Updated May 15, 2026 · 8 min read

EU AI Act (May 2026)

TL;DR: The world's first major horizontal AI law. Risk-tiered: unacceptable practices banned (Feb 2025), high-risk systems subject to full conformity (Aug 2026-27), limited-risk gets transparency obligations, minimal-risk gets nothing. Extraterritorial reach: any AI used in the EU is in scope. Fines up to 7% of global turnover.

Timeline

| Date | Event |
| --- | --- |
| August 2024 | EU AI Act entered into force |
| February 2025 | Prohibited AI practices (Art. 5) enforceable |
| August 2025 | General-purpose AI model obligations begin (Art. 51-55), governance bodies established |
| August 2026 | High-risk AI obligations enforceable for systems listed in Annex III |
| August 2027 | All remaining high-risk obligations enforceable (Annex I products) |

Four risk tiers

Unacceptable risk

Banned outright. Social scoring, manipulative AI, real-time biometric ID in public spaces (with narrow exceptions), emotion recognition in the workplace and in education, untargeted scraping for facial recognition databases.

Prohibited from February 2025.

High risk

Permitted but subject to the full conformity regime: technical documentation, data governance, transparency, human oversight, accuracy + robustness + cybersecurity (Articles 9-15), conformity assessment, CE marking, post-market monitoring.

Examples: Biometric ID, critical infrastructure, education, employment, essential services, law enforcement, migration, justice. Plus Annex I product safety regimes (medical devices, machinery, etc.).

Limited risk

Transparency obligations only: users must know they are interacting with AI, content must be labelled as AI-generated, deepfakes must be disclosed.

Examples: Chatbots, AI-generated content, emotion recognition (non-prohibited contexts), biometric categorisation.

Minimal risk

No obligations. Voluntary codes of conduct encouraged.

Examples: Most general-purpose AI applications: spam filters, AI in video games, basic productivity AI.

High-risk AI obligations (Articles 9-15)

High-risk AI systems must satisfy seven articles covering the full lifecycle: design, development, deployment, operation. The conformity assessment requires evidence against each of these.

| Article | Obligation | Detail |
| --- | --- | --- |
| Art. 9 | Risk management system | Continuous, iterative risk management throughout the AI system's lifecycle. |
| Art. 10 | Data and data governance | Training, validation, and testing datasets must be relevant, representative, free of errors, and complete. |
| Art. 11 | Technical documentation | Documentation per Annex IV: purpose, design, training data, performance, risks, mitigation. |
| Art. 12 | Record-keeping (logs) | Automatic logs of events during operation, retained per regulatory requirement. |
| Art. 13 | Transparency to users | Instructions for use, clear info on capabilities and limitations, accuracy levels, human oversight measures. |
| Art. 14 | Human oversight | Effective human oversight by qualified persons, and the ability to monitor, interpret, intervene, override, halt. |
| Art. 15 | Accuracy, robustness, cybersecurity | Appropriate level of accuracy, robustness to errors and inconsistencies, cybersecurity against adversarial attempts. |

General-purpose AI model obligations

Articles 51-55 cover general-purpose AI models, frontier LLMs in particular. Most obligations apply to every GPAI; some additional obligations apply only to models above a systemic-risk threshold (10^25 FLOPS of training compute).

Technical documentation (all GPAI)

Training methodology, architecture, intended uses, capabilities, limitations, evaluation results.

Information to downstream providers

Documentation enabling deployers to comply with their own obligations.

Copyright policy

Policy to comply with EU copyright law, including the rights-reservation opt-out under DSM Directive Art. 4(3).

Training data summary

Sufficiently detailed summary of training data made public.

Systemic risk evaluation (GPAI > 10^25 FLOPS)

Model evaluation, adversarial testing, risk assessment for systemic risk (large frontier models).

Cybersecurity protection (systemic risk GPAI)

Adequate level of cybersecurity for models and their physical infrastructure.

Incident reporting (systemic risk GPAI)

Serious incidents reported to the AI Office without undue delay.

FAQ

What is the EU AI Act?

The EU AI Act is the European Union's comprehensive regulation on artificial intelligence. It entered into force in August 2024, with obligations phased in through 2027. It is the world's first major horizontal AI law, structured around a risk-tiered approach: unacceptable risk (banned), high risk (full conformity regime), limited risk (transparency only), and minimal risk (no obligations).

When does the EU AI Act take effect?

Phased enforcement. Prohibited practices: February 2025. General-purpose AI obligations: August 2025. High-risk obligations under Annex III: August 2026. Full high-risk obligations including Annex I product safety regimes: August 2027. Most organisations target full conformity by mid-2026 to absorb the transition.

Does the EU AI Act apply to companies outside the EU?

Yes: extraterritorial reach via Article 2. Any AI system whose output is used in the EU, or whose provider places it on the EU market, is in scope. This includes US-based SaaS companies serving EU customers, model providers whose APIs are accessed from the EU, and any business with EU operations.

What is a "high-risk" AI system under the EU AI Act?

Two routes to high-risk. Annex III lists specific use cases: biometric ID, critical infrastructure, education, employment, essential services, law enforcement, migration / border control, and justice. Annex I covers AI used as a safety component of products already regulated under EU product safety law (medical devices, machinery, toys, lifts, etc.). High-risk AI must satisfy the Articles 9-15 obligations plus conformity assessment.

What are the EU AI Act fines?

Three tiers. Up to €35M or 7% of global annual turnover (whichever is higher) for prohibited practices. Up to €15M or 3% for non-compliance with most other obligations. Up to €7.5M or 1.5% for supplying incorrect information. National competent authorities enforce: local fines can stack.

What is a general-purpose AI model under the AI Act?

A GPAI model is one that "displays significant generality" and can perform a wide range of tasks; frontier LLMs (Claude Opus 4.7, GPT-5.5, Gemini 3.1 Pro, DeepSeek V4 Pro, Grok 4, Llama 4) all qualify. GPAI providers have specific obligations including technical documentation, downstream-provider information, copyright policy, and a training data summary. Models exceeding 10^25 FLOPS of compute used for training trigger additional systemic-risk obligations.

How do I prepare my AI system for the EU AI Act?

Six steps. (1) Inventory every AI system and assign a risk tier per Annex III + Annex I. (2) For high-risk: stand up the Article 9-15 control set (risk mgmt, data governance, technical docs, logs, transparency, human oversight, accuracy/robustness/cybersecurity). (3) Conformity assessment, via internal control or a Notified Body depending on the system type. (4) CE marking + EU Declaration of Conformity. (5) Post-market monitoring + incident reporting. (6) Register high-risk systems in the EU database.

What is the role of the AI Office?

The European AI Office, established within the European Commission, oversees implementation of the AI Act, particularly GPAI obligations. It develops codes of practice, evaluates systemic-risk GPAI models, handles incident reports, and coordinates with national competent authorities. Established mid-2024, fully operational from 2025.

How does the EU AI Act interact with GDPR?

They overlap but do not duplicate. GDPR governs personal data processing (lawful basis, data subject rights, automated decision-making under Article 22). The AI Act governs AI systems specifically: data governance, transparency, oversight, accuracy. Most high-risk AI systems must satisfy both, plus sector overlays (DSA, DMA, financial regulation, etc.).

What tools help with EU AI Act compliance?

Three layers. Policy / GRC: Credo AI, Holistic AI, Trustible, Saidot, built specifically for AI Act conformity. Gateway: Swfte, Portkey, TrueFoundry enforce ZDR, audit log, model allowlist, per-team budgets at request time, producing the Art. 12 logs and Art. 13 transparency evidence. Eval / monitoring: Swfte, LangSmith, Langfuse, Arize, Galileo provide the ongoing accuracy + robustness evidence required by Art. 15.
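To make the gateway layer concrete, here is an added illustration (not code from Swfte, Portkey, TrueFoundry or any product named above) of what request-time enforcement plus Art. 12-style record-keeping looks like: a policy check for a model allowlist and a per-team token budget, each decision appended to a structured audit record. The zero-data-retention setting keeps the log useful for incident correlation (a prompt digest and length) without the log itself becoming a store of prompt contents, which matters when the same system also sits under GDPR. All class names, team names, budgets and model names are constructed for the example.

```python
"""Request-time policy gate with Art. 12-style audit records (illustration only)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class GatewayPolicy:
    """Hypothetical policy a gateway evaluates before forwarding a request upstream."""
    model_allowlist: frozenset[str]
    team_token_budget: dict[str, int]   # constructed per-team budgets (tokens per period)
    zero_data_retention: bool = True     # log metadata only, never prompt text


@dataclass
class PolicyGateway:
    policy: GatewayPolicy
    tokens_used: dict[str, int] = field(default_factory=dict)
    audit_log: list[dict] = field(default_factory=list)

    def decide(self, team: str, model: str, prompt: str, estimated_tokens: int) -> dict:
        """Evaluate one request, append an audit record, and return that record."""
        decision, reason = "allow", "ok"
        budget = self.policy.team_token_budget.get(team)
        if budget is None:
            decision, reason = "deny", "unknown_team"
        elif model not in self.policy.model_allowlist:
            decision, reason = "deny", "model_not_allowed"
        elif self.tokens_used.get(team, 0) + estimated_tokens > budget:
            decision, reason = "deny", "budget_exceeded"

        if decision == "allow":
            self.tokens_used[team] = self.tokens_used.get(team, 0) + estimated_tokens

        record = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "team": team,
            "model": model,
            "decision": decision,
            "reason": reason,
            "estimated_tokens": estimated_tokens,
            "team_tokens_used": self.tokens_used.get(team, 0),
            # Under zero data retention the record keeps only a digest and the length
            # of the prompt: enough to tie an incident to a request, no content stored.
            "prompt_sha256": hashlib.sha256(prompt.encode("utf-8")).hexdigest(),
            "prompt_chars": len(prompt),
        }
        if not self.policy.zero_data_retention:
            record["prompt"] = prompt   # only when retention is explicitly permitted
        self.audit_log.append(record)
        return record

    def export_jsonl(self) -> str:
        """One JSON object per line, the shape an evidence pack or SIEM would ingest."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.audit_log)


def log_retains_prompt_text(audit_log: list[dict], prompts: list[str]) -> bool:
    """Review check: does any serialised record contain a raw prompt string?"""
    serialised = json.dumps(audit_log)
    return any(p in serialised for p in prompts)


if __name__ == "__main__":
    policy = GatewayPolicy(model_allowlist=frozenset({"model-a"}),
                           team_token_budget={"research": 1000})
    gw = PolicyGateway(policy)
    prompt = "Summarise the Q3 incident report"   # constructed sample request
    for team, model, tokens in [("research", "model-a", 400),
                                ("research", "model-a", 400),
                                ("research", "model-a", 400),   # exceeds the budget
                                ("research", "model-b", 10),    # not on the allowlist
                                ("sales", "model-a", 10)]:      # team has no budget
        gw.decide(team, model, prompt, tokens)
    print(gw.export_jsonl())
```

The ordering of the checks is deliberate: an unknown team is rejected before the model is even considered, so a request cannot consume budget or reach an upstream model without an accountable owner, and every denial is logged with the same fields as an allow so the evidence set is complete rather than success-only.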

Prepare for the EU AI Act on a runtime that already supports it

Article 12 logs, Article 13 transparency, Article 15 accuracy + robustness evidence: produced as a byproduct of running on Swfte.

Free tier · OpenAI-compatible API · SOC2 Type II · On-prem available