Guide · AI Governance

What Is the EU AI Act?

Published 15 July 2026

The EU AI Act is the European Union's risk-based regulation governing artificial intelligence: it bans a short list of AI uses outright, imposes strict governance obligations on "high-risk" systems, requires transparency for a middle tier, and leaves everything else unregulated. It entered into force on 1 August 2024 and is the world's first comprehensive, cross-sector AI law.

The Four Risk Tiers

The Act's entire structure rests on classifying an AI system by the risk it poses, then scaling obligations accordingly — not by industry, not by technology type, but by consequence.

The EU AI Act's Risk Tiers

Unacceptable Risk — Prohibited. Social scoring, manipulative or deceptive AI that distorts behaviour, real-time facial recognition in public spaces (with narrow law-enforcement exceptions), emotion recognition in workplaces and schools, and biometric categorisation inferring sensitive attributes. Banned outright since 2 February 2025.

High Risk. Annex III use cases — recruitment and hiring, education and exam-scoring, credit-scoring and insurance pricing, critical infrastructure safety, migration/asylum/border control — plus AI safety components in already-regulated products (Annex I: medical devices, lifts, toys). Providers must run a risk-management system, govern their training data, maintain technical documentation and audit trails, enable human oversight, and meet accuracy and cybersecurity standards.

Limited Risk — Transparency. Chatbots and deepfakes. The obligation is disclosure: users must be told they're interacting with AI or AI-generated content.

Minimal Risk. Everything else — spam filters, video game AI. Unregulated.

General-Purpose AI Gets Its Own Track

Foundation models — the GPT, Claude, and Gemini class of system — don't fit neatly into the four risk tiers, so the Act handles them separately. Every General-Purpose AI (GPAI) provider must document their training process, respect EU copyright law, and publish a summary of the data used to train the model. Models trained with more than 10^25 FLOPs of compute are additionally classified as carrying "systemic risk" and face further obligations: adversarial testing, tracking of serious incidents, and cybersecurity safeguards.

The Timeline — And Why It Changed in 2025

The Act entered into force on 1 August 2024, with obligations phasing in over several years rather than landing all at once. Two deadlines have already passed and are in force today: the ban on prohibited practices took effect on 2 February 2025, and GPAI obligations took effect on 2 August 2025.

The original plan set 2 August 2026 as the date high-risk obligations became fully applicable. That changed. A simplification amendment — the "AI omnibus," adopted 19 November 2025 with political agreement reached 7 May 2026 — pushed the high-risk deadlines back: Annex III systems now have until 2 December 2027, and Annex I systems embedded in regulated products until 2 August 2028.

This is a live, moving target, not a fixed date to plan around once and forget — exactly the kind of regulatory drift that a governance function needs to be tracking on an ongoing basis rather than treating as a one-time compliance project.

A Practical Example

A mid-sized financial services firm builds an AI tool to screen loan applications. On its face, this looks like an efficiency project. Under the Act, it's a high-risk classification: credit-scoring systems sit in Annex III. That triggers the full obligation stack — a documented risk-management process, data governance covering the training set, technical documentation a regulator can audit, a human reviewer who can meaningfully override the system's output (not just rubber-stamp it), and demonstrated accuracy and robustness testing.

This is precisely where AI governance and the Three Control Taxonomies intersect with the Act's own language: Article 14's human oversight requirement is not a suggestion, it's a binding obligation for exactly this class of system, and it maps directly onto the HITL/HILE/HOTL framework a firm needs to have already built before the classification even becomes an issue at audit or procurement time.

What This Means for SMEs

Most SMEs assume a regulation this size is built for large enterprises and doesn't really apply to them. That assumption is wrong on two counts. First, the Act applies by function, not by headcount — a 20-person startup that builds or deploys a recruitment-screening tool, a credit-scoring model, or any other Annex III use case is in scope regardless of size. Second, the Act itself recognises this and builds in real relief: Article 62 requires member states to give SMEs and startups priority access to regulatory sandboxes, reduce conformity-assessment fees "proportionately to their size, market size and other relevant indicators," and provide standardised documentation templates and dedicated guidance channels through the AI Office — support measures that only take effect from 2 August 2026, so most SMEs don't yet know they exist.

The bigger risk for an SME is rarely the compliance cost once you know what's required. It's not knowing you're in scope at all until a larger customer's procurement team asks for evidence you don't have.

That last point is the commercial angle worth taking seriously. Large enterprise buyers are increasingly building AI Act compliance into their own vendor due-diligence — an SME that can produce a documented risk-management process and a human-oversight record before being asked wins the contract that a competitor, scrambling to assemble the same evidence after the fact, does not. This is the same Trust Premium dynamic that shows up everywhere else in AI governance: proving verification, not just doing it, is what gets paid for.

What This Means for Corporates

For a large enterprise, the Act is rarely a single-tool problem — it's an inventory problem. A corporate typically runs dozens or hundreds of AI use cases across HR, finance, marketing, customer service, and operations simultaneously, built partly in-house and partly bought from vendors (many of them SMEs). Each one needs to be classified against the risk tiers independently, because "we use AI responsibly" as a company-wide claim means nothing to a regulator asking about one specific hiring tool in one specific business unit.

The practical requirement is an enterprise-wide AI register: what systems exist, who owns each one, which risk tier it falls into, and what evidence exists for each of the high-risk obligations — risk management, data governance, technical documentation, human oversight, and audit trails. Without that register, "are we compliant?" is not an answerable question, no matter how much good work is happening inside individual teams.

The fines scale with global turnover, not with the size of the specific business unit that got it wrong — up to 7% of group revenue for a single prohibited-practice violation anywhere in the organisation.

That asymmetry is why the obligation increasingly lands on a named governance function — a Chief AI Officer, an AI council, or an extension of existing model-risk-management teams in regulated sectors — rather than being left to whichever team happened to build the tool. It also means vendor management matters as much as internal development: a corporate that doesn't verify its SME suppliers' AI Act readiness is carrying that supplier's compliance gap as its own risk.

FAQ

Does the EU AI Act apply outside the EU?
Yes. It has extraterritorial reach, applying to any provider or deployer whose AI system's output is used within the EU regardless of where the provider is established — the same market-access logic as GDPR.

Does the Act treat small businesses differently from large enterprises?
Yes, on paper: Article 62 mandates priority sandbox access, proportionate fee reductions, and standardised documentation templates for SMEs and startups, effective from 2 August 2026. In practice, obligations still apply by use case, not by company size — an SME building or deploying a high-risk system carries the same substantive obligations as a corporate doing the same thing, just with lighter-weight compliance tooling and lower fees.

What counts as a "high-risk" AI system?
Annex III use cases (recruitment, education, credit-scoring, critical infrastructure, migration/border control) plus Annex I safety components in already-regulated products (medical devices, lifts, toys).

Is ChatGPT or other general-purpose AI covered?
Yes, under the separate GPAI track — documentation, copyright compliance, and training-data summaries for all GPAI providers, with extra obligations for models above the systemic-risk compute threshold.

What happens if an organisation doesn't comply?
Fines up to €35 million or 7% of global annual turnover for prohibited practices, and up to €15 million or 3% of turnover for high-risk and GPAI violations.

When do the high-risk obligations actually take effect?
Annex III systems: 2 December 2027. Annex I systems in regulated products: 2 August 2028. Both dates were pushed back from the original 2 August 2026 by the 2025/2026 "AI omnibus" amendment. The prohibited-practices ban and GPAI obligations are already in force today.

The Act rewards organisations that treat AI governance as infrastructure, not paperwork assembled the week before an audit. See the Glossary for the related terms, or the Three Control Taxonomies for the governance model that operationalises Article 14's human oversight requirement in practice.

Author & ESG / AI Governance Advisor

Across genres and disciplines, the same instrument recurs: a record that survives suppression, a silence that finally speaks, a ledger made to answer for itself. Nadeem Shakoor writes and advises from the conviction that these are not separate practices — they are one discipline, applied at different registers.

— N. Shakoor