The EU AI Act Explained: Risk Tiers, Obligations, and Timelines
The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) is the world's first comprehensive statutory framework for artificial intelligence. Adopted in 2024 and in force since 1 August 2024, it applies through a phased timetable that runs into the late 2020s. Like the GDPR, it has significant extraterritorial reach: it can bind providers and deployers located outside the EU whenever an AI system's output is used within the Union. For legal teams advising technology companies and corporate adopters alike, understanding its architecture is now a core competency.
A Risk-Based Architecture
The defining feature of the AI Act is that it regulates AI according to the level of risk a system poses, rather than the technology itself. It establishes four broad tiers:
- Unacceptable risk — practices that are prohibited outright.
- High risk — permitted but subject to stringent obligations.
- Limited risk — subject principally to transparency duties.
- Minimal risk — largely unregulated, covering the vast majority of AI applications such as spam filters or recommendation features.
Layered on top of this pyramid is a separate regime for general-purpose AI (GPAI) models, which reflects the rise of large foundation models that can be adapted to many downstream uses.
Prohibited Practices
Certain uses of AI are considered incompatible with EU fundamental rights and are banned. The prohibitions, which became applicable on 2 February 2025, include AI systems that:
- Deploy subliminal, manipulative, or deceptive techniques that materially distort behaviour and cause harm.
- Exploit vulnerabilities arising from age, disability, or socio-economic situation.
- Enable social scoring by public or private actors leading to detrimental treatment.
- Conduct untargeted scraping of facial images to build or expand facial-recognition databases.
- Infer emotions in the workplace or educational settings, save for narrow medical or safety purposes.
- Perform biometric categorisation to deduce sensitive attributes such as race, political opinions, or sexual orientation.
Real-time remote biometric identification in publicly accessible spaces for law-enforcement purposes is prohibited in principle, subject to tightly defined and authorised exceptions.
High-Risk Systems
The heart of the Act concerns high-risk AI. A system is high-risk if it falls into one of two groups: AI used as a safety component of a product already covered by EU product-safety legislation (such as medical devices, machinery, or vehicles), or AI listed in Annex III as posing risks in sensitive domains. Annex III areas include:
- Biometrics and biometric identification.
- Critical infrastructure such as water, gas, and electricity.
- Education and vocational training, including exam scoring.
- Employment, worker management, and access to self-employment, including recruitment screening.
- Access to essential private and public services, including creditworthiness and benefits eligibility.
- Law enforcement, migration, asylum, and border control.
- Administration of justice and democratic processes.
Providers of high-risk systems must satisfy substantial obligations before placing a system on the market, including a risk-management system, data governance controls to reduce bias, technical documentation, logging capabilities, transparency to deployers, human oversight measures, and appropriate accuracy, robustness, and cybersecurity. They must also implement a quality-management system, undergo a conformity assessment, affix the CE marking, and register the system in an EU database.
Obligations for Providers Versus Deployers
The Act carefully distinguishes roles, and the same organisation may occupy more than one:
- A provider develops an AI system, or has it developed, and places it on the market or puts it into service under its own name.
- A deployer uses an AI system under its own authority in a professional capacity.
Providers carry the bulk of the compliance load for high-risk systems. Deployers have their own, lighter but meaningful duties: using systems in accordance with instructions, ensuring human oversight is exercised by competent staff, monitoring operation, keeping logs, and, in some cases, conducting a fundamental-rights impact assessment. Importantly, a deployer can be reclassified as a provider — and inherit provider obligations — if it substantially modifies a high-risk system or puts its own name on it.
Transparency Obligations
For limited-risk systems, the Act focuses on ensuring people know when they are interacting with AI. Key transparency duties include:
- Informing individuals when they are interacting with an AI system, such as a chatbot, unless it is obvious.
- Labelling AI-generated or manipulated audio, image, video, or text content, including so-called deepfakes, in a machine-readable format.
- Disclosing the use of emotion-recognition or biometric-categorisation systems to the people exposed to them.
These duties operate independently of the high-risk regime and can apply even to otherwise low-risk products.
General-Purpose AI Models
Recognising the systemic role of foundation models, the Act imposes a dedicated set of obligations on GPAI providers, applicable from 2 August 2025. Baseline duties include preparing technical documentation, providing information to downstream developers, putting in place a policy to respect EU copyright law, and publishing a sufficiently detailed summary of the training data used.
GPAI models judged to present systemic risk — a threshold linked to the scale of compute used in training — face heightened obligations, including model evaluation, adversarial testing, systemic-risk assessment and mitigation, incident reporting, and cybersecurity protection.
The Compliance Timeline
The Act's obligations switch on in stages, giving organisations a runway to prepare:
- 1 August 2024 — entry into force.
- 2 February 2025 — prohibitions and AI-literacy obligations apply.
- 2 August 2025 — GPAI obligations and governance provisions apply.
- 2 August 2026 — the bulk of the Act, including most high-risk obligations, applies.
- 2 August 2027 — extended transition for high-risk AI embedded in regulated products.
Enforcement and Penalties
Enforcement is backed by GDPR-style penalties calibrated to the severity of the breach. Fines can reach €35 million or 7% of total worldwide annual turnover for prohibited practices, €15 million or 3% for most other infringements, and €7.5 million or 1% for supplying incorrect information. National market-surveillance authorities enforce the rules, coordinated at Union level by the European AI Office.
Preparing Now
Even organisations whose systems are minimal or limited risk should not assume the Act is irrelevant. Sensible early steps include inventorying AI systems and classifying them by risk tier, clarifying whether the organisation is acting as a provider or deployer for each, and building AI governance that can absorb the high-risk obligations landing in August 2026. Given the phased timeline and the size of the penalties, treating AI compliance as an ongoing programme — rather than a deadline-driven scramble — is the prudent course.