The EU Artificial Intelligence Act, Regulation (EU) 2024/1689, sets a single rulebook for AI placed on or used in the EU. The principle behind it is straightforward: obligations scale with the risk a system poses, not with the technology behind it. For most product teams the work that follows is narrower than the headlines suggest. The systems that do fall in scope, however, carry concrete, auditable duties — and a conformity assessment standing between them and the market.
Who is in scope
The Act attaches duties to roles, and one organisation can hold several at once. The provider — whoever develops a system and puts it on the market under their own name — carries the bulk of the obligations. A deployer uses a system in a professional capacity and has a lighter but real set of duties. Importers and distributors sit in between, responsible for checking that what they place or make available is compliant. Providers of general-purpose AI models are handled separately again, under Chapter V.
Where you are based does not decide it. A provider established outside the EU is caught where its system is placed on the EU market, and equally where the system's output is used in the EU even though the system itself runs elsewhere.
The four risk tiers
Classification is the load-bearing decision in the whole regime; nearly every obligation downstream depends on it.
| Tier | Examples | What's required |
|---|---|---|
| Unacceptable | Social scoring, manipulative or exploitative systems, untargeted facial-recognition scraping, most live remote biometric ID in public spaces | Prohibited under Article 5 |
| High | AI used in employment, creditworthiness, education, essential services, law enforcement, critical-infrastructure safety (Annex III) | Full control set, conformity assessment, CE marking |
| Limited | Chatbots, emotion recognition, AI-generated or synthetic content | Transparency: disclose the AI, label synthetic media |
| Minimal | Spam filters, AI in games, the long tail of everyday AI | No specific obligations |
If you land in the high-risk tier
An Annex III high-risk system cannot be placed on the market until a defined set of controls is in place and documented. In practice that means a risk-management system maintained across the lifecycle (Art. 9); data governance over the training, validation and test sets (Art. 10); technical documentation to Annex IV plus automatic logging (Arts. 11–12); instructions that let a deployer operate the system safely (Art. 13); human oversight that is genuine rather than a nominal "human in the loop" (Art. 14); and demonstrated accuracy, robustness and cybersecurity (Art. 15). Conformity is then assessed, and the system carries CE marking like any other regulated product.
Deadlines
| Date | What applies |
|---|---|
| 1 August 2024 | Regulation enters into force |
| 2 February 2025 | Article 5 prohibitions apply |
| 2 August 2025 | General-purpose AI model obligations apply |
| 2 August 2026 | Main high-risk and transparency obligations apply |
| 2 August 2027 | High-risk AI embedded in other regulated products |
The staggered dates matter for planning. The prohibitions and the GPAI rules are already live; the weight of the high-risk regime lands on 2 August 2026, which is the date most roadmaps should be working back from (see the European Commission's implementation timeline).
Penalties
Fines are set as the higher of a fixed ceiling or a share of worldwide annual turnover (Article 99). Prohibited practices sit at the top: €35 million or 7%. Most other breaches, such as a missing risk-management system or inadequate documentation, fall to €15 million or 3%. Supplying incorrect or misleading information to authorities is capped at €7.5 million or 1.5%. For SMEs and start-ups the lower figure of each pair applies, rather than the higher.
Where NormScout fits
Scoping and classification are where most teams stall, because the answer turns on the use case, the sector and the deployment rather than on the model itself. NormScout works through those questions and returns a per-article assessment against the AI Act text, naming the obligations that apply to your system and the gaps against each. Run the free assessment for a defensible starting point.