The European Union's AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive binding legal framework specifically for artificial intelligence. It classifies AI systems by risk level (prohibited, high-risk, limited-risk, and minimal-risk) and imposes obligations that scale with that classification. High-risk AI must undergo conformity assessment, maintain technical documentation, implement human oversight, and, for the use cases listed in Annex III, be registered in an EU database before it is placed on the market. The Act applies to any AI system placed on the EU market or whose output is used in the EU, regardless of where the provider is based. Enforcement of the main high-risk obligations begins August 2, 2026.
Why this matters for your team
The EU AI Act applies to you if you place an AI system on the EU market or its output is used in the EU, even if your company is based outside the EU. The most important first step: determine your risk classification. Most commercial SaaS AI falls in the minimal-risk or limited-risk category, which requires at most basic transparency measures. If you build AI for hiring, credit, healthcare, or critical infrastructure, you are almost certainly in high-risk territory.
The EU AI Act passed in May 2024, entered into force on August 1, 2024, and rolls out in phases over three years. It is primarily a product safety law: it sets pre-market obligations on developers (providers) and post-market obligations on companies that deploy AI (deployers). The extraterritorial scope is one of its most important features — any company whose AI system has output that is used in the EU is covered, regardless of where servers, staff, or offices are located.
The Act distinguishes between 'providers' (the party that develops an AI system, or has it developed, and places it on the EU market or puts it into service under its own name or trademark) and 'deployers' (organizations that use an AI system under their own authority). Importers and distributors are separate roles with their own, lighter duties. For most SaaS companies, you are a provider if you sell an AI product and a deployer if you use a third-party AI tool internally. Both roles carry obligations, but providers face heavier requirements: conformity assessments, technical documentation, and EU database registration. Note that a deployer who puts its own name or brand on a high-risk system, or substantially modifies it, takes on the provider's obligations for that system.
General-purpose AI (GPAI) models like GPT-4, Claude, or Gemini get their own chapter (Chapter V). Any GPAI model presumed to carry systemic risk (broadly: models trained with more than 10^25 FLOPs of compute) faces additional obligations including adversarial testing, serious-incident reporting, and cybersecurity measures. From August 2, 2025, all GPAI providers, systemic or not, must publish a summary of their training content and maintain technical documentation. Providers of GPAI models already on the market before that date have until August 2, 2027 to comply.
A US startup selling an AI-powered recruitment tool to European companies must comply with the EU AI Act's high-risk requirements — including conformity assessment and mandatory human oversight — even though the company is based in the United States.
August 1, 2024: The EU AI Act enters into force. The 24-month clock starts for most provisions.
February 2, 2025: Chapters I and II take effect. AI practices in the prohibited category (social scoring, real-time remote biometric identification in publicly accessible spaces, subliminal manipulation) are banned.
August 2, 2025: Chapter V (general-purpose AI models) takes effect. All GPAI providers must publish training content summaries and maintain documentation. Systemic-risk GPAI providers face additional adversarial testing and incident-reporting duties.
August 2, 2026: The main high-risk AI obligations apply for the Annex III use cases: conformity assessments, technical documentation, human oversight, EU database registration, post-market monitoring. Transparency obligations for chatbots and synthetic content also apply from this date. This is the deadline most small teams need to prepare for.
August 2, 2027: Obligations apply for high-risk AI that is a safety component of products already covered by EU product legislation listed in Annex I (machinery, medical devices, vehicles and similar). High-risk systems placed on the market before August 2, 2026 are only brought into scope if their design is significantly changed after that date; there is no blanket one-year grace period.
AI applications that pose an unacceptable risk to fundamental rights, safety, or democracy. These are banned outright; no compliance path exists.
Examples: social scoring, real-time remote biometric identification in publicly accessible spaces, subliminal or manipulative techniques that distort behaviour.
Obligations: none can be met; these practices have been prohibited since February 2, 2025 and must simply not be deployed.
AI systems used as safety components in regulated products or for high-stakes decisions affecting safety, employment, education, justice, or essential services. Full compliance is required before the system is placed on the market.
Examples: recruitment and hiring tools, credit scoring, healthcare applications, critical infrastructure management, systems used in education, justice, or access to essential services.
Obligations: risk management system, technical documentation (Annex IV), data governance, human oversight, conformity assessment, registration in the EU database, post-market monitoring and serious-incident reporting. These apply from August 2, 2026.
AI systems that interact directly with users or generate synthetic content. Transparency obligations only: users must know they are dealing with AI.
Examples: customer service chatbots, AI-generated audio, image, video or text, deepfakes.
Obligations: inform users that they are interacting with an AI system; mark synthetic content as AI-generated, in a machine-readable form where the provider generates it. These apply from August 2, 2026.
The vast majority of AI applications fall here. No mandatory obligations, but voluntary codes of conduct are encouraged.
Examples: spam filters, recommendation engines, productivity tools, internal AI assistants.
Obligations: none mandatory under the Act; voluntary codes of conduct and general AI-literacy measures for staff are encouraged.
Step 1: Classify your AI systems
List every AI system your team builds or deploys. Map each against the four risk tiers. Most commercial SaaS AI is minimal-risk. If you build for HR, healthcare, credit, or infrastructure — high-risk classification is likely.
Step 2: Check the prohibited list
Verify none of your systems fall in the prohibited category (social scoring, real-time remote biometric identification in publicly accessible spaces, subliminal manipulation). These practices have been banned since February 2, 2025 with no grace period; if any of your systems fall there, stop immediately.
Step 3: Determine your role (provider vs. deployer)
If you sell an AI product in the EU, you are a 'provider' with heavier obligations. If you use a third-party AI tool for internal business decisions, you are a 'deployer' with lighter obligations. You can be both.
Step 4: For high-risk systems — build a risk management system
Document the foreseeable risks of your AI system, test against those risks throughout the product lifecycle, and maintain evidence. This is not a one-time exercise — it must be updated with each significant change.
Step 5: Prepare technical documentation
Annex IV lists the required documentation: system description, design specifications, training data summary, testing methodology, performance metrics. Build this documentation alongside development, not after.
Step 6: Implement human oversight
High-risk AI systems must have a mechanism for human operators to understand the system's output, intervene, and override decisions. Design your UI and processes to make this possible — not just technically but operationally.
Step 7: For limited-risk systems — add AI disclosure
Chatbots must clearly inform users they are interacting with AI, and AI-generated content must be disclosed as such. For a chatbot, a one-line disclosure in the UI ('This response was generated by AI') satisfies the requirement in most cases. If your system generates synthetic audio, image, video, or text, the provider must additionally mark that output in a machine-readable format (for example, watermarking or metadata), and deepfakes must be visibly disclosed. These transparency duties apply from August 2, 2026.
Step 8: Register high-risk systems in the EU AI database
Before placing an Annex III high-risk AI system on the EU market or putting it into service, the provider must register it in the EU's public AI database, which is set up and maintained by the European Commission. This registration is required even for non-EU providers. Deployers that are public authorities must also register their use of such systems.
Step 9: Review your vendor agreements
If you use third-party AI models or tools that are part of your high-risk system, ensure your contracts require them to provide the technical documentation and cooperation you need to meet your own obligations.
Step 10: Monitor and report post-deployment
High-risk providers must implement post-market monitoring. Serious incidents must be reported to the market surveillance authority of the Member State where the incident occurred immediately after a causal link with the AI system is established (or reasonably likely), and in any case no later than 15 days after the provider becomes aware of it. Shorter deadlines apply in the most severe cases: 2 days for a widespread infringement or a serious incident affecting critical infrastructure, and 10 days for an incident involving a person's death. Build incident detection and escalation into your operations so these clocks can actually be met.
Does the EU AI Act apply to companies outside the EU?
Yes. The Act applies to any provider that places an AI system on the EU market or whose AI system output is used in the EU, regardless of where the company is headquartered. A US startup selling AI to European customers is covered.
What is the difference between a provider and a deployer under the EU AI Act?
A provider is the entity that develops an AI system (or has it developed) and places it on the market or puts it into service under its own name or trademark. A deployer uses an AI system under its own authority, typically for business operations. Providers face heavier compliance obligations, including conformity assessments and technical documentation. Deployers of high-risk systems must use the system according to its instructions, assign human oversight to competent staff, keep the automatically generated logs, and inform affected workers and individuals.
What happens if I use a third-party AI tool (like ChatGPT or Claude) in a high-risk application?
You become a deployer — and deployers of high-risk AI systems have their own obligations: implementing human oversight, maintaining usage logs, informing affected individuals, and cooperating in incident investigations. Your vendor contract should specify what documentation and cooperation the provider will give you to meet these obligations.
When does the EU AI Act enforcement start?
Prohibited AI practices have been banned since February 2, 2025. GPAI model obligations (for foundation model providers) apply from August 2, 2025. Enforcement for high-risk AI systems in the Annex III use cases, and the transparency duties for chatbots and synthetic content, begins August 2, 2026. High-risk AI that is a safety component of products regulated under Annex I legislation has until August 2, 2027. High-risk systems already on the market before August 2, 2026 are only brought into scope if their design is significantly changed after that date.
What are the penalties for violating the EU AI Act?
Non-compliance with the prohibited AI provisions: up to €35 million or 7% of global annual turnover (whichever is higher). Violations of high-risk, transparency, or other operator obligations: up to €15 million or 3% of global annual turnover. Providing incorrect, incomplete, or misleading information to authorities: up to €7.5 million or 1.5% of global annual turnover. For SMEs and start-ups, the lower of the fixed amount and the percentage applies instead of the higher.
Is a customer service chatbot subject to the EU AI Act?
Yes — a standard customer service chatbot falls in the limited-risk category. The only obligation is transparency: the chatbot must clearly inform users they are interacting with an AI system. No conformity assessment or technical documentation is required unless the chatbot also makes consequential decisions (e.g., automatically approving or denying service requests with real consequences).
What is the EU AI Act compliance deadline for small teams?
For most small teams with minimal-risk AI (productivity tools, internal AI assistants, recommendation engines), there is no mandatory compliance deadline, only voluntary guidelines. If your AI falls in the limited-risk category (chatbots, synthetic content, deepfakes), the transparency obligations become binding on August 2, 2026, so add disclosures now. If your AI is high-risk, the hard deadline is also August 2, 2026.