What Is the EU AI Act?
The EU AI Act (Regulation 2024/1689) is a horizontal law that regulates artificial intelligence based on risk. It groups AI systems into four tiers — prohibited, high-risk, limited-risk, and minimal-risk — and places graduated obligations on providers and deployers, backed by fines of up to EUR 35 million or 7 percent of global turnover.
The four risk tiers
- Prohibited — practices considered unacceptable, such as social scoring by public authorities, manipulative subliminal techniques, exploitation of vulnerabilities, and untargeted scraping of facial images.
- High-risk — AI in areas like biometrics, critical infrastructure, education, employment, essential public and private services, law enforcement, migration, and administration of justice. Full compliance regime applies.
- Limited-risk — systems that interact with people (chatbots), generate synthetic content, or perform emotion recognition. Transparency duties apply.
- Minimal-risk — everything else. No specific obligations under the Act.
Key deadlines
| Date | Milestone |
|---|---|
| 1 August 2024 | Regulation entered into force |
| 2 February 2025 | Prohibited practices apply; AI literacy duty |
| 2 August 2025 | General-purpose AI model rules and governance apply |
| 2 August 2026 | Core high-risk system requirements apply |
| 2 August 2027 | Extended deadline for AI embedded in regulated products |
Obligations for providers of high-risk AI
- Establish and document a risk management system across the lifecycle
- Ensure data governance, quality, and representativeness
- Draw up and keep up-to-date technical documentation
- Enable automatic recording of logs
- Provide instructions and transparency to deployers
- Design for human oversight
- Achieve appropriate accuracy, robustness, and cybersecurity
- Undergo conformity assessment before placing on the market
- Register the system in the public database
- Apply CE marking
- Implement a post-market monitoring plan
- Report serious incidents to authorities
Obligations for deployers
Deployers must use high-risk systems in accordance with the provider's instructions, assign human oversight, monitor operation, keep logs, inform affected people where required, and — for certain public-authority uses — carry out a fundamental rights impact assessment.
Penalties
- Up to EUR 35 million or 7 percent of global annual turnover — for prohibited practices
- Up to EUR 15 million or 3 percent — for breach of most other obligations
- Up to EUR 7.5 million or 1 percent — for supplying incorrect information
Frequently asked questions
What is the EU AI Act?
The EU AI Act is Regulation 2024/1689, a horizontal law that regulates artificial intelligence systems based on the level of risk they pose. It classifies systems into four tiers — prohibited, high-risk, limited-risk, and minimal-risk — and imposes graduated obligations on providers and deployers.
When does the EU AI Act take effect?
The regulation entered into force on 1 August 2024. Obligations phase in over time: prohibitions on unacceptable-risk practices apply from 2 February 2025, general-purpose AI model rules from 2 August 2025, and the core high-risk system requirements from 2 August 2026, with certain embedded high-risk categories following in 2027.
What are the four risk tiers?
Prohibited: uses banned outright (e.g. social scoring by public authorities). High-risk: strict compliance duties (e.g. AI in critical infrastructure, employment, credit, education). Limited-risk: transparency duties (e.g. chatbots must disclose they are AI). Minimal-risk: no specific obligations.
Who has obligations under the Act?
The main duty-holders are providers (organizations that develop or place an AI system on the market) and deployers (organizations that use an AI system in a professional context). Importers and distributors have secondary duties. Some obligations also attach to authorized representatives and product manufacturers embedding AI.
What must providers of high-risk AI do?
Providers must implement a risk management system, ensure data quality, prepare technical documentation, keep automatic logs, provide transparency to deployers, enable human oversight, meet accuracy and cybersecurity levels, undergo conformity assessment, register the system, apply CE marking, and set up post-market monitoring.
What are the penalties for non-compliance?
Fines are graduated. Prohibited practices attract fines up to EUR 35 million or 7 percent of global annual turnover, whichever is higher. Other high-risk obligations attract up to EUR 15 million or 3 percent. Supplying incorrect information to authorities attracts up to EUR 7.5 million or 1 percent.
Does the EU AI Act apply to general-purpose AI models?
Yes. Providers of general-purpose AI models have specific duties covering technical documentation, training-data summaries, and copyright policy. Models that pose systemic risk carry additional obligations including model evaluation, adversarial testing, and incident reporting.
Get ready for the 2026 deadline
Zilonex Govern classifies your AI systems, tracks obligations per tier, and produces the technical documentation the Act requires.
Start Zilonex Govern free for 14 days