The Ultimate Guide to EU AI Act Compliance (2026 Edition)

Jasper Claes


📋 Key Takeaways — What You Need to Know Right Now:

  • The EU AI Act (Regulation 2024/1689) is the world’s first comprehensive legal framework governing artificial intelligence — and it applies to any company whose AI touches EU citizens, regardless of where you’re headquartered.
  • Enforcement is phased: prohibited practices were banned in February 2025, GPAI obligations applied from August 2025, and high-risk AI obligations are fully enforceable from August 2, 2026.
  • Fines reach €35 million or 7% of global annual turnover — and documented compliance effort is a formal mitigating factor under the Act.
  • This guide covers everything: the history, the four risk tiers, every enforcement deadline, and a summary of each key Article.

If you’ve landed here, you’re either trying to understand what the EU AI Act actually requires, or you’re trying to explain it to someone else — a board member, a product manager, a legal team that keeps asking the same questions. Either way, this is the resource you need.

I’ve spent the better part of three years helping companies navigate AI regulation across Europe. The EU AI Act is genuinely complex — 113 Articles, multiple Annexes, a phased implementation timeline, and an ongoing stream of delegated acts and guidance from the European AI Office. But the core logic is surprisingly clear once you understand the structure.

This guide covers everything: the history and intent behind the law, the four risk tiers, the full enforcement timeline through 2027, and a plain-language summary of every major Article. Bookmark it. Share it with your team. Update your reading when new Commission guidance drops.

And when you’re ready to move from understanding to action, start with the 6-Month Readiness Checklist or run a free Audit Simulation to see exactly where your compliance programme stands today.

Part 1: Why the EU AI Act Exists — The History and Intent

The EU AI Act didn’t appear from nowhere. It is the product of a decade-long policy conversation about the risks posed by increasingly capable automated decision-making systems — and a direct political response to a set of documented, real-world harms.

The European Commission first published its White Paper on AI in February 2020, outlining a “human-centric” approach to AI regulation that sought to balance innovation with fundamental rights protection. The formal legislative proposal followed in April 2021 — a 108-page draft that triggered three years of intense negotiation between the Commission, the European Parliament, and the Council of the EU.

The key political debates centred on three areas: the scope of prohibition on biometric surveillance (Parliament pushed for stronger restrictions than the Council wanted), the treatment of general-purpose AI models (not in the original draft — added following the explosion of interest in large language models in 2022–2023), and the balance between innovation support for SMEs and the compliance burden of the high-risk obligations.

The final text was adopted by the European Parliament on March 13, 2024, and entered into force on August 1, 2024. It is directly binding across all 27 EU member states with no need for national transposition — though member states must designate national supervisory authorities.

The underlying intent, as stated in Recital 1, is to ensure that AI systems placed on the EU market are safe, transparent, non-discriminatory, and environmentally sustainable, while supporting innovation and the internal market. That dual mandate — protection and enablement — is the philosophical tension that runs through every Article of the Act.

The official text is published on EUR-Lex. Ongoing Commission guidance and European AI Office publications are available at the European Commission’s AI policy hub.

Part 2: Scope — Who Does the EU AI Act Apply To?

Before anything else: does the Act apply to you? Article 2 defines scope with deliberate breadth.

The AI Act applies to:

  • Providers who place AI systems or GPAI models on the EU market or put them into service in the EU — regardless of whether the provider is established in the EU or in a third country
  • Deployers of AI systems who are established or located in the EU
  • Providers and deployers established outside the EU, where the AI system’s output is used in the EU
  • Importers and distributors of AI systems made available in the EU
  • Product manufacturers who incorporate AI systems into regulated products under EU law

The extraterritorial reach is explicit and intentional — it mirrors the GDPR model. A US company whose AI product is used by EU-based customers, a Singaporean startup selling AI hiring tools to European corporations, a UK company (post-Brexit) whose AI produces outputs consumed in France — all are potentially in scope.

Notable exclusions include: AI systems used exclusively for military or national security purposes, AI used purely for scientific research (with some caveats), and open-source models where the weights are freely available and the provider is not otherwise placing a high-risk system on the market.

Part 3: The Four Risk Tiers Explained

The Act’s most important structural feature is its risk-based approach. Rather than applying identical rules to every AI system, it creates four tiers of obligation calibrated to the potential harm an AI system can cause.

| Risk Tier | Definition | Regulatory Approach | Real-World Examples |
| --- | --- | --- | --- |
| Unacceptable Risk | AI that poses a clear threat to fundamental rights, human dignity, or safety | Completely prohibited — no commercial justification permitted | Government social scoring; real-time biometric surveillance of public spaces; subliminal manipulation tools; workplace emotion recognition |
| High Risk | AI with significant potential to harm health, safety, or fundamental rights | Full compliance obligations — Technical File, risk management, human oversight, post-market monitoring | CV screening tools; credit scoring AI; medical device software; student assessment systems; critical infrastructure AI |
| Limited Risk | AI that poses specific transparency risks to users | Transparency obligations only — users must be informed they’re interacting with AI | Chatbots; AI-generated content tools; deepfake generators; emotion recognition in consumer settings |
| Minimal Risk | Negligible harm potential in standard deployment | No mandatory obligations — voluntary codes of practice encouraged | Spam filters; basic product recommendation engines; AI in video games; image categorisation for personal use |

The most important tier for most commercial AI operators is High Risk — specifically the systems defined in Annex III. This is where the majority of compliance effort concentrates. To determine whether your system falls into this category, read our dedicated guide: Is Your AI High-Risk? A Guide to Annex III Classifications.

Part 4: The Complete EU AI Act Enforcement Timeline

The Act’s phased implementation is one of its most misunderstood features. Not all obligations apply from the same date. Understanding the timeline is essential for sequencing your compliance programme correctly.

| Date | Milestone | What Becomes Enforceable | Who’s Affected |
| --- | --- | --- | --- |
| August 1, 2024 | Act enters into force | Law is active; compliance clock starts; member states begin supervisory authority designation | All operators |
| February 2, 2025 | Prohibited practices enforceable | Article 5 prohibitions fully in force; Article 4 AI literacy obligations apply | All operators; highest fines apply |
| August 2, 2025 | GPAI model obligations apply | Chapter V (GPAI) obligations; EU AI Office operational; Codes of Practice for GPAI active | GPAI model providers; downstream deployers |
| August 2, 2026 | High-risk AI obligations fully enforceable ⬅ THIS IS NOW | All Annex III high-risk obligations (Articles 8–15, 25, 26, 72); EU AI database registration required; conformity assessments operational | Providers & deployers of high-risk AI systems |
| August 2, 2027 | Annex I high-risk AI (regulated products) | AI embedded in products regulated under existing EU product safety legislation (medical devices, machinery, vehicles) | Manufacturers of regulated products containing AI |
| Ongoing | Commission delegated acts and guidance | Ongoing: harmonised standards, sector-specific guidance, AI Office opinions, threshold reviews | All operators |

Part 5: Key Articles — Plain-Language Summary

The EU AI Act contains 113 Articles organised across 13 Chapters. Below is a plain-language summary of the Articles most relevant to commercial AI operators. This is not a substitute for legal advice — but it is the foundation every compliance professional needs. You may also check our EU AI Act Glossary section.

Chapter I: General Provisions (Articles 1–4)

Article 1 — Subject Matter. Establishes the Act’s purpose: to ensure AI systems placed on the EU market are safe and respect fundamental rights, while supporting the internal market and innovation.

Article 2 — Scope. Defines who is subject to the Act. Critically includes non-EU operators whose AI outputs are used within the EU. Key exclusions: military AI, purely scientific research, open-source models (with conditions).

Article 3 — Definitions. Contains 65 defined terms. The most important for compliance purposes: AI system (a machine-based system that infers from inputs how to generate outputs such as predictions, recommendations, or decisions), provider, deployer, substantial modification, and general-purpose AI model.

Article 4 — AI Literacy. Requires providers and deployers to ensure that people working with AI systems have sufficient AI literacy — “appropriate” to their role and the context. In force from February 2025. See our post on meeting mandatory AI literacy training requirements.

Chapter II: Prohibited AI Practices (Article 5)

Article 5 — Prohibited AI Practices. The Act’s absolute red lines. In force since February 2025. Prohibitions cover: subliminal manipulation causing harm, exploitation of psychological vulnerabilities, government social scoring systems, real-time biometric identification by law enforcement in public spaces (narrow exceptions apply), emotion recognition in workplaces and educational institutions, and biometric categorisation that infers protected characteristics.

For a detailed breakdown of each prohibition with worked product examples, see our post: Prohibited AI Practices 2026: What Features You Must Remove Now.

Chapter III: High-Risk AI Systems (Articles 6–51)

This is the Act’s operational core — the longest and most detailed section, covering the full compliance programme for high-risk AI.

Article 6 — Classification of High-Risk AI Systems. Establishes the two-track classification: Annex II (AI embedded in regulated products) and Annex III (standalone high-risk AI). Also contains the Article 6(3) exemption for systems performing narrow procedural tasks that don’t substitute for human decisions.

Article 7 — Amendments to Annex III. Gives the Commission power to update the Annex III list by delegated act, based on evolving AI capabilities and risk evidence. This means the high-risk categories can expand without full legislative process — monitor Commission activity closely.

Article 8 — Compliance with Requirements. Establishes that high-risk AI systems must comply with the requirements in Articles 9 through 15 throughout their entire lifecycle — not just at the point of market placement.

Article 9 — Risk Management System. Requires a continuous, iterative risk management process covering: identification of known and foreseeable risks, estimation and evaluation of risks, risk mitigation measures, and residual risk documentation. The risk management system must be established before market placement and maintained throughout the system’s lifetime. This is one of the most operationally demanding requirements in the Act.

Article 10 — Data and Data Governance. Sets requirements for training, validation, and testing datasets: practices must be appropriate, datasets must be sufficiently representative, data quality measures must address biases, and sensitive personal data handling must be justified. This is where AI and data protection law overlap most directly.

Article 11 — Technical Documentation. Requires providers to draw up and maintain technical documentation before market placement. The documentation must be sufficient to demonstrate conformity with requirements and to enable conformity assessment. The specific content requirements are defined in Annex IV. For engineering teams, see our Article 11 implementation guide and our Technical File pillar guide.

Article 12 — Record-Keeping. High-risk AI systems must have automatic logging capabilities that enable post-hoc review of their operation. Logs must be stored for at least six months (longer where sector law requires). For systems deployed by public authorities, logging requirements are more extensive. This is the technical foundation for the audit trail requirements explored in our Evidence Vault post.

Article 13 — Transparency and Provision of Information to Deployers. Providers must design systems to operate transparently and supply deployers with sufficient information about the system’s capabilities, limitations, accuracy metrics, and maintenance requirements — enabling deployers to meet their own obligations.

Article 14 — Human Oversight. High-risk AI systems must be designed and built to allow human oversight — including the ability to understand the system’s output, monitor it during operation, and override or interrupt it. The design must prevent “automation bias”: the tendency of humans to defer to AI outputs without critical evaluation. For implementation guidance, see our post on designing Article 14 compliant human oversight.

Article 15 — Accuracy, Robustness, and Cybersecurity. High-risk AI systems must achieve appropriate levels of accuracy throughout their lifecycle. They must be resilient against errors, faults, and inconsistencies. They must be protected against attempts to alter their behaviour by malicious third parties (adversarial attacks). Performance metrics must be documented in the Technical File.

Articles 16–27 — Obligations for Providers and Deployers. These Articles establish the specific legal obligations for each operator type:

  • Article 16 lists provider obligations: establishing a quality management system, drafting technical documentation, implementing conformity assessment, affixing the CE marking, registering in the EU database, and post-market monitoring.
  • Article 17 requires providers to establish a Quality Management System (QMS) covering compliance strategy, design and development procedures, data governance practices, risk management, post-market monitoring, and incident reporting.
  • Article 25 covers obligations that apply when a downstream deployer substantially modifies a high-risk system — at that point, the deployer effectively becomes a provider and must meet all provider obligations.
  • Article 26 sets deployer obligations: use systems in accordance with instructions, ensure appropriate human oversight, monitor for risks, and report serious incidents.

For the practical distinction between provider and deployer status, see: Provider vs. Deployer: Which EU AI Act Obligations Apply to You?

Articles 43–47 — Conformity Assessment. High-risk AI systems must undergo a conformity assessment before market placement. For most Annex III systems, providers can self-certify (internal conformity assessment procedure). Exceptions requiring third-party Notified Body assessment include biometric identification systems and AI used in critical infrastructure. Article 47 requires a formal EU Declaration of Conformity — a legal document signed by the provider affirming compliance.

Article 49 — CE Marking. High-risk AI systems that pass conformity assessment must bear the CE marking — the standard EU conformity marker used across product safety regulation.

Article 51 — Registration. Providers must register high-risk AI systems in the EU’s public AI database before placing them on the market. The database entry must include system descriptions, conformity assessment references, and contact information for the provider.

Chapter IV: Transparency Obligations (Articles 50–52)

Article 50 — Transparency Obligations for Limited-Risk AI. Providers of AI systems that interact directly with users (chatbots, AI-generated content tools) must ensure users are informed they’re interacting with AI — unless the AI nature is obvious from context. For AI-generated content, appropriate labelling or disclosure is required. These “limited risk” obligations apply to a much broader universe of AI products than the high-risk provisions.

Chapter V: General-Purpose AI Models (Articles 51–56)

Articles 53–54 — GPAI Provider Obligations. All GPAI model providers must: maintain technical documentation, provide downstream operators with information about training data and model capabilities, establish copyright compliance policies, and publish summaries of training data used. These obligations applied from August 2, 2025.

Article 55 — Systemic Risk GPAI. Models with training compute exceeding 10²⁵ FLOPs face additional obligations: model evaluation against the state of the art, adversarial testing, serious incident reporting to the European AI Office, and implementation of cybersecurity measures. Currently captures the largest frontier models.

For product teams building on GPAI models, see our full analysis: 2026 Roadmap: Transitioning from GPAI Transparency to High-Risk Governance.

Chapter VI: Market Surveillance (Articles 57–70)

Article 57 — National Competent Authorities. Each EU member state must designate at least one national competent authority responsible for market surveillance. This authority has powers to investigate, audit, order corrective measures, restrict or prohibit market access, and impose fines.

Article 64 — Access to Data and Documentation. Market surveillance authorities have the right to access the source code of high-risk AI systems where necessary to assess compliance. This is a significant provision — it means compliance cannot rely on opacity about system workings. Your Technical File and logging systems need to be able to support this access.

Article 71 — EU AI Database. A public database of registered high-risk AI systems, maintained by the European AI Office. Registration is mandatory before market placement. The database entries are publicly accessible — making your compliance status (or lack of it) visible to customers, competitors, and the press.

Article 72 — Post-Market Monitoring. Providers must establish and operate a post-market monitoring system — a structured process for collecting and analysing data on system performance throughout its operational life. For systems used by large numbers of users, this must include automatic logging and systematic feedback mechanisms. For the practical implementation of post-market monitoring, see our post on managing model drift and post-market monitoring requirements.

Articles 73–75 — Incident Reporting. Providers must report serious incidents — where an AI system caused or contributed to death, serious injury, or significant disruption to critical infrastructure — to national authorities without undue delay. For consumer-facing systems, the timeline is 15 days for serious incidents, 3 days for life-threatening incidents.

Chapter X: Penalties (Articles 99–101)

Article 99 — Penalties. Establishes the three-tier fine structure: up to €35M / 7% turnover for prohibited practice violations; up to €15M / 3% for high-risk AI non-compliance; up to €7.5M / 1% for providing misleading information to authorities. For a complete breakdown of how fines are calculated and the non-fine costs of non-compliance, see: The Cost of Non-Compliance: Breaking Down the €35M EU AI Act Fines.

Article 101 — Limitation Period. Five-year limitation period for infringement investigations — giving market surveillance authorities a substantial enforcement window.

Part 6: The Key Annexes Explained

The Act’s Annexes are as important as the Articles — they define the specific content requirements and categories that the Articles reference.

Annex I — High-Risk AI in Regulated Products. Lists the existing EU product safety legislation (medical devices, machinery, vehicles, toys, aviation) within whose scope AI systems are automatically high-risk if they constitute a safety component. This annex covers the August 2027 compliance deadline.

Annex II — Corresponding Union Legislation. The list of existing EU product safety laws referenced by Annex I. Understanding this annex helps manufacturers of regulated products understand when their embedded AI triggers high-risk status.

Annex III — High-Risk AI Systems Standalone. The eight categories of standalone high-risk AI: biometric identification, critical infrastructure, education and training, employment and worker management, essential services, law enforcement, migration and asylum, and administration of justice. August 2026 deadline. Full analysis: Is Your AI High-Risk?

Annex IV — Technical Documentation. The complete content requirements for the Technical File. This is the most operationally significant annex for engineering and product teams. It requires: a general system description, design and development process documentation, training methodology and data documentation, validation and testing procedures and results, monitoring and logging specifications, and cybersecurity measures. Full implementation guide: Article 11 & Annex IV: How to Build a Compliant AI Technical File.

Annex VII — Third-Party Conformity Assessment. The procedure for Notified Body assessment — required for biometric identification systems and certain other high-risk categories. Specifies the documentation the Notified Body must receive and the assessment process it must follow.

Annex VIII — Information for Registration in the EU AI Database. The mandatory fields for the public AI database entry — includes system description, intended purpose, contact details, and conformity assessment reference.

Part 7: How to Build Your Compliance Programme — The Five Pillars

Understanding the law is step one. Building an operational compliance programme is the actual work. Every robust EU AI Act compliance programme rests on five structural pillars:

Pillar 1 — AI System Inventory and Classification

You cannot comply with obligations you don’t know you have. Start by cataloguing every AI system your organisation builds, operates, or purchases. For each system, conduct a classification assessment against the four risk tiers. Document your conclusions. Review the inventory at least annually and whenever systems change substantially. Unorma’s AI System Inventory makes this process systematic and auditable.

Pillar 2 — Technical Documentation (Article 11 / Annex IV)

For every confirmed high-risk system, build and maintain the Technical File specified in Annex IV. This is a living document — it must be updated throughout the system’s lifecycle. Automated documentation tools reduce the manual overhead significantly. See our Article 11 automation guide for the practical approach.

Pillar 3 — Risk Management (Article 9)

Establish a formal, iterative risk management process for each high-risk system. Document known and foreseeable risks, mitigation measures, and residual risks. The risk management system must be active throughout the system’s operational life — not just at launch. See our AI Governance Framework for the executive-level framework that surrounds this technical requirement.

Pillar 4 — Human Oversight and Audit Trail

Implement the technical controls required by Article 14 (human oversight) and Article 12 (logging). Every consequential AI output needs an auditable record of what the system produced, in what context, and what human decision followed. The Evidence Vault concept — explored in our post on immutable audit trails — operationalises this requirement.
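The Article 12 logging requirement and the Pillar 4 audit trail come down to one engineering question: can you later prove what the system produced, in what context, what a human did with it, and that nobody has quietly rewritten that record since? The following is an added illustration, not code from this guide and not Unorma’s Evidence Vault product. It chains each decision record to the previous one with SHA-256, so editing or deleting a stored record breaks verification; it refuses records without a recorded human action (the Article 14 oversight step); and it computes which records have aged past the minimum retention window. The "at least six months" figure comes from the guide’s Article 12 summary; the 183-day conversion, the field names, and the sample CV-screening decisions are assumptions constructed for the example.

```python
"""Hash-chained audit trail for consequential AI decisions (added example).

Each record captures the AI output, its context, and the human decision
that followed. Records are chained with SHA-256 so later tampering is
detectable. Field names, the 183-day retention window and the sample
data are this example's assumptions, not the Act's or the guide's.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

MIN_RETENTION = timedelta(days=183)          # assumption: "at least six months"
GENESIS_HASH = "0" * 64                       # prev_hash of the first record
HUMAN_ACTIONS = {"accepted", "overridden", "interrupted"}  # Article 14 outcomes


@dataclass
class DecisionRecord:
    seq: int
    timestamp: str        # ISO 8601, UTC
    system_id: str
    context: dict         # what the decision was made on (case reference, inputs)
    ai_output: dict       # what the system produced
    human_action: str     # accepted | overridden | interrupted
    reviewer: str         # who exercised oversight
    prev_hash: str        # hash of the preceding record (chain link)
    record_hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
        payload = asdict(self)
        payload.pop("record_hash")
        canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only log; verify() recomputes the whole chain."""

    def __init__(self) -> None:
        self._records: List[DecisionRecord] = []

    def append(self, system_id: str, context: dict, ai_output: dict,
               human_action: str, reviewer: str,
               now: Optional[datetime] = None) -> DecisionRecord:
        if human_action not in HUMAN_ACTIONS:
            raise ValueError(f"unknown human action: {human_action!r}")
        now = now or datetime.now(timezone.utc)
        prev = self._records[-1].record_hash if self._records else GENESIS_HASH
        rec = DecisionRecord(seq=len(self._records), timestamp=now.isoformat(),
                             system_id=system_id, context=context,
                             ai_output=ai_output, human_action=human_action,
                             reviewer=reviewer, prev_hash=prev)
        rec.record_hash = rec.compute_hash()
        self._records.append(rec)
        return rec

    @property
    def records(self) -> List[DecisionRecord]:
        return list(self._records)

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (ok, index of the first record that fails the chain check)."""
        prev = GENESIS_HASH
        for i, rec in enumerate(self._records):
            if rec.seq != i or rec.prev_hash != prev or rec.compute_hash() != rec.record_hash:
                return False, i
            prev = rec.record_hash
        return True, None

    def purgeable_before(self, now: datetime) -> List[DecisionRecord]:
        """Records older than the minimum retention window; nothing newer may be deleted."""
        cutoff = now - MIN_RETENTION
        return [r for r in self._records if datetime.fromisoformat(r.timestamp) < cutoff]

    def override_rate(self) -> float:
        """Share of outputs humans did not simply accept: a crude automation-bias signal."""
        if not self._records:
            return 0.0
        return sum(1 for r in self._records if r.human_action != "accepted") / len(self._records)


def demo() -> AuditTrail:
    """Constructed sample: three decisions from a hypothetical CV-screening system."""
    trail = AuditTrail()
    t0 = datetime(2026, 8, 3, 9, 0, tzinfo=timezone.utc)
    trail.append("cv-screener-v3", {"application_id": "A-1001", "role": "analyst"},
                 {"score": 0.81, "recommendation": "shortlist"}, "accepted", "hr.reviewer1", t0)
    trail.append("cv-screener-v3", {"application_id": "A-1002", "role": "analyst"},
                 {"score": 0.42, "recommendation": "reject"}, "overridden", "hr.reviewer1",
                 t0 + timedelta(minutes=5))
    trail.append("cv-screener-v3", {"application_id": "A-1003", "role": "analyst"},
                 {"score": 0.55, "recommendation": "reject"}, "accepted", "hr.reviewer2",
                 t0 + timedelta(minutes=9))
    return trail


def tamper_demo() -> Optional[int]:
    """Rewrite a stored output after the fact; returns the index verify() flags."""
    trail = demo()
    trail.records[1].ai_output["recommendation"] = "shortlist"  # history edit
    ok, bad = trail.verify()
    return None if ok else bad


if __name__ == "__main__":
    t = demo()
    print("chain intact:", t.verify(), "override rate:", round(t.override_rate(), 2))
    print("first tampered record:", tamper_demo())
```

The chain only proves integrity relative to its own head; to make it useful as evidence, periodically anchor the latest `record_hash` somewhere the application cannot rewrite (a write-once store, a signed timestamp, or a separate system of record), so a wholesale rebuild of the log is also detectable. Keep `purgeable_before` conservative: the window here is a floor, and sector law may require longer.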

Pillar 5 — Conformity Assessment and Registration

Complete the conformity assessment procedure, draft the Declaration of Conformity, affix the CE marking (where applicable), and register in the EU AI database before market placement. Then maintain the compliance programme through post-market monitoring, incident reporting, and Technical File updates. For the full audit preparation methodology, see our Audit-Ready AI pillar guide.

Part 8: What Regulators Will Look for in 2026

Enforcement in the first years of a new regulatory regime follows a pattern that GDPR made familiar: early enforcement focuses on the most provable, most egregious violations first. For the EU AI Act, expect 2026 enforcement to concentrate on:

  • Prohibited practice violations — these have been in force since February 2025, are clearly defined, and carry the highest fines. Regulators will go after emotion recognition in workplaces and manipulation-based systems first.
  • Absence of any compliance programme — companies that have made no attempt to classify their systems or begin Technical File preparation by August 2026 will be lower-hanging fruit than companies with partially complete programmes.
  • High-profile consumer-facing systems — AI hiring tools, consumer credit scoring systems, and student assessment platforms will attract early regulatory attention because they affect large numbers of individuals with direct impact on their life outcomes.
  • Companies with a GDPR enforcement history — national data protection authorities that supervise both GDPR and the AI Act will prioritise organisations already known to them for prior non-compliance.

The single most effective enforcement defence is a documented compliance programme. Article 99(6) lists good-faith compliance effort as a formal mitigating factor in fine calculations. Your paper trail is not just a compliance artefact — it’s your legal defence.

Frequently Asked Questions

What is the EU AI Act in simple terms?

The EU AI Act is a law that classifies AI systems into risk categories and imposes specific compliance obligations based on the potential harm they can cause. The highest-risk AI applications are banned outright. High-risk applications — those used in employment, credit, education, law enforcement, and similar consequential contexts — must meet technical, transparency, and governance requirements before they can be sold or operated in the EU. Lower-risk applications face lighter transparency obligations or none at all.

Does the EU AI Act apply to my company if we’re based outside the EU?

Almost certainly yes, if your AI system’s outputs are used within the EU or affect EU-based individuals. Article 2 explicitly extends the Act’s reach to non-EU providers and deployers on the same extraterritorial basis as GDPR. Geography of incorporation is not the determining factor — the geography of impact is.

What is the difference between a “provider” and a “deployer” under the Act?

A provider is an entity that develops or substantially modifies an AI system and places it on the market. A deployer is an entity that uses an AI system in the course of professional activities. Most SaaS companies selling AI products are providers. Businesses that integrate third-party AI tools into their operations are typically deployers. In practice, many organisations are both — providing their own AI product to customers while deploying third-party AI tools internally. The obligations differ significantly, explored fully in our post on Provider vs. Deployer obligations.

How long does it take to build a compliant high-risk AI programme?

For a single high-risk AI system with a competent team and the right tools, a complete compliance programme — from gap analysis through Technical File, risk management, human oversight implementation, conformity assessment, and EU database registration — typically takes 4 to 6 months. Companies with multiple systems, complex data governance situations, or limited compliance infrastructure should plan for 6 to 9 months. Our 6-Month Readiness Checklist maps the full timeline.

What harmonised standards apply to EU AI Act compliance?

The European Commission has mandated CEN/CENELEC to develop harmonised standards for the EU AI Act. ISO/IEC 42001 (AI Management Systems) is the most directly relevant existing international standard — it maps closely to the Act’s risk management and governance requirements. Our post on harmonising ISO 42001 and the EU AI Act explores the overlap in detail. Harmonised standards for specific Annex III categories are expected through 2026 and 2027.

Can I use a consultant or law firm to handle EU AI Act compliance?

External legal and compliance expertise is valuable for interpretation questions, conformity assessment procedures, and enforcement situations. However, the Act’s ongoing obligations — Technical File maintenance, post-market monitoring, incident reporting, logging — require internal operational infrastructure, not just external advice. The most effective model combines a lean internal compliance function with purpose-built tooling (like Unorma) and external legal support for complex questions.

Ready to move from understanding to action?

Unorma gives you the complete infrastructure to run your EU AI Act compliance programme — from system inventory and automated Technical File generation to audit simulation and evidence vault. Start with a free compliance assessment and find out exactly where you stand.

Download Our EU AI Act for high risk AI →
