EU AI Act

EU AI Act Explained: Scope, Risk Tiers, Deadlines & Penalties

Regulation (EU) 2024/1689 is the EU's comprehensive AI law. This guide explains who it applies to, how AI systems are classified by risk, when the obligations take effect, and what the fines are for getting it wrong.

By the NormScout Compliance Team · Updated July 2026 · 9 min read

Reviewed against the official EUR-Lex texts.

← Back to Blog

The EU Artificial Intelligence Act, Regulation (EU) 2024/1689, sets a single rulebook for AI placed on or used in the EU. The principle behind it is straightforward: obligations scale with the risk a system poses, not with the technology behind it. For most product teams the work that follows is narrower than the headlines suggest. The systems that do fall in scope, however, carry concrete, auditable duties — and a conformity assessment standing between them and the market.

Settle this first: does your product contain an "AI system" as defined in Article 3, and does it reach users in the EU? If both are yes, the rest of the Act is a question of which tier applies, not whether you are in scope.

Who is in scope

The Act attaches duties to roles, and one organisation can hold several at once. The provider — whoever develops a system and puts it on the market under their own name — carries the bulk of the obligations. A deployer uses a system in a professional capacity and has a lighter but real set of duties. Importers and distributors sit in between, responsible for checking that what they place or make available is compliant. Providers of general-purpose AI models are handled separately again, under Chapter V.

Where you are based does not decide it. A provider established outside the EU is caught where its system is placed on the EU market, and equally where the system's output is used in the EU even though the system itself runs elsewhere.

The four risk tiers

Classification is the load-bearing decision in the whole regime; nearly every obligation downstream depends on it.

TierExamplesWhat's required
UnacceptableSocial scoring, manipulative or exploitative systems, untargeted facial-recognition scraping, most live remote biometric ID in public spacesProhibited under Article 5
HighAI used in employment, creditworthiness, education, essential services, law enforcement, critical-infrastructure safety (Annex III)Full control set, conformity assessment, CE marking
LimitedChatbots, emotion recognition, AI-generated or synthetic contentTransparency: disclose the AI, label synthetic media
MinimalSpam filters, AI in games, the long tail of everyday AINo specific obligations

If you land in the high-risk tier

An Annex III high-risk system cannot be placed on the market until a defined set of controls is in place and documented. In practice that means a risk-management system maintained across the lifecycle (Art. 9); data governance over the training, validation and test sets (Art. 10); technical documentation to Annex IV plus automatic logging (Arts. 11–12); instructions that let a deployer operate the system safely (Art. 13); human oversight that is genuine rather than a nominal "human in the loop" (Art. 14); and demonstrated accuracy, robustness and cybersecurity (Art. 15). Conformity is then assessed, and the system carries CE marking like any other regulated product.

Deadlines

DateWhat applies
1 August 2024Regulation enters into force
2 February 2025Article 5 prohibitions apply
2 August 2025General-purpose AI model obligations apply
2 August 2026Main high-risk and transparency obligations apply
2 August 2027High-risk AI embedded in other regulated products

The staggered dates matter for planning. The prohibitions and the GPAI rules are already live; the weight of the high-risk regime lands on 2 August 2026, which is the date most roadmaps should be working back from (see the European Commission's implementation timeline).

Penalties

Fines are set as the higher of a fixed ceiling or a share of worldwide annual turnover (Article 99). Prohibited practices sit at the top: €35 million or 7%. Most other breaches, such as a missing risk-management system or inadequate documentation, fall to €15 million or 3%. Supplying incorrect or misleading information to authorities is capped at €7.5 million or 1.5%. For SMEs and start-ups the lower figure of each pair applies, rather than the higher.

Where NormScout fits

Scoping and classification are where most teams stall, because the answer turns on the use case, the sector and the deployment rather than on the model itself. NormScout works through those questions and returns a per-article assessment against the AI Act text, naming the obligations that apply to your system and the gaps against each. Run the free assessment for a defensible starting point.

Frequently asked questions

What is the EU AI Act?

Regulation (EU) 2024/1689, the EU's horizontal law for artificial intelligence. It regulates AI by risk rather than by sector. A short list of practices is banned outright, high-risk systems must meet a defined set of controls before they reach the market, and lighter transparency rules cover chatbots and synthetic media. Most AI carries no specific obligation at all.

Does the EU AI Act apply to my product?

It applies if your product contains an AI system as defined in Article 3 and is placed on or used in the EU. That includes cases where the system runs abroad but its output is used inside the EU. No AI component, no AI Act. The duties themselves depend on whether you are the provider, deployer, importer or distributor.

What are the risk tiers under the EU AI Act?

There are four. Unacceptable-risk practices such as social scoring and untargeted facial-recognition scraping are prohibited under Article 5. High-risk systems, broadly the Annex III uses like employment, creditworthiness, education and critical-infrastructure safety, carry the full compliance set. Limited-risk systems such as chatbots owe transparency. Everything else is minimal-risk and unregulated.

When do the EU AI Act obligations take effect?

It entered into force on 1 August 2024 and applies in stages. The Article 5 prohibitions have applied since 2 February 2025, obligations for general-purpose AI models since 2 August 2025, and the main high-risk and transparency obligations from 2 August 2026, with high-risk AI embedded in other regulated products following on 2 August 2027.

What are the penalties for breaching the EU AI Act?

Up to €35 million or 7% of worldwide annual turnover, whichever is higher, for prohibited practices; up to €15 million or 3% for breaching most other obligations; and up to €7.5 million or 1.5% for giving authorities incorrect information. For SMEs and start-ups, the lower figure of each pair applies.

How do I check whether my AI product is compliant with the EU AI Act?

NormScout's free assessment establishes whether the Act applies and at what risk tier, then checks your product against the relevant articles and lists the gaps. Each point is traced to the EUR-Lex text, so the result is something you can hand to legal counsel or a notified body.

Sources & references

  1. Regulation (EU) 2024/1689, Artificial Intelligence Act (full text, EUR-Lex)
  2. European Commission, AI Act: regulatory framework and implementation timeline

This guide draws on the official regulation texts and European Commission guidance linked above. It is general information, not legal advice.