Wednesday, 27 May 2026 | Updating Daily AI insight, written for builders

The EU AI Act in 2026: What Businesses Need to Know

The EU AI Act is the world’s first comprehensive law regulating artificial intelligence — and like the GDPR before it, its influence reaches far beyond Europe’s borders. If your business builds, sells, or even just uses AI, and it touches the EU market in any way, this law likely applies to you. This guide explains it in plain, practical terms.

This article is general information, not legal advice. For your specific obligations, consult a qualified professional.

Key takeaways

  • The EU AI Act is the first comprehensive AI law, taking a risk-based approach.
  • Four risk tiers: unacceptable (banned), high-risk (strict rules), limited-risk (transparency), minimal-risk (free).
  • It applies extraterritorially — non-EU companies are covered if their AI affects the EU market.
  • It phases in over time, with different obligations taking effect on different dates.
  • Penalties are severe — large fines based on global turnover.

What is the EU AI Act?

The EU AI Act is European Union legislation that sets rules for how AI systems can be developed, sold, and used. Its goal is to ensure AI used in the EU is safe, transparent, and respects fundamental rights — while still allowing innovation.

Its defining feature is a risk-based approach. Rather than regulating all AI the same way, it sorts AI systems by how much risk they pose to people, and applies heavier rules to higher-risk uses. A spam filter and an AI system that screens job applicants are not treated alike — and that’s the point.

The four risk tiers

Everything in the Act flows from these categories:

Risk tier | Treatment | Examples
Unacceptable risk | Banned outright | Social scoring, manipulative or exploitative AI
High risk | Strict obligations | AI in hiring, credit, education, critical infrastructure
Limited risk | Transparency duties | Chatbots, AI-generated content
Minimal risk | Largely unregulated | Spam filters, AI in games, recommendation tools

Unacceptable risk — a small set of AI uses considered a clear threat to people’s rights are prohibited entirely.

High risk — the category that matters most for compliance. AI used in consequential areas — employment decisions, access to credit and essential services, education, certain critical systems — faces strict requirements before and during use.

Limited risk — systems like chatbots and AI-generated content carry transparency duties: people must be told they’re interacting with AI, or that content is AI-generated.

Minimal risk — the large majority of AI applications fall here and face essentially no new obligations.

Who does it apply to?

This is the part many businesses miss: the EU AI Act applies extraterritorially. You do not have to be in Europe to be covered.

The Act reaches:

  • Providers — those who develop AI systems or put them on the EU market.
  • Deployers — businesses that use AI systems in their operations within the EU.
  • Non-EU companies — if your AI system is used in the EU, or its outputs are used in the EU, the Act can apply to you regardless of where your company is based.

So a company anywhere in the world that offers an AI product to EU customers, or uses AI to make decisions affecting people in the EU, is potentially within scope. This is the same “Brussels effect” that made GDPR a global standard.

Key obligations for high-risk AI

If your AI falls into the high-risk tier, expect requirements such as:

  • Risk management — an ongoing process to identify and reduce risks.
  • Data governance — using appropriate, well-managed datasets, with attention to bias.
  • Documentation — detailed technical records demonstrating compliance.
  • Transparency — clear information for the people deploying and affected by the system.
  • Human oversight — the system must be designed so humans can meaningfully supervise it.
  • Accuracy and robustness — appropriate performance and security.
  • Record-keeping — logging so the system’s operation can be traced.

For limited-risk systems, the central duty is simpler: disclosure. Tell users they’re dealing with AI, and label AI-generated content.

General-purpose AI

The Act also addresses general-purpose AI — the large foundation models behind many products. Providers of these models face their own set of obligations, including transparency and documentation requirements, with additional duties for the most capable models that could pose broader risks.

Timeline and penalties

The EU AI Act does not switch on all at once. It phases in, with different obligations becoming applicable on different dates — the bans on prohibited uses came first, with high-risk and other requirements following on a staggered schedule. Because the exact dates depend on the category, businesses should confirm the current timeline for the obligations that affect them.

The penalties are deliberately serious — substantial fines calculated as a percentage of a company’s global annual turnover, with the steepest fines for the most serious violations. As with GDPR, the penalty design ensures large companies cannot simply treat compliance as optional.

What businesses should do now

A practical starting checklist:

  1. Inventory your AI. List every AI system you build or use that touches the EU.
  2. Classify each one by risk tier. This determines what, if anything, you must do.
  3. Focus on high-risk systems — that’s where the real compliance work is.
  4. Check transparency duties — if you use chatbots or generate AI content, make sure you’re disclosing it.
  5. Assign ownership. Make AI governance someone’s clear responsibility.
  6. Get expert advice for anything high-risk or uncertain.

For most businesses, much of their AI use will fall into the minimal- or limited-risk tiers and require little. The effort concentrates on high-risk systems — so the first job is simply knowing which of yours, if any, qualify.

FAQ

What is the EU AI Act?

The EU AI Act is the European Union’s comprehensive law regulating artificial intelligence — the first of its kind. It uses a risk-based approach, sorting AI systems into four tiers (unacceptable, high, limited, and minimal risk) and applying obligations proportionate to the risk each poses.

Does the EU AI Act apply to non-EU companies?

Yes. The Act applies extraterritorially. A company based anywhere can be covered if its AI system is placed on the EU market, used within the EU, or its outputs are used in the EU. Businesses worldwide may have obligations if their AI touches the EU.

What are the risk categories in the EU AI Act?

Four: unacceptable risk (banned outright), high risk (strict obligations, such as AI in hiring or credit), limited risk (transparency duties, such as chatbots disclosing they are AI), and minimal risk (most AI applications, largely unregulated).

What are the penalties for breaking the EU AI Act?

Penalties are substantial fines calculated as a percentage of a company’s global annual turnover, with the largest fines reserved for the most serious violations, such as using banned AI systems. The design mirrors GDPR’s approach of making non-compliance genuinely costly.

What should my business do to comply with the EU AI Act?

Start by inventorying all AI systems you build or use that touch the EU, then classify each by risk tier. Most will be low-risk and need little. Concentrate compliance effort on any high-risk systems, ensure transparency for chatbots and AI content, assign clear governance ownership, and seek legal advice where needed.

Bottom line

The EU AI Act is a landmark: the first comprehensive attempt to regulate AI, and — through its extraterritorial reach — a likely global benchmark, just as GDPR became one for data. Its risk-based design is reasonable: minimal-risk AI is left alone, while AI used for consequential decisions faces real scrutiny.

For most businesses the practical task is manageable. Inventory your AI, classify it by risk, and you’ll find the heavy obligations apply only to high-risk uses. The mistake to avoid is assuming the law doesn’t apply because you’re not in Europe — if your AI reaches the EU market, it very well might.
