The world's first comprehensive AI legal framework. In force August 2024, with obligations applying progressively through 2026–2027. If you deploy AI in or to the EU, this applies to you — regardless of where you are based.
The EU AI Act applies to providers (organisations that develop or place AI systems on the market), deployers (organisations that use AI systems in a professional context), importers, and distributors. Geographic scope follows the effect of the AI system, not the location of the developer.
You are in scope if any of the following apply:
Common misconception: Many non-EU organisations assume the Act does not apply to them. The jurisdictional reach is designed to be broad. If your system affects people in the EU, legal advice on applicability is warranted before assuming you are out of scope.
The Act classifies AI systems into four risk tiers. Your obligations depend entirely on which tier your system falls into.
AI systems that pose unacceptable risks to fundamental rights are prohibited entirely. This includes social scoring by public authorities, real-time biometric surveillance in public spaces (with narrow exceptions), manipulation of persons using subliminal techniques, and exploitation of vulnerabilities of specific groups.
Your obligation: Do not deploy. These use cases are banned.
Systems used in critical infrastructure, education, employment, essential services, law enforcement, migration, and administration of justice. Also applies to safety components of products covered by existing EU product safety legislation.
Your obligation: Full compliance regime: conformity assessment, technical documentation, risk management system, human oversight measures, accuracy and robustness requirements, registration in the EU AI Act database.
AI systems that interact directly with users (chatbots, emotion recognition, AI-generated content). Users must be informed they are interacting with an AI. Deepfakes must be disclosed as AI-generated.
Your obligation: Transparency disclosures. Users must know they are engaging with AI. No conformity assessment required.
The vast majority of AI applications fall here: spam filters, AI in video games, recommendation engines, most productivity tools. The Act does not impose mandatory requirements but encourages voluntary codes of practice.
Your obligation: No mandatory obligations. Voluntary adherence to codes of practice is encouraged.
If your system is classified as high-risk, the Act imposes a significant ongoing compliance regime. This is not a point-in-time certification — it is continuous obligation.
Establish, implement, document, and maintain a risk management system throughout the AI system's lifecycle. Identify and analyse known and foreseeable risks. Evaluate risks arising from post-market monitoring. Implement risk mitigation measures.
Prepare and maintain comprehensive technical documentation before market placement. Includes a general description, design specifications, development data, training and testing methodology, accuracy metrics, and cybersecurity measures. Must be available to national authorities on request.
Training, validation, and testing data must meet quality criteria for relevance, representativeness, freedom from errors, and completeness. Document data collection methodologies, data provenance, and any known limitations.
High-risk AI systems must have logging capabilities that enable traceability of operation throughout the system's lifetime. Logs must be stored for at minimum the system's operating lifetime or 10 years, whichever is longer.
Provide deployers with instructions for use covering system capabilities and limitations, accuracy and robustness characteristics, human oversight requirements, and how to interpret outputs correctly.
High-risk AI systems must be designed to allow human oversight during operation. Specific requirements: individuals must be able to understand system capabilities and limitations, detect anomalies, and override or interrupt operation. This cannot be a nominal compliance checkbox — oversight must be genuinely implementable.
Systems must achieve appropriate levels of accuracy, robustness, and cybersecurity. For systems making consequential decisions, accuracy must be declared and validated. Resilience against attempts to alter the system or its output must be built in.
Before market placement, conduct conformity assessment. For most high-risk AI systems, this can be a self-assessment against Annex VI requirements with supporting documentation. For certain systems (biometrics, critical infrastructure), third-party assessment by a notified body is required.
The Act implements obligations progressively. The timeline as of the August 2024 entry into force:
Act published in Official Journal. 24-month implementation period begins for most provisions.
Chapter II (unacceptable risk) prohibitions apply. Immediately ban any systems falling into this category.
General Purpose AI (GPAI) model obligations apply. Affects providers of foundation models placed on the EU market.
Article 6(2) high-risk AI system obligations fully apply. The majority of compliance work must be complete by this date.
High-risk AI systems already in use before August 2026 must comply by this date (3-year grace period).
For organisations beginning compliance work now, the following sequence reflects the most common practical starting point:
This is not legal advice. The EU AI Act is complex legislation with implementing acts, delegated regulations, and national transposition that continue to evolve. This article provides a practical overview for technical and operational teams. Classification decisions and compliance strategies for high-risk systems require qualified EU legal counsel.