
EU AI Act Explained: Complete Guide 2026

Last updated April 2026

Quick Answer

The EU AI Act is the world's first comprehensive AI law, in force from 1 August 2024. It classifies AI systems into four risk tiers — prohibited, high-risk, limited, and minimal — with fines up to €35 million or 7% of global turnover for the most serious violations. High-risk AI obligations apply from August 2026.

What Is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024, making it the first comprehensive legal framework for artificial intelligence anywhere in the world. It takes a risk-based approach: not all AI is treated the same. Systems that pose unacceptable risk are banned outright; high-risk systems face extensive pre-market obligations; limited-risk systems need only transparency measures; minimal-risk systems are largely unregulated.

The Act applies to any organisation that provides, imports, distributes, or deploys AI in the EU — regardless of where that organisation is headquartered. A startup in San Francisco, a bank in Singapore, or a health system in the UK whose AI outputs are used in EU member states all fall within scope.

The Four Risk Tiers

Unacceptable risk (Article 5 — banned from August 2025): AI systems that use subliminal or manipulative techniques, exploit vulnerable populations, enable social scoring by public authorities, allow most real-time biometric surveillance in public spaces, perform biometric categorisation inferring sensitive attributes, scrape facial images to build recognition databases, enable emotion recognition at work or school, or conduct predictive policing based solely on profiling.

High risk (Annex I and III — obligations from August 2026 for Annex III): AI systems that are safety components of regulated products (medical devices, machinery, vehicles) or fall into Annex III categories: critical infrastructure, education, employment and worker management, essential private and public services, law enforcement, migration and border control, and justice. These systems require a quality management system, Annex IV technical documentation, conformity assessment, CE marking, and registration in the EU AI Act database.

Limited risk (transparency obligations only): AI systems that interact with natural persons in real time (chatbots), generate synthetic content (deepfakes), or are used for emotion recognition or biometric categorisation in limited contexts must disclose their AI nature and, for synthetic content, apply machine-readable watermarks.

Minimal risk: Everyday AI applications such as spam filters, AI-enabled video games, or recommendation algorithms that do not fall into a higher tier are largely unregulated. Voluntary codes of conduct apply.

General-Purpose AI Models

The Act also regulates general-purpose AI (GPAI) models — foundation models trained on large amounts of data at scale. All GPAI providers must maintain Annex XI technical documentation, publish training data summaries, and implement a copyright compliance policy. Models that pose “systemic risk” (training compute exceeding 10²⁵ FLOPs, or designated by the AI Office) must additionally conduct adversarial testing, report serious incidents to the EU AI Office, and implement enhanced cybersecurity measures.

Enforcement Timeline

The regulation phases in progressively: prohibited AI practices and AI literacy obligations from August 2025; GPAI model obligations also from August 2025; high-risk AI in Annex III from August 2026; and high-risk AI embedded in regulated products (Annex I) from August 2027. Each EU member state designates a national supervisory authority responsible for enforcement.

What Organisations Need to Do Now

Start with a classification exercise: inventory all AI systems you develop, sell, or use, and map them to the risk tiers. For Annex III high-risk systems, begin building the quality management system and Annex IV technical documentation immediately — these take months to prepare. For prohibited practices, screen your AI portfolio now; Article 5 is already enforceable. For GPAI models, ensure copyright and transparency obligations are met.

The compliance journey for high-risk AI is longer than most organisations expect. A realistic timeline from standing start to CE marking is 9–18 months for a mature system, including documentation, conformity assessment, and notified body engagement if required.

Frequently Asked Questions

What is the EU AI Act?

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive legal framework for artificial intelligence. It entered into force on 1 August 2024 and establishes a risk-based compliance regime, banning certain AI practices outright and imposing extensive obligations on providers and deployers of high-risk AI systems.

Who does the EU AI Act apply to?

It applies to providers (organisations that develop or have AI systems developed and place them on the EU market), deployers (organisations that use AI systems in a professional context in the EU), importers, distributors, and product manufacturers. It applies regardless of where the organisation is established — a US company whose AI system is used in the EU must comply.

What are the four risk tiers in the EU AI Act?

Unacceptable risk (Article 5): prohibited AI practices including social scoring, most real-time biometric surveillance, and subliminal manipulation. High risk (Annex I and III): extensive obligations including technical documentation, conformity assessment, and CE marking. Limited risk: transparency obligations only (e.g., chatbots must identify themselves). Minimal risk: voluntary codes of conduct.

What is the deadline for EU AI Act compliance?

Article 5 prohibited practices became enforceable on 2 August 2025. GPAI model obligations and AI literacy requirements apply from 2 August 2025. High-risk AI system obligations (Annex III) apply from 2 August 2026. High-risk AI embedded in regulated products (Annex I) applies from 2 August 2027.

What are the maximum fines under the EU AI Act?

For prohibited AI practices (Article 5): up to €35 million or 7% of global annual turnover. For most high-risk AI violations: up to €30 million or 6% of global annual turnover. For GPAI model violations: up to €15 million or 3%. For providing incorrect information to authorities: up to €7.5 million or 1%.

Does the EU AI Act apply to AI used internally (not sold as a product)?

Yes. Organisations that deploy high-risk AI internally — for example, using AI to screen job applicants or assess creditworthiness — are "deployers" under the Act and have their own obligations: implementing human oversight, keeping usage logs, not using the system beyond its intended purpose, and reporting serious incidents.
