The EU AI Act, explained

You've heard of it. Here's how to actually think about it — without the legalese. Two comparisons do most of the work: it's organised like product-safety law (by risk), and it's a close cousin of GDPR (for AI systems instead of personal data).

Start here

It's product-safety law for AI.

The Act's whole logic is risk-based. It doesn't regulate "AI" as a technology — it regulates what an AI system is used for. The same model is barely touched inside a spam filter and heavily regulated inside a hiring tool. Obligations scale with the risk of the use, not the cleverness of the tech.

If you've ever seen a CE mark on a product, you've already met this idea — the EU regulates a kettle and a surgical robot very differently, for the same reason.

The four tiers

Everything sorts into four levels of risk.

  • Unacceptable — banned outright: social scoring · real-time biometric surveillance · manipulation of vulnerable people
  • High risk — allowed, but heavily regulated: CV-screening · credit scoring · medical devices · exam marking · access to essential services
  • Limited risk — just be transparent: chatbots · deepfakes · AI-generated content (people must be told)
  • Minimal risk — use freely: spam filters · games · most everyday productivity tools

Most AI sits in the bottom two tiers. The Act spends almost all of its weight on the high-risk band.

If you know GDPR…

…you're already halfway there.

GDPR governs what you do with personal data. The AI Act governs what you do with AI systems. A hiring tool is both — and the two laws share the same instincts.

Where they're alike

Aspect | GDPR | EU AI Act

Permission principle
  GDPR: Processing is banned unless you have a lawful basis for it.
  AI Act: High-risk AI is banned unless it meets a set of requirements first.

Risk assessment
  GDPR: A data-protection impact assessment (DPIA) for risky processing (Art. 35).
  AI Act: A fundamental-rights impact assessment (FRIA) for certain high-risk uses (Art. 27).

Human oversight
  GDPR: A right not to be subject to purely automated decisions (Art. 22).
  AI Act: A human must oversee high-risk AI, plus a right to an explanation (Arts 26 & 86).

Paper trail
  GDPR: Records of your processing activities (Art. 30).
  AI Act: Technical documentation and automatic logs (Arts 11 & 12).

Data quality
  GDPR: Personal data kept accurate and minimised (Art. 5).
  AI Act: Training data that is relevant, representative and as error-free as possible (Art. 10).

On automated decisions, GDPR's Article 22 and the AI Act's Articles 26 & 86 are two doors into the same room — human oversight plus a right to understand the decision. Regulators and courts read this broadly: even an automated score that feeds a human's final call can count.

Where they differ

Aspect | GDPR | EU AI Act

What triggers it
  GDPR: Personal data is being processed.
  AI Act: An AI system is in use — even where no personal data is involved.

Shape
  GDPR: One regime, with stronger duties for riskier processing.
  AI Act: Four explicit risk tiers, each with its own obligations.

Who enforces
  GDPR: Data-protection authorities — in Luxembourg, the CNPD.
  AI Act: The EU AI Office plus a national competent authority.

Maturity
  GDPR: In force since 2018 — settled and tested.
  AI Act: Phasing in from 2025 — and still being adjusted.

The product-safety parallel

Like CE-marking, but for AI.

A high-risk AI system is treated much like a regulated product. Two roles, two sets of duties:

Provider ≈ manufacturer

Builds it / puts it on the market

  • Run a conformity assessment
  • Write the technical documentation
  • Register it in the EU database
  • Monitor it after launch
Deployer ≈ operator

Uses it in their organisation

  • Follow the provider's instructions
  • Keep a competent human in control
  • Keep logs of what it did
  • Report serious incidents

Where the analogy breaks: the AI Act watches systems after launch more closely than classic product law, and it puts fundamental rights — fairness, non-discrimination — squarely in scope.

Open-source is no loophole, either: self-host an open model (say, Mistral) for a high-risk use and you're still the deployer, carrying the full duties. Locality is no loophole either (see "Running your own AI isn't compliance").

Most organisations are deployers, not providers: you're using AI someone else built. Configure, rebrand or repurpose it, though, and the Act can flip you into its provider (see "Deployer or provider?"). Your headline duty is already live: AI literacy for the staff who use it (Article 4), in force since February 2025. That means staff who can make informed choices about tools and data, not a generic awareness slide. For a worked sector example — easy wins up to high-risk hiring systems — see "AI for HR & talent".

The timeline

It arrives in waves — and one deadline is moving.

  1. 2 Feb 2025 (live now): the banned practices and the AI-literacy duty (Art. 4) took effect.
  2. 2 Aug 2025 (live now): rules for general-purpose AI models (the large foundational models) began.
  3. 2 Aug 2026 (next): most of the Act applies: governance, transparency duties and the penalty regime.
  4. 2 Dec 2027 (moving): the heaviest high-risk obligations (Annex III) — originally 2 August 2026, now being deferred to this date by the Digital Omnibus package.

The high-risk deadline is moving — carefully. The EU's Digital Omnibus proposes to push the heaviest obligations to December 2027, but it hasn't been published yet. Until it is, August 2026 remains the date that legally counts. The deadline may move; the obligations don't shrink — and your buyers don't wait for application dates.

And the teeth: penalties are set as a share of worldwide annual turnover — up to 7% for banned practices, 3% for high-risk failures, 1% for misleading information (GDPR reaches 4%, and the two stack rather than substitute). For most companies, though, the bigger cost is commercial: the deal that stalls, not the fine that lands.

Where to next

From "does this apply to us?" to evidence.

Knowing the shape of the law is step one. Knowing which of your systems it catches — and what you can show for it — is the work.
