EU AI Act

From llmref.wiki
EU AI Act — European Union's risk-based regulatory framework governing the development, deployment, and use of artificial intelligence systems.

Overview

The EU AI Act is a comprehensive legislative framework adopted by the European Union to govern artificial intelligence systems placed on the market or put into service in the EU, including systems operated from outside the EU whose output is used in the EU. Formally known as Regulation (EU) 2024/1689, it entered into force on 1 August 2024 and applies in stages: the prohibitions from 2 February 2025, the obligations for general-purpose AI models from 2 August 2025, and most remaining obligations, including those for high-risk systems listed in Annex III, from 2 August 2026 (high-risk systems embedded in products already covered by Annex I product legislation have until 2 August 2027). The Act establishes a tiered risk-based classification system rather than a blanket prohibition, distinguishing between prohibited, high-risk, and lower-risk AI systems based on their potential to harm health, safety, and fundamental rights.

The Act's classification structure centers on four risk tiers: prohibited AI (practices creating an unacceptable risk to fundamental rights), high-risk AI (systems affecting safety or fundamental rights in critical domains), limited-risk AI (systems subject to transparency obligations), and minimal-risk AI (systems not subject to specific regulatory requirements). This approach aims to balance innovation with protection of individuals, requiring providers and deployers to classify their systems, operate a risk management process, maintain documentation and logs, and, for high-risk systems, complete a conformity assessment before placing the system on the market.

The regulatory scope covers general-purpose AI models (the Act's term for foundation models such as large language models) as well as AI systems used in areas such as employment decisions, biometric identification, education, and critical infrastructure. Providers of high-risk systems must identify and mitigate risks including bias, inaccuracy, and adversarial vulnerabilities; Article 15 explicitly names data poisoning, model poisoning, adversarial examples, model evasion, and confidentiality attacks as threats the system must be resilient against. The Act also mandates disclosure of AI-generated content in certain contexts and is enforced by national market surveillance authorities in each member state together with the European Commission's AI Office, which supervises general-purpose AI models.

How it works

The EU AI Act operates through a tiered compliance framework structured around risk assessment and operational requirements:

Risk classification: Providers must first check whether their system falls under a prohibited practice (e.g., social scoring, manipulative or subliminal techniques, most real-time remote biometric identification in publicly accessible spaces for law enforcement), a high-risk category (Annex III lists 8 areas including biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration and border control, and justice and democratic processes, plus safety components of products regulated under Annex I), or a lower-risk category. High-risk systems require a conformity assessment before being placed on the market; limited-risk systems such as chatbots and synthetic-content generators carry transparency obligations only; minimal-risk systems carry no specific obligations.

Pre-market requirements for high-risk systems: Providers must establish a continuous risk management system, apply data governance practices including examination of training, validation, and testing data for possible biases, draw up technical documentation (Annex IV), build in automatic event logging, supply instructions for use, design for effective human oversight, and meet accuracy, robustness, and cybersecurity requirements, including resilience against data poisoning, model evasion, and similar adversarial attacks. The system must pass a conformity assessment, carry a CE marking, and be registered in the EU database before deployment, and the provider must run post-market monitoring afterwards. For most Annex III systems the conformity assessment is a provider self-assessment by internal control; a third-party notified body is required for certain biometric systems (unless harmonised standards are fully applied) and for products whose Annex I legislation already requires third-party assessment. A separate fundamental rights impact assessment (Article 27) is required of some deployers, chiefly public bodies and providers of public services.

Transparency and disclosure obligations: Under Article 50, users must be told when they interact with an AI system such as a chatbot, synthetic audio, image, video, and text output must be marked as artificially generated in a machine-readable way, deployers must disclose deepfakes, and AI-generated text published to inform the public on matters of public interest must be disclosed unless it has passed human editorial review. Providers of general-purpose AI models must maintain technical documentation covering the training process and known or estimated energy consumption, publish a sufficiently detailed summary of the training content, and adopt a copyright compliance policy; models posing systemic risk must additionally undergo adversarial testing, report serious incidents, and meet cybersecurity requirements. Providers of high-risk systems must retain the system's automatically generated logs and be able to demonstrate compliance to authorities.

Governance and enforcement: National market surveillance authorities in each EU member state monitor compliance, investigate violations, and issue corrective orders, while the European Commission's AI Office supervises general-purpose AI models and coordinates enforcement through the European Artificial Intelligence Board. The Act provides for administrative fines of up to €35 million or 7% of worldwide annual turnover (whichever is higher) for prohibited practices, up to €15 million or 3% for breaches of most other obligations, and up to €7.5 million or 1% for supplying incorrect information to authorities; for SMEs the lower of the two amounts applies. Providers can also face liability under EU product liability law, which covers software including AI systems.

Distinction from related terms

Term | Distinction
Acceptable Use Policy (AI) | An AUP is a contractual mechanism between a service provider and its users specifying permitted uses; the EU AI Act is mandatory legislation binding providers and deployers of AI systems in the EU market regardless of contractual terms.
Content filtering | Content filtering is a technical mechanism for blocking prohibited outputs; the EU AI Act is a regulatory framework governing system design, documentation, and risk management across the entire AI lifecycle.
Constitutional AI | Constitutional AI is a training methodology that uses written principles to guide model behavior; the EU AI Act is statutory regulation imposing compliance obligations on providers and deployers independent of training methodology.
Guardrails | Guardrails are technical safety mechanisms limiting model inputs or outputs; the EU AI Act may require such controls as part of risk mitigation but is not limited to technical controls.
General Data Protection Regulation (GDPR) | GDPR governs the processing of personal data; the EU AI Act governs AI system design, deployment, and risk management whether or not personal data is involved, and both frameworks frequently apply to the same system.

Examples

  • Large language model deployment: A provider placing a general-purpose AI model on the EU market must maintain technical documentation on the model and its training process, publish a summary of the training content, adopt a copyright policy, and supply downstream integrators with the information they need to meet their own obligations. If the model is classified as posing systemic risk (presumed when training compute exceeds 10^25 FLOPs), the provider must also perform adversarial testing, track and report serious incidents, and maintain adequate cybersecurity. The model itself is not a high-risk system, but an AI system built on it for a high-risk use case is, and that system's provider carries the high-risk obligations.
  • Employment decision system: An HR software vendor offering AI-based resume screening or hiring recommendation falls under the Annex III employment category and must treat the system as high-risk. This triggers obligations to run a risk management system, apply data governance including bias examination of training data, maintain technical documentation and automatic logging, design for human oversight, register the system in the EU database, and complete a conformity assessment (by internal control for this category) before offering it to EU customers; the deploying employer in turn must use it according to the instructions, ensure trained human oversight, and inform affected workers.
  • Biometric identification system: Real-time remote biometric identification in publicly accessible spaces for law enforcement is prohibited unless used for narrow purposes (targeted search for victims of abduction, trafficking, or sexual exploitation and for missing persons; prevention of a specific and imminent threat to life or of a terrorist attack; locating suspects of listed serious crimes) with prior judicial or independent administrative authorisation. Post-remote biometric identification used in law enforcement is classified as high-risk and requires the full set of high-risk obligations, with conformity assessment by a notified body unless harmonised standards are fully applied.

See also

  • Foundation model — Base models regulated as general-purpose AI models under the Act's provisions for such models
  • Guardrails — Technical risk mitigation mechanisms commonly used to satisfy the risk management requirements for high-risk AI systems
  • Model card — Documentation format commonly used to satisfy the Act's technical documentation obligations, although the Act does not mandate the model card format itself
  • Bias detection (LLM) — Assessment method used to meet the Act's data governance requirement to examine training data for possible biases
  • AI-generated content disclosure — Transparency obligation for AI-generated content in certain EU AI Act contexts
