Artificial intelligence is now regulated by law in the European Union. Not proposed, not consulted on, not pending – enacted, in force, and already creating compliance obligations for thousands of organizations across the world.
If you use AI tools at work, build software that includes AI features, or run a business that operates in Europe, the EU AI Act applies to you in some form. Most people do not yet know what it says.
So, let us try to understand how that works!
Quick Answer
The EU AI Act is the world’s first comprehensive legal framework regulating artificial intelligence. It came into force on 1 August 2024 and applies across all 27 EU member states. It classifies AI systems into four risk tiers - unacceptable, high, limited, and minimal - and assigns compliance obligations based on that classification. Penalties for the most serious violations reach €35 million or 7% of global annual turnover, whichever is higher. Key deadlines are staggered between 2025 and 2027, with the most significant obligations now active.
What Is The EU AI Act And Why Does It Exist?
The EU Artificial Intelligence Act – formally Regulation (EU) 2024/1689 – entered into force on 1 August 2024, establishing comprehensive rules for AI systems across all 27 EU member states. [Source: Yousign]
The law emerged from a straightforward concern: as AI systems began making decisions that significantly affected people’s lives – credit applications, job screening, medical diagnoses, police surveillance – there were no binding legal standards governing how those systems had to be designed, tested, or disclosed.
The EU moved to fill that gap with a regulation that applies not just to European companies, but to any organization placing AI systems on the EU market or deploying them within EU territory.
Like GDPR, the AI Act has extraterritorial reach. Article 2 applies the regulation to providers placing AI systems on the EU market or putting them into service in the EU, regardless of where the provider is established. [Source: Legiscope]
A company based in the United States, India, or Japan that sells or deploys AI tools used by EU residents is subject to this law.
The Four Risk Tiers Of EU AI Act

The AI Act’s central mechanism is a risk classification system. Four risk tiers – unacceptable, high, limited, and minimal – determine compliance obligations. [Source: Yousign]
Unacceptable Risk – Banned Outright
These are AI applications the EU considers fundamentally incompatible with fundamental rights.
Certain AI practices have been prohibited under Article 5 of the AI Act since February 2, 2025. According to what Latham & Watkins reports, this includes:
- Social scoring.
- Subliminal manipulation.
- Real-time biometric remote identification in public spaces.
Effective December 2, 2026, the Agreement extends these prohibitions to “nudifier” applications – AI systems that generate or manipulate sexually explicit or intimate images, video, or audio without explicit consent, or that create CSAM.
The list of outright bans is expected to continue expanding.
High Risk – Heavily Regulated
High-risk AI systems govern critical sectors like employment, education, and law enforcement.
These platforms require rigorous conformity assessments, CE marking, and strict human oversight.
Additionally, classification under the EU AI Act depends entirely on the system’s intended use rather than the underlying technology, explicitly capturing tools managing biometrics or essential services.
Limited Risk – Transparency Required
Limited-risk systems only need transparency disclosures – users must know they are interacting with AI.
Chatbots, AI-generated content, and deepfake tools fall into this category. If you have ever seen a disclosure saying “this response was generated by AI,” that is a limited-risk compliance obligation in practice.
Minimal Risk – No Obligations
The vast majority of AI applications – spam filters, recommendation algorithms, basic automation tools – fall into the minimal risk tier and face no specific compliance requirements under the Act.
What AI Systems Are Completely Banned Under The Act?
Social scoring systems, subliminal manipulation tools, real-time biometric surveillance in public spaces, and AI systems that exploit vulnerabilities of specific groups are prohibited outright. Deepfake intimate image generators are banned from December 2026.
General Purpose AI: A Separate Category
The Act creates a distinct framework for General Purpose AI models – systems capable of performing a wide range of tasks, such as large language models like GPT-4, Claude, and Gemini.
GPAI model obligations took effect on 2 August 2025. Legiscope mentions that some of the providers of models like GPT-4, Claude, and Gemini must comply now.
These obligations include:
- Technical documentation.
- Transparency reporting.
- Copyright compliance.
Particularly powerful GPAI models – those demonstrating cumulative computing power exceeding 10²⁵ floating point operations (FLOPs) or designated by the Commission as having capabilities presenting systemic risks – face enhanced obligations.
This tier targets the most capable frontier AI models and imposes the most stringent governance requirements.
The Compliance Timeline
As per what I have analyzed from Europa, the AI Act uses a staggered rollout, which means different obligations have become active at different times.
February 2, 2025:
General provisions on definitions and AI literacy, and prohibitions on unacceptable-risk AI, began to apply.
August 2, 2025:
Rules for general-purpose AI entered into application. Member states were required to designate national competent authorities, and EU-level governance bodies – including the AI Board, Scientific Panel, and Advisory Forum – had to be established.
August 2, 2026:
The majority of rules of the AI Act come into force and enforcement starts. Rules for high-risk AI systems in Annex III enter into application.
Additionally, transparency rules under Article 50 also begin to apply, and member states are required to have at least one AI regulatory sandbox per country established.
August 2, 2027:
Rules for high-risk AI embedded in regulated products apply, and the Act becomes fully applicable for all remaining operators.
When Do The Main Compliance Obligations Apply?
Prohibitions have applied since February 2025. GPAI obligations since August 2025. High-risk system obligations from August 2026. Full application of the Act is from August 2027.
The Omnibus Amendment – A Recent Development
The implementation story has one significant recent development worth understanding. The European Commission published the Digital Omnibus on AI on 19 November 2025, proposing to defer the high-risk compliance deadline from 2 August 2026 to 2 December 2027. [Source: DLA Piper]
On 7 May 2026, EU legislative bodies reached a political agreement on proposed amendments to the AI Act.
Latham & Watkins mentions that the Agreement clarifies existing requirements, extends compliance deadlines for high-risk AI systems, and introduces new rules on AI-generated intimate content.
On 29 June, the Council of the EU gave its final green light to the AI Act simplification package, following the European Parliament’s formal endorsement on 16 June 2026. The legislative act will be published in the EU’s official journal shortly.
For organizations deploying high-risk AI, this means additional time to prepare – but compliance programs should continue without pause.
Read here: Can Pied-À-Terre Tax Help Close The Budget Deficit Of New York?
Penalties Of The EU AI Act

The AI Act’s penalties are structured by violation type and are more severe than GDPR in their upper limit.
Prohibited practices carry penalties of up to €35 million or 7% of global turnover. High-risk system non-compliance carries penalties of up to €15 million or 3% of turnover.
Supplying incorrect information to authorities carries penalties of up to €7.5 million or 1% of turnover. SMEs and startups benefit from proportionate penalty caps. [Source: IBM]
These are per-infringement penalties. An organization with multiple non-compliant AI systems could face multiple separate fines.
Prohibited AI Practices Under The EU AI Act
Article 5 of the EU Artificial Intelligence Act strictly bans the use of artificial intelligence systems for real-time remote biometric identification in publicly accessible spaces for law enforcement. [Source: EU Artificial Intelligence Act]
However, narrow exceptions apply if the technology is deployed to prevent, detect, or investigate specific severe criminal activities.
Law enforcement may only use these systems to target individuals suspected of, or contextually linked to, the following major international and violent crimes:
- Terrorism and sabotage.
- Human trafficking and child sexual exploitation or pornography.
- Illicit trafficking of weapons, explosives, narcotics, or nuclear materials.
- Illicit trade in human organs and tissue.
- Violent crimes including murder, rape, grievous bodily injury, kidnapping, and hostage-taking.
- Organized crime, armed robbery, or participating in syndicates committing these offenses.
- International crimes falling under the jurisdiction of the International Criminal Court.
- High-security threats such as the unlawful seizure of aircraft or ships, and environmental crime.
What Are The Maximum Fines?
Up to €35 million or 7% of global annual turnover for the most serious violations - banned AI practices. High-risk system non-compliance carries penalties of up to €15 million or 3% of turnover.
Who Needs To Pay Attention Right Now
The AI Act uses specific terminology to define who carries which obligations.
Providers develop or place AI systems on the market. They carry the heaviest compliance burden – technical documentation, conformity assessments, quality management systems, and registration in the EU database for high-risk systems.
Deployers use AI systems developed by others in their own products or services. They must do the following:
- Conduct fundamental rights impact assessments for high-risk systems.
- Maintain human oversight.
- Ensure staff is adequately trained in AI literacy.
Importers and distributors bring AI systems developed outside the EU into the European market and carry obligations to verify that those systems meet the Act’s requirements before placing them on the market.
The AI Act’s simplified compliance framework for small and medium-sized enterprises will be extended to companies with up to 750 employees and €150 million in annual revenue.
Benefits include simplified guidance, reduced fines, regulatory sandbox access, and standardized documentation templates. [Source: Latham & Watkins]
What Compliance Actually Involves
For high-risk AI systems, compliance is substantive. Before deployment, organizations must do the following things:
- Establish a risk management system.
- Implement data governance measures.
- Draw up technical documentation.
- Maintain records of system activity.
- Prepare instructions for deployers.
- Build in human oversight mechanisms.
- Register their systems in the EU AI database.
According to DataGuard, while the EU Commission is working with member states to build out the reporting and monitoring infrastructure of the AI Act, companies have several key areas to focus on:
- Establishing a risk management system.
- Implementing data governance measures.
- Drawing up technical documentation.
- Maintaining records.
- Preparing detailed instructions.
The EU has also established AI regulatory sandboxes – controlled testing environments where organizations can develop and test AI systems under regulatory supervision before full-scale deployment.
These are particularly valuable for startups and smaller organizations navigating compliance for the first time.
Sources:
- Regulation (EU) 2024/1689 of the European Parliament and of the Council – Official Journal of the European Union, 12 July 2024
- EU AI Act Service Desk – Implementation Timeline – ai-act-service-desk.ec.europa.eu
- Latham & Watkins – AI Act Update: EU Resolves to Change Rules and Extend Deadlines (May 2026)
- DLA Piper – The Digital AI Omnibus: Proposed Deferral of High-Risk AI Obligations (June 2026)
- Travers Smith – EU Agrees to Delay Key AI Act Compliance Deadlines (May 2026)
- Legiscope – EU AI Act Deadlines 2026-2027: Compliance Calendar + Fines
- European Commission – AI Act Omnibus Agreement (May 7, 2026)
0 Reply
No comments yet.