Introduction to the EU AI Act¶
What is the EU AI Act?¶
The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) is the world's first comprehensive legal framework specifically designed to regulate artificial intelligence systems. Adopted on 13 June 2024 and published on 12 July 2024, it represents a landmark achievement in AI governance.
Historical Context¶
Timeline of Development¶
| Date | Milestone |
|---|---|
| April 2021 | European Commission proposes AI Act |
| December 2023 | Political agreement reached (EU institutions) |
| March 2024 | European Parliament approval |
| May 2024 | Council of the EU adoption |
| July 2024 | Publication in Official Journal |
| August 2024 | Entry into force |
| 2025-2027 | Phased implementation |
Why the AI Act?¶
The regulation addresses several key concerns:
- Market Fragmentation - Different national AI rules were creating barriers to the EU internal market
- Fundamental Rights - Need to protect EU citizens' rights in the age of AI
- Innovation Support - Create a legal framework that enables trustworthy AI development
- Global Leadership - Position EU as leader in ethical AI governance
- Risk Management - Address potential harms from AI systems
Core Principles¶
The AI Act is built on several foundational principles:
1. Risk-Based Approach¶
AI systems are classified by risk level:
- Unacceptable Risk → Prohibited
- High Risk → Strict requirements and oversight
- Limited Risk → Transparency obligations
- Minimal Risk → No obligations (voluntary codes of conduct)
2. Human-Centric AI¶
AI systems should: - Respect human dignity and autonomy - Operate under human oversight - Support human well-being - Be trustworthy and safe
3. Proportionality¶
Requirements are calibrated to the level of risk: - Higher risk = stricter obligations - Lower risk = lighter-touch regulation
4. Innovation-Friendly¶
The Act includes mechanisms to support innovation: - Regulatory sandboxes - SME support measures - Codes of conduct - AI literacy programs
Regulatory Structure¶
13 Chapters¶
The Act is organized into 13 chapters:
| Chapter | Topic | Key Focus |
|---|---|---|
| I | General Provisions | Scope, definitions, AI Office |
| II | Prohibited Practices | Unacceptable AI applications |
| III | High-Risk AI | Requirements and obligations |
| IV | Transparency | Disclosure requirements |
| V | General-Purpose AI | Foundation models |
| VI | Innovation Support | Sandboxes, SME measures |
| VII | Governance | AI Board, authorities |
| VIII | EU Database | Registration system |
| IX | Post-Market Monitoring | Surveillance and enforcement |
| X | Codes of Conduct | Voluntary standards |
| XI | Delegation | Commission powers |
| XII | Penalties | Fines and sanctions |
| XIII | Final Provisions | Entry into force, amendments |
13 Annexes¶
Annexes provide detailed lists and technical specifications:
- Annex I - AI techniques and approaches
- Annex II - Union harmonization legislation
- Annex III - High-risk AI systems
- Annexes IV-XIII - Technical requirements, documentation, conformity assessment
Who is Regulated?¶
Operators in the AI Value Chain¶
The Act applies to several types of operators:
Providers 🏢 - Develop or have AI systems developed - Place systems on the market or put into service - Primary obligation holders
Deployers 🎯 - Use AI systems under their authority - Subject to specific due diligence and transparency requirements
Distributors 📦 - Make AI systems available on the market - Verification and cooperation obligations
Importers 📥 - Bring AI systems from third countries into EU - Ensure compliance before placing on market
Authorized Representatives 👔 - Act on behalf of providers located outside EU - Designated by non-EU providers
Territorial Scope¶
The AI Act has broad extraterritorial reach:
✅ Applies to: - Providers in the EU - Deployers in the EU - Providers/deployers outside EU if output used in EU
❌ Does NOT apply to: - Military, defense, national security uses - Research and development (not placed on market) - Purely personal non-professional use
Key Obligations by Category¶
Prohibited AI Systems (Article 5)¶
Certain AI practices are completely banned: - Manipulative techniques exploiting vulnerabilities - Social scoring by public authorities - Real-time remote biometric identification in public (with narrow exceptions) - Emotion recognition in workplace/education (with exceptions)
High-Risk AI Systems (Articles 6-51)¶
High-risk systems must comply with: - Risk management systems - Data governance requirements - Technical documentation - Record-keeping and logging - Transparency and information to users - Human oversight - Accuracy, robustness, and cybersecurity - Conformity assessment - Registration in EU database
General-Purpose AI Models (Articles 53-56)¶
Foundation models and GPAI face requirements including: - Technical documentation - Transparency (training data, model info) - Copyright compliance - Additional obligations for systemic risk models
Implementation Timeline¶
The AI Act has a phased implementation to allow time for compliance:
Key Dates¶
August 2024 February 2025 August 2025 August 2026 August 2027
| | | | |
| | | | |
Entry into Prohibited GPAI rules High-risk Full
Force practices apply obligations implementation
apply apply
6 months (Feb 2025): Prohibited practices
12 months (Aug 2025): General-purpose AI rules
24 months (Aug 2026): High-risk AI obligations
36 months (Aug 2027): Extended compliance for certain systems
Enforcement and Penalties¶
Penalties (Article 99)¶
Serious violations can result in substantial fines:
- Up to €35 million or 7% of global turnover (prohibited practices)
- Up to €15 million or 3% of global turnover (high-risk violations)
- Up to €7.5 million or 1.5% of global turnover (other violations)
For SMEs and startups, fines are capped at lower percentages.
Enforcement Authorities¶
- Member State authorities - Primary enforcement
- AI Office - Supervise general-purpose AI models
- AI Board - Coordination and consistency
- European Commission - Overall supervision
Relationship with Other EU Laws¶
The AI Act is part of a broader digital regulatory framework:
Complementary Regulations¶
- GDPR - Personal data protection
- DSA - Platform and service provider obligations
- DMA - Gatekeeper platform rules
- NIS2 - Cybersecurity requirements
- Product Safety Directives - Sector-specific rules
Interaction Principles¶
- AI Act is complementary, not replacing existing law
- GDPR continues to apply to personal data processing
- Sector-specific rules remain applicable
- AI Act adds AI-specific requirements
Next Steps for Organizations¶
Immediate Actions¶
- Assess your AI systems - Identify which systems fall under the Act
- Classify by risk - Determine if systems are high-risk, limited risk, etc.
- Map obligations - Understand requirements for each system
- Gap analysis - Identify compliance gaps
- Develop action plan - Prioritize implementation steps
Resources on This Site¶
- How to Use - Navigate this site effectively
- Key Concepts - Understand fundamental terms
- Compliance Checklist - Step-by-step guide
- Articles - Full regulatory text
- Cross-References - Connections to other laws
About This Annotated Edition¶
This site provides:
✅ Complete official text (all 114 articles, 138 recitals, 13 annexes)
✅ Cross-references to related provisions and regulations
✅ Commentary framework for analysis and interpretation
✅ Practical implementation guidance
✅ Search functionality across all content
✅ Regular updates as guidance emerges
Ready to explore? → View Articles | Browse Recitals | Compliance Guide