Quick Answer
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive law governing artificial intelligence. It applies to many Indian businesses because of its extraterritorial scope: if your AI system is placed on the EU market, or its output is used in the EU, the rules reach you even with no office in Europe. Obligations depend on a four-tier risk classification and roll out in phases.
General information only, not legal advice. Confirm your obligations with qualified EU counsel.
What is the EU AI Act?
The EU AI Act entered into force on 1 August 2024. It takes a risk-based approach: rather than regulating the technology uniformly, it scales obligations to the potential harm of each AI use case. A spam filter and a CV-screening engine are both AI, but the law treats them very differently.
For Indian IT services firms, Global Capability Centres (GCCs), and product companies, the Act matters because so much Indian AI work is delivered into Europe. A hiring model built in Bengaluru, a credit-scoring API hosted in Mumbai, or a support chatbot run for a German client can all fall in scope. The trigger is where the AI or its results are used, not where the code is written.
The four risk tiers
The Act sorts AI systems into four categories, each with its own duties.
What are the four EU AI Act risk levels?
- Prohibited (unacceptable risk): Banned since February 2025. Examples include social scoring by public authorities, untargeted scraping of facial images, manipulative or exploitative systems, and certain biometric categorisation.
- High-risk: Permitted but heavily regulated. Covers AI used in employment, credit and creditworthiness, education, essential services, critical infrastructure, law enforcement, and AI embedded as a safety component in regulated products.
- Limited risk (transparency): Systems such as chatbots, emotion-recognition tools, and generators of synthetic image, audio, video, or text. The core duty is disclosure.
- Minimal risk: Everything else, such as spam filters, recommendation engines, and game AI. No mandatory obligations.
Most commercial AI sits in the limited or minimal tiers. The expensive obligations concentrate in the high-risk tier, so accurate classification is the single most important early step.
| Risk tier | Examples | Core obligation |
|---|---|---|
| Prohibited | Social scoring, manipulative systems, untargeted face scraping | Banned in the EU |
| High-risk | Hiring, credit scoring, biometrics, critical infrastructure | Conformity assessment, risk management, documentation, human oversight |
| Limited risk | Chatbots, deepfakes, AI content generators | Transparency and labelling |
| Minimal risk | Spam filters, recommenders, game AI | None (voluntary codes) |
Who does it apply to (and why Indian firms are in scope)?
The Act assigns roles. A provider develops an AI system or places it on the EU market under its own name. A deployer uses an AI system under its own authority in a professional context. Importers and distributors have narrower duties.
Does the EU AI Act apply to Indian companies?
Yes, in many cases. Article 2 extends the regulation to providers and deployers established outside the EU when the output produced by the AI system is used in the EU. So an Indian company is caught if it:
- Places an AI system or general-purpose AI model on the EU market, directly or through a partner;
- Is a provider or deployer whose AI output (a score, ranking, classification, generated text, or decision) is used in the EU;
- Builds or operates AI for an EU client whose customers or employees are affected in the EU.
This extraterritorial reach mirrors how GDPR pulled in Indian firms a decade ago. Non-EU providers of high-risk systems must also appoint an authorised representative in the EU. For Indian export-led IT services and GCCs, the rule of thumb is simple: if the AI touches Europe, assume the Act may apply and classify the use case early.
The phased timeline
The Act applies in stages rather than all at once. As of mid-2026 the picture is also being reshaped by the EU's Digital Omnibus simplification package, which reached a provisional political agreement on 7 May 2026 and is moving toward formal adoption.
- February 2025: Prohibited-practice bans and AI-literacy duties took effect.
- August 2025: Obligations for general-purpose AI (GPAI) models and the governance framework began to apply.
- High-risk systems: The original headline date of 2 August 2026 for stand-alone (Annex III) high-risk systems is being deferred under the Digital Omnibus to 2 December 2027, with high-risk AI embedded in regulated products (Annex I) moving from 2 August 2027 to 2 August 2028.
Because the Omnibus was still completing the EU legislative process at the time of writing, treat the deferred high-risk dates as the current direction of travel rather than fixed law, and verify the final published deadlines before you plan. The net effect: high-risk obligations now arrive later than first announced, giving Indian delivery teams more runway, not a reason to stop preparing.
General-purpose AI (GPAI) obligations
GPAI models, the foundation and large language models that power many downstream products, have their own regime. Providers must supply technical documentation, publish a sufficiently detailed summary of training data, put a copyright-compliance policy in place, and inform downstream developers who integrate the model.
Models judged to pose systemic risk (very capable models above a defined compute threshold) face stricter duties: model evaluations, adversarial testing, incident reporting, and cybersecurity safeguards. GPAI obligations have applied since August 2025, while models already on the market before that date have until 2 August 2027 to comply fully. Indian firms that fine-tune, host, or redistribute foundation models into the EU should check whether they inherit provider duties.
Penalties for non-compliance
Enforcement is scaled to global revenue.
- Up to 35 million euros or 7% of total worldwide annual turnover (whichever is higher) for breaching the prohibited-practices rules.
- Up to 15 million euros or 3% for breaching most other obligations, including high-risk and GPAI duties.
- Up to 7.5 million euros or 1% for supplying incorrect, incomplete, or misleading information to authorities.
Because the percentage is calculated on worldwide turnover, a global Indian IT group could face a material fine even if its EU revenue is small.
How it relates to GDPR and India's DPDP Act
The AI Act does not replace data-protection law; it sits on top of it. Where a high-risk AI system processes personal data, you must satisfy both the AI Act and the GDPR, including lawful basis, data-subject rights, and data-protection impact assessments. The AI Act regulates the system and its risks; GDPR regulates the personal data inside it.
How is the EU AI Act different from India's DPDP Act?
India's Digital Personal Data Protection Act, 2023 (DPDP Act) is a data-privacy law: it governs how personal data of individuals (Data Principals) is processed, built around consent and data-fiduciary duties. The EU AI Act is a product-safety-style law for AI systems, governing how AI is built and used regardless of whether personal data is involved. They overlap where AI processes Indian personal data, but answer different questions. An Indian firm exporting AI to the EU navigates three regimes at once: the DPDP Act at home, GDPR for EU personal data, and the AI Act for the AI system itself. Mapping all three early avoids duplicated, conflicting controls.
What Indian businesses should do next
Start with an inventory: list every AI system you build, sell, or operate that could reach the EU, and classify each by risk tier. For anything high-risk, begin governance and documentation now, even with the deferred deadlines, because conformity assessment is slow. Decide who is provider and who is deployer for each engagement, and write those roles into contracts.
For a role-by-role walkthrough, see our EU AI Act compliance checklist for Indian companies. If governance and AI operations are stretching your teams, Opsio's managed AI support can help you operationalise compliance. And if your delivery model is shifting toward AI-assisted development, our guide to agentic coding for the enterprise covers the governance angle.
Frequently asked questions
Does the EU AI Act apply to Indian companies?
Yes, where your AI system is placed on the EU market or its output is used in the EU. This extraterritorial scope means an Indian provider or deployer can be in scope without any EU office. High-risk providers based outside the EU must also appoint an EU authorised representative.
EU AI Act vs India's DPDP Act, what is the difference?
The DPDP Act, 2023 is India's personal-data privacy law, centred on consent and data-fiduciary duties. The EU AI Act is a product-safety-style law for AI systems, applying by risk tier whether or not personal data is involved. Firms exporting AI to the EU usually must comply with both, plus GDPR.
When does the EU AI Act apply?
It entered into force on 1 August 2024 and applies in phases. Prohibited-practice bans applied from February 2025 and GPAI obligations from August 2025. Under the 2026 Digital Omnibus simplification, stand-alone high-risk obligations are being deferred toward December 2027; confirm the final published dates as adoption completes.
What are the penalties under the EU AI Act?
Fines reach up to 35 million euros or 7% of worldwide annual turnover for prohibited practices, up to 15 million euros or 3% for most other breaches, and up to 7.5 million euros or 1% for supplying incorrect information. The percentage applies to global turnover.
Written By

Country Manager, India
Praveena leads Opsio's India operations, bringing 17+ years of cross-industry experience spanning AI, manufacturing, DevOps, and managed services.
Editorial standards: This article was written by cloud practitioners and peer-reviewed by our engineering team. Content is reviewed quarterly for technical accuracy and relevance to Indian compliance requirements including DPDPA, CERT-In directives, and RBI guidelines. Opsio maintains editorial independence.