Why the EU AI Act Uses a Risk-Based Approach
In short
The EU AI Act applies proportionate obligations based on the potential harm an AI system can cause — the higher the risk to people's rights or safety, the stricter the rules.
The EU chose a risk-based regulatory model because AI systems vary enormously in their real-world impact. A spam filter is not comparable to an AI system making parole decisions — and the rules governing each should reflect that difference.
The European Parliament's June 2023 briefing on the AI Act established the core principle: the classification system must balance innovation with the protection of fundamental rights. Proportionality is the governing logic.
The AI Act entered into force on August 1, 2024, often described by Deloitte and other analysts as "the world's first comprehensive AI law." Its provisions roll in over a 24–36 month transition window — not all at once.
| Date | Milestone |
|---|---|
| August 1, 2024 | AI Act enters into force |
| February 2, 2025 | General-Purpose AI (GPAI) rules apply; prohibited practices chapter in force |
| August 2, 2025 | Unacceptable Risk bans fully enforceable |
| August 2, 2026 | High Risk Annex III obligations apply (employment, healthcare, education, etc.) |
| August 2, 2027 | Full application including Annex I high-risk systems (product safety legislation) |
The four risk tiers — Unacceptable, High, Limited, and Minimal — form the spine of the entire regulatory framework. Each tier carries distinct obligations, from outright bans to no requirements at all.
The EU AI Act applies to any organisation placing AI systems on the EU market or using AI to affect EU residents — regardless of where the company is based. A US or Asia-headquartered company selling AI tools to European businesses must comply.
Who Must Comply With the EU AI Act
The Act defines four actor types, each with different obligations. Understanding which role your organisation holds is the first step to determining your compliance burden.
- Providers (developers): Companies that develop and place AI systems on the market. They carry the heaviest burden — conformity assessments, CE marking, registration in the EU database, and post-market monitoring.
- Deployers (users of AI): Businesses that use AI systems in their operations. Obligations include fundamental rights impact assessments for High Risk systems and maintaining human oversight.
- Importers: Entities bringing AI systems from outside the EU into the EU market. They must verify that providers have met compliance requirements.
- Distributors: Companies making AI systems available in the EU without substantial modification. They carry due-diligence obligations.
A company headquartered in the US, Canada, or Asia that sells AI tools to European businesses or consumers still falls under the Act. The EU Commission's AI Act Service Desk launched in 2025 as a resource for organisations navigating compliance questions.
For organisations already working through compliance requirements, our EU AI Act compliance checklist provides a step-by-step framework mapped to each risk tier.
Unacceptable Risk: AI Practices Banned Outright
In short
Unacceptable Risk AI practices are prohibited entirely under the EU AI Act — 8 categories of systems deemed so harmful to fundamental rights that no use case justifies them.
Article 5 of the EU AI Act defines the prohibited AI practices. These 8 categories became enforceable on August 2, 2025, per the EUR-Lex official text. Deploying any of them after that date triggers the Act's harshest penalties.
All Unacceptable Risk prohibitions became enforceable on August 2, 2025. Organisations still operating prohibited AI systems after this date face fines up to €35 million or 7% of global turnover, whichever is higher.
| Prohibited Practice | Example | Enforcement Date |
|---|---|---|
| Subliminal or manipulative techniques exploiting vulnerabilities | AI targeting people with cognitive impairments using subconscious nudges | August 2, 2025 |
| Government social scoring of citizens | State systems ranking citizens based on behaviour or social conduct | August 2, 2025 |
| Real-time remote biometric ID in public spaces (law enforcement) | Live facial recognition on CCTV for policing (narrow exceptions apply) | August 2, 2025 |
| Retrospective remote biometric identification using databases | Post-event facial recognition sweeps across footage archives | August 2, 2025 |
| Predictive policing based purely on profiling | AI-only crime risk scores used to deploy police resources | August 2, 2025 |
| Emotion recognition in workplaces and educational institutions | Employee mood monitoring systems; student emotion tracking during exams | August 2, 2025 |
| Biometric categorisation inferring sensitive attributes | Systems inferring political views, religion, or sexual orientation from facial data | August 2, 2025 |
| AI exploiting children or individuals with disabilities | Manipulative dark patterns in apps targeting minors | August 2, 2025 |
Penalties for Unacceptable Risk violations are the highest in the Act: €35 million or 7% of global annual turnover, per the Council of the European Union's May 2024 press release.
In our work across 100+ enterprise AI implementations at Alice Labs, social scoring concerns arise most frequently in public sector engagements, while biometric identification questions dominate HR-tech and retail security discussions.
Narrow Exceptions to the Biometric Identification Ban
The real-time remote biometric identification ban includes three tightly scoped law enforcement exceptions. These are not a general licence for surveillance — each requires prior authorisation from a judicial or independent administrative authority.
- Missing persons and trafficking victims: Searching for missing persons or victims of human trafficking and sexual exploitation.
- Imminent terrorist threats: Preventing a specific, credible, and imminent terrorist attack.
- Serious criminal suspects: Locating or identifying suspects in criminal offences punishable by at least 3 years imprisonment under EU member state law.
Each exception requires documented prior authorisation — except in cases of genuine urgency, where authorisation must be sought immediately after use. The bar is deliberately high to prevent mission creep.
High Risk AI Systems: Obligations and Annex III Categories
In short
High Risk AI systems face the Act's most comprehensive compliance requirements — conformity assessments, technical documentation, human oversight, and EU database registration — across 8 sectors defined in Annex III.
High Risk status is determined by two routes under Article 6. First, AI systems embedded in products already regulated under EU product safety legislation (listed in Annex I — including machinery, medical devices, and aviation equipment). Second, standalone AI systems listed in Annex III across 8 critical sectors.
The European Commission published official Article 6 classification guidelines in 2025 to help providers determine whether their system triggers High Risk obligations. These guidelines are particularly relevant for systems that might otherwise fall into grey areas.
| Sector | Example Use Cases |
|---|---|
| Biometric identification and categorisation | Remote biometric verification systems (permitted use cases only) |
| Critical infrastructure | AI managing water, energy, transport, or digital infrastructure |
| Education and vocational training | AI determining access to education; automated grading systems |
| Employment and worker management | CV screening tools; performance monitoring; promotion decisions |
| Access to essential private and public services | Credit scoring; AI in social benefits decisions; health insurance underwriting |
| Law enforcement | Polygraph-equivalent tools; risk assessment for crime or reoffending |
| Migration, asylum, and border control | Automated visa processing; asylum application assessments |
| Administration of justice and democratic processes | AI assisting judicial decisions; AI used in elections |
What High Risk Compliance Requires
Providers of High Risk AI systems must fulfil a detailed compliance package before placing their system on the EU market. Obligations apply from August 2, 2026 for Annex III systems.
- Conformity assessment: Documented evidence that the system meets the Act's technical requirements — either self-assessment or third-party audit, depending on the use case.
- Technical documentation: A comprehensive technical file covering system design, training data, accuracy metrics, and intended purpose.
- Risk management system: An ongoing process identifying, analysing, and mitigating risks throughout the system's lifecycle.
- Data governance: Training, validation, and test data must meet quality standards; bias evaluation is mandatory.
- Transparency and instructions for use: Clear documentation for deployers on intended purpose, limitations, and human oversight requirements.
- Human oversight measures: Technical features enabling human operators to monitor, intervene, and override system outputs.
- Accuracy, robustness, and cybersecurity: Documented performance benchmarks and security measures.
- EU database registration: High Risk systems must be registered in the European Commission's public AI database before deployment.
- CE marking: Required for systems placed on the EU market.
- Post-market monitoring: Ongoing data collection and reporting on system performance after deployment.
Deployers (organisations using High Risk AI) also carry obligations — most significantly a Fundamental Rights Impact Assessment (FRIA) before deploying systems in sensitive contexts, and maintaining logs of system operation for accountability.
Penalties for High Risk non-compliance reach €15 million or 3% of global annual turnover — lower than Unacceptable Risk penalties but still material for any organisation.
Our EU AI Act compliance guide covers the full documentation and assessment process for High Risk system providers in detail.
How Article 6 Classification Works in Practice
Not every AI system used in one of the 8 Annex III sectors is automatically High Risk. Article 6(3) introduces a filtering mechanism — a system does not qualify as High Risk if it poses no significant risk of harm to people's health, safety, or fundamental rights, including by not materially influencing decision-making outcomes.
The 2025 European Commission classification guidelines provide specific criteria for applying this filter. Providers must document their reasoning and retain that documentation as part of their technical file.
- Decision influence test: Does the AI system materially influence decisions affecting individuals? If not, it may fall outside High Risk scope.
- Ancillary function test: Is AI used only as a narrow tool within a broader human-led process, with no autonomous decisional role? This can reduce risk classification.
- Harm probability and severity: Low-probability, low-severity risk profiles can support a non-High Risk classification even within Annex III sectors.
At Alice Labs, our governance team applies these three filters as the starting point in every AI audit we conduct for enterprise clients operating in Annex III sectors. The documentation trail matters as much as the classification outcome itself.
Limited Risk: Transparency Obligations for Chatbots and Synthetic Content
In short
Limited Risk AI systems face one core obligation: transparency. Users must be told they are interacting with AI — this applies to chatbots, AI-generated images, and deepfakes.
Limited Risk covers AI systems where the primary concern is not physical harm but deception — specifically, systems that interact with humans or generate content that could be mistaken for human-created work.
The obligations are comparatively light but legally binding. Failure to disclose AI interaction or synthetic content can constitute a violation, even without any broader harm.
| System Type | Obligation | Who It Applies To |
|---|---|---|
| Chatbots and conversational AI | Inform users they are interacting with an AI system, not a human | Deployers and providers |
| AI-generated images, audio, and video (deepfakes) | Clearly label content as artificially generated or manipulated | Providers and deployers |
| Emotion recognition systems (non-prohibited contexts) | Inform individuals that their emotions are being recognised or inferred | Deployers |
| Biometric categorisation systems (permitted use) | Disclose to individuals when biometric categorisation is being used | Deployers |
The chatbot disclosure requirement is the most commercially significant. Any customer-facing AI assistant — whether deployed for customer service, sales, or support — must make its AI nature clear at the start of an interaction.
Deepfake labelling applies to synthetic media used in commercial, political, or public contexts. Narrow exceptions exist for clearly artistic or satirical purposes, provided the AI-generated nature is still appropriately disclosed.
Practical Compliance for Limited Risk Systems
Limited Risk compliance is operationally straightforward for most organisations. The key requirements are disclosure by design — building transparency into the user interface and content workflow, not bolting it on after deployment.
- Chatbot disclosure: Add a clear "You are speaking with an AI assistant" message at session start — not buried in terms and conditions.
- Synthetic content labelling: Use machine-readable metadata (such as C2PA standards) alongside human-visible labels on AI-generated images and video.
- Biometric disclosure: If using emotion recognition or biometric categorisation in permitted contexts, include real-time disclosure in the physical or digital environment.
- Documentation: Maintain records demonstrating that disclosure mechanisms are implemented and functioning — relevant if a regulator requests evidence.
Penalties for Limited Risk non-compliance are lower than for High Risk violations — up to €7.5 million or 1.5% of global annual turnover — but enforcement is expected to be active given the high volume of chatbot deployments across Europe.
Minimal Risk: No Specific EU AI Act Requirements
In short
Minimal Risk AI systems carry no mandatory obligations under the EU AI Act — the vast majority of AI applications fall into this tier, including spam filters, AI-powered games, and most recommendation systems.
Most AI systems in commercial use today are Minimal Risk under the EU AI Act. The European Commission estimates that the overwhelming majority of AI applications — by volume — will sit in this category and face no specific regulatory requirements from the Act.
"No mandatory requirements" does not mean "no governance." The Act encourages providers of Minimal Risk AI to voluntarily adopt codes of conduct — but this is optional, not enforceable.
| AI System | Reason for Minimal Risk Classification |
|---|---|
| Spam and content filters | No significant impact on individual rights or safety decisions |
| AI-powered video games and entertainment | Recreational use; no consequential decision-making affecting individuals |
| AI-driven inventory management | Operational tool with no direct impact on individual rights |
| Product recommendation engines (general retail) | Low harm potential; no access to sensitive personal categories |
| AI writing assistants (general purpose) | No consequential decisions affecting health, safety, or rights |
| Manufacturing quality control AI | Operational safety tool; covered by product safety law, not AI Act directly |
One important nuance: a system classified as Minimal Risk today may require reclassification if its intended purpose changes. A recommendation engine used for general retail is Minimal Risk. The same technical system repurposed for insurance underwriting or credit decisions would trigger High Risk obligations under Annex III.
This is why Alice Labs recommends all organisations building or deploying AI systems conduct a formal risk classification review — not just at launch, but whenever the system's use case, user base, or data inputs change materially.
Voluntary Codes of Conduct for Minimal Risk AI
The EU AI Act invites providers of Minimal Risk systems to adopt voluntary codes of conduct aligned with the Act's values. The European AI Office is expected to publish template codes through 2025–2026.
Adopting a voluntary code serves two practical purposes beyond compliance: it demonstrates responsible AI governance to enterprise customers requiring supplier due diligence, and it future-proofs the organisation if the Commission later reclassifies certain AI categories.
Ready to accelerate your AI journey?
Book a free 30-minute consultation with our AI strategists.
Book ConsultationGeneral-Purpose AI Models: A Separate Obligation Layer
In short
General-Purpose AI (GPAI) models — including large language models like GPT-4 and Claude — face their own obligations under the EU AI Act, separate from the four risk tier classification, effective from February 2, 2025.
The EU AI Act introduced a dedicated framework for General-Purpose AI models in Title VIII. GPAI models are AI systems trained on broad data that can perform a wide range of tasks — the category includes foundation models and large language models used across Europe.
GPAI obligations apply to providers of these models, not their downstream deployers. The rules became effective February 2, 2025.
| GPAI Category | Threshold | Key Obligations |
|---|---|---|
| Standard GPAI models | All GPAI models placed on EU market | Technical documentation; copyright compliance summary; transparency to downstream providers |
| GPAI models with systemic risk | Training compute exceeding 10²⁵ FLOPs, or designated by European Commission | All standard obligations plus: adversarial testing (red teaming); incident reporting to European AI Office; cybersecurity measures; energy efficiency reporting |
The systemic risk tier is designed for frontier models — the most capable and potentially impactful AI systems. At the 10²⁵ FLOPs training compute threshold, this currently captures a small number of the largest foundation models globally.
GPAI classification runs parallel to the risk tier system. A GPAI model integrated into a High Risk AI application triggers both sets of obligations — GPAI rules for the model provider, and High Risk rules for the system integrator or deployer.
Implications for Organisations Using GPAI APIs
If your organisation builds applications on top of GPAI APIs (such as OpenAI, Anthropic, or open-source foundation models), you are a downstream deployer — not a GPAI provider. Your obligations depend on how you use the model, not the model's own GPAI classification.
However, you must ensure the GPAI provider you use has met their documentation and transparency obligations. This is becoming a standard element of enterprise AI procurement due diligence — something we cover in depth in our enterprise AI strategy framework.
How to Classify Your AI System: A Practical Decision Process
In short
Classifying an AI system under the EU AI Act requires a structured four-step process: check for prohibited use cases, test against Annex I and Annex III, apply Article 6 filtering, then confirm Limited Risk transparency obligations.
The EU AI Act does not provide a single classification lookup table. Instead, providers and deployers must work through a sequential logic process. The European Commission's 2025 classification guidelines formalise this into a structured decision pathway.
At Alice Labs, our governance team uses the following four-step process as the starting point for every EU AI Act risk assessment across our enterprise implementations.
- Step 1 — Screen for Unacceptable Risk (Article 5): Does the system engage in any of the 8 prohibited practices? If yes, the system cannot be deployed in the EU. Full stop. No exemptions except the narrow biometric identification exceptions for law enforcement.
- Step 2 — Test for Annex I High Risk (product safety): Is the AI system a safety component of, or itself, a product covered by existing EU product safety legislation (Annex I)? If yes, High Risk obligations apply from August 2027.
- Step 3 — Test for Annex III High Risk (standalone AI): Does the system fall within one of the 8 Annex III sectors? If yes, apply the Article 6(3) filter — does it materially influence consequential decisions affecting individuals? If the answer is yes after filtering, High Risk obligations apply from August 2026.
- Step 4 — Check Limited Risk transparency obligations: Is the system a chatbot, emotion recognition tool, biometric categorisation system, or does it generate synthetic content? If yes, transparency obligations apply regardless of risk tier.
Systems that clear all four steps without triggering any obligations are Minimal Risk. No further action is required under the Act — though voluntary code adoption is encouraged.
Even where a system classifies as Minimal Risk, retain the written rationale for that classification. Regulators may request evidence of a classification decision, and documented reasoning is far stronger than a verbal assessment.
When to Reclassify an Existing AI System
Classification is not a one-time event. The EU AI Act's obligations follow the system's actual use — not its original design intent. Three scenarios typically trigger a reclassification review.
- Change in intended purpose: Repurposing a Minimal Risk system for an Annex III use case — e.g., adapting a general recommendation engine for credit decisions.
- New user population: Extending a B2B tool to direct consumer use, particularly involving vulnerable groups.
- Regulatory reclassification: The European Commission has the power to update Annex III categories via delegated acts — organisations should monitor these updates annually.
Our full step-by-step compliance process — including documentation templates and conformity assessment checklists — is available in our EU AI Act compliance checklist for 2026.
EU AI Act Penalties: What Non-Compliance Costs
In short
EU AI Act penalties are tiered by violation severity: up to €35 million or 7% of global turnover for prohibited AI, €15 million or 3% for High Risk violations, and €7.5 million or 1.5% for Limited Risk failures.
The EU AI Act's penalty structure is deliberately asymmetric — the most severe fines are reserved for the most harmful practices. Understanding the penalty tiers helps compliance teams prioritise remediation work.
| Violation Category | Maximum Fine | Alternative (if higher) |
|---|---|---|
| Unacceptable Risk — deploying prohibited AI (Article 5) | €35,000,000 | 7% of global annual turnover |
| High Risk — non-compliance with provider obligations | €15,000,000 | 3% of global annual turnover |
| Limited Risk — transparency obligation failures | €7,500,000 | 1.5% of global annual turnover |
| Providing incorrect or misleading information to authorities | €7,500,000 | 1.5% of global annual turnover |
| SME/startup — all violation types | Lower of the above caps | SMEs and startups benefit from proportionate caps to avoid disproportionate impact |
The "whichever is higher" rule means that for large global technology companies, the turnover-based calculation will typically exceed the absolute euro cap. A company with €10 billion in global turnover faces a €700 million exposure for the most serious violations — not €35 million.
Enforcement authority sits primarily with national market surveillance authorities in each EU member state. The European AI Office has oversight authority for GPAI model providers and for cross-border infringements. Coordinated enforcement is expected to intensify from 2026 onward as High Risk obligations come into full effect.
Enforcement Realities: What to Expect
Full enforcement of High Risk obligations begins in August 2026 — giving organisations a defined runway to complete conformity assessments and documentation. However, Unacceptable Risk violations have been enforceable since August 2, 2025. Regulators have already signalled that early enforcement actions are likely to focus on the most egregious prohibited practices.
National authorities are building enforcement capacity. Germany's Federal Network Agency, France's CNIL, and the Dutch ACM have all indicated active monitoring of AI deployments within their jurisdictions. The UK's equivalent framework is developing separately post-Brexit, but many principles align.
For organisations assessing their EU AI Act compliance readiness, our broader AI governance guide covers the governance infrastructure — policies, oversight committees, and audit processes — that compliance programmes depend on.
Frequently Asked Questions: EU AI Act Risk Categories
In short
Answers to the most common questions about EU AI Act risk classification, from how to determine your category to what obligations apply to each tier.
What are the 4 risk categories in the EU AI Act?
The EU AI Act defines four risk categories: Unacceptable Risk (8 prohibited AI practices, banned from August 2, 2025), High Risk (strict compliance obligations across 8 Annex III sectors, applying from August 2026), Limited Risk (transparency obligations for chatbots and synthetic content), and Minimal Risk (no mandatory requirements under the Act).
What counts as Unacceptable Risk under the EU AI Act?
Unacceptable Risk covers 8 specific practices defined in Article 5 of the EU AI Act. These include government social scoring of citizens, real-time biometric identification by law enforcement in public spaces (with narrow exceptions), subliminal manipulation of individuals, emotion recognition in workplaces and schools, and AI systems exploiting children or persons with disabilities.
Which sectors trigger High Risk AI classification?
Annex III of the EU AI Act lists 8 sectors: biometric identification, critical infrastructure, education and vocational training, employment and worker management, access to essential services (credit, benefits, insurance), law enforcement, migration and border control, and administration of justice and democratic processes. Systems in these sectors may qualify as High Risk depending on the Article 6(3) classification filter.
Do chatbots need to comply with the EU AI Act?
Yes. Chatbots fall under Limited Risk and must disclose to users that they are interacting with an AI system — not a human. This disclosure must be made at the start of the interaction, in a clear and accessible format. The obligation applies to deployers operating chatbots in the EU, regardless of where the underlying AI system was developed.
When do High Risk AI obligations apply?
High Risk obligations for Annex III systems apply from August 2, 2026. High Risk systems embedded in products covered by Annex I product safety legislation have until August 2, 2027. Providers should begin conformity assessments and technical documentation immediately — the 12–24 months of preparation time is necessary given the scope of required work.
Does the EU AI Act apply to companies outside the EU?
Yes. The EU AI Act has extra-territorial reach. Any company placing an AI system on the EU market or using AI to affect EU residents is subject to the Act — regardless of where the company is headquartered. This is sometimes called the "Brussels Effect" in AI regulation, similar to how GDPR applies globally to companies processing EU personal data.
What are examples of Minimal Risk AI systems?
Minimal Risk covers AI systems with no significant harm potential — including spam filters, AI-powered games, general product recommendation engines, AI writing assistants, and manufacturing quality control tools. The European Commission estimates the vast majority of commercial AI applications by volume fall into this category. No mandatory obligations apply, though voluntary codes of conduct are encouraged.
What is the penalty for deploying prohibited AI in the EU?
The maximum penalty for deploying Unacceptable Risk (prohibited) AI systems is €35 million or 7% of global annual turnover, whichever is higher — per the Council of the European Union's May 2024 official text. For large global companies, the 7% turnover calculation will typically produce a higher fine than the absolute euro cap.
How do I determine which risk category my AI system belongs to?
Work through a four-step process: (1) check whether the system engages in any Article 5 prohibited practices; (2) test for Annex I product safety integration; (3) test for Annex III sector membership and apply the Article 6(3) materiality filter; (4) check Limited Risk transparency obligations. The European Commission's 2025 classification guidelines provide detailed criteria for each step. Document your reasoning at each stage.
About the Authors & Reviewers

Co-Founder, Alice Labs
Co-Founder at Alice Labs. Builds AI automation, agent workflows and integration systems that hold up in real business operations.
- AI automation & agent systems lead
- Workflow design across 100+ deployments
- Specialist in RAG, integrations & APIs

Co-Founder, Alice Labs
Co-Founder at Alice Labs. Author of 7 research reports on AI adoption, governance and labor markets cited across EU, OECD and US benchmarks.
- 8+ years in AI strategy & implementation
- Top-5 AI Speaker, Sweden (Mindley 2025)
- 100+ enterprise AI engagements
Frequently Asked Questions
What are the 4 risk categories in the EU AI Act?
The EU AI Act defines four risk categories: Unacceptable Risk (8 prohibited practices, banned from August 2, 2025), High Risk (strict compliance across 8 Annex III sectors from August 2026), Limited Risk (transparency obligations for chatbots and synthetic content), and Minimal Risk (no mandatory requirements).
What counts as Unacceptable Risk under the EU AI Act?
Unacceptable Risk covers 8 specific practices in Article 5: government social scoring, real-time biometric ID by law enforcement in public (with narrow exceptions), subliminal manipulation, predictive policing by profiling, emotion recognition in workplaces and schools, biometric categorisation inferring sensitive attributes, and AI exploiting children or disabled persons.
Which sectors trigger High Risk AI classification?
Annex III lists 8 High Risk sectors: biometric identification, critical infrastructure, education, employment and worker management, access to essential services (credit, benefits, insurance), law enforcement, migration and border control, and administration of justice. Classification depends on applying the Article 6(3) filter to determine whether the system materially influences consequential decisions.
Do chatbots need to comply with the EU AI Act?
Yes. Chatbots are Limited Risk and must disclose to users at the start of each interaction that they are speaking with an AI system. The obligation applies to EU-market deployers regardless of where the underlying AI was developed. Failure to disclose can result in fines up to €7.5 million or 1.5% of global turnover.
When do High Risk AI obligations apply?
High Risk obligations for Annex III systems apply from August 2, 2026. Annex I product safety-integrated systems have until August 2, 2027. Providers should start conformity assessments and technical documentation immediately — preparation requires 12–24 months given the documentation and audit requirements.
Does the EU AI Act apply to companies outside the EU?
Yes. The EU AI Act applies to any company placing AI on the EU market or using AI affecting EU residents, regardless of headquarters location. A US, Canadian, or Asian company selling AI tools to European businesses must comply — mirroring how GDPR applies globally to companies processing EU personal data.
What is the penalty for deploying prohibited AI in the EU?
The maximum penalty for deploying Unacceptable Risk AI is €35 million or 7% of global annual turnover, whichever is higher (Council of the EU, May 2024). For large global companies, 7% of turnover will typically exceed the absolute euro cap significantly.
How do I determine which risk category my AI system belongs to?
Use a four-step process: (1) screen for Article 5 prohibited practices; (2) test for Annex I product safety integration; (3) test for Annex III sectors and apply the Article 6(3) materiality filter; (4) check Limited Risk transparency obligations. Document your reasoning at each step using the European Commission's 2025 classification guidelines.
EU AI Act Timeline 2026: Key Deadlines & Compliance Dates
Next in AI Governance & ComplianceEU AI Act Compliance Guide: Step-by-Step for Enterprises
Further reading
- Council of the European Union — AI Act Final Approval, May 2024· consilium.europa.eu
- EUR-Lex — EU AI Act Official Summary· eur-lex.europa.eu
- European Commission — AI Regulatory Framework· digital-strategy.ec.europa.eu
Related services
Related reading
EU AI Act Compliance Checklist 2026: 10-Step Guide
Learn more about eu ai act compliance checklist 2026: 10-step guide.
howtoEU AI Act Compliance Guide: Step-by-Step for Enterprises
Learn more about eu ai act compliance guide: step-by-step for enterprises.
glossaryWhat Is AI Governance? Frameworks & Compliance (2026)
Learn more about what is ai governance? frameworks & compliance (2026).
howtoEnterprise AI Strategy: 6-Step Framework for 2026
Learn more about enterprise ai strategy: 6-step framework for 2026.
Sources
- Council of the European Union — AI Act Final Approval“EU AI Act final approval; penalty figures of €35M or 7% global turnover confirmed”
- EUR-Lex — Rules for Trustworthy AI in the EU (Regulation EU 2024/1689)“Official text of EU AI Act; enforcement dates, Article 5 prohibited practices, Annex III sectors”
- European Commission — Digital Strategy, AI Regulatory Framework“Risk-based classification framework; four tier structure; GPAI obligations”
- European Parliament Briefing — EU AI Act“Classification system established to balance innovation with protection of fundamental rights”
Next scheduled review: