What Is the EU AI Act?

The EU AI Act (Regulation 2024/1689) is a horizontal law that regulates artificial intelligence based on risk. It groups AI systems into four tiers — prohibited, high-risk, limited-risk, and minimal-risk — and places graduated obligations on providers and deployers, backed by fines of up to EUR 35 million or 7 percent of global turnover.

The four risk tiers

Key deadlines

DateMilestone
1 August 2024Regulation entered into force
2 February 2025Prohibited practices apply; AI literacy duty
2 August 2025General-purpose AI model rules and governance apply
2 August 2026Core high-risk system requirements apply
2 August 2027Extended deadline for AI embedded in regulated products

Obligations for providers of high-risk AI

  1. Establish and document a risk management system across the lifecycle
  2. Ensure data governance, quality, and representativeness
  3. Draw up and keep up-to-date technical documentation
  4. Enable automatic recording of logs
  5. Provide instructions and transparency to deployers
  6. Design for human oversight
  7. Achieve appropriate accuracy, robustness, and cybersecurity
  8. Undergo conformity assessment before placing on the market
  9. Register the system in the public database
  10. Apply CE marking
  11. Implement a post-market monitoring plan
  12. Report serious incidents to authorities

Obligations for deployers

Deployers must use high-risk systems in accordance with the provider's instructions, assign human oversight, monitor operation, keep logs, inform affected people where required, and — for certain public-authority uses — carry out a fundamental rights impact assessment.

Penalties

Frequently asked questions

What is the EU AI Act?

The EU AI Act is Regulation 2024/1689, a horizontal law that regulates artificial intelligence systems based on the level of risk they pose. It classifies systems into four tiers — prohibited, high-risk, limited-risk, and minimal-risk — and imposes graduated obligations on providers and deployers.

When does the EU AI Act take effect?

The regulation entered into force on 1 August 2024. Obligations phase in over time: prohibitions on unacceptable-risk practices apply from 2 February 2025, general-purpose AI model rules from 2 August 2025, and the core high-risk system requirements from 2 August 2026, with certain embedded high-risk categories following in 2027.

What are the four risk tiers?

Prohibited: uses banned outright (e.g. social scoring by public authorities). High-risk: strict compliance duties (e.g. AI in critical infrastructure, employment, credit, education). Limited-risk: transparency duties (e.g. chatbots must disclose they are AI). Minimal-risk: no specific obligations.

Who has obligations under the Act?

The main duty-holders are providers (organizations that develop or place an AI system on the market) and deployers (organizations that use an AI system in a professional context). Importers and distributors have secondary duties. Some obligations also attach to authorized representatives and product manufacturers embedding AI.

What must providers of high-risk AI do?

Providers must implement a risk management system, ensure data quality, prepare technical documentation, keep automatic logs, provide transparency to deployers, enable human oversight, meet accuracy and cybersecurity levels, undergo conformity assessment, register the system, apply CE marking, and set up post-market monitoring.

What are the penalties for non-compliance?

Fines are graduated. Prohibited practices attract fines up to EUR 35 million or 7 percent of global annual turnover, whichever is higher. Other high-risk obligations attract up to EUR 15 million or 3 percent. Supplying incorrect information to authorities attracts up to EUR 7.5 million or 1 percent.

Does the EU AI Act apply to general-purpose AI models?

Yes. Providers of general-purpose AI models have specific duties covering technical documentation, training-data summaries, and copyright policy. Models that pose systemic risk carry additional obligations including model evaluation, adversarial testing, and incident reporting.

Get ready for the 2026 deadline

Zilonex Govern classifies your AI systems, tracks obligations per tier, and produces the technical documentation the Act requires.

Start Zilonex Govern free for 14 days