
EU AI Act Summary: Risk Tiers, Deadlines & 2026 Omnibus Changes

June 8, 2026 · Guides · Cian Hanley


On This Page

What It Is
Risk Tiers
Compared to GDPR
Who It Applies To
Timeline
2026 Delay
Enforcement
Human-in-the-Loop
AI Literacy
Penalties
Practical Steps
FAQ

The Act at a Glance

  • What it is: a risk-based law regulating how AI is built and used, not whether you can use it.
  • In force since: 1 August 2024, with obligations phased in over several years.
  • Already live: the bans on prohibited practices and the AI literacy duty (since February 2025), plus the rules for general-purpose AI models (since August 2025).
  • The timeline just changed: in May 2026 EU legislators provisionally agreed to defer the main high-risk obligations from 2 August 2026 to 2 December 2027. This is not yet final law.
  • Nearest new deadline: 2 December 2026, for AI content watermarking (existing systems) and a new ban on AI-generated abuse imagery.
  • Reach: extraterritorial — it can catch UK and non-EU businesses whose AI output is used in the EU.
  • Penalties: up to €35 million or 7% of global annual turnover for prohibited practices — higher than GDPR’s 4%.

What Is the EU AI Act?

The EU AI Act is the European Union’s regulation governing the development and use of artificial intelligence. It is the first law of its kind anywhere in the world, and like much EU regulation before it, its influence reaches well beyond the EU’s borders.

It is a substantial piece of legislation — 113 articles and 13 annexes — and it is deliberately comprehensive. Rather than banning or blessing AI wholesale, it sorts AI systems into tiers of risk and attaches obligations to each. The higher the potential for harm, the heavier the requirements. Most everyday uses of AI carry few or no obligations at all.

The Act entered into force on 1 August 2024, but its requirements arrive in waves. The first prohibitions took effect in February 2025; rules for general-purpose AI models followed in August 2025; and the bulk of the high-risk obligations were originally due from 2 August 2026 — though, as covered below, that date has since been pushed back under a 2026 reform package. This phasing is deliberate, and it mirrors how financial regulators have historically introduced rules: announce early, let the market adjust, then begin enforcing in earnest.

EU AI Act Risk Categories: The Four Tiers Explained

The Act’s central idea is a sliding scale. You are almost always allowed to use AI — the question the regulation asks is how much you let it decide on its own, and in what context. Systems fall into one of four tiers.

In Brief: The Four Risk Levels

  • Unacceptable risk — prohibited outright. Includes social scoring, subliminal manipulation, and emotion recognition in workplaces and schools.
  • High risk — permitted, but subject to conformity assessment, technical documentation, human oversight and registration. Covers AI in recruitment, credit scoring, biometrics, critical infrastructure and similar.
  • Limited risk — transparency obligations only; for example, a chatbot must disclose that it is AI.
  • Minimal risk — no obligations; for example, spam filters or AI in video games.

Unacceptable Risk (Prohibited Practices)

A small set of uses are banned because the EU considers them a clear threat to people’s rights. These include AI for social scoring, subliminal or manipulative techniques designed to distort behaviour, exploiting the vulnerabilities of specific groups, and emotion recognition in the workplace or educational settings. These prohibitions have been in force since February 2025.

High Risk

This is the tier that most regulated businesses need to think hardest about. High-risk systems are not banned, but they carry the heaviest obligations: conformity assessments, technical documentation, logging, risk management, and — crucially — meaningful human oversight. The Act lists the areas that qualify, including employment and worker management, credit scoring and insurance, biometrics, critical infrastructure, education, law enforcement, and migration.

A useful way to think about high-risk AI is to treat it as you would a capable but junior employee. You have just hired a very smart graduate. Would you let them present the company strategy directly to the CEO, unsupervised, on their first week? Of course not — you would put layers of review around them. The Act is asking for the same instinct: you can delegate the work to AI, but you cannot delegate the accountability. Someone senior still has to be in the loop.

Limited Risk

For lower-stakes systems, the obligation is mainly transparency. People should know when they are interacting with an AI rather than a human, and certain AI-generated content should be labelled as such. A customer-service chatbot is the classic example.

Minimal Risk

The vast majority of AI applications sit here and carry no specific obligations under the Act. Spam filters, recommendation engines in low-stakes contexts and AI in video games are typical examples.

EU AI Act vs GDPR: What’s the Same and What’s Different

Most organisations already have a mental model for EU regulation, and it is GDPR. The comparison is a helpful starting point: both are EU laws with extraterritorial reach, both regulate how organisations handle information about people, and both carry fines pegged to global turnover. But the differences matter.

GDPR is largely about acting on data: you hold information about people, and the law governs what you may legitimately do with it. The AI Act is more about outcomes and oversight: data goes in, the AI reasons and concludes, and the regulation focuses on whether you have kept proper control over the decisions that result. You cannot simply outsource the decision to the machine and walk away.

The headline difference is the size of the stick. GDPR’s maximum fine is 4% of global annual turnover. For the most serious breaches of the AI Act — engaging in a prohibited practice — the ceiling rises to €35 million or 7% of global annual turnover, whichever is higher. Breaches of high-risk obligations can reach €15 million or 3%, and supplying incorrect information to authorities can cost €7.5 million or 1%.

                 GDPR                             EU AI Act
In force         2018                             2024, phased to 2028
Core concern     What you do with personal data   How AI decisions are governed and overseen
Maximum fine     4% of global turnover            7% of global turnover (prohibited practices)
Reach            Extraterritorial                 Extraterritorial
Structure        Principles-based                 Risk-tiered obligations

Who Does the EU AI Act Apply To?

The Act applies to a wide range of organisations across the AI value chain, and its reach is not limited to companies based in the EU. The two roles that matter most for the average business are provider and deployer.

Does the EU AI Act Apply to UK Businesses?

Yes — if your AI system’s output is used in the EU or affects people in the EU, the Act can apply regardless of where your business is based. A UK firm that provides or deploys an AI system reaching the EU market is in scope. This mirrors GDPR’s extraterritorial reach: leaving the EU did not put UK businesses beyond the reach of EU digital regulation, and the AI Act is no exception.

In practice, that means a UK company selling AI-enabled software to EU customers, or using AI to make decisions about people located in the EU, should assume it needs to comply. UK businesses should also keep an eye on the parallel domestic picture, where regulators are tightening expectations around automated decision-making and “meaningful human involvement” in their own right.

Providers vs Deployers: What’s Your Role?

A provider develops an AI system (or has one developed) and places it on the market or puts it into service under its own name or trademark. A deployer uses an AI system under its own authority in the course of its business; purely personal, non-professional use is out of scope. Many companies are both, depending on the system, and a deployer that substantially modifies a system or rebrands it as its own can become its provider. Your obligations differ by role, so the first step in any compliance effort is working out which hat you are wearing for each AI system you touch.

Compliance Timeline: Key Dates and What They Mean

The Act’s obligations arrive in stages — and in May 2026 those stages were re-sequenced. The timeline below shows the current planning baseline, including the changes made under the Digital Omnibus (explained in the next section). Dates marked † were revised by the May 2026 provisional agreement and are not yet final law.

  • 1 Aug 2024 (in force): The Act enters into force.
  • 2 Feb 2025 (in force): Prohibited practices banned; AI literacy obligations begin.
  • 2 Aug 2025 (in force): Rules for general-purpose AI (GPAI) models apply.
  • 2 Aug 2026 (scheduled): Transparency duties under Article 50 apply (e.g. telling people they are dealing with an AI).
  • 2 Dec 2026 † (new): Watermarking of AI-generated content for systems already on the market; new ban on AI-generated abuse imagery (CSAM / non-consensual intimate imagery).
  • 2 Aug 2027 † (revised): Deadline for member states to have a national AI regulatory sandbox operating.
  • 2 Dec 2027 † (revised): Main high-risk obligations apply (Annex III: recruitment, credit scoring, biometrics, education, law enforcement, etc.). Was 2 August 2026.
  • 2 Aug 2028 † (revised): High-risk obligations for AI embedded in regulated products (Annex I). Was 2 August 2027.

Has the EU AI Act Been Delayed? The 2026 Digital Omnibus, Explained

Partly. On 7 May 2026, the European Parliament and Council reached a provisional agreement, as part of the “Digital Omnibus on AI”, to postpone the Act’s main high-risk obligations. Annex III high-risk systems move from 2 August 2026 to 2 December 2027; high-risk AI embedded in regulated products moves to 2 August 2028. The bans on prohibited practices, the AI literacy duty and the rules for general-purpose AI are not delayed and remain in force.

The reason for the delay is practical rather than political cold feet: the technical standards, tools and guidance that businesses need to actually demonstrate compliance with the high-risk regime were running late, and it is difficult to hold firms to a deadline when the yardstick they will be measured against does not yet exist. The legislators chose to fix firm new dates anyway, rather than make them float with the standards, so that businesses get the certainty they were asking for.

Two cautions matter here. First, this is a provisional agreement: it only becomes law once it is formally adopted and published in the Official Journal, which is expected before August 2026. Treat December 2027 as your planning baseline — it is what the AI Office and the major law firms are working to — but do not treat it as settled until it is. Second, a delay is not a reprieve. The high-risk work cannot be compressed into the final months, the obligations already in force are being actively monitored, and there are two genuinely new deadlines in December 2026. The Omnibus is a change to the sequence, not a reduction in scope.

What the Enforcement Phase Means in Practice

For its first couple of years, the AI Act has largely been something to read about. As each deadline lands, it becomes something firms are actually examined against. This is the standard pattern for regulators: they announce a rule, give the market time to adjust, and then steadily raise the likelihood of enforcement. We have watched it happen with outsourcing regulation, with DORA, and with GDPR before that.

The first audits will be a learning process for everyone, regulators included. But the direction of travel is clear, and it rewards the same thing every mature regulatory regime rewards: evidence. If something goes wrong, you want to be able to walk an examiner back through the decision — what the AI was asked, what it produced, who reviewed it, and why the next step was approved. That means observability and an audit trail you can actually retrieve, not a screenshot lost in someone’s personal chat history.

It is worth being honest about what regulation is for. The point is not to stop problems from ever happening — problems always happen. The point is to reduce them, and to be able to show that when something went wrong, you had acted in good faith with the right checks and balances in place. That is what good governance looks like, and it is what an audit is really testing.

Human-in-the-Loop: The Core Compliance Requirement

If there is a single idea at the heart of the high-risk regime, it is this: a human must remain genuinely accountable for what the AI decides. The Act calls this human oversight (Article 14), and it spells out what the people assigned to it must be able to do: understand the system’s capabilities and limits, watch for automation bias, decide not to use its output, override or reverse it, and stop the system altogether. A reviewer therefore needs real authority and discretion, not just a button. Clicking “approve” on everything the machine produces does not count.

There is a practical tension here that is worth naming. If AI does all the gathering and analysis and the human only signs off, you can erode the very judgement the oversight depends on; reviewing fifty AI-generated outputs a day is a different job from doing the work yourself. The design challenge is to keep the human meaningfully in the loop without making their role a formality.

A workable pattern is to bookend the process: let AI do the heavy lifting in the middle — collecting data, summarising, cross-referencing, even handing off between agents — but require a human decision at the points that matter, and journal everything along the way. The agents can talk to each other; the accountable person still owns the outcome, and the record proves it.
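The bookended process above, and the audit trail the enforcement section asks for (what the AI was asked, what it produced, who reviewed it, and why the next step was approved), can be made concrete in code. The following is an added example, not Brooklyn’s code or anything the Act prescribes: a hash-chained decision journal in which agents record prompts, outputs and handoffs, a human review must name the output it covers and carry a rationale, and the workflow is gated on that review. The case ID, agent names, reviewer name and questionnaire content are constructed for illustration.

```python
"""Tamper-evident decision journal for a human-in-the-loop AI workflow.

Added example (constructed data). Each entry is SHA-256 chained to the
previous one so a retrieved record can be checked for edits or gaps, and
the next step is gated on a recorded human decision with a rationale.
"""
from __future__ import annotations

import hashlib
import json
import time
from dataclasses import dataclass, replace
from typing import Callable

GENESIS_HASH = "0" * 64
REVIEW_DECISIONS = ("approve", "amend", "reject")


@dataclass(frozen=True)
class Entry:
    seq: int
    ts: float
    actor: str       # "agent:<name>" or "human:<user>"
    kind: str        # "prompt" | "output" | "handoff" | "review"
    payload: dict
    prev_hash: str
    hash: str


def entry_digest(seq: int, ts: float, actor: str, kind: str,
                 payload: dict, prev_hash: str) -> str:
    """Canonical JSON of every field except the hash itself, then SHA-256."""
    body = json.dumps([seq, ts, actor, kind, payload, prev_hash],
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class DecisionJournal:
    def __init__(self, case_id: str, clock: Callable[[], float] = time.time):
        self.case_id = case_id
        self.clock = clock           # injectable so tests are deterministic
        self.entries: list[Entry] = []

    def _append(self, actor: str, kind: str, payload: dict) -> Entry:
        prev = self.entries[-1].hash if self.entries else GENESIS_HASH
        seq, ts = len(self.entries), self.clock()
        entry = Entry(seq, ts, actor, kind, payload, prev,
                      entry_digest(seq, ts, actor, kind, payload, prev))
        self.entries.append(entry)
        return entry

    def record_agent(self, agent: str, kind: str, payload: dict) -> Entry:
        """What the AI was asked, what it produced, or a handoff between agents."""
        if kind not in ("prompt", "output", "handoff"):
            raise ValueError(f"unexpected agent event: {kind}")
        return self._append(f"agent:{agent}", kind, payload)

    def record_review(self, reviewer: str, output_seq: int,
                      decision: str, rationale: str) -> Entry:
        """A human decision on one specific AI output. A rationale is mandatory."""
        if decision not in REVIEW_DECISIONS:
            raise ValueError(f"decision must be one of {REVIEW_DECISIONS}")
        if not rationale.strip():
            raise ValueError("a review without a rationale is a rubber stamp")
        if not (0 <= output_seq < len(self.entries)) or self.entries[output_seq].kind != "output":
            raise ValueError("review must reference a recorded AI output")
        return self._append(f"human:{reviewer}", "review",
                            {"output_seq": output_seq, "decision": decision,
                             "rationale": rationale})

    def may_proceed(self) -> bool:
        """Gate: the latest AI output must carry a human approve/amend review."""
        outputs = [e for e in self.entries if e.kind == "output"]
        if not outputs:
            return False
        last = outputs[-1].seq
        return any(e.kind == "review" and e.payload["output_seq"] == last
                   and e.payload["decision"] in ("approve", "amend")
                   for e in self.entries)


def verify_chain(entries: list[Entry]) -> tuple[bool, int]:
    """Recompute every hash and link. Returns (ok, seq of first bad entry or -1)."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != prev:
            return False, i
        if entry_digest(e.seq, e.ts, e.actor, e.kind, e.payload, e.prev_hash) != e.hash:
            return False, i
        prev = e.hash
    return True, -1


def walk_back(journal: DecisionJournal) -> list[str]:
    """The examiner's view of a case: one line per step, oldest first."""
    lines = []
    for e in journal.entries:
        if e.kind == "review":
            p = e.payload
            lines.append(f"{e.seq}: {e.actor} reviewed output #{p['output_seq']}: "
                         f"{p['decision']} ({p['rationale']})")
        else:
            lines.append(f"{e.seq}: {e.actor} {e.kind}: {json.dumps(e.payload, sort_keys=True)}")
    return lines


def build_sample_case() -> DecisionJournal:
    """Constructed vendor-onboarding case: two agents hand off, no human yet."""
    tick = iter(range(1_700_000_000, 1_700_000_100))
    j = DecisionJournal("vendor-onboarding-0042", clock=lambda: float(next(tick)))
    j.record_agent("extractor", "prompt", {"task": "summarise supplier questionnaire"})
    j.record_agent("extractor", "output", {"summary": "ISO 27001 certified; no sub-processors declared"})
    j.record_agent("extractor", "handoff", {"to": "risk-scorer"})
    j.record_agent("risk-scorer", "output", {"score": "low", "basis": "certification, no sub-processors"})
    return j


def tampered_copy(journal: DecisionJournal) -> list[Entry]:
    """Same entries, but the risk score quietly edited after the fact."""
    entries = list(journal.entries)
    entries[3] = replace(entries[3], payload={**entries[3].payload, "score": "high"})
    return entries


if __name__ == "__main__":
    case = build_sample_case()
    print("may proceed before review:", case.may_proceed())
    case.record_review("j.smith", 3, "amend",
                       "questionnaire lists two sub-processors the extractor missed")
    print("may proceed after review:", case.may_proceed())
    print("\n".join(walk_back(case)))
    print("chain intact:", verify_chain(case.entries), "tampered:", verify_chain(tampered_copy(case)))
```

Two design points worth noting. The review entry points at the sequence number of the output it covers, so a later query can prove which version of the AI’s work the human actually saw, not merely that a human clicked something at some time. And the chain only makes edits detectable, not impossible: anyone with write access to the store can recompute every hash from the altered entry onwards, so in production the chain head should be periodically signed or copied to write-once storage outside the reach of the people who operate the workflow.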

AI Literacy and Governance: What the Act Requires of Your Organisation

Since February 2025, organisations have been expected to ensure their people have a sufficient level of AI literacy — enough understanding to use these systems responsibly and spot when something is off. It is easy to treat this as another box-ticking exercise, a quarterly e-learning module clicked through at speed. The organisations that get value from it will treat it as a genuine capability investment, because a workforce that understands how AI actually behaves makes better decisions and fewer expensive mistakes.

The other half of the picture is stating a position. The worst stance an organisation can take is no stance at all. “We don’t use AI” is rarely true in practice — if you have not given your people a policy, they are using it anyway and quietly editing out the tell-tale signs. We saw exactly this with cloud and SaaS a decade ago: shadow adoption races ahead of governance, and the companies that struggled were the ones that failed to get in front of it. Far better to set a clear, sensible policy on what is and isn’t acceptable, and bring AI use into the open where it can be governed.

Penalties for Non-Compliance

The fines are tiered to match the severity of the breach:

Violation                                         Maximum fine
Prohibited AI practices (Article 5)               €35 million or 7% of global annual turnover
High-risk / GPAI non-compliance                   €15 million or 3% of global annual turnover
Supplying incorrect information to authorities    €7.5 million or 1% of global annual turnover

In each case the regulator takes the higher of the fixed sum or the percentage; for SMEs and start-ups it is the lower of the two. But the financial penalty is not the whole story. Market surveillance authorities can also require corrective action and, in the most serious cases, order a system to be withdrawn from the EU market entirely. For a business that depends on that system, the operational consequence can dwarf the fine.

Practical Steps to Prepare Now

Compliance is less daunting if you treat it as an extension of governance you probably already do for your critical systems. A sensible sequence:

  1. Inventory where you use AI. You almost certainly maintain a register of your critical applications. Your AI inventory is one layer beneath that: of the systems you already catalogue, which now contain AI, and which of those are making or shaping decisions? Include AI features switched on inside vendor products, not just tools you built.
  2. Classify each system by risk. Map your AI uses against the four tiers. Most will be minimal or limited risk; focus your effort on anything that touches the high-risk areas.
  3. State a clear AI policy. Set out what your people may and may not do with AI, and bring shadow usage into the open. A stated position beats a vacuum every time.
  4. Invest in AI literacy. Make sure the people relying on these tools understand how they behave — and how they fail.
  5. Build oversight and audit trails. Ensure high-risk decisions have a meaningful human in the loop and that you can retrieve the record of what happened, why, and who approved it — potentially years later.
  6. Assess your vendors. If a supplier’s AI feeds your decisions, their compliance becomes your problem. Fold AI into your third-party risk assessments.
  7. Brief the board. Accountability sits at the top. Make sure leadership understands the exposure and the plan.

The Role of Purpose-Built Platforms in Compliance

Much of what the Act asks for — human-in-the-loop oversight, retrievable audit trails, clarity over where data sits — is hard to retrofit onto a patchwork of personal AI accounts and spreadsheets. If a decision was made in someone’s personal chatbot and that person has since left, the model could have been right and you still fail the audit, because you cannot retrieve the record. Platforms designed with these controls built in — such as Brooklyn — reduce that burden by logging interactions, enforcing review at the points that matter, and keeping data within known boundaries. The tool is not the point of the regulation, but the right tooling makes complying with it considerably less painful.

Frequently Asked Questions

What Is the EU AI Act in Simple Terms?

It is the EU’s law for regulating artificial intelligence. It sorts AI systems into four risk tiers and attaches obligations to each, so that higher-risk uses face stricter controls while everyday uses face few or none. It is the first comprehensive AI law in the world.

What Are the Four Risk Categories Under the EU AI Act?

Unacceptable risk (banned), high risk (heavily regulated but permitted), limited risk (transparency obligations only) and minimal risk (no specific obligations). The tier determines how much oversight and documentation a system requires.

Does the EU AI Act Apply to UK Businesses After Brexit?

Yes, in many cases. If your AI system’s output is used in the EU or affects people there, the Act can apply regardless of where you are based — the same extraterritorial reach that GDPR has.

When Does EU AI Act Enforcement Begin?

It is phased. The bans on prohibited practices and the AI literacy duty have applied since February 2025, and the rules for general-purpose AI since August 2025. The main high-risk obligations were due from August 2026 but, under a provisional reform agreed in May 2026, are now set to apply from 2 December 2027 (and 2 August 2028 for AI built into regulated products). Those revised dates are not yet final law.

What Are the Penalties for Non-Compliance?

Up to €35 million or 7% of global annual turnover for prohibited practices, €15 million or 3% for high-risk or GPAI breaches, and €7.5 million or 1% for supplying incorrect information — whichever figure is higher in each case.

What Does “Human-in-the-Loop” Mean Under the EU AI Act?

It means a person with genuine authority must oversee high-risk AI decisions and be able to override them. Rubber-stamping an AI output does not satisfy the requirement; the human involvement has to be meaningful.

Do I Need an AI Inventory for My Organisation?

In practice, yes. You cannot classify or govern AI you have not catalogued. Start from your existing critical-systems register and identify which applications now contain AI and which are making decisions.

How Does the EU AI Act Compare to GDPR?

Both are extraterritorial EU laws with turnover-based fines. GDPR governs what you do with personal data; the AI Act governs how AI decisions are made and overseen. The AI Act’s top fine (7%) is higher than GDPR’s (4%).

What’s the Difference Between a Provider and a Deployer?

A provider develops an AI system and places it on the market or puts it into service under its own name or trademark. A deployer uses an AI system under its own authority in its business. Obligations differ by role, and many organisations are both.

How Do I Prepare for an EU AI Act Audit?

Inventory and classify your AI, set a clear policy, invest in literacy, and put meaningful human oversight and retrievable audit trails around high-risk decisions — so you can show, after the fact, what happened and why.

© Brooklyn Solutions Privacy Policy