EU AI Act
The world's first comprehensive AI regulation framework
Updated 2 May 2025
legal, eu, regulation, ai-act, compliance
Overview
The EU AI Act is the world’s first comprehensive legal framework for artificial intelligence. Adopted in March 2024, it takes a risk-based approach — the higher the risk an AI system poses, the stricter the rules.
Key Dates
| Date | Milestone |
|---|---|
| April 2021 | European Commission proposal |
| March 2024 | Final adoption |
| August 2024 | Entry into force |
| February 2025 | Banned AI practices take effect |
| August 2025 | Rules for general-purpose AI (GPAI) apply |
| August 2026 | Full enforcement (high-risk systems) |
Risk Categories
Unacceptable Risk (BANNED)
- Social scoring by governments
- Real-time biometric surveillance in public (with exceptions)
- Manipulation of vulnerable people
- Emotion recognition in workplaces/schools
- Untargeted scraping of facial images for databases
High Risk (Heavy Regulation)
Requires conformity assessment, registration, transparency, human oversight:
- AI in critical infrastructure (transport, energy, water)
- Education and vocational training (scoring, admissions)
- Employment (recruitment, performance evaluation)
- Essential services (credit scoring, insurance)
- Law enforcement (risk assessment, evidence evaluation)
- Migration and border control
- Justice and democratic processes
Limited Risk (Transparency Obligations)
- Chatbots: Must disclose they are AI
- Deepfakes: Must be labelled
- Emotion recognition: Must inform subjects
Minimal Risk (No Specific Rules)
- AI-enabled video games
- Spam filters
- Most general-purpose applications
General-Purpose AI (GPAI) Rules
Applies to foundation models (GPT, Claude, Gemini, LLaMA, etc.):
All GPAI providers must:
- Provide technical documentation
- Comply with EU copyright law (transparency about training data)
- Publish a summary of training data
GPAI models with systemic risk (>10^25 FLOPs used in training) must also:
- Perform model evaluations and adversarial testing
- Assess and mitigate systemic risks
- Report serious incidents
- Ensure adequate cybersecurity
Enforcement
- Fines: Up to €35M or 7% of global annual turnover (whichever is higher)
- AI Office: EU body overseeing GPAI compliance
- National authorities: Each member state designates supervisory bodies
Key Implications for AICI
- Any AI system deployed in the EU falls under this regulation
- Content generation systems likely fall under “limited risk” (transparency)
- When advising clients, we need to understand which risk category their use case falls into
- GPAI rules are most relevant for organisations using/deploying frontier models
Questions / Follow-up
- How does this interact with GDPR?
- What are the specific documentation requirements for high-risk systems?
- How are open-source models treated? (Partial exemptions exist)
- What enforcement actions have been taken so far?
Resources
- Full text of the EU AI Act
- EU AI Office website
- Future of Life Institute — AI Act tracker