Executive Summary
The European Union’s Artificial Intelligence Act (AI Act) represents the first global regulatory framework for AI. Passed in August 2024, it establishes clear rules to balance innovation with safety, ensuring that AI systems protect fundamental rights while encouraging trustworthy technological growth.
This document provides companies with:
- A breakdown of the AI Act’s objectives and scope
- A risk-based framework for classifying AI systems
- Detailed obligations for high-risk applications and General Purpose AI (GPAI)
- The timeline for implementation and phased compliance deadlines
- Financial penalties for non-compliance
- Practical steps for preparing organisations
- Frequently asked questions from the business community
Introduction: Why the AI Act Matters
Artificial Intelligence is no longer a niche innovation; it is embedded in finance, healthcare, education, law enforcement, and daily consumer experiences. While opportunities are immense, so are the risks: bias, surveillance, manipulation, and safety concerns.
The EU AI Act addresses these issues by:
- Safeguarding citizens’ rights and freedoms
- Increasing public trust in AI technologies
- Providing a harmonised regulatory framework for innovation across Europe
The Act applies not only to EU-based organisations, but also to non-EU companies offering AI systems to European users, making it globally impactful.
The Risk-Based Classification of AI Systems
The Act categorises AI systems according to their risk levels, assigning obligations proportionate to potential harm.
| Risk Level | Examples | Regulatory Requirements |
| Minimal | Spam filters, video games | No specific obligations |
| Limited | Chatbots, simple recommendation engines | Transparency: users must be informed that they are interacting with AI |
| High-Risk | Medical diagnostics, recruitment software, credit scoring, educational assessments, and critical infrastructure | Strict compliance: risk management, documentation, quality data, human oversight, security testing |
| Unacceptable | Social scoring, manipulative AI, mass biometric surveillance | Prohibited outright |
Additionally, General Purpose AI (GPAI) systems (e.g., large language models) face extra transparency and reporting duties.
High-Risk Systems: Stricter Standards
High-risk AI systems are subject to the toughest compliance requirements. Key obligations include:
- Risk management framework with continuous monitoring
- High-quality training data to prevent bias and inaccuracies
- Technical documentation and traceability records
- Human oversight mechanisms to avoid automation bias
- Conformity assessments performed by independent third parties
Examples of high-risk use cases:
- AI in medical devices
- Automated recruitment platforms
- Creditworthiness checks
- Predictive policing and border control technologies
4. Prohibited Practices
Certain applications of AI are deemed unacceptable due to risks to safety, democracy, and dignity. These are banned entirely:
- Manipulative AI that exploits behaviour to cause harm
- Social scoring systems rank citizens
- Exploitation of vulnerable groups, including children
- Biometric mass surveillance in public spaces (with rare, regulated exceptions for law enforcement)
5. Responsibilities Along the AI Value Chain
The Act assigns responsibilities across all actors involved:
- Providers (developers): Ensure design, compliance, and documentation
- Importers: Verify onthat ly compliant AI is introduced to the EU market
- Distributors: Monitor and act if non-compliance is detected
- Deployers (users): Operate systems responsibly, guarantee oversight, and report incidents
👉 In short, accountability is shared across the ecosystem—not just limited to developers.
6. Implementation Timeline
The law introduces phased deadlines to give businesses time to adapt:
| Milestone | Deadline | Applies To |
| Entry into force | Aug. 1, 2024 | All stakeholders |
| Prohibited practices removed | Feb. 2025 | Providers of banned AI |
| GPAI rules applied | Aug. 2025 | GPAI providers & users |
| Full compliance required | Aug. 2026 | The majority of organisations |
| Additional time for regulated high-risk AI | Aug. 2027 | e.g., medical technology |
Transition periods range from 6 months to 3 years, depending on the category.
7. Enforcement and Penalties
The AI Act enforces compliance with substantial penalties:
- Up to €35 million or 7% of annual global turnover – for using prohibited AI
- Up to €15 million or 3% of turnover – for violations of high-risk obligations
- Up to €7.5 million or 1% of turnover – for false or misleading reporting
SMEs and startups may face adjusted fines, but liability remains strict.
8. Preparing Your Organisation
To prepare for compliance, organisations should take the following strategic actions:
- Conduct an AI inventory – identify all current and planned systems
- Classify risks – categorise systems according to the EU framework
- Update technical documentation – ensure traceability and transparency
- Establish monitoring systems – track risks and incidents continuously
- Train teams – equip staff in IT, legal, and compliance with updated knowledge
- Define responsibilities – assign clear roles for oversight and reporting
Business Opportunities Beyond Compliance
While compliance demands investment, the Act also presents opportunities:
- Building trust through safe, transparent AI
- Gaining a competitive advantage by early compliance
- Reducing reputational and legal risks
- Attracting investors and partners who value responsible innovation
The AI Act is not only a legal necessity, but also a strategic differentiator.
Frequently Asked Questions (FAQ)
Q: Does the AI Act apply to non-EU companies?
A: Yes, any organisation offering AI systems to EU users falls under its scope.
Q: Are all AI systems heavily regulated?
A: No. Only high-risk systems and GPAI face strict obligations. Minimal-risk AI remains largely unaffected.
Q: Is biometric surveillance always prohibited?
A: It is banned except in limited cases related to law enforcement.
Q: What are the consequences of ignoring the Act?
A: Severe fines and reputational risks, up to 7% of annual global turnover.
Q: When should companies start compliance measures?
A: Immediately. Deadlines for prohibited systems begin in February 2025.
Conclusion
The EU AI Act is not just a regulatory hurdle – it sets the foundation for responsible, trustworthy, and future-proof AI adoption. Companies that act proactively will not only avoid penalties but also position themselves as leaders in the global AI marketplace.
The era of unregulated AI experimentation is ending. The future belongs to organisations that embrace compliance as a strategic advantage.
