EU AI Act Fundamentals

What is the EU AI Act?

The EU AI Act is the world's first comprehensive law that regulates AI based on how risky it is. The riskier the system, the more rules apply.

It applies to:

• Anyone building AI (providers)
• Anyone using it in their business (deployers)
• The people in between (importers, distributors, product manufacturers)

Where you are based does not matter. If the output is used in the EU, the law applies.

The four risk tiers

1. Unacceptable risk: banned outright

Some uses are simply off-limits under Article 5. The full ban list includes:

• Social scoring by government bodies
• Real-time face recognition in public spaces (narrow law-enforcement exceptions apply)
• AI that manipulates vulnerable groups
• Untargeted facial-image scraping for databases
• Emotion recognition in workplaces and schools
• Biometric categorisation by race, political opinion, or sexual orientation

2. High-risk: heavy compliance burden

Listed in Annex III. Covers AI used in:

• Biometric identification and categorisation (where not banned)
• Critical infrastructure (water, gas, electricity)
• Education and training (access decisions, exam scoring)
• Employment (CV screening, performance evaluation)
• Essential services (credit scoring, benefits eligibility, emergency dispatch)
• Law enforcement (risk assessment, evidence evaluation)
• Migration, asylum, and border control
• Justice and democratic processes

If your system is high-risk, you need:

• Conformity assessment (Article 43)
• Risk management system (Article 9)
• Data governance (Article 10)
• Technical documentation (Article 11)
• Record-keeping (Article 12)
• Transparency (Article 13)
• Human oversight (Article 14)
• Accuracy and security (Article 15)
• Registration in the EU database (Article 49)
• Ongoing post-market monitoring (Articles 61 to 64)

3. Limited risk: just be transparent

The main job here is honesty (Article 50):

• Chatbots must tell users they are talking to AI
• Generated or manipulated images, audio, and video (deepfakes) must be labelled
• Emotion recognition and biometric categorisation outside high-risk cases need disclosure

4. Minimal risk: voluntary

Most AI sits here. Spam filters, video game NPCs, inventory management. Codes of conduct are encouraged, but there are no mandatory obligations beyond general product safety law.

General-purpose AI (GPAI)

Foundation models like large language models get their own rules. Every GPAI provider must publish:

• Technical documentation
• Copyright compliance information
• A summary of training data

Models with "systemic risk" (above 10 to the 25th floating-point operations during training) face additional obligations: model evaluation, adversarial testing, and incident reporting. See Articles 51 to 55.

Timeline

• August 2024: Act entered into force
• February 2025: Prohibitions on unacceptable-risk AI took effect
• August 2025: GPAI rules and governance structure took effect
• August 2026: Most high-risk obligations take effect
• August 2027: High-risk rules for AI embedded in regulated products (e.g. medical devices) take effect

What the fines look like

• Up to €35 million or 7% of global annual turnover for prohibited AI
• Up to €15 million or 3% for other breaches
• Up to €7.5 million or 1% for giving regulators incorrect information

Who enforces it

• European AI Office at the Commission: supervises GPAI providers
• Each Member State: designates national competent authorities
• In Germany: BNetzA (Federal Network Agency) and BSI (Federal Office for Information Security) for general matters, plus sectoral regulators like BaFin for financial services

What to do next

• Inventory every AI system you build or use
• For each system, decide which of the four tiers it sits in
• Check whether any Annex III use case applies
• If high-risk, the August 2026 deadline is real. Start gathering conformity assessment evidence now
• Use the classifier tool for a quick starting view, then confirm with qualified counsel