What the EU AI Act Is
The EU AI Act is the world's first comprehensive AI law. Here's a plain-English explainer: what it does, the four risk tiers, who it applies to, and the timeline, with no jargon and no scare tactics.
What is the EU AI Act, and why does everyone keep mentioning it?
The EU AI Act is the world’s first comprehensive law on artificial intelligence. It is a single binding regulation (formally Regulation (EU) 2024/1689) that came into force on 1 August 2024 and is phasing in over several years. Where most countries are still publishing principles and consultations, the EU has written an actual statute with defined obligations and real penalties.
You will hear it referenced constantly, often with a large penalty figure attached. This post strips out the noise and explains what it actually is: what it does, how it sorts AI into risk levels, who it applies to, and when the key dates land. We will cover what it means for UK businesses specifically in a follow-up post; this one is the plain-English foundation.
The core idea: classify by risk, then assign obligations
The Act’s central mechanism is simple to grasp. It does not regulate “AI” as one undifferentiated thing. Instead, it sorts AI uses into risk tiers and attaches heavier obligations to higher-risk uses. A spam filter and an AI system that screens job applicants are treated very differently, because the potential for harm is very different.
That single design choice explains almost everything about how the Act behaves. If your use of AI is low-risk, the Act asks little of you. If it touches people’s livelihoods, safety, or fundamental rights, it asks a great deal.
The four risk tiers
Everything in the Act flows from which of the four tiers your AI system sits in.
- Prohibited. A small set of AI practices is banned outright. These include harmful social scoring, certain kinds of biometric surveillance, and manipulative techniques designed to cause harm. These prohibitions have applied since February 2025. Most commercial products are nowhere near this category, but it is the line you cannot cross.
- High-risk. This is where the substantial obligations live: risk management, data governance, technical documentation, logging, human oversight, conformity assessment, and ongoing monitoring. The high-risk categories are specific, not “anything advanced.” They cover AI used in areas such as recruitment and HR, credit scoring, education assessment, essential public and private services, and safety components of regulated products. If an AI system makes or materially informs decisions about people in one of these areas, it is likely high-risk.
- Limited risk. Here the Act asks mainly for transparency. Chatbots must tell users they are interacting with AI. Deepfakes and certain AI-generated or manipulated content must be disclosed or marked, subject to exceptions such as editorial control, artistic or satirical use, and law-enforcement contexts. These obligations apply from August 2026 and are light: disclosure, not a compliance programme.
- Minimal risk. The vast majority of AI applications. Things like spam filters, recommendation engines, translation tools, and internal productivity assistants. The Act adds no specific obligations here beyond the laws that already apply, such as data protection.
The practical headline: most everyday business AI lands in the bottom two tiers, where the burden is modest. The cost and complexity concentrate in the high-risk band.
Who it applies to
The Act assigns obligations by the role you play, not just by what your product does. The three roles that matter most:
- GPAI provider. You trained a general-purpose foundation model from scratch. This is the world of the large AI labs. Fine-tuning an existing model only puts you in this category if your fine-tuning compute exceeds a third of the original training run, which is far beyond a normal team’s reach.
- Provider. You built an AI product or service and put it on the market. This is the most common role for companies building with AI, including products that are essentially a layer over someone else’s model.
- Deployer. You use someone else’s AI tool in your own operations. Lighter obligations, focused on using the tool as intended and keeping appropriate human oversight.
The Act also reaches beyond the EU’s borders. It can apply to a company outside the EU if that company places an AI system on the EU market, or if the outputs of its AI system are used in the EU. This extraterritorial reach is the reason non-EU businesses pay attention to it at all.
The timeline
The Act does not switch on all at once. It phases in:
- August 2024: the Act enters into force.
- February 2025: the prohibited-practice bans and basic AI-literacy duties apply.
- August 2025: obligations for general-purpose AI models begin.
- August 2026: transparency rules and most general application provisions apply. Many high-risk systems listed in Annex III also become subject to the core high-risk regime.
- August 2027: under the Act as originally adopted, the remaining high-risk rules for AI embedded in regulated products apply. The Commission has since proposed changes that could move some high-risk deadlines later, so treat the dates above as the current baseline rather than the final word.
This staggered schedule is deliberate. It gives organisations time to classify their systems and build compliance in proportion to risk, rather than facing every obligation on day one.
What about the penalties?
The headline figures are real: fines can reach up to 35 million euros or 7% of global annual turnover for the most serious breaches, with lower bands for lesser ones. But two points keep this in perspective. First, the top penalties attach to the prohibited practices that most businesses never go near. Second, the Act is built to be proportionate: low-risk uses carry low obligations and correspondingly low exposure. The figures are a ceiling for the worst cases, not a flat threat to everyone in scope.
How this differs from the UK approach
It is worth knowing the contrast, because the two systems sit side by side for many businesses. The EU has chosen one comprehensive, codified regulation with a central risk-classification scheme. The UK has chosen the opposite: no single AI Act, but existing sector regulators applying cross-cutting principles, underpinned by data protection law. We explain that model in the UK’s AI stance.
Neither approach is simply “ahead” of the other. The EU’s is easier to point to as a single rulebook but heavier to comply with across the board. The UK’s is lighter for most firms but more distributed and harder to map. Which one matters more to you depends on where your AI operates and who its users are.
The bottom line
The EU AI Act is a single, binding, risk-based regulation: it classifies AI by potential for harm and scales obligations to match. Most everyday business AI falls into its lower tiers, where the asks are modest; the real weight lands on high-risk uses and on the large model providers. It applies by role, reaches beyond EU borders, and phases in over several years.
We will be following this up with posts on what the Act means for UK businesses specifically, and for small teams building AI products. And if you would like help sizing your exposure accurately, without building compliance you do not need, get in touch.
References
- Regulation (EU) 2024/1689 (Artificial Intelligence Act). EUR-Lex official text; see Article 5 (prohibited practices), Article 50 (transparency), and Annex III (high-risk categories).
- AI Act overview. European Commission, for the risk-tier structure, roles, and implementation timeline.
- Article 113 of Regulation (EU) 2024/1689. Official application dates; note that proposed 2026 implementation changes may affect some high-risk deadlines.
- The UK’s AI Stance. Octonion Technologies, for the UK contrast.