Chapter 1: What Is the EU AI Act and Why Should You Care?
What you will know after reading this chapter:
By the end of this chapter, you will understand what the EU AI Act is, why it was created, how it is structured, and whether it applies to your business.
A new law for AI
On 1 August 2024, the European Union's Artificial Intelligence Act entered into force. This is the world's first comprehensive legal framework specifically designed to regulate AI systems. Not guidelines. Not recommendations. A binding regulation with fines that can reach 35 million euros or 7% of global annual turnover — whichever is higher.
If your business develops, sells, or uses AI in any way that touches the EU market, this law applies to you. It does not matter where your company is headquartered. Under Article 2(1), you are within scope if you place an AI system on the EU market, if you use one as a deployer established in the EU, or if you are based outside the EU but the output your AI system produces is used in the EU.
This is not a future concern. The first set of obligations, AI literacy (Article 4) and the prohibition of certain AI practices (Article 5), has applied since 2 February 2025. The bulk of the high-risk obligations, for systems listed in Annex III, applies from 2 August 2026; high-risk systems that are safety components of products covered by other EU product legislation (Annex I) follow on 2 August 2027. A later backstop date of 2 December 2027 for Annex III systems has been proposed but not adopted, so plan against the dates in the Regulation itself.
Why this law exists
To understand what the EU AI Act requires, it helps to understand why it was created.
The EU has a consistent regulatory philosophy: technology should serve people, not the other way around. The General Data Protection Regulation (GDPR) applied this philosophy to personal data. The AI Act applies it to artificial intelligence.
The core concern is straightforward. AI systems are increasingly making or influencing decisions that significantly affect people's lives — whether they get a job, a loan, medical treatment, or attention from law enforcement. When these decisions are made by algorithms rather than humans, two problems arise. First, the people affected often do not know that AI is involved. Second, even when they do know, they have no way to understand why a particular decision was made or how to challenge it.
The AI Act addresses both problems. It requires transparency — people must be told when AI is being used. And it requires accountability — organisations must ensure that AI systems are safe, fair, and subject to human oversight.
How the law is structured: the risk-based approach
The AI Act does not treat all AI systems the same way. Instead, it uses a risk-based approach. The higher the potential harm of an AI system, the stricter the rules.
There are five categories:
Prohibited AI (Unacceptable Risk) — These are AI practices that the EU considers fundamentally incompatible with European values. They are banned outright under Article 5. Examples include social scoring that evaluates people on their social behaviour or personal characteristics and leads to unjustified or disproportionate detrimental treatment, manipulative or exploitative techniques that cause significant harm, emotion recognition in workplaces and educational institutions (except for medical or safety reasons), and real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (with narrow, authorised exceptions). If your AI system falls into this category, you cannot operate it in the EU. There is no compliance pathway. You stop, or you face the maximum fine.
High-Risk AI — These are AI systems used in areas where errors or bias can cause serious harm to individuals. There are two routes into this category. Annex III lists specific use cases: biometrics, critical infrastructure, education, recruitment and HR, access to essential services such as credit scoring and the pricing of life and health insurance, law enforcement, migration and border control, and the administration of justice. Separately, Article 6(1) covers AI that is a safety component of a product regulated under the EU product legislation listed in Annex I, such as medical devices and machinery. If your system falls into either group, you face a substantial set of obligations, but they are manageable. For deployers, most of the work is process and documentation; providers also carry technical requirements covering logging, accuracy, robustness and cybersecurity (Articles 12 and 15).
Limited-Risk AI (Transparency Obligations) — These are AI systems that interact directly with people or generate content, covered by Article 50. Chatbots, AI-generated images, audio and text, deepfakes, and emotion recognition and biometric categorisation systems fall here. The primary obligation is disclosure: you must tell people that they are interacting with AI, that content was AI-generated, or that such a system is being used on them. This tier stacks with the others: emotion recognition and biometric categorisation are also listed as high-risk in Annex III, and emotion recognition in the workplace or in education is prohibited outright.
Minimal-Risk AI — This covers the vast majority of AI systems currently in use. Spam filters, AI-powered search, recommendation engines, and most internal business tools fall here. The only binding obligation is AI literacy training under Article 4.
Out-of-Scope AI — Some AI systems are explicitly excluded from the regulation. These include AI used exclusively for military or defence purposes, scientific research that is not placed on the market, purely personal use, and certain open-source AI released under free and open-source licences — unless the system is classified as high-risk, falls under a prohibited practice (Article 5), or has transparency obligations (Article 50). Chapter 3 covers the open-source criteria in detail.
The most common mistake businesses make is assuming they are minimal-risk when they are actually high-risk. A recruitment tool powered by AI? High-risk. An AI system that prices life or health insurance? High-risk. An AI-powered medical diagnostic? High-risk, through the Medical Devices Regulation and Annex I. The classification is determined by the use case, not by the complexity of the technology. The only way out of an Annex III listing is the narrow derogation in Article 6(3) for systems that perform a purely preparatory or narrow procedural task and do not materially influence the outcome; profiling of natural persons never qualifies, and a provider relying on the derogation must document its assessment.
Who does this law apply to?
The AI Act defines several roles within the AI value chain. The two most important are:
Providers — the organisations that develop AI systems or have them developed, and place them on the market under their own name. Think of the companies that build and sell AI products. Their obligations are the heaviest under the law.
Deployers — the organisations that use AI systems under their own authority in a professional context. If you are a company using a third-party AI tool — calling an API, embedding a model, licensing a SaaS product — you are almost certainly a deployer.
The law also defines roles for importers (who bring AI systems into the EU from outside), distributors (who make AI systems available on the EU market), and authorised representatives (who act on behalf of non-EU providers). These roles carry their own obligations, but they affect a much smaller number of organisations. If you are an importer or distributor, you should seek specialised legal advice for your specific situation.
The critical point is this: most businesses reading this guide will be deployers. You did not build the AI. But you use it, and that use creates legal obligations. The nature and extent of those obligations depend on the risk classification of the AI system you are using, which is exactly what the next chapters will help you determine. One caveat: a deployer that puts its own name or trademark on a high-risk AI system, substantially modifies it, or changes the intended purpose of a system so that it becomes high-risk is treated as a provider under Article 25 and inherits the provider's full obligations. If you are a provider, this guide covers your obligations as well. From Chapter 4 onward, deployer and provider obligations are addressed separately so you can focus on what applies to you.
How the AI Act relates to GDPR
If your organisation already complies with GDPR, you have a head start. The two laws overlap in several areas:
Data Protection Impact Assessments (DPIAs) — GDPR already requires DPIAs for high-risk processing. The AI Act requires its own impact assessment, the Fundamental Rights Impact Assessment (FRIA) under Article 27, from certain deployers of high-risk AI systems: public bodies, private entities providing public services, and deployers using AI for credit scoring or life and health insurance pricing. The two assessments are different. A FRIA focuses specifically on AI-related risks such as bias and fundamental rights impacts, while a DPIA focuses on data protection risks, but they can be conducted together, and Article 27 expressly allows a FRIA to build on an existing DPIA. Chapter 8 explains both in detail.
Transparency and notification — GDPR requires you to inform individuals about automated decision-making (Articles 13, 14, and 22). The AI Act adds specific requirements about informing people that AI is being used and, in some cases, giving them the right to an explanation.
Data quality — GDPR's data accuracy principle (Article 5(1)(d)) aligns with the AI Act's requirement for data input quality. If you are already ensuring your data is accurate and up to date for GDPR purposes, you are partially meeting your AI Act obligations.
Human oversight — GDPR gives individuals the right not to be subject to solely automated decisions with legal effects (Article 22). The AI Act goes further, requiring that high-risk AI systems be designed to allow effective human oversight.
However, GDPR compliance does not equal AI Act compliance. The AI Act introduces obligations that GDPR does not cover — such as AI literacy training, system monitoring, log retention, and specific incident reporting requirements. Chapter 14 will explore the overlap and gaps in detail.
The enforcement timeline
The AI Act does not take effect all at once. It follows a phased timeline:
Already in force (since 2 February 2025): Article 4 (AI literacy) and Article 5 (prohibited AI practices). If you are using any AI system at all, you should already have conducted AI literacy training. If you are operating a prohibited AI practice, you are already in violation.
2 August 2025: Obligations for providers of general-purpose AI models (GPAI) take effect, along with the governance and penalty provisions. This primarily affects companies like OpenAI, Google, Anthropic, and Meta, but it also matters downstream: GPAI providers must supply technical documentation to the providers who integrate their models into AI systems, and those providers in turn owe deployers the instructions for use that deployer compliance relies on.
2 August 2026: The full set of high-risk obligations for Annex III systems takes effect. This is the main deadline for most businesses. Deployers of high-risk AI systems must have all Article 26 obligations in place by this date.
2 August 2027: High-risk obligations take effect for AI systems that are safety components of products regulated under the EU product legislation listed in Annex I, such as the Medical Devices Regulation (MDR) or the Machinery Regulation. A proposal to push the Annex III deadline back to 2 December 2027 at the latest exists, but it has not been adopted; treat the dates in the Regulation as binding until that changes.
Ongoing: The EU AI Office and national authorities will begin enforcement activities, including market surveillance, complaints handling, and audits.
What this means for you — right now
If you have read this far, you should have a clear picture of what the EU AI Act is and why it matters. But understanding the law in general terms is not enough. You need to answer three specific questions:
1. What is my role? Am I a provider or a deployer? (Chapter 2)
2. What is my risk classification? Is my AI system prohibited, high-risk, limited-risk, minimal-risk, or out of scope? (Chapter 3)
3. What are my specific obligations? What exactly do I need to do, and by when? (Chapters 4-13)
The rest of this guide will answer each of these questions in detail, with concrete examples, self-assessment tools, and step-by-step guidance.
Self-Check: Does the EU AI Act Apply to You?
Answer these three questions about your business:
1. Does your organisation develop, sell, or use any AI system or AI-powered tool? This includes third-party SaaS products with AI features, API-based AI services (such as the OpenAI, Anthropic Claude, or Google Gemini APIs), and internally developed models or algorithms. If yes, the AI Act likely applies to you in some capacity. Continue to question 2. If no, the AI Act does not currently apply, but revisit this assessment if you adopt AI in the future.
2. Is your AI system placed on the EU market, used by an organisation established in the EU, or is its output used in the EU? If yes to any of these, you are within the territorial scope of the AI Act (Article 2(1)). Continue to question 3. If no, you may be outside scope, but verify carefully. "Output used in the EU" includes situations where your AI's results are used to make decisions about people in the EU, even if your servers and company are outside the EU. Note that merely processing personal data about EU residents is a GDPR trigger, not on its own an AI Act one; the AI Act looks at where the system is marketed, operated, and where its output is used.
3. Is your use of AI limited to purely personal, non-professional purposes? If yes, you are excluded under Article 2(10). If no, you have obligations under the AI Act. The next step is to determine your role (Chapter 2) and risk classification (Chapter 3).
Summary
The EU AI Act is a binding EU regulation that classifies AI systems by risk level and assigns obligations accordingly. It applies to any organisation whose AI systems affect people in the EU, regardless of where that organisation is based. The law is already partially in force, with full high-risk obligations taking effect on 2 August 2026. Your obligations depend on two things: your role (provider or deployer) and your risk classification (prohibited, high, limited, minimal, or out of scope). The following chapters will help you determine both.