What is the EU AI Act?
A guide to Regulation (EU) 2024/1689 - the world's first comprehensive AI law - and what it means for your organisation.
What is the EU AI Act?
The EU AI Act (officially Regulation (EU) 2024/1689) is the European Union's first comprehensive law regulating artificial intelligence. Think of it as the GDPR for AI - a legal framework that governs how AI systems can be developed, deployed, and used within the EU.
It was adopted by the European Parliament in March 2024 and entered into force in August 2024. Obligations begin phasing in from February 2025, with the toughest rules for high-risk AI systems taking full effect in August 2026.
Why does it exist?
The EU AI Act was created to address three core problems:
- Safety. AI systems can cause real harm - biased hiring, unsafe medical decisions, discriminatory credit scoring. The Act requires providers to assess and mitigate these risks before deployment.
- Trust. People need to know when they're interacting with an AI, how decisions are made, and that they can challenge them. The Act mandates transparency and human oversight.
- Level playing field. Without common rules, companies that cut corners on safety gain a competitive advantage. The Act sets a single standard across all 27 EU member states.
Who does it apply to?
The Act applies to two main groups:
- Providers - organisations that develop or deploy AI systems placed on the EU market, regardless of where they're based. If your AI system affects people in the EU, you're in scope.
- Deployers - organisations that use an AI system in a professional capacity within the EU. Even if you bought the system from someone else, you have compliance obligations.
There are limited exemptions for purely personal use, research, and national security.
The four risk levels
The Act uses a risk-based approach. It doesn't regulate all AI equally - the obligations scale with the potential for harm.
Unacceptable risk (banned)
AI systems that pose a clear threat to safety, livelihoods, or rights are prohibited. This includes social scoring by governments, real-time biometric surveillance in public spaces (with narrow exceptions), and AI that manipulates vulnerable groups.
High risk (regulated)
This is where most of the compliance burden lives. High-risk includes AI used in critical infrastructure, education, employment, law enforcement, migration, access to essential services, and systems that profile individuals. Providers must implement risk management, technical documentation, human oversight, accuracy and cybersecurity measures, and register in an EU database.
Limited risk (transparency)
Systems like chatbots and deepfake generators must inform users they're interacting with AI or that content has been AI-generated. No further obligations.
Minimal risk (unregulated)
The vast majority of AI systems - spam filters, recommendation engines, AI-enabled video games - are not regulated under the Act. A voluntary code of conduct is encouraged.
What you need to do (high-risk)
If your AI system is classified as high-risk, you need to:
- Establish a risk management system (Article 9) - identify, assess, and mitigate risks continuously throughout the system's lifecycle.
- Create technical documentation (Article 11) - a detailed description of the system, its design, development process, training data, testing results, and cybersecurity measures.
- Provide transparency (Article 13) - tell users what the system does, its limitations, and how to exercise oversight.
- Enable human oversight (Article 14) - design the system so humans can monitor, override, or stop it when needed.
- Implement a quality management system (Article 17) - document your processes, assign responsibility, and maintain audit trails.
- Register in the EU database - before placing your system on the market.
- Draw up an EU Declaration of Conformity and affix the CE marking.
That's a lot of paperwork, and it is exactly what Evideva is built for - it generates the documentation you need from a guided questionnaire.
Deadlines & enforcement timeline
If you're reading this in mid-2026, the August 2026 deadline is imminent. Time is short.
What happens if you don’t comply?
Fines under the EU AI Act are substantial:
- Up to €35 million or 7% of global annual turnover - for violations of banned AI practices.
- Up to €15 million or 3% of global annual turnover - for failing to meet high-risk obligations (documentation, risk management, etc.).
- Up to €7.5 million or 1.5% of global annual turnover - for supplying incorrect information to authorities.
These figures are the upper bounds. National regulators (such as Ireland's DPC or Germany's BSI) will enforce the rules, and they have wide discretion in how they apply them. But the message is clear: compliance is not optional.
Official resources
- Full text of Regulation (EU) 2024/1689
The official legal text on EUR-Lex. All 459 articles and 13 annexes.
- Artificial Intelligence Act - High-level summary
A readable, section-by-section breakdown of the Act with timeline visualisations.
- European Commission Q&A on the AI Act
Official FAQ from the European Commission covering scope, obligations, and enforcement.
- EU Digital Strategy - AI regulatory framework
The Commission's policy page with additional guidance and updates.
Ready to get compliant?
Evideva generates all the documentation you need. Start with a free risk check - no account required.