Back to glossary

Term

EU AI Act (KI-Verordnung)

Regulation (EU) 2024/1689 is the EU's first comprehensive law on artificial intelligence. It regulates AI systems by risk in four tiers, from prohibited practices to minimal risk, and sets obligations for providers and deployers.

EU AI Act — explained in detail

The EU AI Act (officially Regulation (EU) 2024/1689) is the world’s first comprehensive legal framework for artificial intelligence. It entered into force on 1 August 2024 and applies in stages. Its goal is a single legal framework that protects fundamental rights, safety and trust without stifling innovation.

At its core is a risk-based approach with four tiers:

  1. Prohibited practices (unacceptable risk): Banned uses include social scoring by or on behalf of public authorities, manipulative systems that deliberately subvert behaviour, and certain forms of real-time remote biometric identification. These bans have applied since 2 February 2025.
  2. High-risk AI: Systems in sensitive areas (e.g. hiring, credit scoring, critical infrastructure, medical devices). They face strict obligations such as risk management, data governance, logging, technical documentation and human oversight.
  3. Limited risk: Mainly transparency obligations apply here — for example disclosing that users are interacting with an AI (chatbots) and labelling AI-generated or manipulated content (deepfakes).
  4. Minimal risk: The majority of everyday AI applications. No specific obligations apply; voluntary codes of conduct are encouraged.

Obligations for providers, deployers and GPAI

The regulation distinguishes mainly between providers (who develop and place an AI system on the market) and deployers (who use an AI system under their own responsibility). Providers carry the bulk of conformity, documentation and assessment obligations; deployers must use systems as intended, ensure human oversight and maintain transparency.

A distinct category is GPAI models (General-Purpose AI, models with a broad range of uses such as large language models). Providers of such models must supply technical documentation, provide information to downstream providers, respect copyright and publish a summary of training data. Models with systemic risk face additional duties. GPAI obligations have applied since 2 August 2025.

Timeline (as of June 2026)

  • 1 August 2024: Entry into force.
  • 2 February 2025: Prohibited practices and AI literacy obligation.
  • 2 August 2025: Obligations for GPAI models.
  • 2 August 2026: Start of full application (governance, penalties).
  • 2 August 2027: Deadline for GPAI models placed on the market before August 2025.
  • 2 December 2027 (provisional): Deferred deadline for high-risk Annex III systems under the Digital Omnibus proposal (political agreement of 7 May 2026, formal adoption still pending).

Infringements can be fined up to EUR 35 million or 7 percent of worldwide annual turnover — whichever is higher.

Example / practical relevance

A company uses a commercial language model (LLM) via an API to pre-sort customer enquiries and draft replies. Here the company is typically the deployer, while the model provider is the GPAI provider.

In practice, the key points are:

  • Transparency: End customers should be able to recognise that they are interacting with an AI or that content was AI-assisted.
  • Check the use case: Does the AI merely assist with text (limited/minimal risk) or does it make consequential decisions about people, e.g. in recruitment (potentially high-risk)? The use case determines the obligation tier, not the technology itself.
  • AI literacy: Staff operating AI need an adequate basic understanding (Art. 4).
  • Consider data protection: The AI Act does not replace the GDPR; both apply in parallel.

Distinction from similar terms

  • GDPR: The General Data Protection Regulation governs the processing of personal data. The AI Act regulates AI systems as products. Both can apply at the same time but do not fully overlap.
  • Cloud Act (USA): A US law on governmental data access. It is not a risk-classification system for AI but concerns data sovereignty with US providers.
  • Ethics guidelines / voluntary codes: Unlike the AI Act, they are not legally binding; the AI Act is directly applicable EU law.

Sources

  • Regulation (EU) 2024/1689 (EU AI Act), EUR-Lex: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202401689
  • AI Act — Shaping Europe’s digital future, European Commission: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai

Entdecke mehr

Themenuebersicht