AIRiskAware
Reference · Updated May 2026

What Is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive AI law. Approved by the European Parliament in March 2024 and formally adopted by the Council in May 2024, it entered into force on 1 August 2024, and its obligations take effect progressively. It applies to any organisation whose AI systems affect people in the EU, regardless of where the organisation is based.

Key fact: The Act has extraterritorial reach. A US, UK, Australian, or Asian organisation whose AI system is used by EU residents is in scope. There is no exemption for organisations headquartered outside the EU.

Enforcement timeline

1 Aug 2024
In force

Regulation entered into force.

2 Feb 2025
Prohibited practices

Banned AI practices take effect: social scoring, subliminal manipulation, real-time biometric ID (with narrow exceptions), emotion recognition at work, biometric categorisation by sensitive characteristics.

2 Aug 2025
GPAI model rules

General-purpose AI model obligations: transparency, copyright compliance, technical documentation. Systemic risk rules for large frontier models.

2 Dec 2027
High-risk AI obligations (Annex III)

Main Annex III high-risk AI system rules: conformity assessment, technical documentation, human oversight, EU AI database registration, post-market monitoring.

2 Aug 2028
Annex I systems (embedded)

High-risk AI embedded in products covered by existing EU sector legislation (medical devices, civil aviation, motor vehicles, toys, etc.) — deadline extended from Aug 2027 to Aug 2028 by the May 2026 Omnibus.

The four risk tiers

Every AI system falls into one category. Classification drives your compliance obligations.

Prohibited

Banned outright. Includes AI used for social scoring by public authorities, real-time biometric surveillance in public spaces, subliminal manipulation causing harm, exploitation of vulnerable groups, and untargeted scraping of facial images for recognition databases.

High-risk

Listed in Annex III. Covers AI in: biometric identification, critical infrastructure, education and training, employment decisions, essential services access (credit, benefits), law enforcement, migration and border control, and judicial administration. Requires conformity assessment, technical documentation, human oversight, and EU database registration before deployment.

Limited-risk

Transparency obligations only. Chatbots must disclose they are AI. Deepfake and synthetic content must be labelled. Emotion recognition systems must notify users. No conformity assessment required.

Minimal-risk

The vast majority of AI systems. Spam filters, product recommendation engines, AI writing assistants, video game AI. No mandatory requirements under the Act. Voluntary codes of conduct apply.

Providers vs deployers

Provider

Companies that develop, build, or place AI systems on the EU market.

  • Conformity assessment before deployment
  • Technical documentation
  • Quality management system
  • EU AI database registration
  • Post-market monitoring
  • Incident reporting to authorities

Deployer

Companies that use AI systems built by others in the course of professional activities.

  • Implement human oversight measures
  • Monitor AI system performance
  • Fundamental rights impact assessment (public sector and specific contexts)
  • Inform affected individuals AI is being used
  • Maintain use logs for high-risk systems

Penalties

  • Prohibited AI violations: Up to €35 million or 7% of global annual turnover
  • Other violations (high-risk AI, GPAI): Up to €15 million or 3% of global annual turnover
  • Providing incorrect information to authorities: Up to €7.5 million or 1% of global annual turnover
  • SMEs and startups: Lower percentage thresholds apply

Further reading

  • The EU AI Act Deadline Is Here: What Organisations Outside the EU Must Do Now
  • The EU AI Act Just Got Simpler. But You're Not Off the Hook
  • What Counts as High-Risk AI? The Full Annex III Breakdown
  • GDPR and the EU AI Act: How They Interact and Where They Conflict

Primary source: Regulation (EU) 2024/1689
