The AI Act, Regulation (EU) 2024/1689, establishes the EU’s comprehensive framework for governing AI with a focus on trust, safety, fundamental rights and human-centric development. It applies risk-based duties to AI developers and deployers, while fitting into a broader EU package that includes the AI Continent Action Plan, the AI Innovation Package and AI Factories.
The law defines 4 levels of risk. Unacceptable-risk systems are banned, including harmful manipulation, exploitation of vulnerabilities, social scoring, certain biometric uses, emotion recognition in workplaces and education institutions, and untargeted scraping to build facial recognition databases. High-risk systems, such as AI used in critical infrastructure, education, employment, essential services, law enforcement, migration, justice and regulated products, face obligations covering risk mitigation, data quality, logging, documentation, deployer information, human oversight, robustness, cybersecurity and accuracy.
Transparency obligations require people to be informed when interacting with systems such as chatbots, and providers of generative AI must make AI-generated content identifiable, with specific labelling for deepfakes and public-interest text. General-purpose AI model providers must meet transparency and copyright-related obligations, with additional risk assessment and mitigation for models that may carry systemic risks.
The AI Act entered into force on 1 August 2024 and is scheduled to be fully applicable on 2 August 2026, with exceptions for prohibited practices and AI literacy from 2 February 2025, GPAI obligations from 2 August 2025, and high-risk AI systems embedded in regulated products until 2 August 2028. A simplification package adopted on 19 November 2025 and politically agreed on 7 May 2026 sets implementation dates for certain high-risk areas from 2 December 2027 and product-integrated systems from 2 August 2028.
