On August 1, 2024, the EU AI Act (Regulation (EU) 2024/1689) entered into force, the world's first supranational law comprehensively regulating artificial intelligence. Implementation is phased: the prohibited practices applied from February 2, 2025, the General Purpose AI (GPAI) rules from August 2, 2025, and the bulk of the high-risk obligations apply from August 2, 2026 (high-risk AI embedded in products covered by Annex I product-safety legislation follows on August 2, 2027). Any company worldwide offering AI systems to EU users must meet the obligations by the date that applies to its system; for most high-risk and transparency cases that is August 2, 2026.
1. Core Framework: Risk-Based Classification
The Act's central design principle is the Risk-Based Approach, classifying AI systems into four tiers by potential harm:
Tier 1: Unacceptable Risk (Banned)
These AI applications are completely prohibited in the EU, with fines up to 7% of global annual turnover:
- Social credit scoring systems: Evaluating citizens by behavior and providing differential treatment
- Real-time remote biometric identification by law enforcement: Live facial recognition in publicly accessible spaces for law-enforcement purposes (narrow, judicially authorized exceptions exist, e.g. searching for victims of abduction or preventing an imminent terrorist threat)
- Subliminal manipulation: AI exploiting subconscious weaknesses to influence behavior
- Emotion inference at workplaces/schools: Systems inferring employees' or students' emotions, except where deployed for medical or safety reasons
- Predictive policing based solely on profiling: Predicting criminal tendencies without concrete behavioral evidence
- Mass unauthorized facial image scraping: Building facial recognition databases from internet or CCTV without consent
Tier 2: High Risk (Strict Regulation)
Providers must pass a conformity assessment before placing the system on the market, register it in the EU database, operate a risk-management system and post-market monitoring, keep detailed technical documentation, and meet requirements on data governance, automatic logging, human oversight, and accuracy, robustness and cybersecurity. Examples of high-risk uses:
- AI for recruitment and CV screening
- Student examination assessment AI
- Credit scoring and insurance pricing AI
- Medical diagnostic assistance AI
- Critical infrastructure management AI (power grid, water, transport)
- Migration and asylum processing AI
- Judicial decision support AI
Tier 3: Limited Risk (Transparency Obligations)
Must disclose "you are interacting with AI" to users unless it is obvious from context. Applies to chatbots and to emotion recognition and biometric categorization systems (affected persons must be informed); generators of synthetic text, image, audio or video must mark their output as AI-generated in a machine-readable format, and deepfakes must be visibly labeled as artificially generated or manipulated.
Tier 4: Minimal Risk (Free Use)
The vast majority of AI applications — spam filters, e-commerce recommendations, AI game NPCs — face no specific obligations. Voluntary codes of conduct are encouraged.
2. General Purpose AI (GPAI): How ChatGPT and Claude Are Regulated
The Act dedicates a chapter to General Purpose AI Models (GPAI), covering large foundation models like GPT-4, Claude, and Gemini. Key obligations apply since August 2, 2025 to models placed on the market from that date; models already on the market have until August 2, 2027 to comply:
- Training data transparency: Must publish a sufficiently detailed summary of the content used for training (following the AI Office template), enabling copyright holders to identify use of their content, and must maintain a policy for complying with EU copyright law, including opt-outs from text and data mining
- Technical documentation: Maintain detailed documentation of model capabilities, limitations, and known risks
- Systemic risk obligations (high-capability models): A model is presumed to pose systemic risk when its training compute exceeds 10²⁵ FLOPs. Its provider must evaluate the model, including adversarial testing (Red Teaming), assess and mitigate systemic risks, and track and report serious incidents to the EU AI Office without undue delay
- Cybersecurity measures: Providers of systemic-risk models must ensure an adequate level of cybersecurity protection for the model itself and its physical infrastructure, which in practice covers model weights, training pipelines, and inference endpoints
3. Fines: The Graduated Penalty Structure
| Violation | Maximum fine | SMEs and start-ups |
|---|---|---|
| Prohibited practices (Art. 5) | 7% of global annual turnover or €35M, whichever is higher | Same two figures, whichever is lower |
| Other obligations (high-risk, transparency, deployer duties) | 3% of global annual turnover or €15M, whichever is higher | Same two figures, whichever is lower |
| Incorrect, incomplete or misleading information to authorities | 1% of global annual turnover or €7.5M, whichever is higher | Same two figures, whichever is lower |
| GPAI provider obligations (Art. 101, enforceable from August 2, 2026) | 3% of global annual turnover or €15M, whichever is higher | n/a (no separate SME rule) |
Basing fines on global turnover means penalties far exceed EU-local revenue. At Microsoft's ~$245B annual revenue (FY2024), the theoretical maximum fine could reach $17 billion.
4. Impact on Non-EU Companies
The Act applies extraterritorially: any company offering AI to EU users — regardless of headquarters — must comply. This means:
- SaaS platform operators: If EU users interact with AI features (AI customer service, recommendations), assess whether those qualify as high-risk
- Hardware manufacturers: AI-enabled devices exported to the EU (AI cameras, smart appliances) must verify embedded AI compliance
- AI model developers: If your model is used by EU-based deployers or integrated by downstream providers, you must supply them with adequate technical documentation so that they can meet their own obligations
- Third-party API integrators: While primary liability lies with the AI provider, integrators must verify that AI components meet the requirements, and a deployer that puts its own name on a high-risk system, substantially modifies it, or changes its intended purpose so that it becomes high-risk takes on the provider's obligations itself
5. Technical Compliance in Practice
Explainability
Affected individuals have a right to a clear and meaningful explanation of the role the AI system played in a decision that affects them, and high-risk systems must be transparent enough for deployers to interpret and use their output. The Act prescribes no particular method; for black-box models, post-hoc interpretability techniques (e.g., LIME, SHAP) are the usual way to meet this requirement, but their explanations are approximations and should themselves be validated against the model.
Data Governance Documentation
Training, validation and test data need documented provenance, collection and preparation steps, bias examination results, and quality assessments. One practical approach is to structure these as Data Cards in JSON format so they can be submitted for audit without reformatting; the Act requires the content, not the format.
Continuous Monitoring and Incident Reporting
Serious incidents (deaths, serious injuries, serious disruption of critical infrastructure, or significant fundamental rights violations) must be reported to the market surveillance authority of the Member State where the incident occurred as soon as the causal link is established and no later than 15 days after becoming aware of it. Shorter deadlines apply for widespread infringements or critical-infrastructure disruption (no later than 2 days) and for the death of a person (no later than 10 days).
Human Oversight
High-risk AI output must not fully replace human judgment. Systems must be designed to allow human intervention, override, or shutdown.
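The human-oversight and record-keeping requirements above, as an added example (Python, written for this page; it is not code from the Act, a regulator or any vendor): a decision gateway for a hypothetical CV-screening model. Every model output is written to a hash-chained audit log and held until a named reviewer confirms or overrides it, an override must carry a reason, unreviewed outputs cannot take effect, and a stop control halts the system. The toy scoring function, applicant identifiers and reviewer names are constructed for the example; only a hash of the applicant's features goes into the log, so the trail proves what the model saw without duplicating personal data.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64


def _digest(obj) -> str:
    """Canonical JSON -> SHA-256 hex, so equal content always hashes equally."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


@dataclass(frozen=True)
class LogEntry:
    seq: int
    timestamp: str
    event: str
    payload: dict
    prev_hash: str
    entry_hash: str


class AuditLog:
    """Append-only decision log. Each entry commits to the previous entry's
    hash, so editing or dropping a record breaks verify() from that point on."""

    def __init__(self):
        self.entries: list[LogEntry] = []

    def append(self, event: str, payload: dict) -> str:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        body = {"seq": len(self.entries),
                "timestamp": datetime.now(timezone.utc).isoformat(),
                "event": event, "payload": payload, "prev_hash": prev}
        entry = LogEntry(**body, entry_hash=_digest(body))
        self.entries.append(entry)
        return entry.entry_hash

    def verify(self) -> bool:
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            body = {"seq": e.seq, "timestamp": e.timestamp, "event": e.event,
                    "payload": e.payload, "prev_hash": e.prev_hash}
            if e.seq != i or e.prev_hash != prev or _digest(body) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def toy_cv_model(years_experience: int, skills_matched: int) -> float:
    """Stand-in for the real screening model (constructed for this example)."""
    return min(1.0, 0.08 * years_experience + 0.15 * skills_matched)


class OversightGate:
    """Holds every model output until a named human confirms or overrides it,
    logs both steps, and refuses to operate after the stop control is used."""

    SHORTLIST_THRESHOLD = 0.7

    def __init__(self, model_version: str, log: AuditLog):
        self.model_version, self.log = model_version, log
        self.pending: dict[str, dict] = {}   # model outputs awaiting review
        self.final: dict[str, dict] = {}     # human-confirmed outcomes
        self.stopped = False

    def _check_running(self) -> None:
        if self.stopped:
            raise RuntimeError("system stopped by operator; no decisions accepted")

    def propose(self, applicant_id: str, features: dict) -> tuple[str, str]:
        """Run the model and record its output; nothing takes effect yet."""
        self._check_running()
        score = toy_cv_model(**features)
        proposed = "shortlist" if score >= self.SHORTLIST_THRESHOLD else "reject"
        decision_id = f"dec-{len(self.pending) + len(self.final):04d}"
        self.log.append("model_output", {
            "decision_id": decision_id, "applicant_id": applicant_id,
            "model_version": self.model_version,
            "input_hash": _digest(features),  # hash, not the personal data itself
            "score": round(score, 3), "proposed": proposed})
        self.pending[decision_id] = {"proposed": proposed, "score": score}
        return decision_id, proposed

    def review(self, decision_id: str, reviewer: str, outcome: str, reason: str = "") -> dict:
        """Human confirms or overrides the proposal; an override needs a reason."""
        self._check_running()
        if decision_id not in self.pending:
            raise LookupError(f"{decision_id} is not awaiting review")
        proposed = self.pending[decision_id]["proposed"]
        overridden = outcome != proposed
        if overridden and not reason:
            raise ValueError("override requires a documented reason")
        record = {"decision_id": decision_id, "reviewer": reviewer, "proposed": proposed,
                  "outcome": outcome, "overridden": overridden, "reason": reason}
        self.log.append("human_review", record)
        self.final[decision_id] = record
        del self.pending[decision_id]
        return record

    def effective_outcome(self, decision_id: str) -> str:
        """Only reviewed decisions have an effect; unreviewed ones raise."""
        if decision_id not in self.final:
            raise LookupError(f"{decision_id} has no human-confirmed outcome")
        return self.final[decision_id]["outcome"]

    def stop(self, operator: str, reason: str) -> None:
        """Stop control: logged, and blocks all further proposals and reviews."""
        self.stopped = True
        self.log.append("stop", {"operator": operator, "reason": reason})
```

Usage: create an `AuditLog`, wrap it in `OversightGate("cv-screen-1.4", log)`, call `propose()` for each applicant, have a reviewer call `review()`, and read `effective_outcome()` only afterwards. Run `log.verify()` periodically (and ship the log off-host); because each entry commits to its predecessor, any edit to an earlier record invalidates the chain. In production the log should be written to an append-only store and the hash chain anchored externally, and the retention period must match what the Act requires for the system.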
6. EU AI Act vs. GDPR
Both apply simultaneously — they are complementary, not duplicative:
- GDPR: Governs the collection, processing, and storage of personal data
- EU AI Act: Governs the design, testing, and deployment of AI systems that use personal data
- High-risk AI systems involving personal data must satisfy both — an AI hiring tool must comply with GDPR's data processing rules AND the Act's bias testing and explainability requirements
Summary
- The EU AI Act is the world's first comprehensive AI regulation, with most obligations applying from August 2, 2026 (Annex I product-embedded high-risk systems from August 2, 2027), binding on any company serving EU users
- Risk tiers: Banned (social credit/real-time facial recognition) → High-risk (hiring/medical/credit) → Limited risk (chatbots) → Minimal risk (most applications)
- GPT-4, Claude, Gemini and similar foundation models must provide training data transparency since August 2025; high-capability models need Red Teaming
- Maximum fine is 7% of global annual turnover — potentially billions for large tech companies
- Any company with EU users and AI features should immediately assess compliance needs, focusing on data governance, explainability, and human oversight mechanisms