AI Act ›

AI Act Guide: What the EU AI Act Means for Your Organisation

A practical, plain-English guide to the EU AI Act. Understand the four risk categories, your role, what you must do, and how it connects to GDPR. No gate, no fluff, just what you need to act.

Feature image for the article with the large headline “AI Act Guide” in dark blue on a blue-to-purple gradient background with soft blob shapes. Above the headline the label “Regulation (EU) 2024/1689” and below it a short subheading. On the right, a shield icon ringed by twelve dots evoking the EU circle of stars, with the .legal logo at the top.

Table of Contents

    Almost every organisation in Europe now uses AI in some form, often without realising it. It sits inside your recruitment tool, your customer service chatbot, your fraud checks and the productivity assistants your team opens every morning. The EU AI Act is the first comprehensive law that governs all of it, and it reaches far beyond the companies that build AI.

    This guide walks you through what the AI Act actually requires, in plain language and grounded in the regulation itself. You'll learn the four risk categories, how to identify your role, which practices are banned outright, what high-risk systems demand, how the rules overlap with GDPR, and a practical roadmap to get compliant. We've deliberately made this the public, ungated version of the guide most vendors hide behind a form.

    One thing up front: we've written this around your obligations, not around specific calendar dates. As you'll see below, the deadlines keep moving, most recently through the EU's Digital Omnibus simplification package. The obligations themselves are stable, and the work you need to do doesn't change because a date shifts.

    What Is the EU AI Act?

    The EU AI Act (formally Regulation (EU) 2024/1689) is the world's first comprehensive legal framework for artificial intelligence. It entered into force on 1 August 2024 and applies in stages. Like GDPR before it, it's a regulation rather than a directive, which means it applies directly across all EU member states without needing separate national laws to take effect.

    The core idea is simple. The AI Act regulates AI according to the risk it poses to people's health, safety and fundamental rights. The higher the risk, the stricter the obligations. Most AI carries little or no risk and is barely touched by the law. A small set of uses are considered so harmful they're banned. In between sits a category of "high-risk" systems that carry real obligations.

    If you already understand GDPR, the mental model transfers well. Both laws are risk-based, both reach organisations outside the EU, both put documentation and accountability at their centre, and both carry turnover-based fines. If you want the wider regulatory picture, we cover how these frameworks fit together in our article on digital sovereignty and EU legislation.

    Does the AI Act Apply to My Organisation?

    Probably, yes. The AI Act has broad extraterritorial reach under Article 2. It applies to providers that place AI systems on the EU market wherever they're established, to deployers located in the EU, and, crucially, to providers and deployers outside the EU where the output of the system is used in the EU.

    That last trigger is the one most organisations miss. The threshold is whether the system's output is used in the Union, which is a lower bar than GDPR's "targeting" standard. A company based outside the EU whose AI output reaches EU users can be caught even without an EU establishment. Non-EU providers of high-risk systems must appoint an EU authorised representative under Article 22.

    Stylised, abstract map with the EU highlighted as a single shape at the centre. Curved arrows from several points outside the EU flow inward, ending in small nodes carrying AI-output icons. The image illustrates the extraterritorial reach of the AI Act: AI output created outside the EU is covered once it is used in the EU.

    The Four AI Act Risk Categories

    Everything in the AI Act flows from four risk tiers. Working out which tier each of your systems falls into is the single most important classification exercise you'll do, because it determines every obligation that follows.

    Risk tier Where it's defined What it means
    Unacceptable (prohibited) Article 5 Banned outright. These uses cannot be placed on the market or used in the EU at all.
    High-risk Article 6 + Annex I and Annex III Permitted, but subject to strict requirements on data, documentation, oversight and more.
    Limited (transparency) risk Article 50 Permitted, with duties to tell people they're dealing with AI or AI-generated content.
    Minimal risk Not regulated The vast majority of AI. No mandatory obligations, only voluntary codes of conduct.

    A quick word on a common misconception. The tiers don't describe how advanced or powerful a system is. They describe how it's used. The same underlying model can be minimal risk in one setting and high-risk in another. Classification always follows the use case, not the technology.

    Who the AI Act Applies To: Your Role Decides Your Duties

    The AI Act assigns obligations by role, defined in Article 3. The same organisation can hold more than one role at once, and the role you hold determines what you must do. We go deeper on this in our dedicated article on who should comply with the AI Act.

    • Provider develops an AI system or general-purpose AI model and places it on the market or into service under its own name or trademark. OpenAI and Google are obvious examples, but you become a provider the moment you build or substantially modify AI and offer it to others.
    • Deployer uses an AI system under its own authority in a professional context. This is where most organisations sit. If you use ChatGPT, Microsoft Copilot or an AI-powered HR tool at work, you're a deployer.
    • Importer places an AI system from a non-EU provider on the EU market.
    • Distributor makes an AI system available on the EU market without being the provider or importer.

    Here's a trap that catches organisations off guard. Under Article 25, a deployer can turn into a provider, with all the heavier obligations that brings, if it puts its own name or trademark on a high-risk system, makes a substantial modification to it, or changes its intended purpose so that it becomes high-risk. In practice this means fine-tuning or rebranding a third-party high-risk system can quietly promote you from deployer to provider. It's worth checking before you build on top of someone else's model.

    Diagram of the four roles in Article 3 of the AI Act, shown as four cards in sequence: provider, importer, distributor and deployer, each with an icon and a short description. A red dashed arc labelled “Article 25” runs from deployer back to provider, showing that a deployer can become a provider.

    Prohibited AI Practices (Article 5)

    Article 5 lists the AI uses that are banned in the EU. The original text of the regulation sets out eight prohibited practices, lettered (a) to (h). These have applied since 2 February 2025 and carry the heaviest fines in the entire Act.

    1. Subliminal or manipulative techniques that materially distort behaviour and are likely to cause significant harm.
    2. Exploiting vulnerabilities due to age, disability, or a specific social or economic situation.
    3. Social scoring that leads to detrimental or disproportionate treatment in unrelated contexts.
    4. Predictive policing on the individual, meaning assessing the risk of someone committing a crime based solely on profiling or personality traits.
    5. Untargeted scraping of facial images from the internet or CCTV to build facial recognition databases.
    6. Emotion recognition in the workplace and in education (with narrow medical and safety exceptions).
    7. Biometric categorisation that infers sensitive attributes such as race, political opinions, trade union membership, religion, sex life or sexual orientation.
    8. Real-time remote biometric identification in publicly accessible spaces for law enforcement, subject to three narrow exceptions.

    One point where you'll see other guides go slightly out of date. The Digital Omnibus adds a further prohibition targeting AI-generated non-consensual intimate imagery and child sexual abuse material. So the accurate picture is eight original prohibited practices plus a new prohibition on the way, rather than a flat "eight" forever.

    High-Risk AI: Where the Real Work Lives (Articles 6-27)

    High-risk is the category that generates most of the compliance effort, and it's where you should spend your attention. A system becomes high-risk through one of two routes under Article 6.

    Route 1: Annex I (embedded in regulated products)

    The AI is a safety component of, or is itself, a product already covered by EU harmonisation legislation that requires third-party conformity assessment. Think medical devices, machinery, toys, vehicles, lifts and radio equipment.

    Route 2: Annex III (standalone high-risk use cases)

    The system is used in one of eight enumerated areas:

    • Biometrics
    • Critical infrastructure
    • Education and vocational training
    • Employment, worker management and access to self-employment
    • Access to essential private and public services (including creditworthiness and credit scoring, and life and health insurance pricing)
    • Law enforcement
    • Migration, asylum and border control
    • Administration of justice and democratic processes

    There's an important exemption in Article 6(3). An Annex III system is not high-risk if it only performs a narrow procedural task, improves the result of a completed human activity, detects decision patterns without replacing human judgement, or does purely preparatory work. But watch the catch: profiling of natural persons always counts as high-risk, no exemption. If you rely on the exemption, you must document the assessment and still register the system.

    What high-risk systems must satisfy (Articles 8-15)

    High-risk systems have to meet a package of requirements: a risk management system (Article 9), data and data governance controls (Article 10), technical documentation (Article 11), automatic record-keeping and logging (Article 12), transparency and clear information for deployers (Article 13), effective human oversight (Article 14), and appropriate accuracy, robustness and cybersecurity (Article 15).

    Provider versus deployer obligations

    Provider of high-risk AI (Article 16) Deployer of high-risk AI (Article 26)
    Ensure the system meets Articles 9-15 Use the system according to the instructions for use
    Operate a quality management system Assign human oversight to trained, competent people
    Keep technical documentation and logs Keep the automatically generated logs for at least six months
    Carry out conformity assessment and affix CE marking Ensure input data is relevant where the deployer controls it
    Register the system in the EU database Monitor operation, suspend on risk and report serious incidents

    The Fundamental Rights Impact Assessment (Article 27)

    Some deployers of high-risk systems must carry out a Fundamental Rights Impact Assessment, or FRIA, before putting the system into use. This applies to public bodies and private providers of public services, and to deployers using high-risk systems for creditworthiness and credit scoring or for life and health insurance risk assessment and pricing. We come back to how the FRIA relates to your GDPR data protection impact assessment below, because there's a common misunderstanding worth clearing up.

    Decision tree for high-risk classification under Article 6. From “AI system” the path splits into two routes: Route 1 (Annex I) for AI embedded in regulated products, and Route 2 (Annex III) for eight use-case areas. On Route 2 the Article 6(3) exception question leads to “Not high-risk” if yes and “High-risk” if no; Route 1 leads straight to “High-risk”. A note highlights that profiling of natural persons is always high-risk.

    Transparency Rules and General-Purpose AI

    Limited-risk transparency (Article 50)

    Article 50 covers the systems most businesses actually run day to day. It sets four transparency duties: tell people when they're interacting with an AI system such as a chatbot, mark synthetic audio, image, video and text in a machine-readable way, tell people when they're exposed to emotion recognition or biometric categorisation, and label deepfakes and AI-generated text published to inform the public. Burying the disclosure in your terms and conditions doesn't satisfy this. The information has to be clear and accessible.

    General-purpose AI models (Articles 51-56)

    General-purpose AI models, the large foundation models behind tools like ChatGPT and Gemini, have their own regime under Chapter V. Baseline obligations for GPAI providers include technical documentation, information for downstream providers, a copyright policy and a public summary of training content. A model is classed as carrying "systemic risk" when the compute used to train it exceeds 10^25 floating point operations, which brings extra duties around model evaluation, adversarial testing, risk mitigation and incident reporting to the EU AI Office. These rules have applied since 2 August 2025.

    AI Literacy: The Obligation Almost Everyone Overlooks (Article 4)

    Article 4 is short, easy to miss, and applies to nearly everyone. It requires providers and deployers to ensure a sufficient level of AI literacy among staff and anyone operating AI on their behalf. It applies across all risk tiers, so even if all you do is let staff use ChatGPT, this one lands on you. It has applied since 2 February 2025.

    The good news is there's no prescribed curriculum, exam or certificate. The obligation is proportionate and role-based, and the sensible response is straightforward: give people training matched to how they actually use AI, and document that you've done it. Our article on AI literacy under the AI Act sets out what good looks like in practice.

    Penalties: What Non-Compliance Costs (Article 99)

    The AI Act uses tiered fines, and the amount depends on which obligation you breach. Multiple sources quote the headline 7% figure, but the full picture matters, because most obligations sit in the lower tiers.

    Breach Maximum fine
    Prohibited practices (Article 5) Up to €35 million or 7% of worldwide annual turnover, whichever is higher
    Most operator obligations (providers, deployers, importers, distributors, transparency) Up to €15 million or 3%
    Supplying incorrect or misleading information to authorities Up to €7.5 million or 1%

    There's relief for smaller organisations. For SMEs and start-ups, the fine is the lower of the fixed amount or the percentage, not the higher. General-purpose AI model providers face a separate regime with fines up to €15 million or 3%, imposed by the Commission.

    The Timeline and Why We're Not Anchoring to Dates

    The AI Act was designed to apply in phases rather than all at once. Prohibited practices and AI literacy came first, then general-purpose AI rules, with high-risk obligations arriving later. That was the plan. In practice, the dates have proven to be a moving target.

    In late 2025 the European Commission proposed the Digital Omnibus, a simplification package that, among other things, pushes back the high-risk deadlines and adjusts several obligations. The high-risk Annex III timeline moved from August 2026 to December 2027, and the embedded high-risk Annex I timeline moved to August 2028. The package reached final adoption by the Council in mid-2026 and binds only once published in the Official Journal.

    This is exactly why we've built this guide around obligations rather than dates. Deadlines have already shifted once and could shift again. Treating a delay as a reprieve is a mistake, because the extra time is a planning window, not a cancellation. The two tasks that matter most, taking an inventory of your AI and classifying each system by risk, don't depend on any deadline or on harmonised standards being finalised. You can and should start them now. The deadline moved. The obligation didn't.

    The AI Act and GDPR: How They Fit Together

    If your AI processes personal data, and most does, you're complying with two frameworks at once. The AI Act doesn't replace GDPR. It sits alongside it, and GDPR remains the law that governs whether your processing of personal data is lawful. Getting the overlap right is where you save the most effort, so it's worth being precise.

    The most common point of confusion is the relationship between a GDPR Data Protection Impact Assessment (DPIA, under GDPR Article 35) and the AI Act's Fundamental Rights Impact Assessment (FRIA, under Article 27). You'll often read that a DPIA "satisfies" your AI Act documentation. That's not quite right, and the imprecision can trip you up. The accurate position is that the FRIA complements the DPIA, it does not replace it. Where a DPIA already covers some of the required content, you can rely on it for that part. But the FRIA is a distinct, pre-deployment obligation, and it applies to a narrower set of deployers than the DPIA does. Many organisations owe a DPIA but not a FRIA, and a handful owe both.

    Aspect DPIA (GDPR Art. 35) FRIA (AI Act Art. 27)
    Focus Risks to personal data Risks to fundamental rights
    Who Controllers, for high-risk processing A narrower set of high-risk deployers
    Relationship May cover part of the FRIA content Complements, does not replace, the DPIA

    Two more overlaps are worth knowing. AI Act Article 10 sets data-quality and bias-examination duties for high-risk systems on top of GDPR, and Article 10(5) permits processing special-category data specifically to detect and correct bias, though this supplements rather than removes the need for a GDPR Article 9 basis. And the roles line up neatly: controller and processor under GDPR map onto provider and deployer under the AI Act. Your Data Protection Officer is the natural person to coordinate both. If you don't have one, our guide on what a Data Protection Officer does is a good starting point, and our overview of GDPR compliance covers the foundations.

    A Practical Six-Step Compliance Roadmap

    You don't need to do everything at once. This sequence takes you from a standing start to a defensible position, and the first two steps deliver most of the value.

    1. Map your AI assets. Build an inventory of every AI system in use, including the tools buried inside software you already licence. Reuse your GDPR records of processing to seed it. You can't govern what you can't see.
    2. Classify each system by risk. Run each system through the four tiers. Most will be minimal or limited risk. Flag anything that touches an Annex III area or a prohibited practice.
    3. Establish governance. Decide who owns AI decisions, set an internal AI policy, and assign clear responsibility for oversight.
    4. Document. Keep records of your classification decisions, your risk assessments and your reasoning. If you rely on the Article 6(3) exemption, document why.
    5. Align with GDPR. Combine your DPIA and FRIA work where they overlap, involve your DPO, and avoid doing the same assessment twice.
    6. Train your team. Deliver role-based AI literacy training under Article 4 and record that you've done it.

    Your Ready-to-Use AI Act Checklist

    Use this as a working checklist. It covers both AI Act and GDPR obligations so you're not tracking them in separate places.

    ☐ We've inventoried every AI system in use, including embedded AI
    ☐ We've classified each system into one of the four risk tiers
    ☐ We've confirmed no system falls under the Article 5 prohibitions
    ☐ We've identified our role (provider, deployer, importer, distributor) for each system
    ☐ We've checked the Article 25 role-flip risk for any system we modify or rebrand
    ☐ For high-risk systems, we've mapped the Article 8-15 requirements
    ☐ We've assessed whether a FRIA (Article 27) is required, and completed it where it is
    ☐ We meet the Article 50 transparency duties for chatbots and AI-generated content
    ☐ We've delivered and documented AI literacy training (Article 4)
    ☐ We've aligned our DPIA and FRIA work and involved our DPO
    ☐ We've assigned clear ownership and set an internal AI policy
    ☐ We keep documentation of our decisions and reasoning

    How .legal Helps You Get AI Act Ready

    Doing this in spreadsheets works right up until it doesn't. As your AI inventory grows and the deadlines shift, keeping classifications, assessments and training records in sync by hand becomes a real burden. Our AI Act Framework is built to carry that load for you.

    • A guided classification flow that walks each system through the four risk tiers
    • A central register of your AI systems, roles and risk levels
    • Linked DPIA and FRIA workflows so you don't duplicate GDPR work
    • Documentation and audit trails ready for supervisory authorities
    • One platform for AI Act, GDPR and your other frameworks together

    The point isn't more admin. It's spending your time on the actual governance decisions instead of the paperwork around them. See how it works, or book a demo to walk through your own AI inventory with us.

    Frequently Asked Questions about the EU AI Act

    What is the EU AI Act in simple terms?

    The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive law on artificial intelligence. It regulates AI according to the risk it poses to people, using four tiers: prohibited uses that are banned outright, high-risk systems with strict obligations, limited-risk systems with transparency duties, and minimal-risk AI that is largely unregulated. The higher the risk, the stricter the rules.

    Does the AI Act apply to companies outside the EU?

    Yes. Under Article 2, the AI Act applies to providers placing AI on the EU market wherever they are based, to deployers located in the EU, and to providers and deployers outside the EU where the output of the system is used in the EU. That 'used in the EU' trigger is a lower bar than GDPR's targeting standard, so many non-EU organisations are caught. Non-EU providers of high-risk systems must appoint an EU authorised representative.

    What are the four AI Act risk categories?

    Unacceptable or prohibited risk (banned under Article 5), high-risk (permitted but strictly regulated under Article 6 and Annexes I and III), limited or transparency risk (permitted with disclosure duties under Article 50), and minimal risk (the vast majority of AI, with no mandatory obligations). Classification follows how a system is used, not how advanced it is.

    How many prohibited AI practices are there under the AI Act?

    The original text of the AI Act sets out eight prohibited practices in Article 5, lettered (a) to (h), covering things like social scoring, untargeted facial image scraping, emotion recognition in the workplace and real-time remote biometric identification. These have applied since 2 February 2025. The Digital Omnibus adds a further prohibition on AI-generated non-consensual intimate imagery and child sexual abuse material, so the picture is best described as eight original practices plus a new prohibition.

    What counts as a high-risk AI system?

    A system is high-risk under Article 6 through one of two routes: it is a safety component of a product already regulated by EU law (Annex I), or it is used in one of eight areas listed in Annex III, including biometrics, critical infrastructure, education, employment, essential services such as credit scoring, law enforcement, migration and the administration of justice. A limited exemption in Article 6(3) applies to narrow procedural tasks, but profiling of individuals is always high-risk.

    What is the difference between a provider and a deployer?

    A provider develops an AI system or general-purpose AI model and places it on the market under its own name. A deployer uses an AI system under its own authority in a professional context. Most organisations are deployers. Watch Article 25: a deployer can become a provider, with the heavier obligations that brings, if it puts its name on a high-risk system, substantially modifies it, or changes its intended purpose.

    When do the AI Act deadlines apply after the Digital Omnibus?

    The AI Act applies in phases. Prohibited practices and AI literacy have applied since February 2025, and general-purpose AI rules since August 2025. The Digital Omnibus simplification package pushed the high-risk deadlines back, moving standalone high-risk (Annex III) to December 2027 and embedded high-risk (Annex I) to August 2028. Because these dates have already shifted and could shift again, the sensible approach is to focus on the obligations and start your AI inventory and risk classification now.

    What are the fines for breaching the AI Act?

    Fines are tiered. Prohibited practices under Article 5 carry up to 35 million euros or 7% of worldwide annual turnover, whichever is higher. Most other operator obligations carry up to 15 million euros or 3%. Supplying incorrect or misleading information to authorities carries up to 7.5 million euros or 1%. For SMEs and start-ups, the lower of the fixed amount or the percentage applies. General-purpose AI providers face a separate regime of up to 15 million euros or 3%.

    How does the AI Act relate to GDPR, and does my DPIA count?

    The AI Act sits alongside GDPR rather than replacing it, and GDPR still governs the lawfulness of personal-data processing. A GDPR Data Protection Impact Assessment (Article 35) and the AI Act's Fundamental Rights Impact Assessment (Article 27) are related but distinct. The FRIA complements the DPIA and does not replace it. Where your DPIA already covers some of the required content you can rely on it for that part, but the FRIA is a separate obligation and applies to a narrower set of deployers.

    Are ChatGPT and Microsoft Copilot regulated under the AI Act?

    Yes. These are general-purpose AI systems, and using them at work makes your organisation a deployer. That brings obligations including transparency under Article 50 and AI literacy under Article 4. The underlying models also carry provider-side obligations under Chapter V, and models trained with more than 10^25 floating point operations are treated as carrying systemic risk with additional duties.

    Still unsure?

    Ask Johannes directly, he runs most demos personally

    Book him here
    Processing activities

    .legal compliance platform Identify Your AI Act Roles and Obligations

    You can't govern the AI you can't see. .legal gives you a live inventory of every AI system, a guided flow to classify each by risk, linked DPIA and FRIA workflows, and audit-ready documentation - AI Act and GDPR in one place.
    • Map provider, deployer, and distributor roles per AI system
    • Get role-specific compliance checklists automatically
    • Track obligations and deadlines for each role
    • Document compliance evidence in a centralized platform
    • Generate audit-ready reports for regulatory inquiries
    +400 companies use .legal
    Region Sjælland
    Aarhus Universitet
    aj_vaccines_logo
    Realdania
    Right People
    IO Gates
    PLO
    Finans Danmark
    geia-food
    Evida
    Klasselotteriet
    NRGI1
    BLUE WATER SHIPPING
    Karnov
    Ingvard Christensen
    VP Securities
    AH Industries
    Lægeforeningen
    InMobile
    AK Nygart
    DEIF
    DMJX
    Axel logo
    qUINT Logo
    KAUFMANN (1)
    SMILfonden-logo
    kurhotel_skodsborg
    nemlig.com
    Molecule Consultancy
    Novicell