Key facts

  • Official name: Regulation (EU) 2024/1689, the ‘Artificial Intelligence Act’.
  • Entered into force on 1 August 2024, with obligations phasing in through 2027–2028.
  • Risk-based: four tiers — unacceptable (banned), high-risk, limited-risk (transparency) and minimal-risk.
  • Covers providers, deployers, importers and distributors — including non-EU businesses whose AI output is used in the EU.
  • Penalties reach up to €35m or 7% of global annual turnover for banned practices.

What does the EU AI Act actually regulate?

It regulates how AI systems are developed, placed on the EU market and used. Rather than banning or approving AI wholesale, it scales obligations to risk. A handful of practices are prohibited outright; a defined set of ‘high-risk’ uses carry strict duties such as risk management, data governance, technical documentation, human oversight and logging; and certain systems must simply be transparent with users.

Most everyday business AI — spam filters, recommendation engines, productivity tools — falls into the minimal-risk tier with no specific obligations beyond existing law.

What are the four risk categories?

Unacceptable risk: banned practices such as social scoring, manipulative or exploitative systems, and untargeted scraping of facial images.

High risk: AI used in areas like recruitment, credit, education, critical infrastructure and certain regulated products; subject to the strictest obligations.

Limited risk: systems that interact with people or generate content must meet transparency duties under Article 50, for example disclosing AI chat and labelling deepfakes.

Minimal risk: everything else, with no specific obligations.

Who does the EU AI Act apply to?

The Act applies to providers (who develop and place AI on the market) and deployers (who use it under their own authority), as well as importers and distributors. Its reach is extraterritorial: a business based outside the EU is covered if it places AI on the EU market or if the system's output is used in the EU. See ‘Does the EU AI Act apply to UK businesses?’

When do the rules take effect?

Obligations phase in. Bans and AI-literacy duties applied from February 2025, general-purpose AI rules from August 2025, and transparency duties from 2 August 2026. Most high-risk obligations fall due across 2027 and 2028, with some dates provisionally deferred under the Digital Omnibus. See the full EU AI Act timeline.

What are the penalties for non-compliance?

Fines are tiered: up to €35m or 7% of global annual turnover for prohibited practices; up to €15m or 3% for most other breaches; and lower caps for supplying incorrect information. Smaller caps apply to SMEs and start-ups.

How should an organisation start?

Begin with visibility. Build an AI inventory, classify each system by risk, then put proportionate AI governance around the systems that need it. You cannot comply with obligations you have not mapped.

Frequently asked questions

What is the EU AI Act?

The world's first comprehensive AI law (Regulation 2024/1689); a risk-based framework regulating how AI is developed and used in the EU.

What are the EU AI Act risk categories?

Four tiers: unacceptable (banned), high-risk (strict obligations), limited risk (transparency), and minimal risk (no obligations).

Does the EU AI Act apply to UK businesses?

Yes, if you place AI on the EU market, are established in the EU, or your AI's output is used in the EU — regardless of where you are based.

What are the penalties for non-compliance?

Up to €35m or 7% of global turnover for prohibited practices; up to €15m or 3% for most other breaches; lower caps for SMEs.

Does the EU AI Act ban any AI?

Yes — e.g. social scoring, untargeted facial-recognition scraping, manipulative or exploitative systems, and certain biometric categorisation.

What's the first step to EU AI Act compliance?

Build an AI inventory and classify each system by risk — you can't comply with obligations you haven't mapped.

Last updated 19 June 2026.