Business

EU AI Act

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive horizontal AI regulation, adopted by the European Union in 2024, which classifies AI systems by risk tier and imposes requirements ranging from transparency disclosures to outright prohibitions on certain applications.

The EU AI Act (Regulation (EU) 2024/1689) is the European Union's landmark legislation governing artificial intelligence across all sectors and member states. The European Commission proposed the regulation in April 2021; it was substantially amended during negotiations to address generative AI models following the public emergence of ChatGPT, formally adopted by the European Parliament in March 2024 and by the Council in May 2024, and entered into force on August 1, 2024. The Act applies to providers who place AI systems on the EU market and deployers who use them within the EU, regardless of where those parties are headquartered, giving it extraterritorial reach comparable to the GDPR.

The Act organizes AI systems into risk tiers. Unacceptable-risk systems — including government social scoring, real-time remote biometric identification in public spaces (with narrow law-enforcement exceptions), and AI that exploits psychological vulnerabilities to manipulate behavior — are prohibited entirely. High-risk systems covering critical infrastructure, education, employment decisions, access to essential public services, law enforcement, migration control, and administration of justice face mandatory conformity assessments, extensive technical documentation requirements, human-oversight mechanisms, and registration in an EU-wide database before market placement. Limited-risk systems such as chatbots carry transparency obligations: users must be informed they are interacting with an AI. A separate framework governs general-purpose AI (GPAI) models; those trained above 10^25 FLOPs are designated as posing systemic risk and face additional obligations including adversarial testing, incident reporting, and cybersecurity measures. Penalties for the most serious violations — prohibited AI — reach €35 million or 7% of global annual turnover, whichever is higher.

The Act matters for several reasons beyond the EU's internal market. Because major AI developers build systems for global deployment, compliance requirements applicable to EU operations tend to propagate as de facto global standards — a "Brussels Effect" already observed with GDPR for data privacy. The Act established a European AI Office within the European Commission with oversight authority specifically over GPAI models, creates enforceable obligations where none previously existed under EU law, and funds regulatory sandboxes enabling supervised experimentation with AI in regulated domains.

As of 2026, implementation is progressing in phases. Prohibitions on unacceptable-risk systems applied from February 2025. GPAI model provider obligations — directly affecting companies including Anthropic, Google, Meta, and OpenAI — phased in through 2025. Full obligations for high-risk systems take effect in August 2026. Technical standards and detailed compliance guidance are still being finalized by the European AI Office and standardization bodies CEN and CENELEC, and major AI providers have participated in a voluntary Code of Practice for GPAI models while mandatory harmonized standards are completed.

Example

A company offering an AI-powered CV-screening tool to EU employers must classify it as high-risk under the Act, conduct and document a conformity assessment, register the system in the EU AI database, and ensure that human recruiters can meaningfully override or contest the system's rankings before any candidate is rejected based on its output.

Related terms

Latest news on this topic

← Glossary