Europe AI Act Summary EU AI Regulations

Europe AI Act Summary: EU Artificial Intelligence Regulations

Updated: July 2026

The EU AI Act sets out a new way to regulate artificial intelligence. Instead of treating every AI system the same, it links legal duties to the level of risk a system poses to people and society. This risk-based approach decides whether an AI system is banned, must meet strict pre-market controls, must follow transparency rules, or stays largely unregulated.

The AI Act uses four risk tiers, from outright bans to light transparency duties.

Key Takeaways:

The AI Act ties duties to risk, sorting systems into four tiers: unacceptable (banned), high, limited, and minimal risk.

Prohibited AI has been banned since 2 February 2025. GPAI rules apply from August 2025, transparency rules from August 2026, and embedded high-risk rules from August 2027.

High-risk systems carry the heaviest load: risk management, quality management, technical documentation, human oversight, and conformity assessment before market placement.

Fines reach up to €35 million or 7% of worldwide annual turnover, and the rules cover non-EU companies whose AI affects people in the EU.

How does the AI Act classify risk?

The AI Act uses four risk tiers that set out exactly what you need to do:

• Unacceptable risk: some AI practices are such a clear threat to fundamental rights that they are banned. There is no compliance route, and these systems cannot operate in the EU.

• High risk: these systems carry the heaviest duties. Providers must run risk management and quality management systems and pass conformity assessments before putting products on the EU market.

• Limited risk: these systems must meet transparency duties. Users must know when they are dealing with AI, but providers face lighter documentation rules.

• Minimal risk: most AI systems sit here. The AI Act sets no mandatory rules, though voluntary codes of conduct are encouraged.

This classification shapes everything: documentation, testing, oversight, and ongoing monitoring.

Which AI systems are banned?

Eight categories of AI systems became illegal across the European Union on 2 February 2025:

Manipulation through subliminal techniques: AI exploiting psychological vulnerabilities of children, the elderly, or disabled individuals to distort behaviour, causing physical or psychological harm

Social scoring systems: Government or private evaluation of individuals based on behaviour, leading to detrimental treatment in unrelated contexts

Real-time remote biometric identification systems for law enforcement in public spaces (with narrow exceptions requiring judicial authorisation)

Biometric categorisation: using sensitive characteristics like race, political opinions, or sexual orientation

Untargeted facial image scraping from the internet or CCTV footage to build recognition databases.

Emotion recognition systems in workplaces and educational institutions

Predictive policing based solely on profiling or personality assessment

Exploitation AI targeting vulnerabilities based on age, disability, or social/economic situation

Law enforcement exceptions for biometric identification need prior authorisation from a judicial or independent administrative authority. In urgent cases, use can start while approval is pending, but it must be sought within 24 hours. If authorisation is refused, the system must shut down at once and all collected data must be deleted.

What do high-risk AI systems need to do?

High-risk AI systems are the core of this regulation. They work in sensitive areas where mistakes carry serious consequences.

What counts as high risk?

AI used in critical infrastructure management
Educational and vocational training access decisions
Employment, worker management, and recruitment tools
Access to essential services like credit scoring
Law enforcement applications
Migration and border control management
Administration of justice and democratic processes

What must providers do before market placement?

Providers must set up a full risk management system to find and reduce harms across the AI lifecycle. Training data must be relevant, representative, and free from errors.

Technical documentation must be complete before any high-risk system reaches the EU market. This includes:

Detailed system descriptions and intended purposes
Training methodologies and data governance procedures
Performance metrics and known limitations
Instructions for deployers on proper use

Human oversight must be built into these systems from the start. Systems also need logging that records events throughout their operation.

CE marking rules apply to certain AI embedded in regulated products, such as medical devices, toys, or vehicles, with compliance due by August 2027.

What are the rules for general-purpose AI models?

General-purpose AI models, including foundation models and generative AI like large language models, have their own tier, in force from August 2025.

What must all GPAI providers do?

Providers of GPAI models must keep detailed technical documentation covering training, evaluation results, and known limitations. Copyright rules require transparency about training data sources. They must also make model capabilities and limitations clear to downstream providers that build GPAI into their own applications.

When is a GPAI model a systemic risk?

GPAI models with exceptional capabilities face extra scrutiny. The threshold is 10^25 FLOPs of training compute, which currently covers only the largest generative AI models from major technology companies. Providers of GPAI models with possible systemic risks must:

Conduct adversarial testing and model evaluations
Assess and mitigate systemic risks, including to democratic processes
Track and report serious incidents to the European AI office
Implement appropriate cybersecurity protections
Maintain energy consumption records

What transparency rules apply to limited-risk AI?

Limited risk covers AI that needs user disclosure without the full weight of high-risk rules.

• Chatbots and conversational AI: any system that interacts directly with people must tell users they are dealing with AI. The notice must be clear and given before meaningful interaction starts.

• Deepfakes and AI-generated content: generative AI that creates synthetic audio, images, video, or text must label its output as AI-generated. This applies whatever the content or purpose.

• Emotion recognition: where it is allowed, outside banned workplace and school settings, operators must tell people their emotional states are being analysed.

• Biometric categorisation: systems that categorise people using biometric data must disclose this to the people affected.

These transparency rules start in August 2026, giving organisations time to update interfaces and disclosure methods.

Who enforces the AI Act?

A multi-level framework governs enforcement:

• National competent authorities: each Member State must name national authorities for market surveillance and enforcement within its borders. They run inspections, investigate complaints, and impose corrective measures on non-compliant systems. At least one authority per country must act as a notified body for conformity assessments of certain high-risk systems.

• EU AI Office: the European AI Office within the Commission holds central authority over GPAI models and systemic risk. It coordinates cross-border enforcement, publishes guidance, and maintains the EU database of high-risk systems. It also runs regulatory sandboxes, controlled settings where organisations can test high-risk systems before full deployment.

• EU AI Board: the AI Board brings together representatives from all Member States to coordinate enforcement, share information, and advise on implementation. It gives a forum for resolving cross-border disputes and keeps application consistent across the EU market.

• Post-market monitoring: providers must track performance after deployment. Serious incidents, such as deaths or serious damage to health, property, or the environment, need immediate notice to national authorities.

What are the practical compliance steps?

Work through these steps to prepare:

1. Inventory all AI systems. Document every AI system your organisation develops, deploys, or uses, including legacy systems and third-party tools. You cannot assess risk without knowing what exists.

2. Classify risk. Apply the AI Act’s criteria to each system. Many fall into minimal risk and need no action. Others may trigger major duties.

3. Run a gap analysis. For high-risk systems, compare current practice against the requirements. Ask whether you have a working risk management system, whether your quality management system is documented, whether you can show data governance procedures, and whether human oversight is operational.

4. Update documentation. Technical documentation must cover system design, development, testing, and deployment. Most organisations will need to formalise existing practices and fill gaps.

5. Appoint an authorised representative. Non-EU providers must appoint a representative established in the EU before placing AI systems on the market. This representative is legally responsible for compliance.

6. Provide AI literacy training. Staff who operate AI systems need enough understanding to comply. Training programmes must cover both technical operation and the regulatory requirements.

Financial Penalties and Non-Compliance Risks

The AI Act backs compliance with heavy financial penalties:

Penalty structure:

Prohibited AI violations: Up to €35 million or 7% of worldwide global annual turnover (whichever is higher)

High risk AI non-compliance: Up to €15 million or 3% of turnover

Incorrect information to authorities: Up to €7.5 million or 1% of turnover

For SMEs and start-ups, the lower figure applies, to keep the impact proportionate.

National authorities can order product withdrawals from the EU market, require system changes, and require public disclosure of breaches. In serious cases, they can stop further AI practices until the system complies.

Non-compliance brings risks beyond fines:

  • Market access: Products may be blocked from the entire EU market
  • Contracts: Business partners may require compliance warranties
  • Reputation: Public enforcement actions damage trustworthy AI positioning
  • Innovation delays: Non-compliant development must pause for remediation

Conclúid

Organisations throughout the AI value chain share responsibility. Distributors and importers also face obligations, not just those who develop AI systems. The regulation incentivises proactive compliance. Building trustworthy AI systems from inception costs less than retrofitting non-compliant products after deployment.

Zlatko Delev

About the Author

Zlatko Delev

Country Manager & Head of Commercial — GDPRLocal

Zlatko specialises in data protection compliance, ISMS strategy, and AI law. With a legal background and hands-on experience supporting organisations globally, he helps businesses navigate GDPR, the EU AI Act, and international privacy frameworks.

Frequently Asked Questions

Who does the EU AI Act apply to?

The AI Act applies to any organisation that develops, sells, or uses AI systems in the EU. This includes non-EU companies if their AI affects people in the EU or is placed on the EU market.

Are all AI systems heavily regulated under the AI Act?

No. Most AI systems fall under minimal risk and face no mandatory duties. Only high-risk and prohibited systems trigger strict requirements, while limited-risk systems mainly need user transparency.

What happens if a company doesn’t comply with the AI Act?

Non-compliance can lead to fines of up to €35 million or 7% of worldwide annual turnover, product bans across the EU, forced system changes, reputational damage, and loss of market access.