The EU AI Act: An Overview

The EU AI Act defines an Artificial Intelligence (AI) system as a machine-based system designed to operate with varying levels of autonomy. Its ability to both exhibit adaptiveness after deployment, as well as infer from the inputs it receives, means it has the potential to influence physical and virtual environments. Considering this, the EU have introduced a law that intends to foster trustworthy AI in Europe, prioritising growth and security simultaneously.   

---

What is the EU AI Act?

The EU AI Act is a flagship law introduced to regulate how AI systems should be designed and implemented, within the EU. With the growing focus on AI’s implications on information and cyber security, the Act proposes taking a risk-based approach when considering both. By classifying AI applications on a spectrum from no risk to banned entirely, it allows for tighter controls and improved protection of sensitive data that was otherwise left exposed. 

Here are the Risk-Based Classifications: 

• Unacceptable→ AI application will be banned due to their potential to cause harm e.g., social scoring systems and manipulative technologies 

• High→ Includes tools that evaluate creditworthiness or critical infrastructure. These AI applications will require rigorous assessment before market entry and businesses must determine whether their existing/planned AI applications fall under this. 

• Limited→ Such as image processing systems and chatbots, these AI applications will still carry obligations e.g., disclosing that a user interacted with an AI system. 

• Minimal→ Applications, such as spam filters, are not subjected to further regulatory requirements. 

Businesses utilising applications considered ‘high risk’ must meet a range of requirements also laid out in the Act, such as a risk management system and technical documentation, to be compliant and avoid penalties. Whilst systems labelled as a ‘limited risk’ are evaluated under these same requirements, they face reduced scrutiny in comparison. 

---

EU AI Act Timeline

After a three year long legislative process, the act officially entered into force on 1^st August 2024. As of the 2^nd of February 2025, all providers and deployers of AI systems must ensure, to the fullest of their ability, a sufficient level of AI literacy among staff dealing with its operation and use. Prohibitions on unacceptable risk were also entered into force. Up until August of 2026, new regulations will be routinely introduced every 6-12 months. These range from the introduction of fines in August 2025 to the obligations (registration in EU database and quality management systems) for high-risk AI systems coming into effect in August 2026. 

---

What are the consequences of non-compliance?

A lack of compliance with the EU AI Act imposes significant fines, either a predetermined amount or calculated as a percentage of the offending company’s annual turnover- whichever is higher.  

Here’s the breakdown: 

• Non-compliance with prohibitions→ €35M or 7% of turnover 

• Supplying incorrect, incomplete or misleading information→ €7.5M or 1.5% of turnover 

• Non-compliance with other obligations→ €15M or 3% of turnover 

---

How will this affect companies outside the EU?

Much like the global reach of the General Data Protection Regulation (GDPR), the AI Act applies so long as the AI system is either on the EU market, or its outputs have effects within the EU. However, even if there is a non-European company with no intentions of going to the EU market, it may still be necessary for them to comply with the EU AI Act in order to reduce the legal risks associated with selling AI-based products/services. 

Overall, the EU AI Act marks a significant step towards regulating artificial intelligence in a way that balances innovation with ethics. And whilst its aims to ensure AI’s responsible development and deployment across Europe could present some challenge to businesses, it sets a much needed global standard for safe and accountable AI use.