# What is the EU AI Act? Europe's Artificial Intelligence Regulation Explained in 5 Minutes
What is the EU AI Act? Discover the world's first AI regulation: who it applies to, what obligations it creates, and the key timeline. A clear, accessible guide.
What is the EU AI Act? Discover the world's first AI regulation: who it applies to, what obligations it creates, and the key timeline. A clear, accessible guide.
Reading time: 6 min
Artificial intelligence is everywhere. In recruitment tools, customer service chatbots, credit scoring systems, medical software. And since August 1, 2024, it has been governed by the world's first regulation dedicated exclusively to AI: the EU AI Act.
But what exactly is it? Who does it apply to? What does it change in practice? This guide gives you a clear overview in five minutes — no unnecessary jargon.
The AI Act in One Sentence
The AI Act (EU Regulation 2024/1689) is the world's first comprehensive legal framework dedicated exclusively to artificial intelligence. Adopted by the European Parliament in June 2024 and entering into force on August 1, 2024, it imposes rules proportionate to the risk level of each AI system used or placed on the market in Europe.
In plain terms: the more your AI can harm people, the heavier your obligations.
Why Europe Created This Regulation
AI is not inherently dangerous. But some uses are — or can be. A CV screening algorithm that discriminates. An opaque credit scoring system. A medical AI that makes an incorrect diagnosis. A facial recognition application used for mass surveillance.
Before the AI Act, these uses were only regulated in a fragmented way — through the GDPR, product liability directives, or sector-specific legislation. The AI Act creates a unified framework applicable across the entire European market — and beyond.
The ambition is twofold: protecting citizens' fundamental rights while enabling responsible innovation. A difficult balance, but a necessary one.
How the AI Act Works: The Risk-Based Approach
The regulation does not govern AI in general. It governs AI systems based on their level of risk. Four levels exist:
1. Unacceptable Risk — Prohibited
These are practices that Europe considers incompatible with its fundamental values. They have been outright prohibited since February 2, 2025:
- General social scoring of citizens by public authorities
- Subliminal manipulation targeting a person's vulnerabilities
- Exploitation of vulnerable groups (children, elderly, people with disabilities)
- Real-time biometric identification in public spaces (with narrow exceptions)
- Emotion inference in workplaces or educational establishments
2. High Risk — Heavily Regulated
These systems can have a significant impact on people's lives. They are listed in Annex III of the regulation and cover notably:
- Recruitment and human resources management
- Credit decisions and financial services
- Medical devices and clinical decision support
- Education and vocational training
- Essential public services (water, gas, electricity)
- Law enforcement and justice
- Migration and border management
For these systems, obligations are substantial: technical documentation, risk management, data governance, human oversight, and registration in an EU database.
3. Limited Risk — Transparency Obligations
Chatbots, text generators, deepfake tools. These systems must simply clearly inform their users that they are interacting with an AI or viewing artificially generated content.
4. Minimal Risk — Free to Use
Spam filters, content recommendation systems, AI-powered video games. No specific obligations under the AI Act.
Who Does the AI Act Apply To?
This is where many organizations get it wrong: the AI Act does not only target tech giants. It applies to any organization that:
- Develops an AI system (provider)
- Uses an AI system in a professional context (deployer)
- Imports or distributes an AI system on the European market
And its reach is extraterritorial: a US, Korean or Japanese startup that offers an AI tool to European businesses or citizens is subject to the AI Act — exactly as the GDPR applied to personal data processing.
In practice, this means the vast majority of businesses using SaaS tools with AI features (CRM with scoring, automated recruitment tools, customer service chatbots) are deployers under the AI Act, with their own specific obligations.
The Implementation Timeline
The AI Act applies progressively:
| Date | What Enters into Force |
|---|---|
| August 1, 2024 | Official entry into force |
| February 2, 2025 | Prohibitions (unacceptable risk) + literacy obligation (Art. 4) |
| August 2, 2025 | Obligations for GPAI models (GPT, Claude, Gemini…) |
| August 2, 2026 | Obligations for high-risk systems (Annex III) |
| August 2, 2027 | Obligations for high-risk systems linked to regulated products (Annex I) |
Note: The European Commission proposed a delay of certain deadlines in late 2025 via the Digital Omnibus. Check the latest updates to follow the evolution of this timeline.
What Are the Penalties for Non-Compliance?
The AI Act provides a progressive penalty regime, comparable to — or exceeding — the GDPR:
- Up to €35 million or 7% of global annual turnover for prohibited practices
- Up to €15 million or 3% of global annual turnover for non-compliance of high-risk systems
- Up to €7.5 million or 1% of global annual turnover for providing inaccurate information to authorities
For SMEs and startups, the lower of the two thresholds applies. This is not a guarantee of leniency — it's a proportionality mechanism.
AI Act and GDPR: Two Distinct but Complementary Regulations
The GDPR governs personal data processing. The AI Act governs artificial intelligence systems. The two frequently overlap — particularly because many AI systems process personal data.
The CNIL (France's data protection authority) has confirmed that the AI Act is a complement to the GDPR, not a replacement. Organizations will often need to comply with both simultaneously.
Where to Start?
Three simple steps to begin your AI Act compliance journey:
- Map your AI systems: list all AI-powered tools you use or develop — including third-party SaaS tools.
- Classify their risk level: for each system, determine whether it falls under Annex III or another category.
- Identify your role: are you a provider (you develop), a deployer (you use), or both? Your obligations differ depending on your status.
This is exactly what DILAIG. does: in 20 minutes, our guided audit gives you a compliance score out of 100 and generates the first regulatory documents you need.
Want to know if your organization is affected by the AI Act? Run your free diagnostic on DILAIG.