for different stakeholder roles, and implementation timelines through 2026. The focus is on practical requirements rather than detailed legal analysis, so you can plan your compliance work now.
Non-compliance with the EU AI Act can result in fines of up to €35 million or 7% of global annual turnover, whichever is higher. Beyond penalties, the regulation determines market access across the EU’s roughly 450 million consumers.
• Four-tier risk classification system and how it applies to your AI systems.
• Specific compliance obligations for providers, deployers, and distributors.
• Implementation timeline with critical deadlines starting February 2025.
• Practical steps for conducting risk assessments and setting up governance.
The EU AI Act sorts AI systems into four risk levels, each with its own compliance obligations. Different AI systems pose different levels of risk to safety, fundamental rights, and democratic processes, so the rules scale with the risk.
The regulation covers the entire AI value chain, from development through deployment and ongoing operation.
The AI Act defines an AI system as software that, for explicit or implicit objectives, generates outputs such as predictions, recommendations, or decisions that influence physical or virtual environments. This definition covers machine learning models, neural networks, and rule-based systems.
General-purpose AI models get separate treatment under the regulation, because of their wide capabilities and potential systemic risks. These models, including large language models, are trained on large datasets and can perform many different tasks.
The regulation distinguishes between three roles in the AI value chain: providers who develop or substantially modify AI systems, deployers who use AI systems for their intended purpose, and distributors who make AI systems available on the EU market.
The EU AI Act sets four risk categories that determine compliance requirements:
• Unacceptable risk AI systems are banned outright, including social scoring systems and AI practices that manipulate human behaviour through subliminal techniques.
• High-risk AI systems face full regulatory requirements, including conformity assessments and registration in an EU database.
• Limited-risk systems must meet transparency obligations.
• Minimal-risk systems can operate freely, with basic AI literacy requirements for deployers.
The practical impact of the EU AI Act depends on how your AI systems fall within the four-tier risk framework. Obligations range from a full ban to minimal transparency requirements.
Eight specific AI practices are banned under the EU AI Act, effective 2 February 2025. These include social scoring systems used by public authorities, AI systems that use subliminal techniques to manipulate behaviour, and specific AI systems for emotion recognition in workplace and educational settings.
Real-time remote biometric identification in publicly accessible spaces is generally prohibited too, with narrow exceptions for law enforcement in cases involving serious crimes, subject to judicial authorisation and specific safeguards.
Organisations must immediately discontinue any prohibited AI systems and remove them from the EU market, regardless of their current operational status.
High-risk AI systems operate in safety-critical sectors or in the specific use cases listed in Annex III of the regulation. Common examples include AI systems used for hiring and personnel management, credit scoring and loan decisions, critical infrastructure management, and border control.
These systems must undergo third-party conformity assessment before market entry, keep detailed technical documentation, and be registered in the official EU database. Providers must set up strong risk management systems and ensure proper human oversight throughout the AI system’s lifecycle.
Key compliance requirements:
• Pre-market conformity assessment and CE marking.
• Registration in the EU database within specified timeframes.
• Continuous post-market monitoring and serious incident reporting.
• Quality management system implementation and maintenance.
High-risk AI system deployers must also carry out fundamental rights impact assessments and make sure personnel involved in system operation and oversight have adequate AI literacy.
Limited-risk systems, mainly chatbots and AI-generated content tools, must meet transparency obligations to inform users they’re interacting with AI. These systems must clearly disclose when a person is dealing with artificial intelligence rather than another human.
Most AI systems fall into the minimal-risk category, including spam filters, AI-enabled video games, and basic recommendation systems. These systems face no extra regulatory requirements beyond general EU law. Organisations still need to make sure relevant staff meet AI literacy obligations.
The EU AI Act follows a phased rollout. This gives organisations time to adapt while the most critical protections take effect quickly for the highest-risk applications.
When to use this: compliance planning and regulatory preparation across all organisational levels.
1. 1 August 2024: The EU AI Act entered into force, setting up the legal framework and institutional structure, including the European AI Office and the AI Board.
2. 2 February 2025: Prohibited AI systems must be discontinued, and AI literacy obligations take effect for all organisations deploying AI systems in the European Union.
3. 2 August 2025: General-purpose AI model providers must meet transparency requirements, including disclosure of copyrighted training data and technical documentation for models with systemic risk.
4. 2 August 2026: Full applicability for high-risk AI systems, including complete conformity assessment requirements, EU database registration, and full quality management system implementation.
| Responsibility Area | AI System Providers | AI System Deployers |
| --- | --- | --- |
| Conformity Assessment | Conduct before market placement | Verify completion and validity |
| EU Database Registration | Register high-risk systems | Monitor compliance status |
| Risk Management | Develop and maintain the system | Implement operational procedures |
| Impact Assessments | Technical risk evaluation | Fundamental rights assessment |
Deployers carry the main responsibility for making sure AI systems are used appropriately and monitored in their specific operational context. Providers focus on technical compliance and system design.
Organisations often fulfil multiple roles at once. This means you need a clear picture of overlapping obligations and shared responsibilities across the AI value chain.
Organisations working on AI Act compliance run into predictable hurdles around risk assessment, role identification, and timeline management. Here’s how to work through them.
Run a systematic assessment using the Annex III checklist, combined with an intended use case analysis and a fundamental rights impact evaluation.
Many AI systems operate across multiple contexts. This calls for a careful look at each specific deployment scenario rather than broad assumptions based on the type of technology.
Map all your AI development, deployment, and distribution activities to the regulation’s defined roles. Organisations frequently act in more than one capacity at the same time.
Document decision-making authority, technical modification capabilities, and market-facing responsibilities to work out your primary and secondary obligations under the AI Act.
Use a phased approach. Start with an immediate review of prohibited systems, then set up a governance framework, and work systematically towards each applicable deadline.
Prioritise actions based on AI system risk levels and how ready your organisation is. Give critical compliance dates enough preparation time and resources.
The EU AI Act is the first regulatory framework that requires compliance planning in advance, rather than a reaction to enforcement action. Organisations must adapt their AI governance, documentation, and operational procedures to meet requirements that keep expanding through 2026.
About the Author
Zlatko Delev
Country Manager & Head of Commercial — GDPRLocal
Zlatko specialises in data protection compliance, ISMS strategy, and AI law. With a legal background and hands-on experience supporting organisations globally, he helps businesses navigate GDPR, the EU AI Act, and international privacy frameworks.
The EU AI Act prohibits AI systems that pose unacceptable risks. This includes social scoring systems by public authorities, AI systems that manipulate human behaviour through subliminal techniques, and real-time remote biometric identification systems in publicly accessible spaces, except in narrowly defined law enforcement scenarios with proper human review and judicial authorisation.
High-risk AI systems are those used in safety-critical sectors or specific use cases listed in Annex III of the regulation, such as hiring processes, credit scoring, critical digital infrastructure management, and border control. These systems must undergo third-party conformity assessment, be registered in the EU database, and implement risk management systems along with human oversight.
The EU AI Act came into force on 1 August 2024. Key deadlines include 2 February 2025 for discontinuing prohibited AI systems and implementing AI literacy obligations; 2 August 2025 for general-purpose AI model transparency requirements; and 2 August 2026 for full applicability of high-risk AI system compliance, including conformity assessments and EU database registration.