The EU AI Act (Regulation 2024/1689) is the world's first comprehensive AI law. It classifies AI systems by risk level and imposes obligations ranging from outright bans on certain practices to transparency and documentation requirements. Full enforcement begins August 2, 2026.
EU AI Act: Complete Guide to AI Regulation in Europe
What Is the EU AI Act
The EU AI Act, formally known as Regulation (EU) 2024/1689, is the first comprehensive legal framework governing artificial intelligence anywhere in the world. Adopted by the European Parliament and the Council of the European Union, it entered into force on August 1, 2024. The regulation establishes harmonised rules for the development, placing on the market, putting into service, and use of AI systems within the European Union.
The regulation follows a risk-based approach. Rather than regulating AI technology as a whole, it categorises AI systems according to the level of risk they pose to health, safety, and fundamental rights. This approach means that the most dangerous uses face the strictest rules, while lower-risk applications face lighter or no additional obligations beyond existing law.
Who Must Comply
The EU AI Act applies to a broad range of actors across the AI value chain. Under Article 2, the regulation covers providers (those who develop or have an AI system developed and place it on the market or put it into service under their own name), deployers (those who use an AI system under their authority), importers, distributors, and product manufacturers who integrate AI systems into their products.
Importantly, the regulation has extraterritorial reach. It applies to providers and deployers located outside the EU if the output produced by their AI system is used within the Union. This means that organisations based in the United States, the United Kingdom, or Asia must comply when their AI systems affect people in EU member states.
Certain exemptions exist. The regulation does not apply to AI systems used exclusively for military or defence purposes, AI systems used solely for scientific research and development, or AI systems released under free and open-source licences (with specific conditions under Article 2(12)).
Risk Categories Explained
The EU AI Act establishes four tiers of risk, each carrying different obligations.
Unacceptable risk covers AI practices that are outright prohibited under Article 5. These include social scoring by public authorities, real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions), subliminal manipulation techniques, and exploitation of vulnerabilities of specific groups. These prohibitions took effect on February 2, 2025.
High-risk AI systems are defined under Article 6 and Annexes I and III. These include AI used in biometric identification, critical infrastructure management, education and vocational training, employment and worker management, access to essential private and public services, law enforcement, migration and asylum management, and administration of justice. High-risk systems must meet extensive requirements for risk management, data governance, transparency, human oversight, accuracy, and cybersecurity.
Limited risk applies to AI systems that interact with natural persons or generate synthetic content. Under Article 50, these systems must meet specific transparency obligations, such as informing users that they are interacting with an AI system or that content has been artificially generated.
Minimal risk covers all other AI systems. These face no additional obligations under the regulation, though voluntary codes of conduct are encouraged under Article 95.
Key Obligations for High-Risk AI Systems
Providers of high-risk AI systems face the most substantial compliance requirements. Article 9 requires the establishment and maintenance of a risk management system throughout the entire lifecycle of the AI system. This system must identify and analyse known and reasonably foreseeable risks, estimate and evaluate risks that may emerge, and adopt suitable risk management measures.
Article 10 sets out data governance requirements. Training, validation, and testing datasets must be relevant, sufficiently representative, and as free of errors as possible. Data must be subject to appropriate data governance and management practices.
Article 13 mandates transparency. High-risk AI systems must be designed and developed so that their operation is sufficiently transparent to enable deployers to interpret the system output and use it appropriately. Instructions for use must include information about the provider, the system characteristics, its performance metrics, and known limitations.
Article 14 requires human oversight measures. High-risk AI systems must be designed to allow effective oversight by natural persons during the period in which they are in use. The oversight measures must enable the individuals to whom human oversight is assigned to correctly interpret the system output and to decide not to use the system or to override or reverse its output.
Article 15 addresses accuracy, robustness, and cybersecurity. High-risk AI systems must achieve an appropriate level of accuracy, robustness, and cybersecurity and perform consistently in those respects throughout their lifecycle.
Timeline of Key Deadlines
The EU AI Act follows a phased implementation schedule.
August 1, 2024 marked the entry into force of the regulation.
February 2, 2025 was the deadline for compliance with the prohibitions on AI practices under Article 5 and the AI literacy requirements under Article 4.
August 2, 2025 is the deadline for rules on general-purpose AI (GPAI) models under Articles 51 through 56, with the AI Office assuming oversight responsibilities.
August 2, 2026 is the deadline for the majority of the regulation, including all high-risk AI system requirements.
August 2, 2027 is the deadline for high-risk AI systems that are safety components of products covered by Union harmonisation legislation listed in Annex I.
Organisations should not wait for the final deadlines. The AI literacy obligation under Article 4, which requires that staff and other persons dealing with AI systems on behalf of an organisation have sufficient AI literacy, already applies.
How to Prepare for Compliance
Organisations should begin by conducting an inventory of all AI systems they develop, deploy, or use. Each system should be classified according to the risk categories established by the regulation. For any system that falls into the high-risk category, a gap analysis against Articles 9 through 15 should be performed.
Establishing an AI governance framework is essential. This includes appointing responsible individuals, creating documentation procedures, implementing risk management processes, and setting up incident reporting mechanisms. Article 4 requires AI literacy training for all relevant personnel, and this obligation is already in effect.
Deployers should review contracts with AI providers to ensure that adequate documentation, instructions for use, and technical information are being provided. Providers should prepare conformity assessment procedures and ensure that quality management systems under Article 17 are in place.
Monitoring the guidance published by the European AI Office and national competent authorities will be important as implementing acts and standards are developed throughout 2025 and 2026.
This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.