Definition
The EU AI Act is a 2024 European Union law that sorts AI systems into risk tiers and imposes obligations on each tier in proportion to its risk.
Key takeaways
- The EU AI Act is the first comprehensive, horizontal AI law in any major jurisdiction[1].
- It groups AI systems into four risk tiers: unacceptable, high, limited, and minimal[2].
- Obligations escalate sharply with tier: prohibited systems are banned outright, high-risk systems face documentation, testing, and oversight duties, and minimal-risk systems are largely untouched[2].
- The Act applies extraterritorially to providers and deployers whose AI affects people in the EU, regardless of where the company is based[1].
- Non-compliance penalties reach up to seven percent of global annual turnover for the most serious violations[1].
What is the EU AI Act?
The EU AI Act is Regulation (EU) 2024/1689, adopted in 2024; it entered into force on 1 August 2024[1]. The regulation is binding in all twenty-seven EU member states and applies in phases through 2027. The first set of prohibitions took effect on 2 February 2025, obligations on general-purpose AI providers applied from 2 August 2025, and most high-risk system rules apply from 2 August 2026, with a final tranche of high-risk obligations following in 2027[1][2].
The Act is described by the European Commission as the first comprehensive legal framework on AI worldwide[2]. Where earlier rules in privacy or product safety touched AI indirectly, this regulation defines AI systems and assigns rules to them as such. It applies to both providers, who place an AI system on the EU market, and deployers, who use one in their operations, and it reaches non-EU companies whose AI systems are used in the Union or whose outputs are used there[1].
How does the EU AI Act work?
The Act uses a risk-tier framework. Each AI system is classified into one of four tiers, and the obligations attached to that tier follow automatically.
The four tiers are unacceptable risk, high risk, limited or transparency risk, and minimal risk[2]. Unacceptable-risk practices are prohibited outright. High-risk systems face the bulk of the regulatory burden: risk management, data governance, technical documentation, logging, human oversight, transparency to deployers, and a conformity assessment before market entry[2]. Limited-risk systems, such as chatbots and generative-AI tools, face only transparency duties: end users are informed that they are interacting with AI or viewing AI-generated content[2]. Minimal-risk systems, which the Commission notes cover the majority of AI currently in use in the EU, have no specific obligations[2].
A separate track inside the Act covers general-purpose AI models, including the large foundation models behind many commercial products. Providers of those models face documentation and copyright-transparency duties, with stricter obligations for models that pose systemic risk[1].
Examples
The Act’s annexes give concrete shape to the tiers. Banned practices include social scoring of individuals by public authorities, manipulative or exploitative AI that distorts behaviour, untargeted scraping of facial images to build recognition databases, real-time biometric identification in public spaces by law enforcement (subject to narrow exceptions), and emotion-recognition systems in the workplace and in schools[3].
High-risk uses listed in Annex III include AI for recruitment and candidate evaluation, AI that scores eligibility for credit or insurance, AI used in educational admissions or grading, AI components in critical infrastructure such as electricity and water networks, biometric identification systems, and AI used by border-control or asylum authorities[3]. A computer-vision system used to screen job applicants and a credit-scoring model used by an EU bank therefore both fall into the high-risk tier and inherit its full compliance stack.
EU AI Act vs US executive orders
The United States has taken a different route. Rather than a single horizontal statute, the federal response has centered on Executive Order 14110 on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, signed in October 2023, and the voluntary NIST AI Risk Management Framework, with enforcement distributed across existing agencies using their existing authorities[5]. The Brookings Institution characterises the US approach as comprehensive in scope but largely non-binding, and notes that as of its analysis only a small minority of major federal agencies had produced the AI regulatory plans the executive order called for[4].
The contrast matters for global businesses. A company that builds an HR screening tool faces voluntary guidance and sectoral enforcement in the United States, and a binding, ex-ante conformity assessment plus fines of up to seven percent of global turnover under the EU regime[1][4].
Historical context
The Commission’s original proposal landed in April 2021, three-way negotiations between Parliament, Council, and Commission produced political agreement in December 2023, and the final text entered force in August 2024[1]. The staggered application schedule that follows is deliberate: the ban on the most harmful uses lands first, governance and general-purpose-model rules apply a year in, and the heavy high-risk compliance stack lands two to three years out so providers have time to prepare.
Bottom line
For a business owner, the practical implication of the EU AI Act is that any AI system touching EU residents now sits inside a defined regulatory tier, and the tier determines the paperwork. The first questions are which systems are deployed, what those systems do, and where their outputs land. Recruitment tools, credit decisions, customer-facing chatbots, and AI used in regulated products are the obvious places to look first. Documentation, risk classification, and a clear deployer-versus-provider role assignment are the entry-level controls. Penalties at the top of the scale are large enough that the Act has become a de facto global compliance baseline for cross-border AI deployments.
Citations
[1] Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). EUR-Lex (Publications Office of the European Union). https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
[2] AI Act. European Commission, Directorate-General for Communications Networks, Content and Technology. https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
[3] High-level summary of the AI Act. Future of Life Institute, EU Artificial Intelligence Act tracker. https://artificialintelligenceact.eu/high-level-summary/
[4] The EU and U.S. diverge on AI regulation: A transatlantic comparison and steps to alignment. Brookings Institution. https://www.brookings.edu/articles/the-eu-and-us-diverge-on-ai-regulation-a-transatlantic-comparison-and-steps-to-alignment/
[5] Executive Order 14110: Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. Joseph R. Biden Jr. Federal Register / The White House. https://www.federalregister.gov/documents/2023/11/01/2023-24283/safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence