Updated: July 2026
The EU AI Act sets out a new way to regulate artificial intelligence. Instead of treating every AI system the same, it links legal duties to the level of risk a system poses to people and society. This risk-based approach decides whether an AI system is banned, must meet strict pre-market controls, must follow transparency rules, or stays largely unregulated.
The AI Act uses four risk tiers, from outright bans to light transparency duties.
• The AI Act ties duties to risk, sorting systems into four tiers: unacceptable (banned), high, limited, and minimal risk.
• Prohibited AI has been banned since 2 February 2025. GPAI rules apply from August 2025, transparency rules from August 2026, and embedded high-risk rules from August 2027.
• High-risk systems carry the heaviest load: risk management, quality management, technical documentation, human oversight, and conformity assessment before market placement.
• Fines reach up to €35 million or 7% of worldwide annual turnover, and the rules cover non-EU companies whose AI affects people in the EU.
The AI Act uses four risk tiers that set out exactly what you need to do:
• Unacceptable risk: some AI practices are such a clear threat to fundamental rights that they are banned. There is no compliance route, and these systems cannot operate in the EU.
• High risk: these systems carry the heaviest duties. Providers must run risk management and quality management systems and pass conformity assessments before putting products on the EU market.
• Limited risk: these systems must meet transparency duties. Users must know when they are dealing with AI, but providers face lighter documentation rules.
• Minimal risk: most AI systems sit here. The AI Act sets no mandatory rules, though voluntary codes of conduct are encouraged.
This classification shapes everything: documentation, testing, oversight, and ongoing monitoring.
Eight categories of AI systems became illegal across the European Union on 2 February 2025:
• Manipulation through subliminal techniques: AI exploiting psychological vulnerabilities of children, the elderly, or disabled individuals to distort behaviour, causing physical or psychological harm
• Social scoring systems: Government or private evaluation of individuals based on behaviour, leading to detrimental treatment in unrelated contexts
• Real-time remote biometric identification systems for law enforcement in public spaces (with narrow exceptions requiring judicial authorisation)
• Biometric categorisation: using sensitive characteristics like race, political opinions, or sexual orientation
• Untargeted facial image scraping from the internet or CCTV footage to build recognition databases.
• Emotion recognition systems in workplaces and educational institutions
• Predictive policing based solely on profiling or personality assessment
• Exploitation AI targeting vulnerabilities based on age, disability, or social/economic situation
Law enforcement exceptions for biometric identification need prior authorisation from a judicial or independent administrative authority. In urgent cases, use can start while approval is pending, but it must be sought within 24 hours. If authorisation is refused, the system must shut down at once and all collected data must be deleted.
High-risk AI systems are the core of this regulation. They work in sensitive areas where mistakes carry serious consequences.
What counts as high risk?
• AI used in critical infrastructure management
• Educational and vocational training access decisions
• Employment, worker management, and recruitment tools
• Access to essential services like credit scoring
• Law enforcement applications
• Migration and border control management
• Administration of justice and democratic processes
What must providers do before market placement?
Providers must set up a full risk management system to find and reduce harms across the AI lifecycle. Training data must be relevant, representative, and free from errors.
Technical documentation must be complete before any high-risk system reaches the EU market. This includes:
• Detailed system descriptions and intended purposes
• Training methodologies and data governance procedures
• Performance metrics and known limitations
• Instructions for deployers on proper use
Human oversight must be built into these systems from the start. Systems also need logging that records events throughout their operation.
CE marking rules apply to certain AI embedded in regulated products, such as medical devices, toys, or vehicles, with compliance due by August 2027.
General-purpose AI models, including foundation models and generative AI like large language models, have their own tier, in force from August 2025.
Providers of GPAI models must keep detailed technical documentation covering training, evaluation results, and known limitations. Copyright rules require transparency about training data sources. They must also make model capabilities and limitations clear to downstream providers that build GPAI into their own applications.
GPAI models with exceptional capabilities face extra scrutiny. The threshold is 10^25 FLOPs of training compute, which currently covers only the largest generative AI models from major technology companies. Providers of GPAI models with possible systemic risks must:
• Conduct adversarial testing and model evaluations
• Assess and mitigate systemic risks, including to democratic processes
• Track and report serious incidents to the European AI office
• Implement appropriate cybersecurity protections
• Maintain energy consumption records
Limited risk covers AI that needs user disclosure without the full weight of high-risk rules.
• Chatbots and conversational AI: any system that interacts directly with people must tell users they are dealing with AI. The notice must be clear and given before meaningful interaction starts.
• Deepfakes and AI-generated content: generative AI that creates synthetic audio, images, video, or text must label its output as AI-generated. This applies whatever the content or purpose.
• Emotion recognition: where it is allowed, outside banned workplace and school settings, operators must tell people their emotional states are being analysed.
• Biometric categorisation: systems that categorise people using biometric data must disclose this to the people affected.
These transparency rules start in August 2026, giving organisations time to update interfaces and disclosure methods.
A multi-level framework governs enforcement:
• National competent authorities: each Member State must name national authorities for market surveillance and enforcement within its borders. They run inspections, investigate complaints, and impose corrective measures on non-compliant systems. At least one authority per country must act as a notified body for conformity assessments of certain high-risk systems.
• EU AI Office: the European AI Office within the Commission holds central authority over GPAI models and systemic risk. It coordinates cross-border enforcement, publishes guidance, and maintains the EU database of high-risk systems. It also runs regulatory sandboxes, controlled settings where organisations can test high-risk systems before full deployment.
• EU AI Board: the AI Board brings together representatives from all Member States to coordinate enforcement, share information, and advise on implementation. It gives a forum for resolving cross-border disputes and keeps application consistent across the EU market.
• Post-market monitoring: providers must track performance after deployment. Serious incidents, such as deaths or serious damage to health, property, or the environment, need immediate notice to national authorities.
Work through these steps to prepare:
1. Inventory all AI systems. Document every AI system your organisation develops, deploys, or uses, including legacy systems and third-party tools. You cannot assess risk without knowing what exists.
2. Classify risk. Apply the AI Act’s criteria to each system. Many fall into minimal risk and need no action. Others may trigger major duties.
3. Run a gap analysis. For high-risk systems, compare current practice against the requirements. Ask whether you have a working risk management system, whether your quality management system is documented, whether you can show data governance procedures, and whether human oversight is operational.
4. Update documentation. Technical documentation must cover system design, development, testing, and deployment. Most organisations will need to formalise existing practices and fill gaps.
5. Appoint an authorised representative. Non-EU providers must appoint a representative established in the EU before placing AI systems on the market. This representative is legally responsible for compliance.
6. Provide AI literacy training. Staff who operate AI systems need enough understanding to comply. Training programmes must cover both technical operation and the regulatory requirements.
The AI Act backs compliance with heavy financial penalties:
Penalty structure:
• Prohibited AI violations: Up to €35 million or 7% of worldwide global annual turnover (whichever is higher)
• High risk AI non-compliance: Up to €15 million or 3% of turnover
• Incorrect information to authorities: Up to €7.5 million or 1% of turnover
For SMEs and start-ups, the lower figure applies, to keep the impact proportionate.
National authorities can order product withdrawals from the EU market, require system changes, and require public disclosure of breaches. In serious cases, they can stop further AI practices until the system complies.
Non-compliance brings risks beyond fines:
Organisations throughout the AI value chain share responsibility. Distributors and importers also face obligations, not just those who develop AI systems. The regulation incentivises proactive compliance. Building trustworthy AI systems from inception costs less than retrofitting non-compliant products after deployment.
About the Author
Zlatko Delev
Country Manager & Head of Commercial — GDPRLocal
Zlatko specialises in data protection compliance, ISMS strategy, and AI law. With a legal background and hands-on experience supporting organisations globally, he helps businesses navigate GDPR, the EU AI Act, and international privacy frameworks.
The AI Act applies to any organisation that develops, sells, or uses AI systems in the EU. This includes non-EU companies if their AI affects people in the EU or is placed on the EU market.
No. Most AI systems fall under minimal risk and face no mandatory duties. Only high-risk and prohibited systems trigger strict requirements, while limited-risk systems mainly need user transparency.
Non-compliance can lead to fines of up to €35 million or 7% of worldwide annual turnover, product bans across the EU, forced system changes, reputational damage, and loss of market access.