The EU Artificial Intelligence Act (EU AI Act) was first proposed in 2021, as the development of artificial intelligence (AI) took off in full force. While the technology has many promising applications, a number of risks are also involved in its development and use.

The EU AI Act was created to shape the development of AI in a way that makes it safe, transparent, and non-discriminatory. For businesses developing, providing, deploying or importing AI tools, these new rules are important.

This article covers what the EU AI Act is, whether it is in force, who it applies to, what it requires, which AI systems are prohibited and which are high-risk, general-purpose AI systems, and the penalties for non-compliance.

What is the EU AI Act?

The EU Artificial Intelligence Act (EU AI Act) is a European law that is intended to regulate the development and use of AI. It was first discussed in 2021 with the aim of making sure that AI systems in the EU would be "safe, transparent, traceable, non-discriminatory and environmentally friendly."

It is the world's first regulation on AI, and takes a risk-based approach. This means that AI systems that are considered to be higher risk are more strictly regulated than AI systems that are lower or no risk to human rights and freedoms.

Businesses need to assess the risk level of the AI system that they are developing, distributing, importing, or deploying, and comply with the relevant sections of the Act for their level of risk.

Is the EU AI Act in Force?

The EU AI Act came into force initially on 1 August, 2024. However, its provisions will come into force in a staggered manner, one step at a time.

Some provisions have transition periods, so that businesses have more time to get compliant. These include:

  • AI literacy obligations, which came into force on 2 February, 2025
  • Governance rules, and rules for general-purpose Artificial Intelligence (GPAI) models, which will come into force on 2 August, 2025.

The Act will be fully in force by 2 August, 2026.

Rules for high-risk AI systems that are embedded into regulated products have an extended transition period beyond the rest of the Act. They will come into force on 2 August, 2027.

Who Will the EU AI Act Apply To?

The EU AI Act applies to businesses operating in the EU or placing AI systems onto the EU market. The Act applies regardless of whether they are AI system providers (i.e. developers), users (called "deployers"), importers, distributors, or those manufacturing AI systems.

If your business is involved in the AI production chain in some way, you need to consider whether the Act applies to you.

If your company is not based in the EU, you may also have to comply. This would be the case if your AI or GPAI systems are deployed into the EU market, used in the EU, or if you manufacture, distribute, or import into the EU.

Now let's take a look at what you need to do, if the Act applies to you.

What Does the EU AI Act Require?

The EU AI Act requires that businesses assess the level of risk that their AI system poses, and take appropriate steps to comply with what is required for that type of system.

Some types of AI systems are prohibited under the EU AI Act, while others have compliance obligations if they present a higher risk to the public.

AI systems that are not classified as high-risk systems or general purpose AI (GPAI) systems are called "minimal risk" systems. These minimal risk systems do not have compliance obligations under the EU AI Act.

However, if you have developed a minimal risk AI system, you may still have obligations under other laws, like the General Data Protection Regulation (GDPR) in the EU, the California Consumer Privacy Act (CCPA) in the US, or the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.

Your business needs to conduct a risk assessment of your AI system, and determine which category it falls into.

There are tools and resources that can help you with this, such as the EU AI Act Compliance Checker made by the Future of Life Institute. This checker asks you a number of questions like the one shown in the image below.

Future of Life Institute: EU AI Act Compliance Checker Screenshot

After you have completed the questionnaire, the Compliance Checker will provide you with some results that indicate whether your model may be prohibited or high risk, and whether any exceptions apply to you. You can see an example of some results in the image below:

Future of Life Institute: EU AI Act Compliance Checker Results

Now let's take a deeper look at prohibited, high risk, and GPAI systems.

What Types of AI Systems are Prohibited?

Prohibited AI systems are those that are considered to pose a significant risk to people's rights, or could be used as tools for harm or discrimination.

The EU AI Act sets out a number of key types of prohibited AI systems, as shown in the image below:

Screenshot of EU AI Act: Prohibited Systems list

You can see that the following AI systems are prohibited:

  • Those using subliminal, manipulative or deceptive techniques, used to change the behaviour of people
  • Those exploiting the vulnerabilities of people based on age, disability, or social or economic status, in a way that causes or is likely to cause harm
  • Those which classify or evaluate people based on social behaviour to create a social score, which leads to harmful treatment
  • Those which make risk assessments for predictive policing

Additional prohibited types are shown in the image below:

Screenshot of EU AI Act: Additional Prohibited Systems list

This includes AI systems that:

  • Create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV
  • Infer emotions of people at work or in educational institutions
  • Are used for biometric categorisation systems that can deduce or infer race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation

Note that AI systems using biometric identification are prohibited for use in public spaces by law enforcement, unless they are used for:

  • Searching for victims of trafficking or abduction
  • Preventing specific, substantial and imminent threat to life
  • Locating or identifying a person suspected of committing a crime

Placing any of these systems on the EU market is prohibited. If you have developed such a system, you cannot distribute it for use in the EU.

Now let's take a look at high-risk systems.

What Types of AI Are High Risk?

High-risk AI systems are those that also pose some risks to people's rights or quality of life, but may be used under regulated conditions.

You can see in the section below that high-risk AI systems are systems used as safety components of products covered by a law listed in Annex I, or AI systems that are themselves such products.

Screenshot of EU AI Act Annex 1

You can also see that AI systems listed in Annex III are all high risk.

Screenshot of EU AI Act Annex 3

Annex I contains a list of EU laws. In the image below you can see that a number of these relate to safety equipment, dangerous equipment, or other things that could be a risk to life or health if something went wrong.

Screenshot of EU AI Act Annex 1: Section A

Some examples of the laws covered in Annex I include:

  • Machinery
  • Toy safety
  • Recreational craft and personal watercraft
  • Lifts and safety components for lifts
  • Equipment and protective systems for use in potentially explosive atmospheres
  • Radio equipment
  • Pressure equipment

There are many other types of laws listed in Annex I, such as medical devices, marine equipment, motor vehicles and their trailers and more.

In Annex III, other types of high-risk systems are listed, as you can see in the image below:

Screenshot of EU AI Act Annex 3 High-Risk Systems

Annex III includes AI systems used for:

  • Biometrics and emotion recognition
  • Management, operation, and safety components of critical infrastructure (e.g. road traffic, gas, water, electricity, or heating)
  • Educational and vocational training, for admission or assignment, evaluating learning outcomes, predicting educational attainment, and monitoring prohibited behaviour
  • Employment, workers' management and self-employment, for recruitment or selection, as well as for promotions, terminations, or the allocation of work
  • Essential private services and essential public services, such as eligibility for benefits or healthcare services, creditworthiness, risk assessment, and the classification of emergency calls
  • Law enforcement, for predicting who may become a victim of crime, supporting polygraphs, evaluating the reliability of evidence, predictive policing (including the risk of reoffending), and profiling
  • Migration, asylum and border control management, for polygraphs or similar tools, assessing security, migration, or health risks, asylum, visa, or residence permit applications, and detecting persons (other than for verifying travel documents)
  • Administration of justice and democratic processes, including assisting judges in interpreting facts, and influencing the outcome of an election, referendum, or voting behaviour

When you are assessing whether your AI system could be high risk, look through Annex I Section A and Section B, as well as Annex III and check whether any of the laws, sectors, or types of devices apply to anything that you are embedding an AI system in, such as a car, a medical device, a lift, or otherwise.

If you have determined that your AI system is a high-risk system, you need to make sure you comply with the EU AI Act's requirements. Let's take a look at those now.

What Do You Have to Do if Your System is High Risk?

There are a number of requirements that your system needs to comply with if it is a high-risk AI system. These requirements are set out in Section 2 of the EU AI Act (Articles 9 to 15).

These include requirements such as:

  • Creating a risk management system and keeping it updated. It should apply across the entire life cycle of the AI system (Article 9)
  • Setting up a data governance system (Article 10)
  • Setting up a quality management system and technical documentation, so that you can show compliance with the EU AI Act. This should also help authorities to test your compliance (Article 11)
  • Making sure the AI system is designed to keep and update records (logs) automatically and continuously, so that any risks or major changes to the AI can be discovered (Article 12)
  • Making sure you provide information and instructions to the AI system's deployers so they can use it appropriately (Article 13)
  • Making sure your AI system allows human oversight, so that people can check that the system is secure, is working correctly and gives correct output (Article 14)
  • Developing your AI system in such a way that it has an appropriate level of accuracy, robustness, and cybersecurity (Article 15)

Providers and deployers then have additional obligations that are set out in Section 3 of the EU AI Act.

These include compliance with all of the obligations in Section 2, as well as additional obligations such as:

  • Having a quality management system in place (Article 17)
  • Keeping documentation such as the technical documentation, the quality management system documentation, and decision-related documentation (Article 18)
  • Keeping the automatically generated logs (Article 19)
  • Having the AI system undergo a conformity assessment procedure (Article 43)
  • Drawing up an EU declaration of conformity (Article 47)
  • Affixing a CE marking to the high-risk AI system or including it in its documentation (Article 48)
  • Registering the AI system (Article 49)
  • Taking any corrective actions and providing information to authorities (Article 20)

A conformity assessment is a process in which you figure out if your AI is meeting the requirements in the EU AI Act. This includes the regulation itself, as well as technical or other regulatory specifications. This process makes sure everything is checked thoroughly before your AI system goes onto the market.

The CE marking is a mark that shows your AI system meets EU safety standards.

What is a General Purpose AI System (GPAI)?

Another type of AI system for the purposes of the EU AI Act is called a General Purpose AI System (GPAI).

Under the Act, a GPAI is defined as "an AI model, including where such an AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications".

This means that a GPAI is an AI system that has general applications instead of only being able to perform one specific task. It can perform a wide range of tasks, with versatile applications, and can be integrated into tools or other systems that it wasn't specifically designed for.

What Do You Have to Do if Your System is a GPAI?

If you have determined that your system is a GPAI, you will need to comply with the EU AI Act's provisions on these systems. As noted above, the provisions relating to GPAIs are in force from 2 August, 2025 onwards, later than other parts of the Act.

Under Article 53 of the EU AI Act providers of GPAI models are required to:

  • Document technical information about their models so that they can provide that information to the AI Office and national competent authorities, as requested (Article 53(1)(a))
  • Make that information available to downstream providers (Article 53(1)(b))
  • Put in place a policy to comply with Union law on copyright and related rights (Article 53(1)(c))
  • Create and make public a sufficiently detailed summary about the content used for training the model (Article 53(1)(d))

Under Article 55 of the EU AI Act, if a GPAI has systemic risks, providers also need to:

  • Assess and mitigate systemic risks
  • Perform model evaluations
  • Keep track of, document, and report serious incidents
  • Ensure adequate cybersecurity protection for both the model and its physical infrastructure

If you are creating or involved with a GPAI, you should also look at the General-Purpose AI Code of Practice to ensure that you comply.

This Code of Practice is not yet complete, but it will provide further guidance for GPAI models, compliance obligations, best practices, and additional standards that accompany the EU AI Act. The Code of Practice is likely to be available in 2025, and is currently in its third draft.

What Are the Penalties for Non-Compliance with the EU AI Act?

The penalties for non-compliance with the EU AI Act are set out in Article 99. There are different penalties for different offenses. For example, placing a prohibited AI system on the market has high penalties of up to EUR 35,000,000 or up to 7% of the total worldwide annual turnover of a business.

Other offenses, such as providing incorrect or misleading information to notified bodies or national competent authorities, can result in fines of up to EUR 7,500,000. While this is much less, it is still a hefty fine.

The different obligations and who they apply to, as well as the fines for non-compliance, are set out in the table below:

| Section | Obligation | Who it applies to | Fine for non-compliance |
| --- | --- | --- | --- |
| Article 5 | Placing a prohibited AI system of any kind on the market. | Everyone | Up to EUR 35 000 000 or up to 7 % of total worldwide annual turnover. |
| Article 16 | Requirements for high-risk AI systems: compliance, documentation, quality management, logs, conformity assessment procedures, and so on. | Providers | Up to EUR 15 000 000 or up to 3 % of total worldwide annual turnover. |
| Article 22 | Authorised representatives must verify conformity, provide relevant documentation, and cooperate with authorities. | Authorised representatives | Same as Article 16 |
| Article 23 | Importers must verify conformity, prevent non-conforming AI systems from being placed on the market, provide relevant documentation, and cooperate with authorities. | Importers | Same as Article 16 |
| Article 24 | Distributors must verify that the system bears the required CE marking, has a declaration of conformity, and that the provider and the importer of that system have complied with their obligations. | Distributors | Same as Article 16 |
| Article 26 | Take appropriate technical and organisational measures to use AI systems in accordance with the instructions for use, ensure human oversight, use appropriate input data, monitor operation, keep logs, and inform affected users of the use. | Deployers | Same as Article 16 |
| Article 31, Article 33(1), (3) and (4), or Article 34 | Must be independent, objective and impartial, have documented procedures for confidentiality, and have appropriate liability insurance. | Notified bodies | Same as Article 16 |
| Article 50 | Transparency: users must be informed that they are interacting with an AI system. | Providers and deployers | Same as Article 16 |
| General | Supply of correct, complete and accurate information. | Everyone | Up to EUR 7 500 000 or up to 1 % of worldwide annual turnover. |

Non-compliance with the EU AI Act can result in serious penalties, because these technologies are new and can pose serious risks to the public. Make sure you assess the risk level of your AI system appropriately, keep the relevant documentation, meet your transparency and accuracy obligations, and seek external advice when necessary.

Summary

The EU AI Act is a new law intended to protect people from the risks that AI systems may pose to their rights or quality of life. It regulates the way that AI can be placed on the market in the EU, and ensures that high-risk AI and GPAI systems are safe to use and well documented. If you are manufacturing, developing, deploying, distributing, or importing an AI system of any kind, make sure you determine its correct risk level and comply with the relevant obligations.