What is the EU AI Act?

How it works

The Act is built around roles, and getting the role right is the start of everything else. A provider is the organisation that develops an AI system or general-purpose AI model, or has one developed, and places it on the market or puts it into service under its own name or trade mark. A deployer is the organisation using the system under its own authority in the course of work. The Act also defines importers, distributors, authorised representatives and product manufacturers. The distinction matters more than it first appears, because a business that considers itself a simple user can become a provider in law if it brands a system as its own, modifies it substantially, or changes what it is for.

A small number of uses are banned outright. These prohibited practices include AI that manipulates or deceives in ways that materially distort behaviour and cause significant harm, AI that exploits vulnerabilities tied to age, disability or economic situation, social scoring that leads to unjustified detrimental treatment, certain predictive policing based solely on profiling, untargeted scraping of facial images to build recognition databases, emotion recognition in workplaces and schools outside medical or safety reasons, biometric categorisation that infers sensitive traits such as race or political opinion, and most real-time remote biometric identification in public spaces by law enforcement. The agreed amendments add a further prohibition covering AI that generates non-consensual intimate imagery or child sexual abuse material, with a safe harbour for systems that have effective preventive safeguards. For these categories the response is not a policy document but a decision not to do it. Most ordinary organisations will not approach the law-enforcement biometric lines, but workplace emotion recognition and manipulative consumer techniques are closer to everyday practice than leaders sometimes assume.

The larger operational category is high-risk AI, and there are two routes into it. The first covers AI that is a safety component of, or itself is, a regulated product already subject to third-party assessment under existing EU product law: some machinery, medical devices, toys, lifts, vehicles and similar. The second covers AI used in the sensitive contexts listed in Annex III: biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration and border control, and the administration of justice and democratic processes.

Annex III is where many service businesses will recognise themselves. In employment it names AI used to recruit or select people, to filter applications and evaluate candidates, and to make or support decisions about terms, promotion, task allocation or termination. In essential private services it names AI used to assess creditworthiness or set a credit score, other than for fraud detection, and AI used for risk assessment and pricing in life and health insurance. For an organisation with EU-facing hiring, lending or insurance activity, these are not edge cases; they are written into the statute.

Not everything that touches a sensitive sector is automatically high-risk. The Act carves out systems that do not pose a significant risk of harm and do not materially influence a decision, for example where the AI performs a narrow procedural task, improves the result of work a person has already done, detects patterns without replacing human judgement, or handles only a preparatory step. There is a firm limit, though: a system that profiles individuals is always treated as high-risk. Because the boundary is genuinely fine in places, borderline cases deserve a written rationale rather than a confident guess, and further classification guidance has been the subject of consultation.

For providers of high-risk systems the duties are substantial and run across the whole life of the product. Before a high-risk system goes onto the EU market, the provider must meet the Act's mandatory requirements and complete a conformity assessment. Those requirements span risk management, data quality and governance, documentation and traceability, transparency, human oversight, accuracy, cybersecurity and robustness, supported by a quality management system, retained logs, an EU declaration of conformity, and ongoing responsibility for the system in use. This is a design, documentation and testing regime, not a single page of policy.

Human oversight is the requirement most often misread. The Act asks that high-risk systems be built so that real people can oversee them effectively in use, and that the people assigned have the competence, training and authority to act. It is not satisfied by a vague claim that someone is in the loop, or by the theoretical ability to override a decision after the fact. The practical test is whether the organisation has genuinely equipped a person to understand the tool, watch it, interpret it correctly, and step in when it matters.

Buying a system rather than building it does not remove obligations. Deployers of high-risk systems must use them in line with the instructions, assign capable human oversight, ensure that any input data they control is relevant and representative, monitor operation, report serious incidents and risks to providers and authorities, and keep logs under their control, generally for at least six months. Where a high-risk system is used in the workplace, employers must inform worker representatives and affected staff before it goes live, and where an Annex III system makes or supports decisions about individuals, those individuals must be told they are subject to it. Procurement, in other words, is not a substitute for governance.

In some cases deployers must go further and complete a fundamental rights impact assessment before first use. This applies to public bodies, private providers of public services, and deployers of the high-risk systems used for creditworthiness assessment and for life and health insurance pricing. The assessment sets out how and how often the system will be used, who may be affected, the likely risks, the oversight in place, and what will happen if those risks materialise. Where personal data is involved, a data protection impact assessment will usually sit alongside it, which is one reason the Act is connected to data protection law without being the same thing.

The Act also gives individuals a right to an explanation. Where a decision with legal or similarly significant effects is taken about a person on the basis of a high-risk system's output, that person can ask for a clear and meaningful explanation of the system's role in the decision and the main factors involved. For any organisation making consequential EU-facing decisions with AI, that has practical implications for how decisions are recorded and how processes are designed.

A lighter category, often called limited risk, is mostly about transparency. People interacting directly with an AI system should be told they are dealing with AI unless it is obvious. Synthetic audio, image, video or text should be marked, where feasible, as artificially generated. Emotion-recognition and biometric-categorisation systems require notice to the people exposed to them, deepfakes must be disclosed, and AI-generated text published to inform the public on matters of public interest must be flagged, subject to exceptions. In most ordinary cases this asks for clear notices and honest disclosure rather than a full compliance apparatus.

The majority of AI uses fall into a minimal-risk space that the Act largely leaves to existing law. That should not be read as nothing to do. A general obligation on AI literacy applies to providers and deployers across the board, and other law, including data protection, consumer, employment, equality and sector rules, continues to apply. Minimal risk means the Act is not building a bespoke regime for that tool, not that governance disappears.

AI literacy is easy to overlook and worth singling out. Providers and deployers must take reasonable measures to ensure the people using AI on their behalf have a sufficient understanding of it: what AI is, what the organisation uses, what opportunities and risks it creates, and what role the organisation plays. Telling staff to read the manual is rarely enough, particularly for higher-risk systems. This obligation is among the earliest to apply, which makes literacy a present concern rather than a future one for any organisation in scope.

General-purpose AI models sit in their own part of the Act. Providers of these models must keep technical documentation current, give downstream builders enough information to understand the model's capabilities and limits and meet their own duties, maintain a policy for complying with copyright law, and publish a summary of the training data along an official template. A business that consumes frontier-model APIs or embeds a broad model in its own product depends on this information flowing down the chain, even if it is not the model provider itself. The most capable models, those judged to carry systemic risk, face additional duties around evaluation, adversarial testing, risk mitigation, incident reporting and cybersecurity. That layer is aimed more at the model builders than at an organisation using an off-the-shelf assistant, but it still matters commercially, because downstream businesses rely on those providers for documentation and contractual assurance.

Open-source deserves a note of caution, because it is often misread as a blanket exemption. Some free and open-source releases are excluded, but not where the system is high-risk or falls under the prohibited or transparency rules, and some documentation reliefs for open models fall away where a model carries systemic risk. Open-source changes the analysis; it does not end it. The same questions still apply: what does the system do, what role do you play, and who in the EU is affected.

A value-chain rule catches businesses by surprise more than almost any other part of the Act. A distributor, importer, deployer or other party can itself become the provider of a high-risk system if it puts its own name or mark on the system, makes a substantial modification, or changes the purpose of a previously non-high-risk system so that it becomes high-risk. Deep customisation, white-labelling or repurposing can move an organisation from the lighter user position into the heavier provider one. For any business wrapping a third-party model into its own branded EU-facing offer, this is among the most commercially important lines in the Act.

Enforcement is shared. A European AI Office within the Commission oversees implementation and supervises the most powerful general-purpose models, while national market surveillance authorities supervise and enforce the rules for AI systems, including the prohibitions and the high-risk regime. Member States designate the authorities that oversee the bodies handling certain pre-market conformity work, and advisory and scientific structures help steer the system. In practice an organisation should expect supervision at the EU level for the largest models and interaction with national authorities for most system-level obligations.

The penalties are significant and worth reading precisely. Breaching the prohibited practices can attract fines up to EUR 35 million or 7 per cent of total worldwide annual turnover, whichever is higher. A broad set of other obligations, including provider and deployer duties and the transparency rules, can reach up to EUR 15 million or 3 per cent. Supplying incorrect, incomplete or misleading information to authorities can reach up to EUR 7.5 million or 1 per cent. For smaller firms and start-ups the fine is capped at the lower of the fixed amount or the percentage rather than the higher. Providers of general-purpose AI models face a separate route to fines of up to EUR 15 million or 3 per cent of worldwide turnover.

The timetable needs care, because it is both phased and recently revised. The Regulation entered into force in 2024. The earliest obligations, on AI literacy and the prohibited practices, applied from February 2025. Obligations for general-purpose AI models, governance and penalties followed in August 2025. A political agreement reached in early May 2026, part of a wider simplification package known as the Digital Omnibus, then moved several of the later dates. The high-risk obligations for the Annex III use-based categories, such as employment, credit, biometrics and critical infrastructure, are now set to apply from 2 December 2027 rather than August 2026. The high-risk obligations for AI embedded in regulated products, such as medical devices and machinery, move to 2 August 2028. The transparency obligations for synthetic and AI-generated content are due from 2 December 2026, after the grace period was shortened. National regulatory sandboxes move to August 2027.

Three cautions follow from that. First, as of mid-2026 this agreement is provisional and takes legal effect only on formal adoption and publication. Until then, the original date of 2 August 2026 for the use-based high-risk obligations technically still governs, which is why the institutions have said they intend to complete adoption before that date. Treat the revised dates as the operative planning baseline, but understand that the old date remains the legal position until the amendment is published. Second, the revised dates are an outer limit rather than a fixed floor: the agreement lets the authorities bring obligations forward, to roughly six months after the necessary standards and guidance are confirmed in place, so 2 December 2027 is the latest the Annex III duties would begin, not a guarantee of that exact day. Third, the sensible posture is neither "nothing applies until 2027" nor "all high-risk rules start in August 2026", because neither is accurate. Parts of the Act are already in force, others are imminent, and the high-risk timetable has been extended to give standards and guidance time to mature. A precise, dated understanding is worth more here than a single remembered deadline.