EU AI Act Complete Guide


The EU’s Artificial Intelligence Act, explained the way you’d explain it to someone who actually has to comply with it.

What Is the EU AI Act?

The world’s first comprehensive law regulating artificial intelligence.

The EU AI Act (Regulation (EU) 2024/1689) is the European Union’s binding legal framework for artificial intelligence. It entered into force on 1 August 2024, and rather than switching on all at once, it applies in stages: prohibited practices and AI-literacy duties came first (February 2025), general-purpose AI (GPAI) model rules followed in August 2025, and the bulk of the remaining obligations were originally scheduled for August 2026.


That timeline shifted in May 2026. EU negotiators reached a provisional political agreement on a package known as the Digital Omnibus on AI, which pushes back several deadlines. The most significant change is to the high-risk obligations for Annex III systems, deferred from August 2026 to December 2027. The deal still needs formal adoption, but December 2027 is the date organisations are now planning against.

KEY TERMS TO KNOW

  • Provider – the entity that develops an AI system or GPAI model (or has one developed) and places it on the market or puts it into service under its own name or trademark.
  • Deployer – the entity that uses an AI system under its own authority, other than in the course of a personal, non-professional activity.
  • GPAI model – a general-purpose AI model, such as a foundation model, trained on large amounts of data and capable of performing a wide range of distinct tasks; it can be integrated into many downstream AI systems.
  • AI Office – the European Commission body that supervises GPAI model obligations and coordinates enforcement with the national authorities of the Member States.


Like the GDPR before it, the Act reaches beyond EU borders. It applies to providers that place AI systems or GPAI models on the EU market, to deployers established in the EU, and to providers and deployers located elsewhere whenever the output their system produces is used in the EU, regardless of where the company itself is headquartered.

Related reading: The Four Risk Tiers  ·  High-Risk AI Systems  ·  EU AI Act Penalties

How GCAI helps: GCAI builds your AI system inventory and assigns a provider/deployer role to each one before classification starts, since the obligations differ sharply depending on which role you hold.

The Four Risk Tiers

Every AI system the Act covers falls into one of four categories, and the category decides everything else.

The Act’s structure is built around a risk pyramid. Classification comes first, and it determines whether a system can be deployed at all, and if so, what documentation, oversight, and registration it needs. Misclassifying a system – in either direction – carries real cost: treating a high-risk system as minimal-risk invites enforcement, while over-classifying a genuinely low-risk tool adds compliance burden with no benefit.

Tier | Examples | Treatment
Unacceptable risk | Social scoring, manipulative or exploitative AI, real-time public biometric ID | Banned outright, with narrow law-enforcement exceptions
High risk | Hiring tools, credit scoring, critical infrastructure, biometric categorisation | Conformity assessment, documentation and human oversight before market entry
Limited risk | Chatbots, emotion-recognition tools, deepfake generators | Transparency obligations: users must know they are interacting with AI or viewing AI-generated content
Minimal risk | Spam filters, recommendation engines, most everyday AI tools | No specific obligations under the Act


A 2026 industry survey found a striking gap in self-assessment: roughly a third of EU AI startups expected their own systems to be classified high-risk, against the European Commission’s own estimate that only 5 to 15 percent of systems will actually fall into that tier. The gap suggests that many organisations are erring toward over-caution in the absence of formal guidance.

Related reading: What Is the EU AI Act?  ·  High-Risk AI Systems  ·  Prohibited AI Practices

How GCAI helps: GCAI runs each system in your inventory through the Article 6 classification logic individually, so you’re not guessing at a tier or defaulting to the most conservative one out of caution.

Prohibited AI Practices

A short list of uses that are simply illegal, with no compliance path available.

Article 5 of the Act bans a specific set of AI practices outright: not regulated, not subject to a conformity assessment, simply prohibited. These prohibitions have been enforceable since 2 February 2025, which makes Article 5 the longest-active part of the Act and the one already drawing regulatory investigations.

Infographic: Article 99 penalty tiers under the EU AI Act, covering fines for prohibited AI practices, high-risk AI violations, and false or misleading information.
BANNED UNDER ARTICLE 5

  • Subliminal or manipulative techniques that materially distort behaviour and cause, or are reasonably likely to cause, significant harm
  • Exploiting vulnerabilities tied to age, disability, or social or economic situation
  • Social scoring of individuals or groups that leads to detrimental or disproportionate treatment (the final text applies to public and private actors alike)
  • Real-time remote biometric identification in publicly accessible spaces for law-enforcement purposes (narrow, court-authorised exceptions apply)
  • Also on the list: predictive policing based solely on profiling, untargeted scraping of facial images to build recognition databases, emotion recognition in workplaces and schools, and biometric categorisation to infer sensitive attributes
  • AI-generated child sexual abuse material and non-consensual intimate imagery (added by the Digital Omnibus, see below)


That last category is new: the Digital Omnibus amendments add AI-generated CSAM and non-consensual intimate material to the Article 5 list, with the prohibition taking effect on 2 December 2026. Violating Article 5 carries the Act’s single highest penalty tier, and there is no documentation or remediation path that cures a prohibited practice, only cessation.

Related reading: The Four Risk Tiers  ·  EU AI Act Penalties  ·  EU AI Act Timeline & Key Dates

How GCAI helps: GCAI screens new and existing AI use cases against the Article 5 list before anything else, since this is the one category where remediation isn’t an option — only withdrawal is.

High-Risk AI Systems

The Act’s most demanding obligations, and the ones most affected by the 2026 timeline changes.

High-risk systems split into two groups that the Act treats differently. Annex I covers AI used as a safety component of (or that is itself) a product already covered by EU product-safety legislation, such as medical devices, toys, lifts and radio equipment; these follow the conformity route of that sectoral law. Annex III covers standalone, use-based high-risk applications: biometric identification and categorisation, critical infrastructure, education and vocational training, employment and worker management, access to essential services (including credit scoring and life and health insurance pricing), law enforcement, migration and border control, and the administration of justice and democratic processes.

Obligation | Who it falls on
Risk management system | Provider – maintained throughout the system’s lifecycle
Data governance | Provider – training, validation and testing data quality
Technical documentation | Provider – architecture, training data, testing results
Conformity assessment | Provider – before the system enters the EU market
Human oversight design | Provider – built in so a human can intervene or override
Fundamental Rights Impact Assessment | Deployer – specific to public-sector bodies and to certain credit and insurance uses
Diagram: the EU AI Act GPAI Code of Practice, covering voluntary commitments, limited scope, and presumption of conformity.

Under the May 2026 Digital Omnibus agreement, Annex III obligations move from 2 August 2026 to 2 December 2027, a 16-month deferral, and Annex I obligations move from 2 August 2027 to 2 August 2028. The definition of “safety component” was also narrowed: a system that only assists users or optimises performance, and whose failure would not create a health or safety risk, no longer automatically qualifies as high-risk.

Related reading: The Four Risk Tiers  ·  Prohibited AI Practices  ·  EU AI Act Timeline & Key Dates

How GCAI helps: GCAI builds the technical documentation and risk management system for each high-risk use case against the Annex III criteria, with the December 2027 deadline as the working target.

General-Purpose AI (GPAI) Models

Foundation models run on their own track, separate from the four-tier risk pyramid.

GPAI models, the foundation models behind tools such as large language models, are not classified into the same risk tiers as application-level AI systems. Instead, the Act sets a dedicated regime for GPAI providers that has applied since 2 August 2025, regardless of where the model is hosted or trained.

Providers must maintain technical documentation, make information available to downstream providers who integrate the model, publish a summary of the content used for training, and put in place a policy to comply with EU copyright law (including machine-readable opt-outs from text and data mining). Models classified as carrying “systemic risk” face additional duties: a model is presumed to reach that threshold when the cumulative compute used for training exceeds 10^25 floating-point operations, and the Commission can also designate models below it. Those providers must perform model evaluation and adversarial testing, assess and mitigate systemic risks, report serious incidents to the AI Office, and maintain cybersecurity protections for the model and its infrastructure.

Illustration: Annex I and Annex III high-risk AI systems as defined by the EU AI Act.
THE GPAI CODE OF PRACTICE

  • A voluntary framework published by the AI Office in mid-2025
  • Covers transparency, copyright, and safety/security commitments (the safety and security chapter applies only to systemic-risk models)
  • Signing it gives providers a recognised way to demonstrate compliance with the relevant obligations, and the AI Office has said it will treat signatories’ conformity as presumed
  • The closest thing to a safe harbour currently available under the Act


Models already on the EU market before 2 August 2025 were not given an automatic pass: their providers must be fully compliant by 2 August 2027, closing what would otherwise have been a multi-year gap for incumbent providers.

Related reading: What Is the EU AI Act?  ·  EU AI Act Penalties  ·  EU AI Act Timeline & Key Dates

How GCAI helps: GCAI reviews whether signing the GPAI Code of Practice makes sense for your model’s risk profile, and builds the documentation set either way so the presumption of conformity holds up under scrutiny.


EU AI Act Timeline & Key Dates

A phased rollout that the 2026 Digital Omnibus has now reshaped twice in one year.

Date | What applies
1 Aug 2024 | Act enters into force; the countdown for every later deadline begins
2 Feb 2025 | Prohibited practices (Article 5) and AI-literacy duties (Article 4) become enforceable
2 Aug 2025 | GPAI model rules apply; AI Office and governance bodies stood up
2 Feb 2026 | Commission guidelines on Article 6 high-risk classification due
2 Dec 2026 | New Article 5 prohibitions (AI-generated CSAM, non-consensual imagery) take effect; deferred deadline for synthetic-content labelling
2 Aug 2027 | GPAI models on the market before Aug 2025 must be fully compliant
2 Dec 2027 | Annex III high-risk obligations apply (deferred from 2 Aug 2026)
2 Aug 2028 | Annex I high-risk (product-embedded) obligations apply (deferred from 2 Aug 2027)


Treat these dates as the current planning anchors rather than fixed certainties: the Digital Omnibus package is a provisional political agreement as of May 2026, and still requires formal adoption by the Council and Parliament before it’s legally binding.

Related reading: High-Risk AI Systems  ·  Prohibited AI Practices  ·  EU AI Act Penalties

How GCAI helps: GCAI tracks the Digital Omnibus’s progress toward formal adoption and adjusts your compliance roadmap the moment a deadline firms up, rather than building against a date that might still move.

EU AI Act Penalties

A three-tier fine structure that exceeds the GDPR’s maximum at the top end.

Article 99 sets penalties on a sliding scale tied to the severity of the violation. Each tier is expressed as a fixed euro amount or a percentage of total worldwide annual turnover for the preceding financial year, whichever is higher, with one important exception for smaller companies.

Infographic: prohibited AI practices under the EU AI Act, including manipulative AI, exploitation of vulnerabilities, social scoring, biometric identification, and harmful AI-generated content.
Violation type | Maximum penalty
Prohibited practices (Article 5) | €35 million or 7% of global annual turnover, whichever is higher
High-risk system requirements (Articles 8–15), operator and deployer duties, and transparency obligations | €15 million or 3% of global annual turnover, whichever is higher
Supplying incorrect, incomplete or misleading information to authorities | €7.5 million or 1% of global annual turnover, whichever is higher


For SMEs and startups, Article 99(6) flips the calculation: the fine is capped at whichever of the two amounts is lower rather than higher. A startup with €3 million in annual turnover facing an Article 5 violation would be capped at 7 percent of that turnover, around €210,000, rather than the full €35 million ceiling. It is a meaningful concession, but a six-figure fine can still be existential for an early-stage company.

Enforcement splits between national market surveillance authorities, which handle most violations, and the European Commission’s AI Office, which supervises GPAI model obligations directly. The AI Office can request documentation and model access, run evaluations, demand mitigations, impose fines on GPAI providers, or order a model restricted or withdrawn from the EU market.

Related reading: High-Risk AI Systems  ·  General-Purpose AI (GPAI) Models  ·  EU AI Act FAQ

How GCAI helps: GCAI prioritises remediation against Article 5 and high-risk Article 8–15 exposure first, since those tiers carry the steepest penalties and the least room for a good-faith defence.

EU AI Act FAQ

The questions that come up most once the basics are out of the way.

Does the Act apply to companies outside the EU? Yes. Like the GDPR, it applies extraterritorially. If you place an AI system or GPAI model on the EU market, or the output of your system is used in the EU, the Act applies regardless of where your company is based.

What changed with the Digital Omnibus? A provisional agreement reached in May 2026 pushes the Annex III high-risk deadline from August 2026 to December 2027, the Annex I deadline from August 2027 to August 2028, narrows the definition of “safety component,” and adds AI-generated CSAM and non-consensual intimate imagery to the Article 5 prohibited list. It’s still pending formal adoption.

Is my chatbot or AI tool automatically high-risk? Not necessarily, and most aren’t. The European Commission estimates only 5 to 15 percent of AI systems will be classified high-risk, even though a recent startup survey found self-assessments running well above that. Classification depends on the specific use case under Annex III, not the underlying technology.

Are the prohibited practices already enforceable? Yes – Article 5 has been in force since 2 February 2025, making it the longest-active part of the Act, and regulators have already opened initial investigations under it.

What should we be doing right now? Build a complete inventory of every AI system you provide or deploy, record which role (provider or deployer) you hold for each, screen everything against the Article 5 prohibited list first, since that is the one category with no compliance path, only withdrawal, and then classify each remaining system under Article 6.

Related reading: What Is the EU AI Act?  ·  EU AI Act Timeline & Key Dates  ·  EU AI Act Penalties

How GCAI helps: GCAI’s EU AI Act readiness review can answer most of the questions above for your specific systems in a single working session, including whether the Digital Omnibus timeline changes shift anything for you.
