What Is the EU AI Act?

As the world’s first comprehensive legal framework for artificial intelligence (AI), the EU AI Act sets the stage for organisations and individuals who create, deploy, or integrate AI systems for products, services or outputs that are used in EU markets.

EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024. It is the world’s first comprehensive AI regulation. In 2026, organisations are required to meet its major obligations. Like the GDPR (General Data Protection Regulation), the Act has extraterritorial reach, affecting businesses, not only in the EU but outside of the EU.

The Act classifies AI based on its risk. It introduces transparency obligations, requiring developers and deployers to make end-users aware of their interactions with AI. Regulated high-risk AI systems are subjected to greater transparency obligations than limited risk AI systems. Unacceptable risks such as social scoring systems and manipulative AI are prohibited while minimal risk is unregulated.

Who Must Comply?

Most of the obligations in the EU AI Act are to be met by providers (developers) of high-risk AI systems and those that aim to have their high-risk AI systems in the EU. This obligation must be met, irrespective of whether they are based in the EU or a third country.

General-Purpose AI (GPAI) refers to the AI systems that are trained on broad datasets to perform a variety of tasks, such as text generation, coding, and image creation. In order to comply with the Act, providers of general purpose AI models must provide instructions for use, technical documentation, act in pursuance of the Copyright Directive, and publish summaries that show the content used for training their models.

Key Deadlines

Deadlines for compliance were adjusted in May 2026. The applicability of high-risk AI obligations were extended by a year, compared to the initial dates. Compliance is expected by 2 December 2027 for stand-alone Annex III systems (including recruitment, credit scoring, law enforcement, education, and border control tools). For AI that is embedded in regulated products under Annex I (medical devices, vehicles, machinery), compliance is expected by 2 August 2028.

Transparency obligations under Article 50 of the AI Act will be enforceable from 2 August 2026. Users will need to be informed when they are interacting with an AI system. Notification will also need to be provided when content is AI-generated or manipulated. A grace period has been given until 2 December 2026 for machine-readable marking/watermarking for generative AI outputs.

High-Risk Classification of AI Systems

On 19 May 2026, draft guidelines on the classification of AI systems were published by the European Commission. The aim of the guidelines is to support providers and deployers of AI systems, and market surveillance authorities to determine whether AI systems should be classified as high-risk. This is in pursuance of Article 6 AI Act, which provides the classification rules for high-risk AI systems.

Article 6(1) of the EU AI Act provides that an AI system is a safety component of a product (or is a regulated product itself listed in Annex I) which requires a third-party safety check (conformity assessment) under EU laws, before it can be sold. Under Article 6 (2), if an AI system falls into one of the high-impact categories listed in Annex III of the Act, it is deemed high-risk. The categories include:

• Biometrics

• Critical Infrastructure

• Education & Vocational Training

• Employment & Worker Management

• Essential Public and Private Services

• Law Enforcement

• Migration, Asylum, & Border Control

• Administration of Justice & Democracy

Under Article 6(1), if an AI system is a safety component of a product (or is itself a product) covered by EU harmonisation legislation listed in Annex I (such as machinery, medical devices, toys, vehicles) and that product requires third-party conformity assessment.

The guidelines require providers of GPAI systems to describe their AI systems in publicly available materials. The publicly available materials may include technical documentation, marketing materials, and instructions for use. The system’s intended purpose can be classified as high-risk if high-risk use cases are not consistently limited or excluded from it. This expands the scope of high-risk requirements.

Article 6 (3) provides that a system won’t be treated as high risk if providers of the system can demonstrate that it doesn’t present a significant risk. Such risks include risks of harm to health, safety, or fundamental rights. In order to be exempt from high-risk classification, the provider must conduct and document a self-assessment prior to putting the system into service or launching the AI system on the market. AI systems can be exempt if they meet the conditions in Article 6 (3) but systems that profile natural persons will always be classified as high risk.

Penalties for Noncompliance

Noncompliance can lead to significant costs of up to 3 percent of global annual revenue or 15 million euros. This supports the AI Office in collecting information it requires to assess whether providers are meeting their obligations under Article 53 (for GPAI models) or Article 55 (for systemic risk). Failure to satisfy information requests or deny access for evaluations can result in fines of 1 percent of turnover or 7.5 million euros. Under Article 101, GPAI model providers that fail to respond to requests for documentation and information could face fines. Prohibited AI violations can incur fines of up to 35 million euros or 7% of a company’s total worldwide annual turnover.

Providers that fail to respond, or that supply incomplete or misleading information, face fines under Article 101. This power is the foundation of the enforcement architecture. Without reliable information about what models can do and how they were trained, the AI Office cannot assess whether providers are meeting their obligations under Article 53 (for all GPAI models) or Article 55 (for models with systemic risk).

An Act that Goes Beyond Borders

The EU AI Act is not just a European concern. It sets the stage for how AI will be governed, deployed and challenged in the coming years. Treating compliance as a strategic opportunity rather than a regulatory burden could improve positioning as AI matures.

With the guidelines being open for consultation until 23 June 2026, there are further potential changes to lookout for in the regulatory environment.

Disclaimer: This publication is for educational and informational purposes only and does not constitute formal legal advice or create an attorney-client relationship.