What is the EU AI Act?
The short answer
The EU AI Act (Regulation (EU) 2024/1689) is the European Union's horizontal regulation on artificial intelligence. It was adopted by the European Parliament on 13 March 2024 and entered into force on 1 August 2024. It classifies AI systems into four risk tiers — unacceptable, high, limited, and minimal — and bans certain practices (such as social scoring and real-time biometric identification in public spaces) while imposing conformity assessments on high-risk systems. Maximum fines reach EUR 35 million or 7% of global annual turnover, whichever is higher.
The longer answer
The EU AI Act is the first comprehensive cross-sectoral statute regulating artificial intelligence in any major jurisdiction. Its formal title is Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence. It was published in the Official Journal of the European Union on 12 July 2024 and entered into force twenty days later, on 1 August 2024.
The regulation takes a risk-based approach. It bans a short list of "unacceptable risk" practices under Article 5 — including untargeted scraping of facial images to build recognition databases, social scoring by public authorities, emotion recognition in workplaces and schools (with narrow exceptions), and real-time remote biometric identification in publicly accessible spaces for law enforcement. These prohibitions became applicable on 2 February 2025.
"High-risk" AI systems — defined in Annex III and including systems used in biometric identification, critical infrastructure, education, employment, essential services, law enforcement, migration, and administration of justice — must undergo conformity assessment, maintain risk management systems, ensure data governance, keep technical documentation, keep automatic logs, provide transparency to deployers, allow human oversight, and meet accuracy, robustness, and cybersecurity requirements (Articles 8 through 15). Providers must register them in an EU database before placing them on the market (Article 71).
The Act regulates general-purpose AI (GPAI) models under Chapter V. All GPAI providers must publish a sufficiently detailed summary of training content and respect EU copyright law. GPAI models classified as having "systemic risk" — initially those trained with more than 10^25 floating-point operations of compute — face additional obligations including model evaluation, adversarial testing, serious-incident reporting, and cybersecurity protection (Article 51, Article 55). Obligations for GPAI providers became applicable on 2 August 2025.
Enforcement is layered. The European AI Office, established within the European Commission's DG CNECT in February 2024, supervises GPAI providers directly. National competent authorities supervise high-risk systems in each member state. The European Artificial Intelligence Board coordinates across member states. Maximum administrative fines under Article 99 are EUR 35 million or 7% of total worldwide annual turnover for prohibited practices, EUR 15 million or 3% for most other violations, and EUR 7.5 million or 1% for supplying incorrect information.
The application timeline is staggered: prohibitions and AI literacy obligations from 2 February 2025; GPAI rules and governance from 2 August 2025; the bulk of high-risk obligations from 2 August 2026; and remaining high-risk obligations covering AI embedded in regulated products (Annex I) from 2 August 2027. The Act applies extraterritorially to providers placing AI systems on the EU market and to deployers and providers outside the EU whose system outputs are used in the EU (Article 2).
Key facts
- Formal citation: Regulation (EU) 2024/1689, published in the Official Journal of the European Union, L series, 12 July 2024 (OJ L, 2024/1689).
- The Act entered into force on 1 August 2024, twenty days after publication (Article 113).
- Article 5 prohibitions on unacceptable-risk practices applied from 2 February 2025 (Article 113(a)).
- GPAI model obligations under Chapter V applied from 2 August 2025; the bulk of high-risk obligations apply from 2 August 2026 (Article 113).
- Maximum fines under Article 99: EUR 35 million or 7% of global annual turnover for Article 5 violations; EUR 15 million or 3% for other obligations.
- The systemic-risk GPAI threshold is set at 10^25 cumulative training FLOPs (Article 51(2)).
- The European AI Office was established by Commission Decision C(2024) 390 of 24 January 2024 and began operations in February 2024.
- The Act amends nine prior EU laws including Regulation (EU) 2018/858 on motor vehicle type-approval and Regulation (EU) 2019/2144 on vehicle safety.
- Annex III lists eight categories of high-risk AI systems including biometrics, critical infrastructure, and law enforcement.
- The Act applies to providers and deployers outside the EU if system output is used inside the EU (Article 2(1)(c)).
Sources
- Regulation (EU) 2024/1689 — Official Journal of the European Union
- European Commission — AI Act overview
- European AI Office (DG CNECT)
- Commission Decision C(2024) 390 — establishing the European AI Office
- European Parliament — AI Act adoption press release (13 March 2024)
- EU AI Act Explorer — Future of Life Institute
- NIST AI Risk Management Framework (AI RMF 1.0, NIST AI 100-1)
- ISO/IEC 42001:2023 — Artificial intelligence management system