What Is the EU AI Act?
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive law regulating artificial intelligence. Adopted on May 21, 2024, and published in the Official Journal of the EU on July 12, 2024, it establishes harmonized rules for placing AI systems on the EU market and using them within the European Union.
The regulation takes a risk-based approach: the higher the risk an AI system poses, the stricter the requirements. It applies to anyone placing AI systems on the EU market or using AI whose output is intended for use in the EU — regardless of where the developer or deployer is based.
This means that a company outside the EU offering AI-powered tools to European customers is also subject to the regulation. The only exclusions are purely military/national security systems, R&D prototypes before market placement, and personal non-commercial use.
For most companies, the key distinction is between a provider and a deployer. A provider develops an AI system. A deployer uses it in a business context. If your company uses AI tools — ChatGPT, HR screening tools, credit scoring, customer service chatbots — you are a deployer. And you have specific obligations.
EU AI Act Timeline & Deadlines
The AI Act doesn't apply all at once. It enters into force in phases, with different obligations becoming enforceable at different dates.
Aug 1, 2024
AI Act enters into force
Published in the Official Journal of the EU.
Feb 2, 2025
Prohibited Practices (Art. 5) + AI Literacy (Art. 4)
Already enforceable for over a year. These are your first two obligations.
Aug 2, 2025
GPAI obligations + AI Office operational
Rules for general-purpose AI models. Market Surveillance Authorities designated.
Aug 2, 2026
Full application: High-risk obligations
All deployer obligations (Art. 26), FRIA (Art. 27), transparency (Art. 50). This is the big deadline.
Aug 2, 2027
High-risk AI in regulated products
AI embedded in medical devices, machinery, automotive (Annex I products).
Aug 2, 2030
Legacy public sector systems
AI systems already in use by public bodies must comply.
EU AI Act Risk Classification
The EU AI Act classifies AI systems into four risk levels. The classification determines which obligations apply to you.
Prohibited practices (Art. 5). Banned entirely in the EU.
Up to €35M or 7% of turnover
Social scoring, manipulative AI, emotion recognition at work
Annex III use cases + safety components. Full compliance required.
Up to €15M or 3% of turnover
HR screening, credit scoring, biometric ID, critical infrastructure
AI interacting with people. Transparency obligations.
Up to €7.5M or 1% of turnover
Chatbots, content recommendation, ad targeting
Most AI systems. No mandatory obligations beyond AI Literacy.
None (except Art. 4)
Spam filters, translation tools, content generation, analytics
Art. 5 Prohibited AI Practices
Article 5 lists eight categories of AI systems that are entirely banned in the EU. These have been enforceable since February 2, 2025, and carry the highest tier of penalties (up to €35M or 7% of global turnover).
- 1
Manipulative and deceptive AI
AI using subliminal, manipulative, or deceptive techniques to distort behavior, causing or likely to cause significant harm.
- 2
Exploiting vulnerabilities
AI deliberately exploiting weaknesses due to age, disability, or socio-economic situation to distort behavior.
- 3
Social scoring
AI evaluating or classifying people based on social behavior or personal characteristics, leading to detrimental treatment in unrelated contexts.
- 4
Crime prediction from profiling
AI assessing the risk of committing a crime solely based on profiling or personality traits.
- 5
Untargeted facial scraping
Creating facial recognition databases by scraping images from the internet or CCTV in an untargeted manner.
- 6
Emotion recognition at work/school
AI inferring emotions in workplace and educational settings (except for medical or safety reasons).
- 7
Biometric categorization by sensitive traits
AI categorizing people based on biometrics to deduce race, political opinions, union membership, religion, or sexual orientation.
- 8
Real-time remote biometric identification
In public spaces by law enforcement (with narrow exceptions for missing persons, imminent threats, and serious crime suspects).
Am I a Deployer Under the EU AI Act?
Under the AI Act, a deployer is any natural or legal person that uses an AI system under its authority — except where the AI is used in the course of a personal, non-professional activity. If your company uses AI tools in its business operations, you are almost certainly a deployer.
This includes using third-party AI services: if your HR team uses an AI screening tool, if your finance team uses AI-powered credit assessment, or if your customer service runs an AI chatbot — the company is a deployer for each of those systems.
The distinction matters because deployers have their own set of obligations under Art. 26, separate from provider (developer) obligations. You cannot simply rely on your vendor being compliant — you have independent legal responsibilities.
Important: you become a provider (and inherit provider duties) if you put your own brand on a high-risk AI system, substantially modify a system, or change its intended purpose so it becomes high-risk. Fine-tuning, RAG, or significant customization can trigger this reclassification.
EU AI Act Deployer Obligations — What You Must Do
Deployer obligations depend on the risk level of the AI systems you use. Below is what's already enforceable and what takes effect in August 2026.
Already enforceable (since February 2, 2025)
AI Literacy
Ensure that staff involved in the operation and use of AI systems have a sufficient level of AI literacy. This applies to every company using any AI system, regardless of risk level. You must provide an AI Literacy training course appropriate to the context and role of each person.
Prohibited Practices Screening
Screen all AI systems in use to confirm none fall under the eight prohibited categories. Document the screening process and results. This applies to every company, regardless of whether you use high-risk systems.
Enforceable from August 2, 2026 (for high-risk systems)
Use in accordance with instructions
Use high-risk AI systems in accordance with the provider's instructions of use. Ensure the system is used only for its intended purpose and within its technical boundaries.
Human oversight
Assign human oversight to natural persons who have the necessary competence, training, authority, and resources. The overseer must be able to understand the system's capabilities and limitations.
Monitoring & periodic reviews
Monitor the operation of high-risk AI systems and report anomalies, malfunctions, and unexpected behavior.
Record-keeping (logging)
Keep logs automatically generated by the high-risk AI system for a minimum period of at least 6 months unless specified otherwise by law.
Worker notification
Inform workers and their representatives before deploying a high-risk AI system in the workplace.
Informing individuals
Inform individuals subject to decisions made by a high-risk AI system about the use of such a system.
Fundamental Rights Impact Assessment (FRIA)
Perform a FRIA before deploying a high-risk AI system from Annex III. Required for public bodies and private entities in specific sectors.
Serious incident reporting
Report serious incidents to the provider and Market Surveillance Authority immediately when they threaten health, safety, or fundamental rights.
Data Protection Impact Assessment (DPIA)
Perform a DPIA for personal data processing by AI systems that may pose high risk to rights and freedoms. A GDPR requirement complementing FRIA.
FRIA: Who Needs One?
A Fundamental Rights Impact Assessment (FRIA) is required under Art. 27 before deploying a high-risk AI system from Annex III.
Public bodies
All bodies governed by public law deploying high-risk AI systems from Annex III — no exceptions.
Credit scoring & BNPL
Private entities using AI to assess creditworthiness of natural persons or establish their credit scoring.
Insurance
Private entities using AI for risk assessment and pricing in life and health insurance.
Other Annex III sectors
Other high-risk use cases from Annex III when required by the supervisory authority or national legislation.
FRIA and DPIA are different documents but complement each other. DPIA (GDPR Art. 35) focuses on personal data protection risks. FRIA (Art. 27) assesses broader fundamental rights impact — discrimination, freedom of expression, access to justice. Data from one assessment can feed the other.
Transparency Notice Requirements
Art. 50 imposes transparency obligations on specific AI systems, regardless of risk level:
Chatbots and systems interacting with people: users must be informed they are interacting with AI (unless obvious from context).
Deepfakes and synthetic content: content generated or manipulated by AI must be labelled.
Emotion recognition and biometric categorization systems: affected persons must be informed about the system's operation.
High-risk AI systems making decisions about individuals: those individuals must know a decision was made with the assistance of an AI system (Art. 26(11)).
Additionally, Art. 26(7) requires worker notification BEFORE deploying high-risk AI in the workplace. This is a separate obligation from general transparency notices.
AI and Shine generates three types of transparency notices: interaction notices (chatbots), decision notices (systems making decisions about individuals), and general notices.
Human Oversight Requirements
Art. 26(2) requires deployers of high-risk AI systems to assign oversight to natural persons with the necessary competence, training, and authority.
- Assign specific persons responsible for overseeing each high-risk AI system
- Document their competence — understanding the system, ability to interpret outputs
- Formal authority to intervene — ability to override, suspend, or shut down the system
- Regular training of oversight persons on the system's operation and limitations
- Auditable evidence of oversight — not just a name, but documented actual oversight actions
Market Surveillance Authorities
Each EU Member State must designate Market Surveillance Authorities (MSAs) responsible for enforcing the EU AI Act. Deadline: August 2, 2025.
| Country | Authority | Status |
|---|---|---|
| Poland 🇵🇱 | Designation in progress | pending |
| France 🇫🇷 | CNIL, DGCCRF, ARCOM | designated |
| Germany 🇩🇪 | BNetzA (Bundesnetzagentur) | designated |
| Spain 🇪🇸 | AESIA | designated |
| Italy 🇮🇹 | AgID / Garante | designated |
| Netherlands 🇳🇱 | Algoritmetoezicht (AT) | designated |
| Ireland 🇮🇪 | 15 bodies + AI Office | designated |
| Belgium 🇧🇪 | Designation in progress | pending |
Penalties & Fines
The EU AI Act provides three tiers of administrative penalties.
Tier 1 — Prohibited practices
Up to €35M or 7% of global annual turnover
Violation of Art. 5 — engaging in prohibited AI practices
Tier 2 — High-risk systems
Up to €15M or 3% of global annual turnover
Non-compliance with high-risk AI system requirements (documentation, human oversight, FRIA, monitoring, etc.)
Tier 3 — Incorrect information
Up to €7.5M or 1% of global annual turnover
Supplying incorrect, incomplete, or misleading information to authorities
Headline figures like €35M are designed for the largest violations by the largest companies. For a 200-person company, the practical risk is proportionally smaller — but the legal obligation is the same regardless of company size.
EU AI Act and GDPR — How They Work Together
The EU AI Act does not replace GDPR. Both regulations apply simultaneously. Most AI systems process personal data, so in practice you need to comply with both.
| Aspect | DPIA (GDPR Art. 35) | FRIA (Art. 27 EU AI Act) |
|---|---|---|
| Purpose | Assess risks to personal data protection | Assess impact on fundamental rights (broader scope) |
| When required | Processing likely to result in high risk to rights and freedoms | High-risk AI systems from Annex III |
| Who performs | Data controller | AI system deployer |
| Scope | Personal data, security, minimization | Fundamental rights: non-discrimination, freedom of expression, privacy, access to justice |
| Legal basis | GDPR Art. 35 | EU AI Act Art. 27 |
| Cross-feeding | DPIA data can feed FRIA | FRIA data can feed DPIA |
Companies already GDPR-compliant have a significant head start: they maintain records of processing (ROPA), have DPAs with vendors, conduct DPIAs, and have a DPO. These same processes and documents form the foundation for EU AI Act compliance.
How to Start — 7 Practical Steps
EU AI Act compliance is a process, not a one-time project. Here's a practical path for companies that want to start now.
Inventory all AI tools
Review all tools used in the company. Check which have AI features. Most companies discover 3–5× more AI tools than expected.
Classify each tool's risk level
For each AI tool, determine: how it's used (use case), whether it falls under Annex III, what risk level applies. Remember: the use case determines classification.
Screen for prohibited practices (Art. 5)
Verify that none of your use cases engage in practices prohibited under Art. 5. This is already enforceable and carries the highest penalties.
Conduct AI Literacy training (Art. 4)
Organize documented AI competence training for all employees. Doesn't require certification — internal training with attendance records is sufficient. Required since February 2025.
Collect and analyze vendor DPAs
Review contracts with AI tool vendors. Do you have DPAs? Do they contain clauses required by GDPR? Are they ready for AI Act requirements? Most vendors haven't updated their contracts yet.
Prepare documentation for high-risk tools
For high-risk tools: risk assessment, FRIA (if required), DPIA, transparency notices, worker notification, human oversight assignment.
Establish governance processes
Implement processes: new tool approval, incident reporting, periodic reviews, log retention tracking. Compliance is an ongoing process, not a one-time audit.
Disclaimer: This guide is provided for informational purposes only and does not constitute legal advice. While we strive to keep the information accurate and up to date, the EU AI Act is a complex regulation subject to ongoing interpretation by national authorities and courts. Companies should consult qualified legal counsel for advice specific to their situation.