The Complete EU AI Act Guide

What is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) establishes harmonized rules for the development, deployment, and use of artificial intelligence systems within the European Union.

The regulation takes a risk-based approach, categorizing AI systems into four tiers with different requirements for each. The higher the risk, the stricter the rules.

Who Must Comply with the EU AI Act?

The EU AI Act applies to multiple parties in the AI value chain:

Providers (Developers)

Companies that develop AI systems or have them developed, and place them on the market or put them into service under their own name or trademark.

• AI startups building products
• SaaS companies with AI features
• Enterprises developing internal AI tools
• Companies using third-party AI and rebranding it

Deployers (Users)

Organizations that use AI systems under their authority, except for purely personal use.

• Companies using AI hiring tools
• Banks using AI for credit decisions
• Healthcare providers using AI diagnostics
• Any business using AI that affects customers or employees

Importers and Distributors

Companies that bring AI systems into the EU market or make them available within the EU.

The Four Risk Levels Explained

The EU AI Act categorizes AI systems into four risk tiers. Each tier has different compliance requirements.

1. Unacceptable Risk (Prohibited)

These AI practices are banned entirely. No compliance pathway exists — they simply cannot be used.

• Social scoring: Evaluating people based on social behavior or personality characteristics for detrimental treatment
• Real-time biometric identification: Facial recognition in public spaces (with limited law enforcement exceptions)
• Emotion recognition in workplace/education: AI that infers emotions of employees or students
• Cognitive manipulation: AI designed to manipulate vulnerable groups (children, elderly, disabled)
• Biometric categorization: Inferring sensitive characteristics like race, religion, or sexual orientation from biometric data
• Predictive policing: Assessing likelihood of individuals committing crimes based on profiling
• Facial recognition database scraping: Building databases from untargeted internet or CCTV scraping

2. High-Risk

AI systems with significant potential impact on health, safety, or fundamental rights. These face the most comprehensive compliance requirements.

Requirements for high-risk AI:

• Risk management system (continuous, documented)
• Data governance practices
• Technical documentation
• Record-keeping and logging
• Transparency and user information
• Human oversight measures
• Accuracy, robustness, and cybersecurity standards
• Conformity assessment
• EU database registration
• Post-market monitoring

3. Limited Risk

AI systems that interact with people or generate content, requiring transparency obligations.

• Chatbots: Must inform users they're interacting with AI
• Emotion recognition systems: Must inform subjects (when not prohibited)
• Deepfakes and synthetic content: Must be labeled as AI-generated
• AI-generated text: Must disclose AI involvement when published as factual content

4. Minimal Risk

AI systems with no specific regulatory requirements under the EU AI Act.

• Spam filters
• AI in video games
• Inventory management systems
• Most recommendation systems
• Internal analytics tools

Key Deadlines You Cannot Miss

The EU AI Act is being implemented in phases. Here are the critical dates:

General-Purpose AI (GPAI) Requirements

If you use or provide foundation models like GPT-5.2, Claude 4.5, Gemini 3.0, Llama 4, or similar large language models, additional rules apply.

For All GPAI Models:

• Technical documentation
• Information for downstream providers
• Copyright compliance documentation
• Training data summary publication

For GPAI with Systemic Risk:

Models with significant capabilities face additional requirements:

• Comprehensive model evaluation and testing
• Risk assessment and mitigation
• Incident reporting to authorities
• Cybersecurity protections

Penalties for Non-Compliance

The EU AI Act includes significant penalties for violations:

For SMEs and startups, penalties are calculated as the higher of the fixed amount or revenue percentage, but with proportionality considerations.

How to Achieve EU AI Act Compliance

Compliance with the EU AI Act requires a systematic approach. Here's a practical roadmap:

Step 1: Inventory Your AI Systems

Create a complete inventory of all AI systems in your organization:

• What AI systems do you develop or use?
• What is each system's purpose?
• What data does it process?
• Who does it affect?
• Where are affected users located?

Step 2: Classify Each System by Risk Level

For each AI system, determine its risk classification:

• Is it on the prohibited list? → Stop using it immediately
• Does it fall into Annex III high-risk categories? → High-risk requirements apply
• Does it interact with users or generate content? → Limited-risk transparency rules apply
• None of the above? → Minimal risk, no specific requirements

Step 3: Gap Analysis

For high-risk and limited-risk systems, assess your current state against requirements:

• Do you have technical documentation?
• Is there a risk management system in place?
• Are human oversight measures defined?
• Do you have data governance policies?
• Are logging and record-keeping enabled?

Step 4: Implement Required Measures

Based on your gap analysis, implement the necessary compliance measures for high-risk and limited-risk systems.

Step 5: Ongoing Compliance

EU AI Act compliance is not a one-time project:

• Monitor systems for changes in risk profile
• Update documentation as systems evolve
• Conduct regular risk assessments
• Stay informed about regulatory guidance
• Report incidents when required

Common Questions About the EU AI Act

Does the EU AI Act apply to US companies?

Yes. If your AI system serves EU users or makes decisions affecting EU residents, you must comply regardless of where your company is headquartered.

What if I use third-party AI (like OpenAI or AWS)?

You may still have compliance obligations as a "deployer." The responsibility depends on how you use the AI and what decisions it influences. Using a third-party model doesn't automatically transfer your compliance burden to them.

Is my chatbot high-risk?

Probably not. Most customer service chatbots are "limited risk" — requiring only transparency disclosures (telling users they're talking to AI). However, if your chatbot makes consequential decisions (like approving applications or providing medical advice), it could be classified higher.

What's the difference between GDPR and the EU AI Act?

GDPR focuses on personal data protection. The EU AI Act focuses on AI system safety and fundamental rights. They complement each other — you likely need to comply with both if you process EU personal data using AI.

Can I self-certify for high-risk AI?

For most Annex III high-risk systems, yes — you can conduct a self-assessment (conformity assessment based on internal control). However, some high-risk systems require third-party assessment by a notified body.

What about AI I use internally (not customer-facing)?

If internal AI systems fall into high-risk categories (like AI for employee performance evaluation or hiring), compliance requirements still apply. The classification is based on the AI's function, not whether it's internal or external.

Why Compliance Matters Beyond Avoiding Fines

While penalties are significant, there are strategic reasons to prioritize EU AI Act compliance:

How Protectron.ai Helps

Achieving EU AI Act compliance can feel overwhelming — hundreds of pages of regulation, complex requirements, and tight deadlines. Protectron.ai simplifies the process: