AI Regulation Hub

European Union

The EU AI Act (Regulation (EU) 2024/1689) is a horizontal, risk-based framework that bans unacceptable-risk AI, heavily regulates high-risk AI, and applies transparency and governance duties to lower-risk systems. It is being rolled out in stages between 2024 and 2027.

Key provisions

Prohibited AI practices

In force

Bans on manipulative AI, exploitation of vulnerabilities, certain social scoring, untargeted facial-image scraping, certain workplace and education emotion recognition, and most real-time remote biometric identification. Applies from 2 February 2025.

AI literacy duty

In force

Providers and deployers must ensure staff and persons dealing with AI on their behalf have sufficient knowledge of AI, its risks, limitations and proper use. Applies from 2 February 2025.

General-purpose AI (GPAI) obligations

In force

GPAI providers must prepare technical documentation, give downstream providers information, adopt a copyright policy and publish a training-data summary. GPAI models with systemic risk have additional evaluation, mitigation, incident-reporting and cybersecurity duties. Applies from 2 August 2025.

Governance & penalty framework

In force

The European AI Office and national authorities enforce the Act, with penalties of up to EUR 35M / 7% of turnover for prohibited-AI breaches and EUR 15M / 3% for many other breaches. Applies from 2 August 2025.

High-risk AI obligations

Draft

Risk management, data governance, technical documentation, transparency, human oversight, accuracy, robustness, cybersecurity, conformity assessment, CE marking and post-market monitoring for AI used in biometrics, critical infrastructure, education, employment, essential services, credit, insurance, law enforcement, migration, justice and democratic processes. Applies from 2 August 2026.

Product-related high-risk AI rules

Draft

Specific high-risk rules for AI as a safety component of certain regulated products. Applies from 2 August 2027.

Detailed overview

The European Union regulates artificial intelligence through the EU AI Act, formally Regulation (EU) 2024/1689. The AI Act is a horizontal legal framework, which means that it applies across sectors rather than only to one industry. It follows a risk-based model: AI uses that create the highest risks are banned, high-risk AI systems are allowed only under strict compliance duties, and lower-risk AI systems usually face transparency and governance obligations.

The AI Act entered into force on 1 August 2024 and applies in stages. Prohibited AI practices and AI literacy duties started applying on 2 February 2025. Governance, general-purpose AI and certain penalty-related provisions started applying on 2 August 2025. Most other obligations apply from 2 August 2026, while some product-related high-risk AI rules apply from 2 August 2027.

Who is covered

An AI system under the AI Act is a machine-based system designed to operate with varying levels of autonomy and capable of generating outputs such as predictions, recommendations, content or decisions that may influence physical or digital environments. A provider is the person or company that develops or places an AI system or general-purpose AI model on the market under its own name or trademark. A deployer is the professional user of an AI system. For example, a company that buys and uses an AI recruitment tool is normally a deployer, while the company that developed and markets the tool is normally the provider.

Prohibited AI practices

The AI Act prohibits certain AI practices because they are considered to create unacceptable risk. These include manipulative or deceptive AI that materially distorts behaviour, exploitation of vulnerabilities, certain forms of social scoring, some predictive policing, untargeted scraping of facial images to create facial-recognition databases, certain emotion-recognition systems in workplaces and education, and certain biometric categorisation or real-time remote biometric identification practices.

High-risk AI

A high-risk AI system is not banned, but it is heavily regulated. AI can be high-risk if it is used as a safety component of certain regulated products or if it falls within listed high-impact areas. These areas include biometric identification, critical infrastructure, education, employment, access to essential services, creditworthiness assessment, life and health insurance risk assessment, law enforcement, migration and border control, administration of justice and democratic processes. Some narrow systems may be excluded from the high-risk category if they only perform limited procedural or preparatory tasks and do not materially influence decisions, but AI used for profiling natural persons remains treated strictly where the AI Act classifies it as high-risk.

Providers of high-risk AI must implement a full compliance framework before placing the system on the EU market or putting it into service. This includes risk management, quality management, data governance, technical documentation, record-keeping, transparency instructions, human oversight, accuracy, robustness, cybersecurity, conformity assessment, EU declaration of conformity, CE marking and registration where required. Providers must also monitor the system after deployment and take corrective action where the system no longer complies.

Deployers of high-risk AI must use the system according to the provider's instructions, assign appropriate human oversight, monitor system operation, keep logs where required, ensure that input data is relevant and sufficiently representative where they control the input data, and notify the provider or authorities if they identify serious risks or incidents. Where high-risk AI is used in the workplace, workers and worker representatives must be informed before use. Public authorities and certain private deployers, including some financial and insurance deployers, may also need to conduct a fundamental rights impact assessment before using high-risk AI.

Transparency, deepfakes and GPAI

The AI Act also regulates transparency. Users must normally be informed when they interact with an AI system unless this is obvious from the circumstances. AI-generated or manipulated content may need to be marked as artificially generated or manipulated. A deepfake is AI-generated or manipulated image, audio or video content that resembles existing persons, objects, places or events and could falsely appear authentic. Deepfakes must generally be disclosed as artificial or manipulated unless a legal exception applies.

A general-purpose AI model, or GPAI model, is an AI model capable of performing a wide range of tasks and being integrated into many different systems. Large language models are typical examples. GPAI providers must prepare technical documentation, provide information to downstream providers, adopt a copyright-compliance policy and publish a summary of training content. GPAI models with systemic risk face additional duties, including model evaluation, systemic-risk assessment and mitigation, serious-incident reporting and cybersecurity measures.

AI literacy

AI literacy is a separate obligation. Providers and deployers must take measures to ensure that staff and other persons dealing with AI systems on their behalf have sufficient knowledge of AI, including its risks, limitations and proper use. This duty is practical rather than theoretical: companies using AI should train relevant teams according to their role, the type of AI used and the possible impact on affected persons.

Governance and penalties

EU Member States must designate national competent authorities, including notifying authorities and market-surveillance authorities. The European AI Office has a central role for general-purpose AI models, while national authorities enforce most AI-system obligations.

Penalties are high. Breaches of prohibited AI rules may lead to fines up to EUR 35 million or 7% of worldwide annual turnover, whichever is higher. Breaches of many other AI Act obligations may lead to fines up to EUR 15 million or 3% of worldwide annual turnover.

Supplying incorrect, incomplete or misleading information to authorities may lead to fines up to EUR 7.5 million or 1% of worldwide annual turnover. For SMEs and start-ups, the AI Act provides adjusted caps. The European Commission may also fine providers of general-purpose AI models up to EUR 15 million or 3% of worldwide annual turnover for certain breaches.

Practical requirements & details

The bullets below summarise key obligations directly under Regulation (EU) 2024/1689 (the EU AI Act). Article references are to the consolidated text.

Scope and extraterritorial reach

  • Applies to providers placing AI systems or general-purpose AI (GPAI) models on the EU market, regardless of where the provider is established (Art. 2(1)(a)).
  • Applies to deployers (professional users) with a place of establishment or location in the EU (Art. 2(1)(b)).
  • Extraterritorial reach: applies to providers and deployers based outside the EU where the AI output is used inside the EU (Art. 2(1)(c)).
  • Excludes: military, defence and national-security AI; pure R&D not placed on the market; certain free and open-source AI (subject to GPAI carve-outs); and purely personal, non-professional use.

Risk tiers

  • Unacceptable risk (Art. 5) — banned outright.
  • High-risk (Art. 6 + Annex III) — covers AI in biometrics, critical infrastructure, education, employment, access to essential services, credit, life and health insurance pricing, law enforcement, migration, justice and democratic processes; full provider and deployer compliance code applies.
  • Limited risk — transparency obligations only (Art. 50).
  • Minimal risk — no AI Act obligations.

Provider duties for high-risk AI (Chapter III, Section 2)

  • Establish, document and maintain a risk-management system covering the entire AI lifecycle (Art. 9).
  • Data governance: training, validation and testing datasets must be relevant, representative, sufficiently free of errors and complete in view of the intended purpose (Art. 10).
  • Prepare technical documentation demonstrating conformity and keep it up to date (Art. 11 + Annex IV).
  • Automatic logging of events for traceability over the system's lifetime (Art. 12).
  • Provide deployers with clear instructions for use — including accuracy, robustness and cybersecurity metrics, foreseeable misuse risks, and human oversight measures (Art. 13).
  • Build in human oversight measures so a natural person can effectively oversee the system in use (Art. 14).
  • Ensure appropriate accuracy, robustness and cybersecurity for the intended purpose (Art. 15).
  • Put a quality management system in place (Art. 17).
  • Complete the applicable conformity assessment, issue an EU declaration of conformity, affix the CE marking and register the system in the EU database (Arts. 43–49).

Deployer duties for high-risk AI (Art. 26)

  • Use the system in accordance with the provider's instructions for use.
  • Assign human oversight to natural persons with the necessary competence, training and authority.
  • Monitor operation; suspend use and notify the provider and the market-surveillance authority if a serious incident or fundamental-rights risk arises.
  • Workplace AI: inform workers and worker representatives before the system is used.
  • Public-sector deployers and certain private deployers (notably banking and insurance) must complete a Fundamental Rights Impact Assessment (FRIA) before first use (Art. 27).
  • Where the system makes decisions that produce legal effects on a natural person, inform that person before deployment.

General-purpose AI (GPAI) (Chapter V)

  • All GPAI providers: maintain technical documentation, supply downstream providers with integration information, adopt a copyright-compliance policy, and publish a sufficiently detailed summary of training content (Art. 53).
  • GPAI with systemic risk — presumed where training compute exceeds 10²⁵ FLOPs or where the Commission designates the model — carries additional obligations: model evaluation, systemic-risk assessment and mitigation, serious-incident reporting to the AI Office, and adequate cybersecurity (Art. 55).
  • Free and open-source GPAI models are partly carved out (Art. 53(2)), unless they qualify as systemic-risk GPAI.

Transparency to users (Art. 50)

  • AI systems interacting with natural persons (chatbots, agents): disclose that the user is interacting with AI, unless obvious from context or covered by a law-enforcement exception.
  • AI-generated or manipulated synthetic content (audio, image, video, text): mark outputs in a machine-readable format as artificially generated or manipulated.
  • Deepfakes (image, audio or video content resembling real people, places or events): must be disclosed as artificially generated or manipulated, with limited artistic/creative exceptions.
  • AI-generated text published to inform the public on matters of public interest: disclosure required, unless the content was human-reviewed and is under editorial responsibility.

Penalties (Arts. 99–101)

  • Prohibited-AI breaches: up to EUR 35 million or 7% of total worldwide annual turnover, whichever is higher.
  • Breach of other AI Act obligations (high-risk duties, GPAI duties, etc.): up to EUR 15 million or 3%.
  • Supplying incorrect, incomplete or misleading information to authorities: up to EUR 7.5 million or 1%.
  • SMEs and start-ups: the lower of the two amounts applies (Art. 99(6)), softening the absolute fine cap.
  • GPAI-specific fines imposed by the Commission: up to EUR 15 million or 3% of worldwide annual turnover (Art. 101).

Phased application timeline (Art. 113)

  • 1 August 2024 — Regulation enters into force.
  • 2 February 2025 — Prohibited practices (Chapter II) and the AI literacy duty (Art. 4) apply.
  • 2 August 2025 — Governance bodies, notified-body designation, GPAI rules (Chapter V), and most of the penalty regime apply.
  • 2 August 2026 — Most other provisions apply, including high-risk AI rules for the Annex III use cases (employment, education, credit, biometrics, etc.).
  • 2 August 2027 — High-risk AI rules apply to AI as a safety component of products covered by EU harmonisation legislation (Annex I — e.g. medical devices, machinery, toys).

Each of the following EU and EEA jurisdictions has its own dedicated entry covering national implementation, designated authorities and sector-specific nuances:

  • Italy
  • France
  • Germany
  • Spain
  • Netherlands
  • Portugal
  • Greece
  • Finland
  • Poland
  • Malta
  • Ireland
  • Sweden
  • Czechia
  • Denmark
  • Estonia
  • Austria
  • Belgium
  • Luxembourg
  • Lithuania
  • Latvia
  • Slovenia
  • Slovakia
  • Romania
  • Bulgaria
  • Hungary
  • Croatia
  • Cyprus
