EU AI Act

Background: Why the EU AI Act Was Created

Artificial intelligence had been spreading across industries faster than any regulatory framework could keep pace. Hiring tools were screening candidates. Healthcare systems were flagging patients. Credit algorithms were approving or denying loans. Each of these applications carried real potential for harm to individuals, to fairness, and to fundamental rights.

The European Commission recognized that voluntary guidelines weren't enough. The EU AI Act was designed to change that; creating the world's first comprehensive, legally binding framework for AI, covering not just what AI systems must do, but what they must never do.

How the EU AI Act Works: The Risk-Based Framework

The Act's core mechanism is a four-tier risk classification system. Rather than applying the same rules to every AI application, it scales obligations based on how much harm a system could cause.

• Unacceptable Risk (Prohibited): These are AI applications the EU has banned outright. Examples include AI systems that manipulate people through subliminal techniques, social scoring systems used by governments, and most uses of real-time remote biometric identification in public spaces.
• High Risk: This is the most regulated tier that isn't outright banned. High-risk AI systems are those deployed in sensitive domains: hiring and recruitment, credit scoring, medical devices, critical infrastructure, border control, and law enforcement. 
• Limited Risk: These systems face lighter transparency obligations. For example, chatbots must inform users that they are interacting with AI. Deepfake content must be labeled as artificially generated.‍
• Minimal Risk: Most AI applications, such asspam filters or AI-powered video games, fall into this category. They are largely unregulated under the Act, though voluntary codes of conduct are encouraged.

There is also a separate category for General-Purpose AI (GPAI) models, such as large language models, which carry their own obligations around transparency, copyright compliance, and systemic risk assessment if they exceed a certain capability threshold.

Key Obligations Under the EU AI Act

For organizations deploying high-risk AI systems, the Act introduces a set of concrete requirements:

• Risk management systems: Providers must identify, analyze, and mitigate risks throughout the AI system's lifecycle.
• Data governance: Training data must meet quality standards and be monitored for biases.
• Technical documentation: Detailed records must be maintained to demonstrate compliance.
• Transparency and human oversight: Users must be informed when interacting with AI, and meaningful human oversight must be built into high-risk systems.
• Accuracy and robustness: Systems must perform consistently and be protected against adversarial manipulation.
• Conformity assessments: Before market entry, certain high-risk systems require a formal conformity assessment either self-assessed or reviewed by a notified third party.

Non-compliance carries significant penalties: up to €35 million or 7% of global annual turnover for prohibited AI violations, and up to €15 million or 3% for other breaches.

Who Does the EU AI Act Apply To?

Scope is one of the most important practical questions for organizations. The Act applies to:

• Providers who develop and place AI systems on the EU market, regardless of where they are based.
• Deployers (called "users" in the Act's terminology) who use AI systems in a professional context within the EU.
• Importers and distributors of AI systems sold in EU markets.
• Product manufacturers who integrate AI into their products.

Crucially, geographic location does not exempt an organization. A U.S.-based company deploying a hiring tool used by EU employees is subject to the Act. This extraterritorial reach mirrors the approach taken by the GDPR and makes the EU AI Act a global compliance concern.

The EU AI Act in the Context of AI Governance

The EU AI Act is part of a global shift toward structured, externally verifiable AI oversight.

For AI governance teams, it provides a practical compliance anchor. Its risk-based approach aligns with key governance practices, including:

• AI risk management
• Impact assessments
• Model and system documentation
• Data lineage tracking
• Vendor oversight
• Human oversight
• Audit readiness

The timeline is already underway: unacceptable-risk prohibitions began in February 2025, GPAI obligations apply from August 2025, and high-risk system requirements phase in through 2026 and 2027.

For organizations with EU exposure, reactive compliance is no longer enough.