AI Act ›
Who should comply with the AI Act?
Almost every organisation in Europe now uses AI in some form, often without realising it. It sits inside your recruitment tool, your customer service chatbot, your fraud checks and the productivity assistants your team opens every morning. The EU AI Act is the first comprehensive law that governs all of it, and it reaches far beyond the companies that build AI.
This guide walks you through what the AI Act actually requires, in plain language and grounded in the regulation itself. You'll learn the four risk categories, how to identify your role, which practices are banned outright, what high-risk systems demand, how the rules overlap with GDPR, and a practical roadmap to get compliant. We've deliberately made this the public, ungated version of the guide most vendors hide behind a form.
One thing up front: we've written this around your obligations, not around specific calendar dates. As you'll see below, the deadlines keep moving, most recently through the EU's Digital Omnibus simplification package. The obligations themselves are stable, and the work you need to do doesn't change because a date shifts.
The EU AI Act (formally Regulation (EU) 2024/1689) is the world's first comprehensive legal framework for artificial intelligence. It entered into force on 1 August 2024 and applies in stages. Like GDPR before it, it's a regulation rather than a directive, which means it applies directly across all EU member states without needing separate national laws to take effect.
The core idea is simple. The AI Act regulates AI according to the risk it poses to people's health, safety and fundamental rights. The higher the risk, the stricter the obligations. Most AI carries little or no risk and is barely touched by the law. A small set of uses are considered so harmful they're banned. In between sits a category of "high-risk" systems that carry real obligations.
If you already understand GDPR, the mental model transfers well. Both laws are risk-based, both reach organisations outside the EU, both put documentation and accountability at their centre, and both carry turnover-based fines. If you want the wider regulatory picture, we cover how these frameworks fit together in our article on digital sovereignty and EU legislation.
Probably, yes. The AI Act has broad extraterritorial reach under Article 2. It applies to providers that place AI systems on the EU market wherever they're established, to deployers located in the EU, and, crucially, to providers and deployers outside the EU where the output of the system is used in the EU.
That last trigger is the one most organisations miss. The threshold is whether the system's output is used in the Union, which is a lower bar than GDPR's "targeting" standard. A company based outside the EU whose AI output reaches EU users can be caught even without an EU establishment. Non-EU providers of high-risk systems must appoint an EU authorised representative under Article 22.

Everything in the AI Act flows from four risk tiers. Working out which tier each of your systems falls into is the single most important classification exercise you'll do, because it determines every obligation that follows.
| Risk tier | Where it's defined | What it means |
|---|---|---|
| Unacceptable (prohibited) | Article 5 | Banned outright. These uses cannot be placed on the market or used in the EU at all. |
| High-risk | Article 6 + Annex I and Annex III | Permitted, but subject to strict requirements on data, documentation, oversight and more. |
| Limited (transparency) risk | Article 50 | Permitted, with duties to tell people they're dealing with AI or AI-generated content. |
| Minimal risk | Not regulated | The vast majority of AI. No mandatory obligations, only voluntary codes of conduct. |
A quick word on a common misconception. The tiers don't describe how advanced or powerful a system is. They describe how it's used. The same underlying model can be minimal risk in one setting and high-risk in another. Classification always follows the use case, not the technology.
The AI Act assigns obligations by role, defined in Article 3. The same organisation can hold more than one role at once, and the role you hold determines what you must do. We go deeper on this in our dedicated article on who should comply with the AI Act.
Here's a trap that catches organisations off guard. Under Article 25, a deployer can turn into a provider, with all the heavier obligations that brings, if it puts its own name or trademark on a high-risk system, makes a substantial modification to it, or changes its intended purpose so that it becomes high-risk. In practice this means fine-tuning or rebranding a third-party high-risk system can quietly promote you from deployer to provider. It's worth checking before you build on top of someone else's model.

Article 5 lists the AI uses that are banned in the EU. The original text of the regulation sets out eight prohibited practices, lettered (a) to (h). These have applied since 2 February 2025 and carry the heaviest fines in the entire Act.
One point where you'll see other guides go slightly out of date. The Digital Omnibus adds a further prohibition targeting AI-generated non-consensual intimate imagery and child sexual abuse material. So the accurate picture is eight original prohibited practices plus a new prohibition on the way, rather than a flat "eight" forever.
High-risk is the category that generates most of the compliance effort, and it's where you should spend your attention. A system becomes high-risk through one of two routes under Article 6.
The AI is a safety component of, or is itself, a product already covered by EU harmonisation legislation that requires third-party conformity assessment. Think medical devices, machinery, toys, vehicles, lifts and radio equipment.
The system is used in one of eight enumerated areas:
There's an important exemption in Article 6(3). An Annex III system is not high-risk if it only performs a narrow procedural task, improves the result of a completed human activity, detects decision patterns without replacing human judgement, or does purely preparatory work. But watch the catch: profiling of natural persons always counts as high-risk, no exemption. If you rely on the exemption, you must document the assessment and still register the system.
High-risk systems have to meet a package of requirements: a risk management system (Article 9), data and data governance controls (Article 10), technical documentation (Article 11), automatic record-keeping and logging (Article 12), transparency and clear information for deployers (Article 13), effective human oversight (Article 14), and appropriate accuracy, robustness and cybersecurity (Article 15).
| Provider of high-risk AI (Article 16) | Deployer of high-risk AI (Article 26) |
|---|---|
| Ensure the system meets Articles 9-15 | Use the system according to the instructions for use |
| Operate a quality management system | Assign human oversight to trained, competent people |
| Keep technical documentation and logs | Keep the automatically generated logs for at least six months |
| Carry out conformity assessment and affix CE marking | Ensure input data is relevant where the deployer controls it |
| Register the system in the EU database | Monitor operation, suspend on risk and report serious incidents |
Some deployers of high-risk systems must carry out a Fundamental Rights Impact Assessment, or FRIA, before putting the system into use. This applies to public bodies and private providers of public services, and to deployers using high-risk systems for creditworthiness and credit scoring or for life and health insurance risk assessment and pricing. We come back to how the FRIA relates to your GDPR data protection impact assessment below, because there's a common misunderstanding worth clearing up.

Article 50 covers the systems most businesses actually run day to day. It sets four transparency duties: tell people when they're interacting with an AI system such as a chatbot, mark synthetic audio, image, video and text in a machine-readable way, tell people when they're exposed to emotion recognition or biometric categorisation, and label deepfakes and AI-generated text published to inform the public. Burying the disclosure in your terms and conditions doesn't satisfy this. The information has to be clear and accessible.
General-purpose AI models, the large foundation models behind tools like ChatGPT and Gemini, have their own regime under Chapter V. Baseline obligations for GPAI providers include technical documentation, information for downstream providers, a copyright policy and a public summary of training content. A model is classed as carrying "systemic risk" when the compute used to train it exceeds 10^25 floating point operations, which brings extra duties around model evaluation, adversarial testing, risk mitigation and incident reporting to the EU AI Office. These rules have applied since 2 August 2025.
Article 4 is short, easy to miss, and applies to nearly everyone. It requires providers and deployers to ensure a sufficient level of AI literacy among staff and anyone operating AI on their behalf. It applies across all risk tiers, so even if all you do is let staff use ChatGPT, this one lands on you. It has applied since 2 February 2025.
The good news is there's no prescribed curriculum, exam or certificate. The obligation is proportionate and role-based, and the sensible response is straightforward: give people training matched to how they actually use AI, and document that you've done it. Our article on AI literacy under the AI Act sets out what good looks like in practice.
The AI Act uses tiered fines, and the amount depends on which obligation you breach. Multiple sources quote the headline 7% figure, but the full picture matters, because most obligations sit in the lower tiers.
| Breach | Maximum fine |
|---|---|
| Prohibited practices (Article 5) | Up to €35 million or 7% of worldwide annual turnover, whichever is higher |
| Most operator obligations (providers, deployers, importers, distributors, transparency) | Up to €15 million or 3% |
| Supplying incorrect or misleading information to authorities | Up to €7.5 million or 1% |
There's relief for smaller organisations. For SMEs and start-ups, the fine is the lower of the fixed amount or the percentage, not the higher. General-purpose AI model providers face a separate regime with fines up to €15 million or 3%, imposed by the Commission.
The AI Act was designed to apply in phases rather than all at once. Prohibited practices and AI literacy came first, then general-purpose AI rules, with high-risk obligations arriving later. That was the plan. In practice, the dates have proven to be a moving target.
In late 2025 the European Commission proposed the Digital Omnibus, a simplification package that, among other things, pushes back the high-risk deadlines and adjusts several obligations. The high-risk Annex III timeline moved from August 2026 to December 2027, and the embedded high-risk Annex I timeline moved to August 2028. The package reached final adoption by the Council in mid-2026 and binds only once published in the Official Journal.
This is exactly why we've built this guide around obligations rather than dates. Deadlines have already shifted once and could shift again. Treating a delay as a reprieve is a mistake, because the extra time is a planning window, not a cancellation. The two tasks that matter most, taking an inventory of your AI and classifying each system by risk, don't depend on any deadline or on harmonised standards being finalised. You can and should start them now. The deadline moved. The obligation didn't.
If your AI processes personal data, and most does, you're complying with two frameworks at once. The AI Act doesn't replace GDPR. It sits alongside it, and GDPR remains the law that governs whether your processing of personal data is lawful. Getting the overlap right is where you save the most effort, so it's worth being precise.
The most common point of confusion is the relationship between a GDPR Data Protection Impact Assessment (DPIA, under GDPR Article 35) and the AI Act's Fundamental Rights Impact Assessment (FRIA, under Article 27). You'll often read that a DPIA "satisfies" your AI Act documentation. That's not quite right, and the imprecision can trip you up. The accurate position is that the FRIA complements the DPIA, it does not replace it. Where a DPIA already covers some of the required content, you can rely on it for that part. But the FRIA is a distinct, pre-deployment obligation, and it applies to a narrower set of deployers than the DPIA does. Many organisations owe a DPIA but not a FRIA, and a handful owe both.
| Aspect | DPIA (GDPR Art. 35) | FRIA (AI Act Art. 27) |
|---|---|---|
| Focus | Risks to personal data | Risks to fundamental rights |
| Who | Controllers, for high-risk processing | A narrower set of high-risk deployers |
| Relationship | May cover part of the FRIA content | Complements, does not replace, the DPIA |
Two more overlaps are worth knowing. AI Act Article 10 sets data-quality and bias-examination duties for high-risk systems on top of GDPR, and Article 10(5) permits processing special-category data specifically to detect and correct bias, though this supplements rather than removes the need for a GDPR Article 9 basis. And the roles line up neatly: controller and processor under GDPR map onto provider and deployer under the AI Act. Your Data Protection Officer is the natural person to coordinate both. If you don't have one, our guide on what a Data Protection Officer does is a good starting point, and our overview of GDPR compliance covers the foundations.
You don't need to do everything at once. This sequence takes you from a standing start to a defensible position, and the first two steps deliver most of the value.
Use this as a working checklist. It covers both AI Act and GDPR obligations so you're not tracking them in separate places.
☐ We've inventoried every AI system in use, including embedded AIDoing this in spreadsheets works right up until it doesn't. As your AI inventory grows and the deadlines shift, keeping classifications, assessments and training records in sync by hand becomes a real burden. Our AI Act Framework is built to carry that load for you.
The point isn't more admin. It's spending your time on the actual governance decisions instead of the paperwork around them. See how it works, or book a demo to walk through your own AI inventory with us.
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive law on artificial intelligence. It regulates AI according to the risk it poses to people, using four tiers: prohibited uses that are banned outright, high-risk systems with strict obligations, limited-risk systems with transparency duties, and minimal-risk AI that is largely unregulated. The higher the risk, the stricter the rules.
Yes. Under Article 2, the AI Act applies to providers placing AI on the EU market wherever they are based, to deployers located in the EU, and to providers and deployers outside the EU where the output of the system is used in the EU. That 'used in the EU' trigger is a lower bar than GDPR's targeting standard, so many non-EU organisations are caught. Non-EU providers of high-risk systems must appoint an EU authorised representative.
Unacceptable or prohibited risk (banned under Article 5), high-risk (permitted but strictly regulated under Article 6 and Annexes I and III), limited or transparency risk (permitted with disclosure duties under Article 50), and minimal risk (the vast majority of AI, with no mandatory obligations). Classification follows how a system is used, not how advanced it is.
The original text of the AI Act sets out eight prohibited practices in Article 5, lettered (a) to (h), covering things like social scoring, untargeted facial image scraping, emotion recognition in the workplace and real-time remote biometric identification. These have applied since 2 February 2025. The Digital Omnibus adds a further prohibition on AI-generated non-consensual intimate imagery and child sexual abuse material, so the picture is best described as eight original practices plus a new prohibition.
A system is high-risk under Article 6 through one of two routes: it is a safety component of a product already regulated by EU law (Annex I), or it is used in one of eight areas listed in Annex III, including biometrics, critical infrastructure, education, employment, essential services such as credit scoring, law enforcement, migration and the administration of justice. A limited exemption in Article 6(3) applies to narrow procedural tasks, but profiling of individuals is always high-risk.
A provider develops an AI system or general-purpose AI model and places it on the market under its own name. A deployer uses an AI system under its own authority in a professional context. Most organisations are deployers. Watch Article 25: a deployer can become a provider, with the heavier obligations that brings, if it puts its name on a high-risk system, substantially modifies it, or changes its intended purpose.
The AI Act applies in phases. Prohibited practices and AI literacy have applied since February 2025, and general-purpose AI rules since August 2025. The Digital Omnibus simplification package pushed the high-risk deadlines back, moving standalone high-risk (Annex III) to December 2027 and embedded high-risk (Annex I) to August 2028. Because these dates have already shifted and could shift again, the sensible approach is to focus on the obligations and start your AI inventory and risk classification now.
Fines are tiered. Prohibited practices under Article 5 carry up to 35 million euros or 7% of worldwide annual turnover, whichever is higher. Most other operator obligations carry up to 15 million euros or 3%. Supplying incorrect or misleading information to authorities carries up to 7.5 million euros or 1%. For SMEs and start-ups, the lower of the fixed amount or the percentage applies. General-purpose AI providers face a separate regime of up to 15 million euros or 3%.
The AI Act sits alongside GDPR rather than replacing it, and GDPR still governs the lawfulness of personal-data processing. A GDPR Data Protection Impact Assessment (Article 35) and the AI Act's Fundamental Rights Impact Assessment (Article 27) are related but distinct. The FRIA complements the DPIA and does not replace it. Where your DPIA already covers some of the required content you can rely on it for that part, but the FRIA is a separate obligation and applies to a narrower set of deployers.
Yes. These are general-purpose AI systems, and using them at work makes your organisation a deployer. That brings obligations including transparency under Article 50 and AI literacy under Article 4. The underlying models also carry provider-side obligations under Chapter V, and models trained with more than 10^25 floating point operations are treated as carrying systemic risk with additional duties.
This guide is your map of the whole regulation. From here, explore our focused articles on who must comply, AI literacy obligations, and how the AI Act works alongside GDPR.
Info
.legal A/S
hello@dotlegal.com
+45 7027 0127
VAT-no: DK40888888
Support
support@dotlegal.com
+45 7027 0127
Need help?
Let me help you get started
.legal is not a law firm and is therefore not under the supervision of the Bar Council.