EU AI Act

The world's first comprehensive legal framework for artificial intelligence. Risk-based classification, in force since August 2024, with major enforcement provisions phased through 2025-2026.

## What the EU AI Act actually does

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive legal framework regulating artificial intelligence. Adopted in August 2024, it establishes risk-based requirements for AI systems based on their potential impact on safety, fundamental rights, and society.

The regulation applies to:

- **AI providers** — companies developing AI systems placed on the EU market
- **AI deployers** — organizations using AI systems within the EU
- **Importers and distributors** — entities making AI systems available in the EU

Like GDPR, the AI Act has extraterritorial effect. Any AI system whose output is used in the EU falls under the regulation, regardless of where the AI is developed.

## The four risk categories

The AI Act classifies AI systems into four risk levels:

### Unacceptable risk (banned)

AI systems that violate fundamental rights or pose unacceptable threats are prohibited entirely:

- Social scoring by governments
- Real-time biometric identification in public spaces (with narrow law enforcement exceptions)
- Manipulation of vulnerable groups
- Emotion recognition in workplaces and schools
- Untargeted scraping of facial images for face recognition databases

### High risk

AI systems used in critical contexts must meet stringent requirements:

- Critical infrastructure (water, gas, electricity, transport)
- Education and vocational training
- Employment and worker management
- Essential private and public services (credit scoring, benefits)
- Law enforcement
- Migration, asylum, border control
- Justice and democratic processes

High-risk systems must undergo conformity assessments, maintain risk management systems, ensure data quality, provide transparency to users, and allow human oversight.

### Limited risk

Systems requiring transparency obligations:

- Chatbots — users must be informed they're interacting with AI
- Deepfakes — AI-generated content must be labeled
- Emotion recognition systems (where allowed) — users must be informed

### Minimal risk

The vast majority of AI applications — spam filters, AI in video games, inventory management. No additional regulatory requirements.

## Penalty structure

The AI Act's enforcement teeth are substantial:

- **Up to €35 million or 7% of global annual turnover** (whichever is higher) for prohibited AI practices
- **Up to €15 million or 3% of turnover** for non-compliance with high-risk requirements
- **Up to €7.5 million or 1% of turnover** for supplying incorrect information to authorities

For SMEs and startups, fines are capped at proportionally lower thresholds.

## Compliance timeline

The AI Act provisions phase in over multiple years:

- **August 2024**: Regulation enters into force
- **February 2025**: Prohibited AI practices ban takes effect
- **August 2025**: General-purpose AI model requirements apply
- **August 2026**: Most other provisions take effect, including high-risk system requirements
- **August 2027**: Full applicability for embedded AI in regulated products

We're currently in the second phase. The major enforcement actions are expected late 2026 and into 2027.

## What this means for European businesses

For organizations deploying AI in 2026:

1. **Inventory your AI systems.** You can't comply with rules you don't know apply to you.
2. **Classify by risk level.** Most AI is minimal-risk; the meaningful work is identifying which systems fall into high-risk or limited-risk categories.
3. **Document everything.** AI Act compliance is heavily documentation-driven — risk management, data governance, technical specifications.
4. **For high-risk systems**, plan conformity assessment and CE marking processes.
5. **For general-purpose AI providers**, review obligations around transparency, copyright compliance, and systemic risk evaluations.

## Why European AI providers are well-positioned

European AI companies (Mistral, Aleph Alpha) have built their products with AI Act compliance in mind from the outset. US-headquartered AI providers (OpenAI, Anthropic, Google) are retrofitting compliance, often with friction.

This creates a structural market opening similar to GDPR's effect on European cloud providers. EU-resident AI tools can credibly market "AI Act compliance by architecture, not by configuration" — a meaningful sales feature for European enterprises navigating the regulation.

## Open weights and sovereignty

A specific provision worth highlighting: open-weights AI models (Mistral 7B, Pharia, Llama, etc.) have somewhat lighter regulatory obligations than closed models, particularly for academic research and non-commercial use.

For European organizations needing genuine sovereign AI deployment, the open-weights options from Mistral and Aleph Alpha enable on-premise hosting on EU infrastructure (Hetzner, Scaleway) — a deployment pattern US closed-weight providers structurally cannot offer.

## What to watch

- **First major enforcement actions** expected late 2026 / 2027 — will set practical compliance expectations
- **Code of practice for general-purpose AI** — voluntary framework currently being negotiated
- **Member state implementation variations** — each EU country must designate national authorities
- **EU AI Office** — central coordinating body shaping interpretation across member states

The AI Act is the most significant tech regulation since GDPR. Treat it accordingly.