EU AI Act
From AISApedia, the AI skills & terms encyclopedia
The EU AI Act is the world's first comprehensive legal framework for regulating artificial intelligence, establishing a risk-based classification system with four tiers — unacceptable, high, limited, and minimal risk — each carrying specific compliance obligations. Adopted in 2024 with enforcement beginning in phases through 2027, it applies to any AI system used within the European Union, regardless of where the provider is headquartered.
What are the four risk tiers and what falls into each?
The Act classifies AI systems by the severity of potential harm. Unacceptable risk — systems that are outright prohibited — includes social scoring by governments, real-time biometric surveillance in public spaces (with narrow law enforcement exceptions), subliminal manipulation techniques that exploit vulnerabilities, and AI that infers emotions in workplaces or educational settings without medical justification. These prohibitions took effect first, applying from February 2025.
High-risk systems carry the heaviest compliance burden and include AI used in employment and worker management decisions (hiring, promotion, termination, task allocation), credit scoring and insurance underwriting, education admissions and student assessment, law enforcement profiling, migration and asylum case processing, and critical infrastructure management. These systems require conformity assessments, human oversight mechanisms, detailed technical documentation, data governance procedures, and ongoing monitoring throughout their lifecycle. Most enterprise AI deployments that touch consequential decisions about people fall into this tier.
Limited risk covers systems like chatbots, deepfake generators, and emotion recognition systems. These must meet transparency obligations — primarily disclosing to users that they are interacting with AI-generated content or an AI system. The requirement is straightforward but important: users must be able to make informed decisions about how they engage with the system. Minimal risk systems — spam filters, AI-powered inventory management, video game AI — face no specific requirements under the Act, though general product safety law still applies.
General-purpose AI models, including large language models, have their own set of obligations separate from the risk tiers. Providers of these foundation models must publish technical documentation, comply with EU copyright law, and provide sufficiently detailed summaries of training data. Models deemed to pose systemic risk (based on computational resources used for training) face additional requirements including model evaluation, adversarial testing, incident reporting, and cybersecurity protections.
Why does the EU AI Act affect companies outside Europe?
Like GDPR before it, the AI Act has extraterritorial scope that extends far beyond the EU's borders. The regulation applies to any provider that places an AI system on the EU market or whose system's output is used within the EU, regardless of where the company is headquartered or where its servers are located. A US-based SaaS company whose hiring tool screens resumes for European clients is subject to the high-risk requirements, even if its development team, training data, and infrastructure are entirely in North America.
This extraterritorial reach is already reshaping global AI development practices. Many international companies are finding it more cost-effective to adopt EU-compliant practices as their global baseline rather than maintaining separate compliance regimes for European and non-European markets. This 'Brussels Effect' mirrors what happened with GDPR, where European data protection standards effectively became the worldwide standard for privacy engineering because building separate systems for each jurisdiction was impractical.
The Act also introduces distinct obligations for deployers — organizations that use AI systems in their operations, not just those that develop them. A company purchasing an AI-powered hiring tool must ensure it is deployed in compliance with the Act, including maintaining human oversight capability, conducting fundamental rights impact assessments for high-risk systems, and keeping deployment logs. The compliance obligation does not stop at procurement; it extends through the entire lifecycle of use.
How should teams prepare for compliance now?
The most cost-effective strategy is to classify your AI systems by risk tier today and build compliance into the development process rather than retrofitting it later. Organizations that treated GDPR as a last-minute checkbox exercise spent significantly more — often by orders of magnitude — than those that integrated privacy-by-design from the start. The same economic dynamic applies to AI Act compliance, and the window for proactive preparation is closing as enforcement dates approach.
For high-risk systems, the Act requires a comprehensive set of capabilities: a risk management system operating throughout the AI lifecycle, data governance practices covering training and validation data quality, technical documentation sufficient for third-party conformity assessment, automatic logging of system operation, transparency information for deployers, human oversight capability that allows intervention and override, and accuracy, robustness, and cybersecurity standards appropriate to the risk level. Many of these requirements overlap with practices recommended by AI governance frameworks and the NIST AI RMF, so teams already following structured risk management practices will find themselves partially compliant.
A practical starting point is to audit every AI system your organization builds, deploys, or procures. For each system, determine the applicable risk tier, document the current state of compliance across each requirement category, and identify the gaps. This gap analysis becomes your compliance roadmap, prioritized by enforcement timeline and business risk. For systems relying on third-party AI models or APIs, ensure your vendor agreements include provisions for the documentation, transparency, and incident reporting obligations that the Act places on the value chain.
What is the enforcement timeline and what are the penalties?
Enforcement is deliberately phased to give organizations time to prepare. Prohibitions on unacceptable-risk AI practices took effect in February 2025. Governance provisions and obligations for general-purpose AI models apply from August 2025. The full requirements for high-risk AI systems take effect from August 2026, with an extended deadline of August 2027 for AI systems that serve as safety components of products already regulated under existing EU sectoral legislation such as medical devices, aviation, or automotive standards.
Penalties are structured to be dissuasive at the corporate level: up to 35 million euros or 7% of worldwide annual turnover (whichever is higher) for deploying prohibited AI practices, up to 15 million euros or 3% of turnover for violations of high-risk system obligations, and up to 7.5 million euros or 1.5% of turnover for providing incorrect or misleading information to regulatory authorities. For companies already operating in the EU, these fines sit alongside existing GDPR penalties, creating a cumulative compliance risk that makes proactive investment in AI governance increasingly difficult to defer.
Each EU member state will designate national competent authorities responsible for enforcement, and a new European AI Office coordinates cross-border enforcement and oversees general-purpose AI model compliance at the EU level. Organizations should monitor both EU-level and national implementation developments, as member states may add sector-specific guidance that affects how the Act applies in practice.
Try this yourself
Take one AI feature your company uses or builds. Look up which EU AI Act risk tier it falls under (minimal, limited, high, or unacceptable). Check what compliance it would need today.
Real-world example
A startup's 'innovative' resume screening AI falls into the high-risk tier under the EU AI Act, requiring bias audits, human oversight protocols, and technical documentation. A competitor that built compliance in from day one now wins enterprise contracts while the startup scrambles to retrofit.
See also
- PII Handling (Foundational)
- AI Bias Awareness (Foundational)
- AI Data Privacy (Foundational)
- Verification Checklists (Foundational)
- AI Ethics Frameworks (Intermediate)
- Stakes-Based Review (Foundational)
- AI Handoff Patterns (Intermediate)
- Adversarial Testing (Intermediate)
