The EU AI Act: What It Is, What It Changes, and What Your Business Needs to Do

The EU AI Act is the world's first comprehensive legal framework for artificial intelligence. Whether you're building AI systems or deploying them, here's what you need to know.

What is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is the European Union's landmark regulation governing the development, deployment, and use of artificial intelligence. It was formally adopted on June 13, 2024, published in the Official Journal on July 12, 2024, and entered into force on August 1, 2024.

The regulation exists because AI systems are increasingly being used in decisions that affect people's lives — from hiring and lending to law enforcement and healthcare. While AI offers enormous benefits, it also introduces risks: bias, discrimination, lack of transparency, and potential threats to fundamental rights. The EU AI Act aims to ensure that AI systems used in Europe are safe, transparent, and respect fundamental rights, while still allowing innovation to thrive.

The Act establishes a risk-based regulatory framework, meaning that the obligations placed on an AI system depend on the level of risk it poses. Higher risk means stricter rules.

The risk-based framework

The EU AI Act classifies AI systems into four risk categories. Each category carries different obligations for providers (companies that develop or place AI systems on the market) and deployers (companies that use AI systems).

Unacceptable risk — banned practices (Article 5)

Some AI applications are considered to pose such a fundamental threat to people's rights that they are prohibited entirely. These include:

  • Social scoring by public authorities — AI systems that evaluate or classify people based on social behavior or personal characteristics, leading to detrimental treatment
  • Real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, with narrow exceptions for specific serious crimes, missing children, or imminent terrorist threats
  • Manipulative or deceptive AI techniques that exploit vulnerabilities of specific groups (e.g., due to age, disability, or social situation) to materially distort behavior in a way that causes significant harm
  • Emotion recognition in workplaces and schools, except for medical or safety purposes
  • Untargeted scraping of facial images from the internet or CCTV to build facial recognition databases

The prohibitions on these practices applied from February 2, 2025.

High risk (Annex III)

High-risk AI systems are those used in areas where failures or biases could significantly harm people's health, safety, or fundamental rights. Annex III of the regulation lists these areas, which include:

  • Biometric identification and categorization of natural persons
  • Management and operation of critical infrastructure (e.g., energy, transport, water supply, digital infrastructure)
  • Education and vocational training — systems that determine access to education or evaluate students
  • Employment and worker management — AI used in recruitment, screening, hiring decisions, task allocation, or performance monitoring
  • Access to essential private and public services — credit scoring, insurance risk assessment, emergency services dispatch
  • Law enforcement — risk assessment, polygraphs, evidence evaluation, crime prediction
  • Migration, asylum, and border control — risk assessment, document authenticity verification
  • Administration of justice and democracy — AI that assists judicial authorities in researching and interpreting facts and law

Providers of high-risk AI systems must complete a conformity assessment, produce detailed technical documentation, implement human oversight measures, and establish a risk management system — among other requirements detailed below.

Limited risk — transparency obligations (Article 50)

Some AI systems don't pose high risks but require transparency so that people know they are interacting with AI or viewing AI-generated content:

  • Chatbots and conversational AI must clearly inform users that they are interacting with an AI system
  • Deepfakes — AI-generated or manipulated images, audio, or video must be labeled as artificially generated or manipulated
  • Emotion recognition systems must inform the people being analyzed that the system is in operation
  • Biometric categorization systems must similarly notify individuals

Minimal risk

The vast majority of AI systems — such as spam filters, AI in video games, or inventory management tools — fall into the minimal risk category. These systems have no specific obligations under the EU AI Act, though providers are encouraged to voluntarily adopt codes of conduct.

Key compliance deadlines

The EU AI Act is being implemented in phases. Here are the critical dates:

  1. February 2, 2025: Prohibited AI practices (Article 5) are banned and enforceable. AI literacy obligations apply.
  2. August 2, 2025: Obligations for general-purpose AI (GPAI) models take effect. Governance structures (AI Office, AI Board, advisory bodies) become operational.
  3. August 2, 2026: Full application of the regulation. High-risk system requirements, transparency obligations, and all remaining provisions take effect.

A note on the Digital Omnibus proposal: In November 2025, the European Commission published a proposal to amend certain provisions of the AI Act as part of a broader "Omnibus" simplification package. One proposed change would extend the compliance deadline for certain standalone Annex III high-risk AI systems to December 2027. However, this proposal has not yet been adopted and may change during the legislative process. Companies should continue planning for the August 2, 2026 deadline until any extension is formally confirmed.

Who needs to comply?

The EU AI Act has extraterritorial scope (Article 2), similar to the GDPR. It applies to:

  • Providers who develop AI systems or general-purpose AI models and place them on the EU market or put them into service in the EU — regardless of where the provider is established
  • Deployers (users of AI systems) who are located in the EU
  • Providers and deployers located outside the EU if the output produced by the AI system is used in the EU

In practical terms: if your AI system affects anyone in the EU, the regulation likely applies to you — regardless of where your company is headquartered.

The regulation distinguishes between two key roles. Providers are the companies that develop or commission the development of an AI system and place it on the market under their own name. They bear the primary compliance burden, including conformity assessment, technical documentation, and post-market monitoring. Deployers are the companies that use AI systems under their authority. Deployers have lighter obligations — primarily around using systems in accordance with instructions, ensuring human oversight, and monitoring for risks — but they are not exempt from regulation.

What high-risk compliance requires

If your AI system is classified as high-risk, the EU AI Act mandates seven core obligations. These are the most substantive requirements in the regulation.

1. Risk management system (Article 9)

Providers must establish, implement, document, and maintain a risk management system throughout the AI system's lifecycle. This includes identifying and analyzing known and reasonably foreseeable risks, estimating and evaluating risks that may emerge when the system is used in accordance with its intended purpose and under conditions of reasonably foreseeable misuse, and adopting appropriate risk management measures.

2. Data governance (Article 10)

Training, validation, and testing datasets must meet quality criteria. Data must be relevant, sufficiently representative, and as free from errors as possible. Providers must consider the specific geographical, contextual, behavioral, or functional setting within which the system is intended to be used.

3. Technical documentation (Article 11)

Providers must draw up technical documentation before the system is placed on the market or put into service. This documentation must demonstrate that the system complies with the regulation's requirements and provide national competent authorities and notified bodies with the information necessary to assess compliance.

4. Record-keeping and logging (Article 12)

High-risk AI systems must allow for automatic recording of events (logs) throughout the system's lifetime. Logging must be sufficient to enable traceability of the system's functioning and to facilitate post-market monitoring.

5. Transparency and information to deployers (Article 13)

High-risk systems must be designed and developed to ensure that their operation is sufficiently transparent to enable deployers to interpret the system's output and use it appropriately. Providers must supply clear instructions for use, including information about the system's capabilities, limitations, intended purpose, and level of accuracy.

6. Human oversight (Article 14)

High-risk AI systems must be designed to allow effective oversight by natural persons during the period they are in use. Human oversight measures must be identified and built into the system by the provider, or identified as appropriate to be implemented by the deployer. The goal is to prevent or minimize risks to health, safety, or fundamental rights.

7. Accuracy, robustness, and cybersecurity (Article 15)

High-risk AI systems must achieve an appropriate level of accuracy, robustness, and cybersecurity, and perform consistently in those respects throughout their lifecycle. Providers must declare accuracy metrics and address potential biases, ensure the system can withstand errors and inconsistencies, and protect against unauthorized access or manipulation.

Penalties for non-compliance

The EU AI Act includes a tiered penalty structure that reflects the severity of the violation:

  • Up to EUR 35 million or 7% of global annual turnover: for violations of the prohibited AI practices (Article 5).
  • Up to EUR 15 million or 3% of global annual turnover: for non-compliance with other requirements, including high-risk system obligations.
  • Up to EUR 7.5 million or 1% of global annual turnover: for supplying incorrect, incomplete, or misleading information to authorities or notified bodies.

In all cases, the higher amount applies — percentage of turnover or the fixed sum, whichever is greater. For SMEs and startups, the regulation provides for proportionate caps on fines.

What your business should do now

Compliance with the EU AI Act is not something to defer until enforcement begins. Here are practical steps to take today:

Steps a compliance tool can help with

The following steps involve structured, repeatable work that compliance platforms like ClearAct are designed to streamline:

  1. Inventory your AI systems. Identify every AI system your company develops, deploys, or uses. Include third-party tools and embedded AI features in software you procure. A compliance tool lets you catalog these in one place with structured metadata.
  2. Classify each system by risk level. Map each system against the EU AI Act's risk categories. A guided wizard can walk you through the Annex III categories and determine whether your system is high-risk, limited-risk, or minimal-risk in minutes.
  3. Identify compliance gaps. For each high-risk system, assess which of the seven core requirements you currently meet and which need work. A dashboard that tracks document completion per system makes gaps immediately visible.
  4. Generate compliance documentation. The five required document types (risk assessments, technical documentation, conformity declarations, human oversight procedures, and transparency notices) follow a defined structure. Template-based generation with AI-assisted fills for system-specific sections can produce professional drafts in seconds rather than weeks.

Steps that require human judgment

No tool can replace these — they require organizational decisions, legal expertise, and internal coordination:

  1. Assign internal responsibility. Designate a person or team to own AI Act compliance. This could sit within legal, compliance, engineering, or a cross-functional group. This is an organizational decision that depends on your company structure.
  2. Review all generated documents with a legal professional. AI-generated compliance documents are drafts, not finished products. A qualified lawyer familiar with the EU AI Act should review and approve all documents before regulatory submission.
  3. Engage a notified body (if required). Certain high-risk AI systems under Annex III require third-party conformity assessment by an accredited notified body. This is an external process that cannot be handled by software.
  4. Monitor regulatory developments. The regulation is still being supplemented with implementing acts, harmonized standards, and codes of practice. Stay informed about updates from the EU AI Office.
  5. Ensure AI literacy. Article 4 requires that all staff involved in the operation and use of AI systems have a sufficient level of AI literacy. Plan training accordingly.

ClearAct handles the first four steps — inventory, classification, gap tracking, and document generation — so you can focus on the decisions that require human expertise. Try it free at clearact.ai.