The EU AI Act: What Businesses Need to Know
The EU AI Act, which entered into force in August 2024 and will apply in stages through 2027, represents the world's first comprehensive legal framework specifically regulating artificial intelligence. For businesses operating in or serving customers in the European Union, understanding its requirements is now essential compliance work.
Risk-Based Structure
The Act classifies AI systems by risk level. Unacceptable risk systems (social scoring by governments, real-time biometric surveillance in public spaces for law enforcement) are outright prohibited. High-risk systems — including AI used in hiring, credit decisions, critical infrastructure, and certain medical applications — face strict requirements including mandatory risk assessments, human oversight, data quality standards, and registration in an EU database before deployment.
General Purpose AI Models
The Act includes specific provisions for general-purpose AI models (GPAIs) like large language models. Models with systemic risk — defined as training compute above 10^25 FLOPs — face additional obligations including adversarial testing, incident reporting to the EU AI Office, and cybersecurity measures. All GPAI providers must maintain technical documentation, comply with EU copyright law, and publish summaries of training data.
Compliance Timeline
Prohibited practices rules applied from February 2025. High-risk system requirements apply from August 2026. The GPAI model rules apply from August 2025. Businesses should conduct an inventory of their AI systems now to determine which risk categories apply and what compliance steps are needed before relevant deadlines.
Prohibited AI Practices
The AI Act outright bans several categories of AI application. These prohibitions, which took effect in February 2025, cover: AI systems that use subliminal techniques to manipulate behavior in harmful ways; systems that exploit vulnerabilities of specific groups; AI-based social scoring by public authorities; most real-time remote biometric identification in public spaces for law enforcement purposes; and AI used to infer emotions in workplace or educational settings. Violations of the prohibitions carry the highest fines: up to €35 million or 7% of worldwide annual turnover, whichever is higher.
High-Risk AI: Obligations in Practice
For businesses deploying high-risk AI, the practical compliance burden is substantial. You must implement a quality management system covering data governance, technical documentation, and record-keeping. The AI system must be registered in the EU database for high-risk AI before it is placed on the market or put into service. Users of high-risk AI (not just developers) have their own obligations — including implementation of human oversight measures and monitoring of system performance after deployment. Supply chain complexity is significant: businesses that deploy AI systems built on third-party foundation models need to understand how their supplier's compliance obligations interact with their own.
General Purpose AI and Foundation Models
The AI Act introduced specific obligations for providers of general-purpose AI (GPAI) models — the large language models and other foundation models that underpin many downstream AI applications. All GPAI providers must maintain technical documentation, comply with EU copyright law, and publish a summary of training data. Providers of GPAI models with systemic risk (defined by training compute thresholds) face additional requirements including adversarial testing, incident reporting to the European AI Office, and cybersecurity obligations. This affects providers like OpenAI, Google, Anthropic, and Meta offering models in the EU — and businesses that integrate these models into their products inherit some compliance obligations as downstream deployers.