EU AI Act Compliance

The EU AI Act is the world's first comprehensive legal framework for artificial intelligence. It establishes a risk-based classification system that imposes different obligations depending on how an AI system is used, ranging from outright prohibitions on certain practices to transparency requirements for lower-risk systems.

The Act applies to providers (developers) and deployers (users) of AI systems that are placed on the EU market or whose outputs are used in the EU — regardless of where the company is based. If your AI system affects people in the EU, you likely have obligations under the Act.

Penalties are tiered based on the severity of the violation. The highest fines — up to €35 million or 7% of global annual turnover — apply to prohibited AI practices. High-risk system violations can attract fines of up to €15 million or 3% of turnover. Providing incorrect information to authorities can result in fines up to €7.5 million or 1% of turnover.

The EU AI Act defines high-risk AI systems in two ways: (1) AI used as a safety component of products already covered by EU product safety legislation, and (2) AI used in specific use cases listed in Annex III, including biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, and justice. A self-assessment against these categories is the starting point.

The Act is being phased in. Prohibited AI practices became enforceable in February 2025. GPAI rules apply from August 2025. The main deadline — obligations for high-risk AI systems — is 2 August 2026. Companies should already be working towards compliance given the complexity of the requirements.

Yes. The Act has extraterritorial reach, similar to the GDPR. It applies to any provider placing an AI system on the EU market and any deployer using an AI system whose output is used within the EU, regardless of where the provider or deployer is established.