What is the EU AI Act? A complete guide for businesses
The EU AI Act is the European Union's regulation on artificial intelligence. It is the first horizontal law of its kind anywhere in the world, and it applies to almost every organisation that develops, sells, distributes or uses an AI system in the European market. If your product touches an EU user, the Act probably touches you.
This article gives you the operating picture: what the Act actually does, who it binds, when it bites, and what the practical compliance work looks like. It is intentionally non-exhaustive. The Act runs to 113 articles, 13 annexes and roughly 460 recitals, and you should not make commercial decisions from a guide. But this is enough to know whether you have a problem and what to read next.
What the Act actually regulates
The Act is a product safety regulation, not a privacy law. That distinction matters more than it sounds. Where the General Data Protection Regulation (GDPR) controls how personal data is processed, the AI Act controls the AI system itself: how it is designed, tested, documented, and deployed. The two regulations stack rather than overlap. Almost every organisation in scope of one will be in scope of the other.
The Act takes a risk-based approach. Rather than applying a uniform set of rules to every AI system, it sorts systems into four tiers, then applies obligations proportionate to the risk each tier poses to health, safety and fundamental rights:
- Unacceptable risk. A short list of practices is banned outright. Social scoring by governments, certain real-time remote biometric identification in public spaces, manipulative techniques that exploit vulnerable groups, untargeted scraping of facial images, and a few others. See the prohibited practices article for the full list.
- High risk. AI systems used in domains like medical devices, recruitment, credit scoring, education, critical infrastructure, law enforcement and migration. These are not banned but carry the heaviest compliance load: a quality management system, technical documentation, risk and data-governance procedures, human oversight, post-market monitoring, registration in the EU database, and (for many) third-party conformity assessment.
- Limited risk. Systems that interact with people in ways that may mislead them: chatbots, emotion recognition, biometric categorisation, generative AI producing synthetic media. The obligation is transparency. Users must know they are dealing with AI; deepfakes must be labelled.
- Minimal risk. Everything else. Spam filters, video-game NPCs, inventory optimisation. No specific obligations beyond voluntary codes of conduct.
A separate, parallel regime applies to general-purpose AI (GPAI) models, the foundation models that power downstream applications. Providers of GPAI face their own obligations regardless of how downstream developers ultimately use the model. The rules tighten further for "systemic-risk" GPAI, currently defined by a training-compute threshold of 10^25 floating-point operations.
Who is in scope
The Act creates four roles, and most of an organisation's compliance burden is determined by which role it occupies for a given AI system.
- Provider — the entity that develops an AI system, or that has an AI system developed, and places it on the EU market under its own name or trade mark. Providers carry the bulk of the obligations.
- Deployer — the entity that uses an AI system under its own authority, except where the use is in the course of a personal non-professional activity. A hospital using a third-party diagnostic tool is a deployer.
- Importer — the entity that places on the EU market an AI system bearing the name or trade mark of a person established outside the Union.
- Distributor — anyone else in the supply chain that makes an AI system available on the EU market.
A single organisation can wear several hats. If you fine-tune a third-party large language model and resell it under your own brand, you have become a provider of a new AI system even though you did not train it from scratch. The role determines what you have to do; the risk tier determines how much.
The Act applies regardless of where the organisation is established, provided the AI system is placed on the EU market or its output is used in the EU. A US startup with an EU customer base is in scope. A model trained in Singapore but available via API to European users is in scope. The territorial scope is deliberately broad.
There are limited carve-outs. AI systems developed and used exclusively for military, defence or national security purposes are out. So are systems used solely for scientific research and development before being placed on the market. Open-source AI components are partly exempted, though not when they are integrated into a high-risk system or sold commercially.
What you actually have to do
The compliance work falls into three buckets, depending on what tier you land in.
If you are a provider of a high-risk system, the obligations are substantial. You must build a quality management system that covers your AI development lifecycle. You must produce technical documentation that demonstrates conformity with the Act before the system goes to market, and you must keep it current. You must implement risk management, data governance practices that address bias and representativeness in training data, human oversight measures, accuracy and robustness benchmarks, and a post-market monitoring system. You will likely need to register the system in the EU AI database, and for systems falling under Annex I product legislation, undergo third-party conformity assessment. Practically, this is the same compliance posture as a medical device or industrial machinery manufacturer.
If you are a deployer of a high-risk system, your obligations are lighter but real. You must use the system in accordance with the provider's instructions, ensure appropriate human oversight, monitor its operation, log its outputs where required, and notify the provider and authorities of serious incidents. Public-sector deployers and some private deployers (for example in financial services) must additionally complete a fundamental rights impact assessment before deployment.
If you fall in the limited-risk tier, the obligations come down to disclosure. You must make it clear to natural persons that they are interacting with an AI system unless that is obvious. You must label AI-generated content as such, in machine-readable form. Deepfakes need conspicuous labelling. There is no documentation regime; just transparent communication with end users.
If you are a GPAI provider, you have a baseline set of obligations — technical documentation, a summary of training data, a copyright policy, and downstream-developer support — regardless of risk tier. Systemic-risk GPAI providers must additionally evaluate their models for systemic risks, take mitigating measures, report serious incidents, and ensure adequate cybersecurity. The European AI Office supervises this layer directly.
When the rules apply
The Act came into force on 1 August 2024 but the substantive obligations apply in phases:
- 2 February 2025 — prohibitions on unacceptable-risk practices apply. The AI literacy obligation also kicks in.
- 2 August 2025 — GPAI rules and governance provisions apply. Member States must designate competent authorities.
- 2 August 2026 — the bulk of the Act applies, including the high-risk system obligations under Annex III.
- 2 August 2027 — high-risk systems that are components of products regulated under existing Union harmonisation law (Annex I) become subject to the AI Act.
You can find a detailed breakdown in the AI Act timeline guide.
What it costs to get wrong
Fines are tiered, in the same shape as GDPR but at higher headline numbers:
- Up to EUR 35 million or 7% of worldwide annual turnover for breaching the prohibited practices in Article 5.
- Up to EUR 15 million or 3% of worldwide annual turnover for most other obligation breaches.
- Up to EUR 7.5 million or 1.5% of worldwide turnover for supplying incorrect information to authorities.
Whichever number is higher applies. Small and medium-sized enterprises and startups face the same percentage caps but the absolute figures are scaled down. The full breakdown sits in the penalties article.
The honest version
The Act has been criticised on every side. Industry calls it onerous, civil society calls it loophole-ridden. Both are partly right. For most businesses the practical reality sits in between: if you ship an AI product into the EU and you operate at any scale, you need to know which tier each of your AI systems falls into, which roles you occupy in each supply chain, and what evidence you can produce that you have done the work the Act asks for. Most of the obligations are familiar in shape to anyone who has been through product-safety, ISO management-system or GDPR programmes. The cost sits in the doing, not the reading.
The next move depends on where you are. If you have not yet classified your AI systems, start with the risk-tier guide and the high-risk decision walkthrough. If you are deploying third-party models, the GPAI obligations article covers what your suppliers should already be giving you. If you are running both an AI and a personal-data programme, the AI Act vs GDPR comparison is the right next read.