EU AI Act Compliance Requirements by Risk Tier
What are the EU AI Act compliance requirements by risk tier?
Summary
The EU AI Act (Regulation (EU) 2024/1689) classifies AI systems into four risk tiers — unacceptable (prohibited), high, limited (transparency), and minimal — and imposes obligations proportionate to risk, plus a separate parallel regime for general-purpose AI (GPAI) models. Prohibited practices (Article 5) carry the steepest fines: up to EUR 35 million or 7% of global turnover. The biggest 2026 development is the Digital Omnibus on AI: a Council/Parliament provisional agreement (6-7 May 2026, confirmed by Council 13 May 2026) that postpones high-risk obligations — standalone Annex III systems move from 2 August 2026 to 2 December 2027, and high-risk AI embedded in regulated products (Annex I) moves from 2 August 2027 to 2 August 2028. The agreement replaced the Commission's originally proposed "conditional trigger" (tied to harmonised-standards readiness) with these fixed dates, kept Article 50 transparency obligations on the 2 August 2026 schedule (with a watermarking grace period to 2 December 2026 for systems already on the market), added a "small mid-cap" carve-out, and deleted EU-database registration for demonstrably non-high-risk Annex III systems. These dates are provisional pending Official Journal publication (expected before 2 August 2026). [src1, src9, src10]
Rule
Organizations that develop, deploy, import, or distribute AI systems in the European Union must classify their systems into one of four risk tiers — unacceptable, high, limited, or minimal — and meet the corresponding obligations under Regulation (EU) 2024/1689 (the EU AI Act). Prohibited practices carry fines up to EUR 35 million or 7% of global annual turnover, whichever is higher. High-risk AI systems require conformity assessments, technical documentation, human oversight, and EU database registration before market placement. General-purpose AI (GPAI) model providers face separate, parallel obligations regardless of the downstream risk tier. [src1, src2]
Evidence
The EU AI Act entered into force on 1 August 2024 and is being enforced in phases: prohibited practices became enforceable on 2 February 2025, GPAI provider obligations on 2 August 2025 (with the Commission's GPAI enforcement powers — information requests, model evaluations, fines — starting 2 August 2026). The Digital Omnibus on AI, proposed by the Commission on 19 November 2025 and the subject of a Council/Parliament provisional agreement on 6-7 May 2026 (confirmed by the Council on 13 May 2026), postponed the high-risk obligations: standalone Annex III high-risk systems now apply from 2 December 2027 (was 2 August 2026) and product-embedded Annex I high-risk systems from 2 August 2028 (was 2 August 2027). The penalty structure remains the most aggressive of any EU digital regulation: up to EUR 35 million or 7% of global turnover for prohibited practices (compared to GDPR's 4%), EUR 15 million or 3% for high-risk and GPAI violations, and EUR 7.5 million or 1% for supplying incorrect information. The Commission published guidelines on prohibited practices in February 2025, and the AI Office became operationally active on 2 August 2025 with exclusive competence over GPAI enforcement — competence the omnibus extends to systems built on GPAI models by the same provider. As of January 2026, the GPAI Code of Practice had been finalized by independent experts; the omnibus reframes codes of practice as soft law rather than binding instruments. Finland became the first EU Member State with full AI Act enforcement powers on 22 December 2025. Italy enacted Law 132/2025, the first national implementing legislation, establishing fines up to EUR 774,685 with business disqualification measures. [src1, src4, src5, src7, src9, src10, src11]
Key Properties
- Legal basis: Regulation (EU) 2024/1689, published 12 July 2024, entered into force 1 August 2024
- Risk tiers: 4 categories — unacceptable (prohibited), high, limited (transparency), minimal (no obligations)
- Prohibited practices: 8 specific AI uses banned outright (Article 5), enforceable since 2 Feb 2025
- Maximum penalty: EUR 35 million or 7% of global annual turnover for prohibited practice violations
- Conformity assessment: Mandatory for high-risk AI systems before market placement; third-party assessment by a Notified Body is required for the categories listed in Step 3 of the checklist, self-assessment is insufficient there
- GPAI threshold: Models trained with >10^25 FLOPs are presumed to pose systemic risk
- AI literacy mandate: All organizations must ensure staff have sufficient AI literacy (Article 4), effective since 2 Feb 2025
- Extraterritorial scope: Applies to providers outside the EU if their AI systems are placed on the EU market
Conditions
- Applies when: The AI system is placed on the EU market, put into service in the EU, or its output is used in the EU — regardless of where the provider is established
- Does NOT apply when: AI systems used exclusively for military or national security purposes; AI used purely for scientific R&D before market placement; or free and open-source AI models (unless classified as high-risk or GPAI with systemic risk)
- Confidence degrades when: The Digital Omnibus high-risk dates remain a provisional agreement until Official Journal publication (expected before 2 Aug 2026) — verify the final adopted text; harmonised standards under the Act have not yet been published; Commission guidance on specific use cases is still pending; enforcement precedents from national authorities have not yet been established
Constraints
- EU jurisdiction only — but has extraterritorial reach for any provider whose AI system is used in the EU market [src1]
- Phased enforcement creates a moving compliance target (post-Digital Omnibus): prohibited practices (Feb 2025), GPAI obligations (Aug 2025, Commission enforcement from Aug 2026), standalone high-risk Annex III (2 Dec 2027), product-embedded high-risk Annex I (2 Aug 2028) [src9, src10]
- The May 2026 high-risk dates are a provisional Council/Parliament agreement, expected in the Official Journal before 2 Aug 2026 — confirm the final adopted text before relying on a deadline [src9]
- Harmonised standards (technical compliance specifications) are still being developed by CEN/CENELEC — compliance is currently assessed against the Act's essential requirements directly [src4]
- SMEs, startups, and (newly) small mid-caps receive reduced fines, simplified technical documentation, and access to regulatory sandboxes [src5, src11]
- Interacts with GDPR, Digital Services Act, Product Safety Regulation, Medical Device Regulation, and Machinery Regulation — compliance with the AI Act does not replace obligations under these frameworks [src1]
- The omnibus deletes the EU-database registration requirement for demonstrably non-high-risk Annex III systems (providers must still document and retain the risk assessment) [src10, src11]
Rationale
The EU AI Act exists to create a harmonised legal framework for trustworthy AI across the single market, balancing innovation with fundamental rights protection. The risk-based approach is deliberately tiered: the higher the potential harm to individuals, the stricter the obligations. This prevents a one-size-fits-all regulatory burden that would stifle low-risk AI innovation while ensuring that AI systems used in critical domains — employment decisions, law enforcement, credit scoring, healthcare triage — meet safety and transparency standards proportionate to their impact. [src1, src8]
Framework Selection Decision Tree
START — User needs AI regulation compliance guidance
├── Which jurisdiction?
│ ├── European Union → EU AI Act ← YOU ARE HERE
│ ├── United States → US Executive Order on AI / NIST AI RMF
│ ├── United Kingdom → UK AI Safety Framework (pro-innovation approach)
│ └── Multiple jurisdictions → Cross-jurisdictional AI compliance comparison
├── What type of AI system?
│ ├── General-purpose AI model (foundation model / LLM)
│ │ ├── Trained with >10^25 FLOPs → GPAI with systemic risk obligations
│ │ └── Below threshold → Standard GPAI obligations (transparency, copyright, documentation)
│ ├── Specific-purpose AI system → Classify by risk tier (see below)
│ └── Open-source model → Exempt unless high-risk or GPAI with systemic risk
├── Risk tier classification?
│ ├── Prohibited (Article 5) → STOP: system cannot be deployed in EU
│ ├── High-risk (Annex I/III) → Full compliance: conformity assessment, documentation, monitoring, registration
│ ├── Limited risk → Transparency obligations: disclose AI use, label deepfakes/generated content
│ └── Minimal risk → No specific obligations (voluntary codes of conduct encouraged)
└── Compliance maturity?
    ├── Existing AI governance program → Audit against EU AI Act requirements
    └── No existing program → Start with risk classification, then build compliance framework
Application Checklist
Step 1: Classify the AI system by risk tier
- Inputs needed: Description of the AI system's purpose, deployment context, and whether it is a safety component of an EU-regulated product
- Output: Risk tier classification (prohibited, high, limited, or minimal) and applicable articles
- Constraint: If the system matches any Article 5 prohibited practice, STOP — the system cannot legally be deployed in the EU. No conformity assessment can override a prohibition. [src1, src3]
Step 2: Identify role-specific obligations
- Inputs needed: Organization's role (provider, deployer, importer, distributor), risk tier from Step 1
- Output: Role-specific obligation checklist. Providers must conduct conformity assessment, create technical documentation, and implement risk management and quality management systems; deployers must ensure human oversight, maintain logs, and conduct fundamental rights impact assessments for certain high-risk uses
- Constraint: Providers bear primary compliance responsibility. Deployers who substantially modify a system become providers under the Act. [src1, src2]
Step 3: Implement required controls and documentation
- Inputs needed: Obligation checklist from Step 2, technical specifications of the AI system
- Output: Conformity assessment completed, technical documentation package (Articles 8-15 requirements), quality management system, risk management system, CE marking ready, EU database registration prepared
- Constraint: High-risk systems in biometric identification and critical infrastructure (Annex III, areas 1 and 6-8) require third-party conformity assessment by a Notified Body — self-assessment is insufficient for these categories. [src1, src2]
Step 4: Register, deploy, and establish ongoing monitoring
- Inputs needed: Completed conformity assessment, technical documentation, quality management system documentation
- Output: EU database registration, CE marking affixed, post-market monitoring plan, serious incident reporting procedures
- Constraint: Serious incidents must be reported to the relevant national market surveillance authority. High-risk systems must be registered in the EU database before market placement. If harmonised standards are not yet available, seek legal counsel on compliance demonstration methods. [src1, src7]
Anti-Patterns
Wrong: Treating the EU AI Act as a future concern because high-risk obligations were delayed to 2027/2028
Organizations read the Digital Omnibus high-risk postponement (standalone Annex III to Dec 2027, product-embedded to Aug 2028) and assume the whole Act is on hold. In reality, prohibited practices have been enforceable since February 2025, GPAI obligations since August 2025 (with Commission enforcement powers from August 2026), and Article 50 transparency obligations still apply from August 2026. Companies using social scoring, emotion recognition in workplaces, or manipulative AI techniques are already in violation, and the delay does not touch the prohibition or GPAI regimes. [src3, src9, src10]
Correct: Map current AI systems against Article 5 immediately; begin GPAI compliance now
Conduct an inventory of all AI systems in use, classify them against the prohibited practices list (effective since Feb 2025), and ensure GPAI model providers you rely on have met their August 2025 obligations. Build the high-risk compliance program in parallel for the postponed deadlines (2 December 2027 for standalone Annex III systems, 2 August 2028 for product-embedded Annex I systems), and keep Article 50 transparency obligations on the August 2026 schedule. [src1, src4]
Wrong: Assuming open-source AI models are exempt from all obligations
Some organizations believe that because the Act provides exemptions for free and open-source models, they can use any open-source AI without compliance obligations. The exemption does not apply to high-risk AI systems or GPAI models with systemic risk. Deployers of open-source high-risk systems still bear deployer obligations. [src2, src6]
Correct: Evaluate open-source models against high-risk and GPAI criteria before claiming exemption
Check whether the open-source model is classified as high-risk (Annex III) or is a GPAI model exceeding the 10^25 FLOPs threshold. If so, full obligations apply regardless of the license. The open-source exemption covers only minimal- and limited-risk models that are not GPAI with systemic risk. [src1, src6]
Wrong: Equating GDPR compliance with AI Act compliance
Organizations with mature GDPR programs assume their data protection framework satisfies AI Act requirements. While there is overlap (data quality, impact assessments), the AI Act introduces distinct requirements: conformity assessment, CE marking, risk management systems specific to AI, and EU database registration — none of which exist under GDPR. [src4]
Correct: Treat the AI Act as a separate compliance stream that intersects with GDPR
Build dedicated AI Act compliance processes: risk classification, conformity assessment, technical documentation, and post-market monitoring. Leverage existing GDPR data protection impact assessments as inputs to the AI Act's fundamental rights impact assessment, but do not treat them as substitutes. [src1, src4]
Counter-Arguments
- The EU AI Act's risk classification may be overly broad, potentially capturing low-risk systems in the high-risk category. The Annex III list includes entire sectors (education, employment) rather than specific harmful use cases, which could impose disproportionate compliance costs on benign applications. [src4]
- SMEs and startups may face competitive disadvantage against large companies that can absorb compliance costs more easily, despite the reduced-fine provisions and regulatory sandbox access. The technical documentation and conformity assessment requirements demand specialized legal and technical expertise. [src4]
- The 10^25 FLOPs systemic-risk threshold for GPAI is a rough heuristic that may not accurately capture model risk. A model trained below the threshold could still pose systemic risks, while a model above it might be deployed only in low-risk applications. [src6]
Common Misconceptions
Misconception: The EU AI Act only applies to companies based in the EU.
Reality: The Act has extraterritorial reach. Any provider whose AI system is placed on the EU market or whose system's output is used in the EU is subject to the regulation, regardless of where the provider is established. This mirrors GDPR's extraterritorial scope. [src1, src2]
Misconception: All AI systems require conformity assessment under the EU AI Act.
Reality: Only high-risk AI systems require conformity assessment. Minimal-risk systems (the majority of AI applications) face no specific obligations. Limited-risk systems only need to meet transparency requirements. The Act is deliberately tiered to avoid burdening low-risk innovation. [src1, src2]
Misconception: The EU AI Act bans all facial recognition.
Reality: The Act bans real-time remote biometric identification in public spaces for law enforcement, with specific exceptions (locating missing persons, preventing imminent threats, identifying serious crime suspects). Other biometric systems may be permitted but classified as high-risk with corresponding obligations. Untargeted facial image scraping from the internet or CCTV is separately prohibited. [src3, src8]
Misconception: GPAI obligations only apply if the model is deployed as a high-risk system.
Reality: GPAI model providers have standalone obligations (technical documentation, training data summaries, copyright compliance) regardless of the downstream application's risk tier. These apply as a separate layer on top of any high-risk deployment obligations. [src6]
Comparison with Similar Rules
| Rule/Framework | Key Difference | When to Use |
|---|---|---|
| EU AI Act (this unit) | Legally binding regulation with tiered risk classification, conformity assessment, penalties up to 7% turnover | AI systems placed on or used in the EU market |
| GDPR (EU) | Data protection regulation — covers personal data processing, not AI system governance specifically | Personal data processing by AI systems — complementary to AI Act |
| NIST AI Risk Management Framework (US) | Voluntary framework, no legal penalties — provides risk management methodology | US-based AI development seeking best practices without regulatory mandate |
| UK AI Safety Framework | Pro-innovation, sector-led approach — no single horizontal regulation | AI development and deployment in the UK market |
| US Executive Order on AI (EO 14110) | Executive action requiring federal agency standards — less comprehensive than EU Act | AI systems used by or supplied to US federal agencies |
When This Matters
Fetch this when a user asks about EU AI regulation, AI Act compliance requirements, AI risk classification, prohibited AI practices in the EU, GPAI model obligations, AI Act penalties, or how to determine if their AI system is high-risk under EU law. Also relevant when a user is building or deploying AI for the European market and needs to understand regulatory obligations before launch.