Introductory guidance to the EU AI Act, formally Regulation (EU) 2024/1689.
- A regulation applies directly across the EU, unlike a directive, which normally needs national transposition.
- It entered into force on 1 August 2024, with obligations phased in over time.
- Not all parts apply yet; the remaining obligations are phased in on fixed dates. See the timeline further down.
Disclaimer:
Please note that this does not constitute legal advice. It serves only as general guidance on the current state of the EU AI Act and as a quick introduction to the do's and don'ts for most situations. Specific legal advice must be sought individually where applicable, and especially where something is flagged as a "risky practice".
Timeline:
| Date | What comes into force |
|---|---|
| Already in force: 2 February 2025 | Bans on prohibited AI practices, plus AI literacy duties |
| Already in force: 2 August 2025 | General-purpose AI model obligations, AI Office/governance provisions, penalties framework |
| Main 2026 step: 2 August 2026 | Most of the AI Act starts applying, including transparency rules, notified-body rules, market-surveillance rules, and the provider/deployer obligations for high-risk AI systems listed in Annex III (employment, education, access to essential services, law enforcement, migration, justice and democratic processes) |
| Later: 2 August 2027 | Full roll-out under the original timetable, including high-risk AI systems that are safety components of products covered by the EU product legislation listed in Annex I |
For 2026 planning, treat 2 August 2026 as the main compliance deadline unless your lawyer confirms that your specific AI category is covered by a formally adopted extension.
For an R&D/software business, prioritise before August 2026:
- Inventory all AI systems.
- Classify each one: prohibited, high-risk, transparency-only, GPAI-based, or low-risk.
- Identify whether you are a provider, deployer, importer, distributor, or product manufacturer.
- For anything touching hiring, scoring, biometrics, education, safety, credit, insurance, public services or legal decision support, assume it may be high-risk until checked.
- Put documentation, logging, human oversight, data governance and user disclosure in place.
The final "everything is fully live" date is not this year. It is currently 2 August 2027, subject to any extension proposals that may be formally adopted.
Core idea
The Act regulates AI by risk category:
| Category | Meaning | Status |
|---|---|---|
| Prohibited AI | Uses considered unacceptable | Banned |
| High-risk AI | AI used in sensitive areas such as safety, employment, education, law enforcement, critical infrastructure, migration, credit, essential services | Allowed, but heavily regulated |
| Transparency-risk AI | Chatbots, deepfakes, emotion recognition, biometric categorisation in some cases | Allowed with disclosure duties |
| General-purpose AI models | Foundation models, including LLMs | Allowed with provider obligations |
| Low/minimal risk AI | Most ordinary AI tools | Mostly unregulated by the Act |
What is not allowed
The main banned uses include:
| Prohibited practice | Plain-English meaning |
|---|---|
| Manipulative or deceptive AI causing harm | AI that materially distorts people’s behaviour in harmful ways |
| Exploiting vulnerabilities | Targeting children, disabled people, elderly people, or economically/socially vulnerable groups in harmful ways |
| Social scoring | Public or private scoring of people leading to unjustified or disproportionate treatment |
| Predictive policing based mainly on profiling | Predicting criminal risk from personality traits or profiling alone |
| Untargeted scraping of facial images | Building facial recognition databases by scraping CCTV or the internet |
| Emotion recognition in workplace or education | Generally banned, except narrow safety or medical cases |
| Biometric categorisation of sensitive traits | Inferring things like race, political opinions, religion, trade union membership, sex life or sexual orientation |
| Real-time remote biometric identification in public by law enforcement | Generally banned, with narrow exceptions requiring safeguards |
These prohibited-practice rules have applied since 2 February 2025.
What is allowed but regulated
High-risk AI is allowed, but you need a compliance system around it. Common high-risk areas include:
| Area | Examples |
|---|---|
| Employment | CV screening, hiring, promotion, termination recommendations |
| Education | Exam scoring, admission ranking, learner assessment |
| Essential services | Credit scoring, insurance eligibility, public benefits |
| Critical infrastructure | Safety-related AI for energy, transport, water, telecoms |
| Law enforcement | Risk assessment, evidence analysis, crime analytics |
| Migration and border control | Visa, asylum, border-risk assessment |
| Justice and democracy | Tools assisting courts, legal interpretation, election influence |
The Act also treats some AI as high-risk if it is a safety component of a regulated product, for example machinery, medical devices, vehicles, aviation or other CE-marked safety products.
Must do: high-risk AI
If you provide or place a high-risk AI system on the EU market, the main duties are:
| Duty | Meaning |
|---|---|
| Risk management | Identify, assess and reduce foreseeable risks |
| Data governance | Training, validation and testing data must be suitable, representative and checked for bias where relevant |
| Technical documentation | Keep evidence showing how the system works and complies |
| Logging | System must produce logs sufficient for traceability |
| Transparency to deployers | Users must receive clear instructions, limits, accuracy info and intended use |
| Human oversight | Humans must be able to monitor and intervene appropriately |
| Accuracy, robustness and cybersecurity | System must meet declared performance and security standards |
| Conformity assessment | Compliance must be checked before market placement |
| CE marking and EU database registration | Required for many high-risk systems |
| Post-market monitoring | Watch performance after deployment and report serious incidents |
The broad high-risk obligations are scheduled to apply from 2 August 2026, although some product-related high-risk rules phase in later.
Must do: deployers/users of high-risk AI
If you are not building the AI but using it professionally, you still have duties. Typical deployer duties include:
| Duty | Meaning |
|---|---|
| Use it according to instructions | Do not use the system outside its intended scope |
| Human oversight | Assign competent people to supervise it |
| Input data control | Ensure input data is relevant and suitable |
| Monitor operation | Stop or escalate if risks or malfunction appear |
| Keep logs | Preserve logs where under your control |
| Inform workers | Tell employees or representatives where high-risk AI is used at work |
| Fundamental rights assessment | Required in some public-sector and sensitive deployments |
Transparency rules
Some AI systems must disclose themselves even if they are not high-risk.
You generally need to tell people when they are:
| Situation | Requirement |
|---|---|
| Interacting with a chatbot or AI assistant | Disclose that it is AI, unless obvious |
| Seeing deepfake or synthetic content | Mark or disclose it as artificially generated or manipulated |
| Exposed to emotion recognition or biometric categorisation | Inform affected people, where allowed |
| Publishing AI-generated text on public-interest matters | Disclose AI generation unless there was human editorial control |
General-purpose AI and LLMs
For foundation models and LLMs, the Act regulates the model provider, not only the final app.
General-purpose AI model providers must generally:
| Duty | Meaning |
|---|---|
| Keep technical documentation | Document model capabilities, limits, training process at a suitable level |
| Provide information to downstream providers | So others can comply when building apps on top |
| Respect EU copyright rules | Including policies for copyright compliance |
| Publish training-content summaries | A sufficiently detailed summary of training data/content sources |
| Extra duties for systemic-risk models | Testing, risk assessment, incident reporting, cybersecurity and model evaluation |
GPAI obligations started applying from 2 August 2025, with some transitional treatment for older models.
Must not do
For practical compliance, avoid these:
| Do not | Why |
|---|---|
| Deploy AI in hiring, firing, credit, education or safety without classification | These often fall into high-risk |
| Use AI to infer sensitive traits | Often prohibited or heavily restricted |
| Scrape faces from the internet or CCTV for recognition databases | Prohibited |
| Use workplace emotion recognition | Generally prohibited |
| Hide that users are speaking to AI | Transparency breach |
| Publish deepfakes without disclosure | Transparency breach |
| Put high-risk AI on the EU market without documentation and conformity checks | Core compliance failure |
| Assume “we are outside the EU” avoids the Act | It can apply where AI output is used in the EU or the system is placed on the EU market |
Penalties
The fines are substantial:
| Breach | Maximum fine |
|---|---|
| Prohibited AI practices | Up to €35 million or 7% of worldwide annual turnover |
| Other major AI Act breaches | Up to €15 million or 3% |
| Supplying incorrect or misleading information | Up to €7.5 million or 1% |
Each cap is whichever of the fixed amount or the percentage of worldwide annual turnover is higher; for SMEs and start-ups it is whichever of the two is lower.
Quick business checklist
For a product or internal tool, I would check in this order:
- Is it actually an AI system under the Act?
- Is any use prohibited?
- Is it high-risk under Annex I or Annex III?
- Does it interact with people, generate content, or produce deepfakes?
- Is it based on a GPAI/foundation model?
- Are you the provider, deployer, importer, distributor, or product manufacturer?
- What evidence do you need: risk file, data checks, logs, human oversight, documentation, instructions, monitoring?
For most normal software teams, the biggest danger zones are
- Employment tools,
- User scoring,
- Automated eligibility decisions,
- Biometric features,
- Safety-related systems,
- Education,
- Finance,
- Public-sector tools,
- … and anything that manipulates or profiles people.
What if I am not in the EU?
Let's say you're in the US or UK. The rules could still apply.
- If you are offering the service into the EU, dealing with EU users, or the AI system’s output is being used in the EU, then you should assume the EU AI Act may apply and check the position properly.
- If the service and offering are strictly [nation]-only, with [nation] customers and [nation] use only, then it most likely would not apply.
- The important distinction is that it is not just where the company is based. It is also where the AI system is placed on the market, where it is used, and where its outputs are used.
As always, and if in any doubt, please obtain legal advice.
