EU AI Act Reference

Regulatory Overview

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive legal framework for artificial intelligence. Adopted in 2024, it establishes harmonised rules for the development, placement on the market, and use of AI systems within the European Union.

How to use this reference page

Understand whether you are in scope

Use the role and risk sections to decide if you act as provider, deployer, importer, distributor, or GPAI provider for a given system.

Translate law into priorities

The timeline and penalties help non-legal teams understand which deadlines are already active and which preparations cannot wait.

Anchor product decisions in articles

The article references make it easier to explain internally why a workflow, document, or control exists in ActLoom at all.

Best use of this page	What it helps you decide
Scoping and triage	Whether a system is likely prohibited, high-risk, limited-risk, minimal-risk, or GPAI-related
Role assignment	Whether your organisation acts as provider, deployer, importer, distributor, or GPAI provider for a given system
Timing and urgency	Which deadlines are already active and what work cannot be postponed
Internal explanation	Why certain product workflows, controls, or exports exist in ActLoom in the first place

Key principles

Risk-Based Approach

Obligations are proportional to the level of risk the AI system poses to health, safety, and fundamental rights.

Technology Neutral

The regulation applies to AI systems regardless of the underlying technology or method used.

Extraterritorial Scope

Applies to any provider or deployer whose system is used in or affects persons in the EU.

Prohibited

Banned practices

High-Risk

Full compliance controls

Limited-Risk

Transparency only

Minimal-Risk

No mandatory obligations

← Higher riskLower risk →

← More obligationsFewer obligations →

Fig 20. The EU AI Act regulatory framework — four risk tiers with proportional obligations.

Risk Categories in Detail

A detailed breakdown of each risk tier, associated AI Act articles, and real-world examples:

Risk Level	Articles	Examples	Obligations
🔴 Prohibited	Art. 5	Social scoring by governments, real-time biometric ID in public spaces (without exceptions), manipulative AI targeting vulnerabilities	Banned — must cease use
🟠 High-Risk	Art. 6, Annex I/III	Recruitment screening, credit scoring, critical infrastructure management, law enforcement tools, education admission	Full compliance: risk management, data governance, technical docs, logging, transparency, human oversight, accuracy/robustness
🟡 Limited-Risk	Art. 50	Chatbots, emotion recognition systems, deepfake generators, AI-generated content	Transparency obligation: inform users they interact with AI
🟢 Minimal-Risk	—	Spam filters, AI in video games, inventory management	No mandatory obligations (voluntary codes encouraged)

🔴 Prohibited

Art. 5

• Social scoring
• Real-time biometric surveillance
• Manipulation targeting vulnerabilities

Banned — cease use

🟠 High-Risk

Art. 6, Annex III

• Recruitment screening
• Credit scoring
• Critical infrastructure

7+ full compliance controls

🟡 Limited-Risk

Art. 50

• Chatbots
• Emotion recognition
• Deepfake generators

Transparency obligation

🟢 Minimal-Risk

—

• Spam filters
• AI in games
• Inventory management

Voluntary codes

Fig 21. AI Act risk pyramid — from prohibited practices at the top to minimal-risk systems at the base.

Obligations by Role

The AI Act assigns different obligations depending on your role in the AI value chain:

Role	Definition	Key Obligations
Provider	Develops or commissions an AI system and places it on the market	Risk management, technical documentation, conformity assessment, EU database registration, post-market monitoring
Deployer	Uses an AI system under its authority (not for personal use)	Fundamental Rights Impact Assessment, human oversight measures, input data quality, inform affected persons
Importer	Places a non-EU provider's AI system on the EU market	Verify conformity assessment, CE marking, keep documentation accessible
Distributor	Makes an AI system available on the EU market	Verify CE marking, storage conditions, alert authorities of non-compliance
GPAI Provider	Provides General-Purpose AI models	Technical documentation, training data transparency, copyright policy, safety evaluations (systemic risk models)

Multiple roles possible

An organisation can hold multiple roles simultaneously. For example, a company that builds its own recruitment AI and also uses a third-party chatbot is both a Provider and a Deployer.

Fast applicability check

List every AI system you build, place on the market, or operate for EU-facing users.
For each one, ask whether you control the intended purpose or only use a third-party system.
Check whether the use case falls in Annex III high-risk areas or only triggers transparency duties under Article 50.
Document your role per system, because obligations change materially between provider and deployer.

Timeline & Deadlines

The AI Act enters into force through a phased timeline. Missing deadlines exposes organisations to significant penalties.

Phase 1February 2, 2025

Prohibited Practices & AI Literacy

Ban on prohibited AI practices takes effect. All operators must ensure sufficient AI literacy among staff.

Phase 2August 2, 2025

GPAI Obligations

General-Purpose AI model providers must comply with transparency and documentation requirements.

Phase 3August 2, 2026

High-Risk Systems (Major Deadline)

Full obligations for high-risk AI systems activate, including risk management, data governance, technical documentation, and conformity assessment.

Phase 4August 2, 2027

Remaining Obligations

All remaining provisions become applicable, including obligations for AI systems in Annex I.

Feb
2025

Phase 1

Prohibited Practices

✅ Active

Aug
2025

Phase 2

GPAI Obligations

✅ Active

Aug
2026

Phase 3

High-Risk Systems

⏳ 155 days

Aug
2027

Phase 4

Full Application

📅 Future

Fig 22. Complete enforcement timeline — phased rollout from 2025 to 2027 with key obligation milestones.

August 2026 — Critical deadline

The August 2, 2026 deadline is the most impactful for SMEs. High-risk AI system obligations activate, and non-compliance can result in fines of up to EUR 15M or 3% of global annual turnover.

Penalties

The AI Act establishes a tiered penalty structure based on the severity of the infringement:

Violation Type	Maximum Fine	% of Global Turnover	Examples
Prohibited practices	EUR 35,000,000	7%	Operating a banned AI system (social scoring, unauthorised biometric surveillance)
High-risk non-compliance	EUR 15,000,000	3%	Failing to implement required risk management, missing technical documentation
False information to authorities	EUR 7,500,000	1.5%	Providing incorrect information in conformity declarations or to notified bodies

SME impact example

A startup with EUR 10M annual revenue using a non-compliant recruitment AI faces potential fines of EUR 300,000 (3% of turnover). For comparison, typical SaaS net margins are 10–20%, meaning a single fine could wipe 1.5–3 years of profits.

Tier 1

€35M

or 7% global turnover

Prohibited practices

Tier 2

€15M

or 3% global turnover

High-risk non-compliance

Tier 3

€7.5M

or 1.5% global turnover

False information

Example: Company with €10M revenue → High-risk non-compliance = €300,000 fine (3% turnover)

Fig 23. Fine structure — three tiers of penalties with proportional impact on different company sizes.

How teams usually use this reference with the product

Read this page when a system is newly added and the team is unsure whether the use case is actually regulated.
Use it alongside AI Systems and Compliance docs when stakeholders challenge why a workflow exists.
Revisit the timeline section before major launch or procurement milestones so deadlines are not treated as abstract.
Use the role and penalties sections to align product, legal, and leadership on which obligations the company truly owns.

Related Sections

AI Systems

Go here when the legal question must be turned into an actual system record, role, and classification decision.

Compliance Assessment

Use this when you need to convert the reference view into scored obligations, gaps, and remediation.

Use Cases

Read this when the legal framework needs to be placed inside a real onboarding, audit, or incident workflow.

Feature Index

Use this when the regulatory topic is clear but the owning feature or module is not.

Ready to get started?

Join hundreds of companies using ActLoom to simplify AI Act compliance. Start your free assessment today — no credit card required.

Start Free Assessment View Pricing

Questions? Contact us at support@actloom.com

Best use of this page

What it helps you decide

Scoping and triage

Whether a system is likely prohibited, high-risk, limited-risk, minimal-risk, or GPAI-related

Role assignment

Whether your organisation acts as provider, deployer, importer, distributor, or GPAI provider for a given system

Timing and urgency

Which deadlines are already active and what work cannot be postponed

Internal explanation

Why certain product workflows, controls, or exports exist in ActLoom in the first place

Risk Level

Articles

Examples

Obligations

🔴 Prohibited

Art. 5

Social scoring by governments, real-time biometric ID in public spaces (without exceptions), manipulative AI targeting vulnerabilities

Banned — must cease use

🟠 High-Risk

Art. 6, Annex I/III

Recruitment screening, credit scoring, critical infrastructure management, law enforcement tools, education admission

Full compliance: risk management, data governance, technical docs, logging, transparency, human oversight, accuracy/robustness

🟡 Limited-Risk

Art. 50

Chatbots, emotion recognition systems, deepfake generators, AI-generated content

Transparency obligation: inform users they interact with AI

🟢 Minimal-Risk

—

Spam filters, AI in video games, inventory management

No mandatory obligations (voluntary codes encouraged)

Role

Definition

Key Obligations

Provider

Develops or commissions an AI system and places it on the market

Risk management, technical documentation, conformity assessment, EU database registration, post-market monitoring

Deployer

Uses an AI system under its authority (not for personal use)

Fundamental Rights Impact Assessment, human oversight measures, input data quality, inform affected persons

Importer

Places a non-EU provider's AI system on the EU market

Verify conformity assessment, CE marking, keep documentation accessible

Distributor

Makes an AI system available on the EU market

Verify CE marking, storage conditions, alert authorities of non-compliance

GPAI Provider

Provides General-Purpose AI models

Technical documentation, training data transparency, copyright policy, safety evaluations (systemic risk models)

Timeline & Deadlines

The AI Act enters into force through a phased timeline. Missing deadlines exposes organisations to significant penalties.

Phase 1February 2, 2025

Prohibited Practices & AI Literacy

Ban on prohibited AI practices takes effect. All operators must ensure sufficient AI literacy among staff.

Phase 2August 2, 2025

GPAI Obligations

General-Purpose AI model providers must comply with transparency and documentation requirements.

Phase 3August 2, 2026

High-Risk Systems (Major Deadline)

Full obligations for high-risk AI systems activate, including risk management, data governance, technical documentation, and conformity assessment.

Phase 4August 2, 2027

Remaining Obligations

All remaining provisions become applicable, including obligations for AI systems in Annex I.

Feb
2025

Phase 1

Prohibited Practices

✅ Active

Aug
2025

Phase 2

GPAI Obligations

✅ Active

Aug
2026

Phase 3

High-Risk Systems

⏳ 155 days

Aug
2027

Phase 4

Full Application

📅 Future

Fig 22. Complete enforcement timeline — phased rollout from 2025 to 2027 with key obligation milestones.

August 2026 — Critical deadline

The August 2, 2026 deadline is the most impactful for SMEs. High-risk AI system obligations activate, and non-compliance can result in fines of up to EUR 15M or 3% of global annual turnover.

Violation Type

Maximum Fine

% of Global Turnover

Examples

Prohibited practices

EUR 35,000,000

Operating a banned AI system (social scoring, unauthorised biometric surveillance)

High-risk non-compliance

EUR 15,000,000

Failing to implement required risk management, missing technical documentation

False information to authorities

EUR 7,500,000

1.5%

Providing incorrect information in conformity declarations or to notified bodies