
EU AI Act: What It Is and How It Works

Praveena Shenoy

Country Manager, India

Reviewed by Opsio Engineering Team

Quick Answer


The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive law governing artificial intelligence. It entered into force on 1 August 2024 and applies in phases. The Act sorts AI systems into risk tiers, imposes obligations that scale with risk, and reaches any provider or deployer whose AI affects people in the EU.

What is the EU AI Act?

The EU AI Act is a horizontal regulation that sets harmonised rules for developing, placing on the market, and using AI systems across the European Union. Rather than banning AI or regulating it as a single block, it takes a risk-based approach: the higher the potential harm to health, safety, or fundamental rights, the stricter the requirements.

Because it is a regulation rather than a directive, it applies directly in all 27 member states without national transposition. The European Commission's AI Office coordinates enforcement, supported by national market surveillance authorities. Its stated goals are to make AI in the EU trustworthy, protect fundamental rights, and give businesses legal certainty for a single internal market.

The four risk tiers

The Act's core mechanism is a four-level pyramid of risk. Where your system sits determines what you must do.

| Risk tier | Examples | Core obligation |
|---|---|---|
| Unacceptable (prohibited) | Social scoring by public authorities, manipulative subliminal techniques, untargeted facial-image scraping, most real-time remote biometric identification in public | Banned outright |
| High-risk | AI in medical devices, recruitment and hiring, credit scoring, critical infrastructure, education grading, certain law-enforcement uses | Conformity assessment, risk management, documentation, human oversight, CE marking |
| Limited (transparency) | Chatbots, emotion-recognition systems, AI-generated or manipulated content (deepfakes) | Disclosure: users must know they are interacting with or seeing AI |
| Minimal | Spam filters, AI in video games, inventory optimisation | No mandatory obligations; voluntary codes encouraged |

Which tier do most business systems fall into?

Most everyday enterprise AI lands in the minimal or limited tiers. The compliance weight concentrates in the high-risk category, defined partly by use cases listed in Annex III and partly by AI embedded in already-regulated products under Annex I (such as medical devices and machinery). Misclassifying a high-risk system as limited is one of the most common and costly mistakes, which is why a structured assessment matters.


Who does it apply to?

The Act assigns obligations mainly by role. Providers develop an AI system or have one developed and place it on the market under their own name. Deployers use an AI system under their authority in a professional context. The Act also names importers, distributors, and product manufacturers, each with tailored duties. Providers of high-risk systems carry the heaviest burden; deployers have lighter but real obligations, such as ensuring human oversight and using the system as instructed.

Does it apply to companies outside the EU?

Yes. The EU AI Act has extraterritorial scope. It applies to providers placing AI systems on the EU market regardless of where they are established, and to providers and deployers located outside the EU when the system's output is used inside the EU. A US, UK, or Asian company that offers an AI product to EU customers, or whose AI output reaches EU users, falls within scope just as an EU-based firm would. This mirrors the global reach that made GDPR a worldwide compliance standard.

The phased application timeline

The Act did not switch on all at once. Obligations apply in waves, and the timeline is actively being revised through the EU's 2026 simplification work, so you should confirm the current dates before planning.

  • 1 August 2024: The Regulation enters into force.
  • 2 February 2025: Prohibitions on unacceptable-risk practices and AI-literacy obligations began to apply.
  • 2 August 2025: Obligations for general-purpose AI (GPAI) models, governance provisions, and the penalty framework began to apply.
  • High-risk systems: The most demanding obligations are phased in later. Under the original text these applied from 2 August 2026 (Annex III use cases) and 2 August 2027 (Annex I regulated products).

In late 2025 the Commission proposed a "Digital Omnibus on AI" package, and in May 2026 EU negotiators reached a provisional agreement to defer several high-risk deadlines, including pushing Annex III high-risk obligations toward December 2027 and adjusting related milestones. Because these revisions remained in flux as of mid-2026, treat high-risk timing as phased and subject to change, and verify the current applicable date for your specific system rather than relying on a fixed future date.

Rules for general-purpose AI (GPAI) models

The Act creates a separate regime for general-purpose AI models, the foundation and large language models that can be adapted to many downstream tasks. All GPAI providers must maintain technical documentation, publish a summary of training-data content, supply information to downstream developers, and put a copyright-compliance policy in place.

Models judged to carry systemic risk, based on capability thresholds, face additional duties: model evaluations and adversarial testing, systemic-risk assessment and mitigation, incident reporting, and cybersecurity safeguards. A General-Purpose AI Code of Practice helps providers demonstrate compliance. These GPAI obligations sit on top of, not instead of, the risk-tier rules that apply when a model is built into a concrete AI system.

Penalties for non-compliance

Enforcement carries serious financial teeth, with fines set as the higher of a fixed amount or a percentage of worldwide annual turnover.

| Breach | Maximum fine |
|---|---|
| Engaging in prohibited (unacceptable-risk) practices | Up to €35 million or 7% of total worldwide annual turnover, whichever is higher |
| Non-compliance with most other obligations (e.g. high-risk requirements) | Up to €15 million or 3% of worldwide annual turnover |
| Supplying incorrect, incomplete, or misleading information to authorities | Up to €7.5 million or 1% of worldwide annual turnover |

Proportionate caps apply for SMEs and start-ups. The headline figure, up to €35 million or 7% of global turnover, applies to the most serious breaches and is one reason boards are treating AI compliance as a governance priority rather than a purely technical concern.

How the EU AI Act relates to GDPR

The EU AI Act and the General Data Protection Regulation (GDPR) are complementary, not interchangeable. GDPR governs how personal data is processed; the AI Act governs how AI systems are designed, placed on the market, and used. An AI system can trigger both: GDPR when it processes personal data, and the AI Act based on its risk tier and your role.

In practice the regimes reinforce each other. GDPR principles such as data minimisation, lawful basis, transparency, and rights around automated decision-making run alongside AI Act duties like risk management, documentation, and human oversight. Many organisations extend their existing GDPR governance (data protection impact assessments, records of processing, and accountability structures) to cover AI Act obligations, which is an efficient way to avoid duplicating effort.

How Opsio helps

Opsio is an ISO 27001-certified cloud and AI partner that helps enterprises operationalise AI governance and compliance. Our managed AI support team helps you classify systems, build documentation, and embed oversight into day-to-day operations. For practical implementation guidance, see our EU AI Act compliance checklist, and if you are scaling AI development, our overview of agentic coding for enterprises.

Frequently asked questions

When does the EU AI Act apply?

It entered into force on 1 August 2024 and applies in phases. Prohibitions and AI-literacy duties applied from 2 February 2025, and GPAI and governance rules from 2 August 2025. High-risk obligations are phased in later and were being revised through the EU's 2026 simplification work, so confirm the current applicable date for your system.

Does the EU AI Act apply to my company if we are not in the EU?

Very likely, if your AI reaches the EU. The Act applies to providers placing AI on the EU market wherever they are based, and to providers and deployers outside the EU whose system output is used in the EU. Non-EU companies serving EU customers are generally in scope.

What is the difference between the EU AI Act and GDPR?

GDPR regulates the processing of personal data; the EU AI Act regulates AI systems by risk level and by your role as provider or deployer. They overlap and complement each other, and an AI system handling personal data must satisfy both frameworks.

What are the penalties for non-compliance?

Fines reach up to €35 million or 7% of total worldwide annual turnover (whichever is higher) for prohibited practices, up to €15 million or 3% for most other breaches, and up to €7.5 million or 1% for supplying incorrect information, with proportionate caps for SMEs.

This article is general information, not legal advice. The EU AI Act and its implementation timeline are evolving; consult qualified legal counsel for your specific situation.

Written By

Praveena Shenoy

Country Manager, India

Praveena leads Opsio's India operations, bringing 17+ years of cross-industry experience spanning AI, manufacturing, DevOps, and managed services.

Editorial standards: This article was written by cloud practitioners and peer-reviewed by our engineering team. We update content quarterly for technical accuracy. Opsio maintains editorial independence.