The plain-English explainer

EU AI Act compliance: the complete guide

The EU AI Act is the world's first comprehensive law on artificial intelligence. It sorts AI into four risk tiers and scales the rules to match, with the strictest obligations reserved for a defined set of high-risk uses. Regulation (EU) 2024/1689 sets all of this out; this page explains it without the legalese.

Reviewed by the AI Act Navigator team

TL;DR

  • What: the EU Artificial Intelligence Act, Regulation (EU) 2024/1689, the first horizontal AI law.
  • Approach: four risk tiers, prohibited, high-risk, limited (transparency) and minimal, with a separate track for general-purpose AI models.
  • Who: providers and deployers of AI, including non-EU and US companies whose AI reaches the EU.
  • When: phased. Bans + AI literacy since 2 Feb 2025; GPAI + governance + penalties since 2 Aug 2025; most high-risk + transparency from 2 Aug 2026.
  • Penalties: up to €35m or 7% of worldwide annual turnover, whichever is higher, for prohibited practices.

The phased deadlines

Already in force

The Article 5 prohibitions and Article 4 AI literacy duty (since 2 Feb 2025), and GPAI rules, governance and penalties (since 2 Aug 2025).

2 August 2026

Most high-risk (Annex III) and Article 50 transparency obligations begin to apply.

⚠️ A proposed Digital Omnibus would push the Annex III high-risk date to 2 December 2027. As of 9 June 2026 it has reached a provisional political agreement (Council, 7 May 2026) but is not yet adopted law [8]. See the full timeline tracker.

What the AI Act is, and how it works

The EU Artificial Intelligence Act, the AI Act for short, is Regulation (EU) 2024/1689. It is the world's first comprehensive horizontal law on artificial intelligence, setting harmonised rules for placing AI systems and general-purpose AI models on the EU market and putting them into service, to protect safety and fundamental rights while supporting innovation. As a directly applicable EU Regulation it is binding in every Member State with no national transposition needed [2].

Its central idea is a risk-based approach: the obligations scale with the level of risk an AI system poses, across four tiers, unacceptable (prohibited), high-risk, limited (transparency) risk and minimal risk. General-purpose AI models are regulated on a separate track. Most everyday AI sits in the lighter tiers with few or no new duties [3].

The four risk tiers

Everything in the Act flows from working out which tier your AI sits in.

[Figure: four ascending coloured bands, one per EU AI Act risk tier]

Prohibited (unacceptable)

Eight practices banned outright under Article 5. Banned since 2 February 2025.

High-risk

AI in the eight Annex III areas, or built into regulated products. The strictest obligations.

Limited (transparency)

Chatbots, deepfakes and AI-generated content. Must be disclosed or labelled under Article 50.

Minimal

Everything else, such as spam filters and AI in games. No tier-specific obligations beyond the general Article 4 AI literacy duty; voluntary codes of conduct are encouraged.

Prohibited practices (Article 5)

These uses are deemed an unacceptable risk and are banned outright, with effect from 2 February 2025 (Article 5) [1].

  1. Subliminal, manipulative or deceptive techniques that materially distort behaviour and cause significant harm.
  2. Exploiting vulnerabilities due to age, disability or socio-economic situation to distort behaviour and cause harm.
  3. Social scoring that leads to detrimental or unjustified treatment.
  4. Predictive policing based solely on profiling a person's risk of committing a crime.
  5. Untargeted scraping of facial images from the internet or CCTV to build facial-recognition databases.
  6. Emotion recognition in the workplace and in education (except medical or safety reasons).
  7. Biometric categorisation inferring sensitive attributes such as race, political opinions or sexual orientation.
  8. “Real-time” remote biometric identification in public spaces for law enforcement, with narrow, authorised exceptions.

Proposed, not yet law: a 9th prohibition

A proposed Digital Omnibus would add a ninth Article 5 ban, on AI generating non-consensual intimate imagery (“nudifier” apps) and AI-generated child sexual abuse material. As of 9 June 2026 this is a provisional political agreement, not yet adopted into law [8].

High-risk AI: two routes in

An AI system is high-risk by one of two routes (Article 6) [1].

  • Route 1, Annex I, safety components. AI that is a safety component of, or is itself, a product covered by existing EU product-safety law (machinery, medical devices, toys, lifts, radio equipment, motor vehicles, aviation) and required to undergo third-party conformity assessment.
  • Route 2, Annex III, listed use cases. Stand-alone AI used in one of eight defined areas.

The eight Annex III areas are [4]:

  1. Biometrics (remote ID, categorisation, emotion recognition where not prohibited).
  2. Critical infrastructure (safety components for traffic, water, gas, heating, electricity, digital infrastructure).
  3. Education and vocational training (admissions, assessment, exam proctoring).
  4. Employment and worker management (recruitment, screening, promotion, monitoring).
  5. Access to essential services (credit scoring, public benefits, life and health insurance pricing, emergency triage).
  6. Law enforcement (risk assessment, polygraphs, evidence evaluation, profiling).
  7. Migration, asylum and border control (risk assessment, application examination, person detection).
  8. Administration of justice and democratic processes (assisting judges, influencing elections).

The Article 6(3) filter: not every Annex III system is high-risk

An Annex III system is not high-risk if it does not pose a significant risk of harm to health, safety or fundamental rights, for example because it performs a narrow procedural task, improves the result of a prior human activity, or does preparatory work without replacing human judgement. Two caveats. First, the exception never applies if the system profiles natural persons. Second, a provider relying on it must document its assessment before the system is placed on the market or put into service (Article 6(4)), so the filter is a recorded decision, not an assumption. Don't assume the filter gets you out; work it through [1].

Limited risk: the transparency duties (Article 50)

Some AI is not high-risk but still needs to be honest about what it is [1].

  • Chatbots: people must be told they are interacting with an AI, unless it is obvious.
  • AI-generated content: providers must mark synthetic audio, image, video or text in a machine-readable way.
  • Deepfakes: deployers must disclose that content is artificially generated or manipulated.
  • Emotion recognition and biometric categorisation: deployers must inform the people exposed to it.

Who must comply, and the extraterritorial reach

The duties fall mainly on two roles, with importers, distributors and product manufacturers also caught (Articles 16 and 26) [1].

Provider

Develops an AI system or GPAI model and places it on the market under its own name. Carries the heaviest load for high-risk systems: risk management, data governance, documentation, conformity assessment and CE marking.

Deployer

Uses an AI system under its own authority in a professional context. Must follow the instructions for use, assign human oversight, monitor operation and, in some cases, run a Fundamental Rights Impact Assessment.

A deployer, importer or distributor can be reclassified as a provider (taking on full provider duties) if it puts its name on a high-risk system, substantially modifies it, or changes its intended purpose (Article 25) [1]. See the full breakdown in the provider vs deployer obligations guide.

Why US and non-EU companies care

The Act has GDPR-style extraterritorial reach. A company with no EU establishment is still in scope if it places an AI system or GPAI model on the EU market, or if the output of its AI system is used in the EU. A US SaaS vendor whose AI outputs reach EU users can be a regulated provider or deployer, and non-EU high-risk providers must appoint an EU authorised representative (Article 2) [1].

General-purpose AI (GPAI) models

Broadly capable models, such as large language models, are regulated on their own track under Chapter V, which has applied since 2 August 2025. The Commission's guidelines use an indicative marker of more than 10²³ FLOP of training compute to identify a GPAI model [5].

All GPAI model providers (Article 53) must keep technical documentation, give information to downstream providers who integrate the model, have a policy to comply with EU copyright law, and publish a summary of the content used for training. Free and open-source models are exempt from some documentation duties, unless they carry systemic risk [1].

GPAI models with systemic risk (Article 55), presumed when cumulative training compute exceeds 10²⁵ FLOP (Article 51), face extra duties even when open-source: model evaluation including adversarial testing (red-teaming), assessing and mitigating systemic risks, reporting serious incidents to the AI Office, and adequate cybersecurity for the model and its physical infrastructure [1].

The voluntary GPAI Code of Practice, drawn up under the AI Office, helps providers demonstrate compliance with Articles 53 and 55 while harmonised standards are still being finalised [6].

The timeline at a glance

  • 1 Aug 2024: the Act enters into force.
  • 2 Feb 2025 (in force): Article 5 prohibitions and Article 4 AI literacy duty apply.
  • 2 Aug 2025 (in force): GPAI model rules, governance (the AI Office) and penalties apply.
  • 2 Aug 2026: most high-risk (Annex III) and Article 50 transparency obligations apply.
  • 2 Aug 2027: high-risk AI that is a safety component of regulated (Annex I) products; also the compliance deadline for GPAI models placed on the market before 2 Aug 2025.

See the living timeline tracker for the proposed Digital Omnibus changes and the current status of each date [9].

Penalties

Fines are tiered under Article 99, which has applied since 2 August 2025 [7]. One exception: the Commission's separate power to fine GPAI model providers (Article 101, up to €15 million or 3%) applies only from 2 August 2026 [1].

  • Prohibited practices (Article 5): up to €35 million or 7% of total worldwide annual turnover, whichever is higher.
  • Other obligations (including high-risk and transparency): up to €15 million or 3%.
  • Misleading information to authorities: up to €7.5 million or 1%.

For SMEs and start-ups, each fine is capped at the lower of the percentage or the fixed amount, and authorities must weigh proportionality.

AI literacy (Article 4)

In force since 2 February 2025, this is a duty most organisations can act on now. Providers and deployers must take measures to ensure, to their best extent, a sufficient level of AI literacy among staff and others operating AI on their behalf, tailored to their knowledge and the context of use. It applies to all AI systems, not just high-risk, and to non-EU entities in scope (Article 4) [1]. See the AI literacy guide.

ISO 42001 and harmonised standards

ISO/IEC 42001 is the international standard for an AI management system, and a strong head-start on the governance controls the Act expects. But on its own it is an international standard, not a harmonised European one, and so confers no automatic presumption of conformity with the Act (source: ISMS.online).

That presumption comes from following harmonised standards whose references are published in the Official Journal. CEN-CENELEC is still developing them. Until they land, ISO/IEC 42001 and the GPAI Code of Practice are practical bridges, not legal shields (Article 40) [1]. See our AI governance guide.

Not sure which tier your AI is in?

The free Risk-Tier Classifier walks you through a few plain-English questions and tells you whether your system is prohibited, high-risk, limited-risk or minimal-risk, with tailored next steps. No email wall to see your result.

By the numbers

The EU AI Act in a few figures

  • 4: risk tiers, prohibited, high-risk, limited (transparency), minimal.
  • €35m / 7%: maximum fine for prohibited practices, €35m or 7% of worldwide annual turnover, whichever is higher.
  • 2 Aug 2026: when most high-risk and transparency obligations apply.
  • 8: Annex III high-risk use-case areas.

Penalty tiers run €35m / 7%, €15m / 3% and €7.5m / 1%; SMEs and start-ups face the lower of the two figures in each tier [7].

FAQ

People also ask

What is the EU AI Act?
The EU AI Act is Regulation (EU) 2024/1689, the world's first comprehensive law on artificial intelligence. It takes a risk-based approach, sorting AI into four tiers, prohibited, high-risk, limited (transparency) risk and minimal risk, with obligations that scale with the risk. General-purpose AI models are regulated on a separate track. It entered into force on 1 August 2024 and applies in phases through 2027.
When does the EU AI Act apply?
In phases. The Article 5 prohibitions and the Article 4 AI literacy duty have applied since 2 February 2025. GPAI model rules, governance and penalties since 2 August 2025. Most high-risk (Annex III) and transparency obligations from 2 August 2026, and AI embedded in regulated products from 2 August 2027. A proposed Digital Omnibus would postpone the Annex III high-risk date to 2 December 2027, but that is not yet law as of June 2026.
What are the four risk tiers?
Prohibited (unacceptable) practices are banned outright under Article 5, for example social scoring and untargeted facial-image scraping. High-risk AI, the eight Annex III use-case areas plus AI that is a safety component of regulated products, carries the strictest obligations. Limited-risk AI (chatbots, deepfakes, AI-generated content) carries transparency duties under Article 50. Everything else is minimal-risk, with no tier-specific obligations beyond the general Article 4 AI literacy duty.
Does the AI Act apply to non-EU or US companies?
Yes, it can. The Act has extraterritorial reach. A company with no EU establishment is still in scope if it places an AI system or GPAI model on the EU market, or if the output produced by its AI is used in the EU. This "output used in the Union" trigger gives it broad reach comparable to GDPR, and non-EU high-risk providers must appoint an EU authorised representative.
What is the difference between a provider and a deployer?
A provider develops an AI system or GPAI model (or has it developed) and places it on the market or puts it into service under its own name or trademark, and carries the heaviest obligations for high-risk systems. A deployer uses an AI system under its own authority in a professional capacity. A deployer can be reclassified as a provider if it puts its name on a high-risk system, substantially modifies it, or changes its intended purpose.
How are general-purpose AI (GPAI) models regulated?
On a separate track under Chapter V. All GPAI model providers must keep technical documentation, give information to downstream providers, have a policy to comply with EU copyright law, and publish a summary of training content. Models presumed to carry systemic risk (training compute above 10²⁵ FLOP) face extra duties: model evaluation and adversarial testing, systemic-risk mitigation, serious-incident reporting and cybersecurity. The GPAI Code of Practice helps demonstrate compliance.
What are the penalties under the EU AI Act?
Fines are tiered. Breaching the Article 5 prohibited practices can cost up to €35 million or 7% of worldwide annual turnover, whichever is higher. Most other breaches are capped at €15 million or 3%, and supplying misleading information at €7.5 million or 1%. For SMEs and start-ups the lower of the two figures applies. The Article 99 penalty regime has been in force since 2 August 2025; the Commission's power to fine GPAI model providers under Article 101 applies from 2 August 2026.
Does ISO/IEC 42001 mean I comply with the AI Act?
Not on its own. ISO/IEC 42001 is the international standard for an AI management system and is strong evidence of governance maturity, but it is not a harmonised European standard under the Act and confers no automatic presumption of conformity. That presumption comes from following harmonised standards once their references are published in the Official Journal. ISO/IEC 42001 is a head-start on the controls, not a legal compliance shield.

This is guidance, not legal advice

This is guidance to help you understand the EU AI Act, not legal advice. For decisions specific to your business, confirm with the official sources we link or a qualified adviser. We cannot guarantee compliance, and you should be wary of anyone who says they can.

Sources

  [1] Regulation (EU) 2024/1689, Artificial Intelligence Act (EUR-Lex). Retrieved 9 Jun 2026.
  [2] European Commission: Regulatory framework on AI. Retrieved 9 Jun 2026.
  [3] AI Act high-level summary (artificialintelligenceact.eu). Retrieved 9 Jun 2026.
  [4] Annex III, high-risk use-case areas. Retrieved 9 Jun 2026.
  [5] Commission GPAI Guidelines overview. Retrieved 9 Jun 2026.
  [6] Introduction to the GPAI Code of Practice. Retrieved 9 Jun 2026.
  [7] Article 99, penalties. Retrieved 9 Jun 2026.
  [8] Council of the EU: provisional agreement on the Digital Omnibus (7 May 2026). Retrieved 9 Jun 2026.
  [9] AI Act implementation timeline. Retrieved 9 Jun 2026.

