Chapter 1: Regulatory Overview
1.1 What the EU AI Act Is
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive legal framework for artificial intelligence. It establishes harmonised rules for the development, placing on the market, putting into service, and use of AI systems within the European Union. The regulation follows a risk-based approach: the higher the risk an AI system poses, the stricter the rules.
The Act applies directly in all 27 EU Member States without the need for national transposition. It operates alongside existing EU legislation including the General Data Protection Regulation (GDPR), the Product Liability Directive, and sector-specific safety legislation.
1.2 Scope and Territorial Application
The AI Act applies to:
- Providers (developers) of AI systems that place them on the EU market or put them into service in the EU, regardless of whether the provider is established within the EU or in a third country
- Deployers (users) of AI systems that are established in the EU or located in the EU
- Providers and deployers of AI systems established in a third country, where the output produced by the AI system is used in the EU
- Importers and distributors of AI systems
- Product manufacturers placing AI systems on the market together with their product under their own name or trademark
Exclusions: AI systems developed or used exclusively for military or defence purposes; AI systems used solely for scientific research and development; AI used by natural persons for purely personal, non-professional activity; and AI systems released under free and open-source licences (with specific exceptions for high-risk and prohibited categories).
1.3 Key Definitions
AI system (Article 3(1)): A machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.
Provider: A natural or legal person that develops an AI system or a general-purpose AI model and places it on the market or puts the AI system into service under its own name or trademark.
Deployer: A natural or legal person using an AI system under its authority, except where the AI system is used in the course of a personal non-professional activity.
General-purpose AI model (GPAI model): An AI model, including where such an AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks.
1.4 Regulatory Authorities
European AI Office: Established within the European Commission. Responsible for GPAI oversight, coordination of enforcement across Member States, and development of codes of practice. The AI Office has direct enforcement powers over GPAI model providers from 2 August 2026.
National Competent Authorities: Each Member State must designate at least one notifying authority and at least one market surveillance authority. These bodies enforce AI Act obligations for high-risk AI systems within their territory.
AI Board: The European Artificial Intelligence Board consists of representatives from each Member State. It advises the Commission and coordinates between national authorities.
Advisory Forum: A body for stakeholder consultation, including industry, civil society, and academia.
1.5 Enforcement Timeline
| Date | Milestone |
|---|---|
| 1 August 2024 | AI Act enters into force |
| 2 February 2025 | Prohibited AI practices (Article 5) apply. AI Literacy obligation (Article 4) applies |
| 2 August 2025 | GPAI model obligations (Chapter V) apply. Governance structure obligations apply |
| 2 August 2026 | Transparency obligations (Article 50) apply. Commission enforcement powers for GPAI in full effect. Notification rules for high-risk AI apply |
| 2 August 2026 (original) | High-risk AI (Annex III) obligations — POSTPONED (see below) |
| 2 December 2027 | Annex III high-risk AI system obligations apply (revised by Omnibus, 7 May 2026) |
| 2 August 2028 | Annex I high-risk AI system obligations apply (AI embedded in regulated products) |
Critical update — Omnibus Agreement of 7 May 2026: The European Parliament and Council reached a provisional political agreement on targeted amendments to the AI Act as part of the Digital Omnibus initiative. The key change: Annex III standalone high-risk AI system obligations are deferred by 16 months, from 2 August 2026 to 2 December 2027. Annex I product-embedded AI obligations are deferred by 12 months to 2 August 2028. This agreement must still be formally adopted by co-legislators. The prohibited practices, AI literacy, GPAI, and transparency obligations remain on their original schedules.
Want to monitor your AI compliance automatically? Try AIOS — your AI compliance OS. https://mmoww.net/ai/app/
Quick Decision Matrix
Use this matrix to determine your AI compliance obligations.
| Your Situation | Risk Level | Priority Action | Go To |
|---|---|---|---|
| Deploying AI that affects employment decisions | High | Impact assessment required | Chapter 3 |
| Using AI for customer-facing services | Medium-High | Transparency obligations apply | Chapter 4 |
| Internal AI tools (analytics, automation) | Medium | Document and monitor | Chapter 5 |
| AI in regulated sector (finance, health) | High | Sector-specific rules apply | Chapter 3 |
| Procuring AI from third-party vendor | Medium | Vendor due diligence needed | Chapter 5 |
| Just exploring AI for the first time | Low | Start with governance framework | Chapter 2 |
5-second answer: If your AI system makes decisions that affect people, you have compliance obligations. Start with Chapter 2 for the regulatory framework, then Chapter 3 for your specific obligations.