AI Regulation Hub

European Union

The EU AI Act (Regulation (EU) 2024/1689) is a horizontal, risk-based framework that bans unacceptable-risk AI, heavily regulates high-risk AI, and applies transparency and governance duties to lower-risk systems. It is being rolled out in stages between 2024 and 2027.

Key provisions

Prohibited AI practices

In force

Bans on manipulative or deceptive AI, exploitation of vulnerabilities, certain social scoring, untargeted facial-image scraping, certain workplace and education emotion recognition, and real-time remote biometric identification in publicly accessible spaces for law enforcement, subject to narrow exceptions. Applies from 2 February 2025.

AI literacy duty

In force

Providers and deployers must ensure staff and persons dealing with AI on their behalf have sufficient knowledge of AI, its risks, limitations and proper use. Applies from 2 February 2025.

General-purpose AI (GPAI) obligations

In force

GPAI providers must prepare technical documentation, give downstream providers information, adopt a copyright policy and publish a training-data summary. GPAI models with systemic risk have additional evaluation, mitigation, incident-reporting and cybersecurity duties. Applies from 2 August 2025.

Governance & penalty framework

In force

European AI Office and national authorities, with fines of up to EUR 35M / 7% of worldwide annual turnover for prohibited-AI breaches and EUR 15M / 3% for most other breaches. Applies from 2 August 2025.

High-risk AI obligations

Adopted, not yet applicable

Risk management, data governance, technical documentation, transparency, human oversight, accuracy, robustness, cybersecurity, conformity assessment, CE marking and post-market monitoring for AI used in biometrics, critical infrastructure, education, employment, essential services, credit, insurance, law enforcement, migration, justice and democratic processes. Applies from 2 August 2026.

Product-related high-risk AI rules

Adopted, not yet applicable

Specific high-risk rules for AI as a safety component of certain regulated products. Applies from 2 August 2027.

Detailed overview

The European Union regulates artificial intelligence through the EU AI Act, formally Regulation (EU) 2024/1689. The AI Act is a horizontal legal framework, which means that it applies across sectors rather than only to one industry. It follows a risk-based model: AI uses that create the highest risks are banned, high-risk AI systems are allowed only under strict compliance duties, and lower-risk AI systems usually face transparency and governance obligations.

The AI Act entered into force on 1 August 2024 and applies in stages. Prohibited AI practices and AI literacy duties started applying on 2 February 2025. Governance, general-purpose AI and certain penalty-related provisions started applying on 2 August 2025. Most other obligations apply from 2 August 2026, while some product-related high-risk AI rules apply from 2 August 2027.

Who is covered

An AI system under the AI Act is a machine-based system designed to operate with varying levels of autonomy that infers, from the input it receives, how to generate outputs such as predictions, recommendations, content or decisions that can influence physical or virtual environments. A provider is the person or company that develops an AI system or general-purpose AI model, or has one developed, and places it on the market or puts it into service under its own name or trademark. A deployer is the person or organisation that uses an AI system under its own authority, other than for purely personal, non-professional activity. For example, a company that buys and uses an AI recruitment tool is normally a deployer, while the company that developed and markets the tool is normally the provider.

Prohibited AI practices

The AI Act prohibits certain AI practices because they are considered to create unacceptable risk. These include manipulative or deceptive AI that materially distorts behaviour, exploitation of vulnerabilities due to age, disability or social or economic situation, certain forms of social scoring, risk assessments that predict whether a person will commit a criminal offence based solely on profiling or personality traits, untargeted scraping of facial images from the internet or CCTV footage to create facial-recognition databases, emotion recognition in workplaces and education other than for medical or safety reasons, biometric categorisation that infers sensitive attributes such as race, political opinions, religious beliefs or sexual orientation, and real-time remote biometric identification in publicly accessible spaces for law enforcement, subject to narrow exceptions.

High-risk AI

A high-risk AI system is not banned, but it is heavily regulated. AI can be high-risk if it is used as a safety component of certain regulated products (or is itself such a product) or if it falls within listed high-impact areas. These areas include biometric identification, critical infrastructure, education, employment, access to essential services, creditworthiness assessment, life and health insurance risk assessment, law enforcement, migration and border control, administration of justice and democratic processes. A system in one of these areas may escape the high-risk category if it only performs a narrow procedural or preparatory task, improves the result of a previously completed human activity, or detects decision-making patterns without replacing or influencing a human assessment, and does not pose a significant risk to health, safety or fundamental rights. This exemption never applies to a system that profiles natural persons: such a system is always high-risk.

Providers of high-risk AI must implement a full compliance framework before placing the system on the EU market or putting it into service. This includes risk management, a quality management system, data governance, technical documentation, automatic record-keeping (logging), transparency and instructions for use, human oversight, accuracy, robustness and cybersecurity, conformity assessment, an EU declaration of conformity, CE marking and registration in the EU database where required. Providers must also monitor the system after deployment, report serious incidents, and take corrective action where the system no longer complies.

Deployers of high-risk AI must use the system according to the provider's instructions, assign human oversight to people with the necessary competence and authority, monitor system operation, keep the automatically generated logs for at least six months where those logs are under their control, ensure that input data is relevant and sufficiently representative where they control the input data, and inform the provider and the relevant authorities if they identify a serious incident or a risk to health, safety or fundamental rights. Where high-risk AI is used in the workplace, workers and worker representatives must be informed before use. Public bodies, private entities providing public services, and deployers using high-risk AI for creditworthiness assessment or life and health insurance risk assessment must also conduct a fundamental rights impact assessment before first use.

Transparency, deepfakes and GPAI

The AI Act also regulates transparency. People must normally be informed when they interact with an AI system unless this is obvious from the circumstances. Providers of systems that generate synthetic audio, image, video or text must mark the output as artificially generated or manipulated in a machine-readable format. A deepfake is AI-generated or manipulated image, audio or video content that resembles existing persons, objects, places or events and could falsely appear authentic. Deployers must generally disclose deepfakes as artificial or manipulated unless a legal exception applies.

A general-purpose AI model, or GPAI model, is an AI model that displays significant generality, is capable of performing a wide range of distinct tasks and can be integrated into many different systems. Large language models are typical examples. GPAI providers must prepare technical documentation, provide information to downstream providers, adopt a policy to comply with EU copyright law and publish a summary of the content used for training. GPAI models with systemic risk face additional duties, including model evaluation with adversarial testing, systemic-risk assessment and mitigation, serious-incident reporting and an adequate level of cybersecurity protection for the model and its infrastructure.

AI literacy

AI literacy is a separate obligation. Providers and deployers must take measures to ensure that staff and other persons dealing with AI systems on their behalf have sufficient knowledge of AI, including its risks, limitations and proper use. This duty is practical rather than theoretical: companies using AI should train relevant teams according to their role, the type of AI used and the possible impact on affected persons.

Governance and penalties

EU Member States must designate national competent authorities, including notifying authorities and market-surveillance authorities. The European AI Office has a central role for general-purpose AI models, while national authorities enforce most AI-system obligations.

Penalties are high. Breaches of prohibited AI rules may lead to fines up to EUR 35 million or 7% of worldwide annual turnover, whichever is higher. Breaches of many other AI Act obligations may lead to fines up to EUR 15 million or 3% of worldwide annual turnover.

Supplying incorrect, incomplete or misleading information to authorities may lead to fines up to EUR 7.5 million or 1% of worldwide annual turnover. For SMEs and start-ups, the lower of the fixed amount and the percentage applies. The European Commission may also fine providers of general-purpose AI models up to EUR 15 million or 3% of worldwide annual turnover for certain breaches.
