Compliance·Jun 5, 2026·10 min read

The EU AI Act explained: scope, risk tiers, and the deadlines that actually apply

The EU AI Act is usually described as a single deadline. It is not. It is a staggered set of obligations, some already in force and some years away, and the gap between what applies now and what applies later is where most organisations get their planning wrong.

The EU AI Act is the European Union's horizontal regulation for artificial intelligence. It sorts AI systems by the risk they pose, bans a small number outright, places strict obligations on a defined set of high-risk uses, and applies lighter transparency rules to most of the rest. It is the first comprehensive AI law of its kind, and its reach extends well beyond the EU's borders.

This guide explains the parts that matter in practice: who is covered, how the risk tiers work, the deadlines in the order they actually bite, and the rollout details that are still settling.

Who the EU AI Act applies to

The Act follows the AI system, not the postcode of the company behind it. If your AI output is used in the EU or affects people in the EU, you are likely in scope wherever you are based. It defines three roles.

Providers develop AI systems, or have them developed, and place them on the EU market under their own name. Deployers use AI systems under their own authority, and this is where most organisations sit: if you use a third-party tool for recruitment, credit decisions, or customer service, you are a deployer with obligations. Importers and distributors bring AI-enabled products into the EU market and carry responsibility for what they place there.

The practical implication catches many teams off guard: even if you did not build the AI, deploying it in an EU context makes it yours to govern. Non-EU companies are squarely in scope, which we cover in the guide for US companies.

The four risk tiers, and the mistake that inflates budgets

Your obligations are set by the tier your system falls into. Getting the tier right is the single most important step, because it decides how much work everything else requires.

Prohibited. A small set of uses is banned outright, including social scoring, untargeted scraping of facial images, real-time remote biometric identification in public spaces (with narrow law-enforcement exceptions), and emotion recognition in workplaces and schools. This ban has been in force since February 2025.

High-risk. Systems used in contexts where failure or bias can seriously affect rights, safety, or life chances: employment, credit and essential services, biometrics, critical infrastructure, education, law enforcement, and the administration of justice. These carry the full stack of obligations, including risk management, technical documentation, data governance, human oversight, and conformity assessment.

Limited risk. Systems that interact with people or generate content, such as chatbots and synthetic media, owe transparency rather than the full high-risk treatment. Under Article 50, users must be told they are dealing with AI unless that is already obvious from the context, and AI-generated or manipulated content must be marked as such.

Minimal risk. The large majority of AI, including spam filters, recommendation engines, and most productivity tools, carries no specific obligations beyond existing law such as GDPR.

The most expensive mistake is treating a limited-risk system as high-risk. A customer-service chatbot needs a clear disclosure that users are talking to AI, not a full technical file, a conformity assessment, and EU database registration. Over-classifying inflates a compliance budget many times over for controls the Act never asked for. Right-sizing by tier, honestly, is what separates a proportionate programme from an expensive one. The risk classification guide works through where each system lands.

The deadlines, in the order they actually bite

The Act has no single deadline. Obligations switch on in phases, and the order matters more than any one date.

Already in force. Prohibited practices and AI literacy duties since 2 February 2025, and obligations on general-purpose AI model providers since 2 August 2025.

Transparency, from 2 August 2026. Article 50 obligations for chatbots, deepfakes, and AI-generated content labelling. The machine-readable marking duties under Article 50(2) carry a short grace period to 2 December 2026 for generative systems that were already on the market before 2 August 2026.

Standalone high-risk, from 2 December 2027. The Annex III use cases: employment, credit, essential services, biometrics, education, law enforcement, and similar.

Product-embedded high-risk, from 2 August 2028. AI built into regulated products such as medical devices, machinery, and vehicles.

The takeaway for planning: transparency comes first, and the heavy high-risk obligations come later. A bank that runs both a customer-facing chatbot and an AI recruitment tool has to deal with the chatbot's Article 50 disclosures well before it has to finish the recruitment tool's high-risk conformity work. The compliance checklist sequences the work step by step.

Why the high-risk deadlines moved: the Digital Omnibus

The original Act placed most high-risk obligations at 2 August 2026. In early May 2026, EU institutions reached a provisional political agreement, the Digital Omnibus, that deferred the standalone high-risk deadline to 2 December 2027 and the product-embedded deadline to 2 August 2028. Transparency and general-purpose AI obligations were left on their original timeline.

Two things matter for planning. The deferral was, at the point of writing, a political agreement pending formal adoption and publication in the Official Journal, so it takes full legal effect only once published. And the extra time is not a reason to wait: the documentation a high-risk system needs takes months to build credibly, and the deadline that did not move, Article 50 transparency, is the one that arrives first.

The rollout is still maturing: supervision and guidance

The text of the Act is settled. The machinery around it is not, and that is the part organisations underestimate. Two gaps are worth knowing.

Supervision. Member states have to designate the national authorities that enforce the Act. At the time of writing only a minority have done so, which creates uncertainty about who you answer to and how evenly the Act will be enforced across the bloc. Germany, for example, has named the Bundesnetzagentur, while others are still organising.

Guidance. The Commission's detailed guidance on classifying high-risk systems and on Article 50 transparency arrived only in draft during 2026, and the harmonised technical standards that turn the Act's requirements into testable criteria are expected later still. In practice you are building against requirements that are still being clarified, so design a programme that can adapt rather than assuming today's draft is the final word.

Penalties

Enforcement carries real financial weight. Breaching the ban on prohibited practices can cost up to 35 million euros or 7% of global annual turnover, whichever is higher. Most other breaches, including high-risk obligations, reach up to 15 million euros or 3%, and supplying incorrect information to regulators up to 7.5 million euros or 1.5%. SMEs and start-ups pay the lower figure in each band. Beyond fines, regulators can order a system off the market, which for a product built around AI is the more existential risk.

What to do about it

The Act rewards organisations that can see and sort their AI, and exposes those that cannot. Three moves matter most, in order. Build an inventory of every AI system in use, including the embedded features inside software you already run. Classify each one by tier, honestly, so you neither under-protect a high-risk system nor over-spend on a limited-risk one. Then sequence the work to the deadlines, with transparency first and high-risk documentation on the longer runway. For high-risk systems specifically, the conformity assessment guide covers what the technical file and assessment actually involve.

Frequently asked questions

What is the EU AI Act in simple terms?

It is the EU's law for artificial intelligence. It classifies AI systems by risk, bans a few uses outright, imposes strict obligations on high-risk uses, and requires transparency from systems like chatbots and AI-generated content. It applies to any organisation whose AI affects people in the EU, not only EU companies.

What does the EU AI Act regulate?

It regulates how AI systems are placed on the EU market and used, based on the risk each system poses. It bans a small set of uses, imposes detailed obligations on high-risk systems, requires transparency from systems such as chatbots and synthetic media, and leaves minimal-risk AI largely untouched. It governs the use of AI, not underlying research.

How does the EU AI Act define an AI system?

It uses a broad, technology-neutral definition aligned with the OECD: a machine-based system designed to operate with varying levels of autonomy, which may exhibit adaptiveness after deployment, and which, for explicit or implicit objectives, infers from the input it receives how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. The breadth is deliberate, so the law does not date as techniques change.

Is the EU AI Act in force yet?

Partly. The ban on prohibited practices and the general-purpose AI rules are already in force. Transparency obligations apply from 2 August 2026, standalone high-risk obligations from 2 December 2027, and product-embedded high-risk from 2 August 2028, following the Digital Omnibus deferral.

Who does the EU AI Act apply to?

Providers that build or place AI systems on the EU market, deployers that use them under their own authority, and importers and distributors that bring AI-enabled products in. Most organisations are deployers. The Act applies extraterritorially, so non-EU companies with EU users or operations are in scope.

Who enforces the EU AI Act?

Enforcement sits with the national market surveillance authorities that each member state must designate, while the Commission's AI Office directly supervises providers of general-purpose AI models. At the time of writing only a minority of member states have named their authorities, so the supervisory picture is still forming. Germany, for example, has designated the Bundesnetzagentur.

What is prohibited under the EU AI Act?

The banned uses include social scoring, untargeted scraping of facial images to build recognition databases, real-time remote biometric identification in public spaces (with narrow law-enforcement exceptions), and emotion recognition in workplaces and schools. These prohibitions have applied since February 2025.

Is my chatbot high-risk under the EU AI Act?

Almost certainly not. A general customer-service chatbot is limited-risk: it owes a transparency disclosure under Article 50, not the full high-risk stack. A system only becomes high-risk when it is used in an Annex III context such as recruitment or credit decisions, or when it is a safety component of a product regulated under Annex I, such as a medical device. Treating a simple chatbot as high-risk is the most common over-spend.

What are the fines for breaching the EU AI Act?

Up to 35 million euros or 7% of global annual turnover for prohibited practices, up to 15 million euros or 3% for most other breaches, and up to 7.5 million euros or 1.5% for supplying incorrect information. SMEs and start-ups pay the lower figure in each band.

Does the EU AI Act apply to companies outside the EU?

Yes. If your AI system is placed on the EU market or its output is used by or affects people in the EU, you are in scope regardless of where you are based. The detail is in our guide for US companies.

Grasp maps every AI system in your organisation to its EU AI Act risk tier, flags what each one needs, and keeps the picture current as the rules settle. See the EU AI Act solution →