The EU AI Act is the world's first comprehensive legal framework for artificial intelligence, and it carries penalties of up to €35 million or 7% of global annual turnover (whichever is higher) for the most serious violations. Whether you're building AI systems, deploying third-party AI tools, or using AI-powered software in your business, there is a good chance this regulation applies to you.
This guide cuts through the legal jargon and gives you a clear, practical picture of what the EU AI Act requires, when it applies, and what you should be doing right now.
Key dates: The EU AI Act entered into force on 1 August 2024. Prohibitions on unacceptable-risk AI (and the AI-literacy duty in Article 4) have applied since 2 February 2025. General-purpose AI model obligations apply from 2 August 2025. Most high-risk rules (Annex III use cases) and the transparency obligations apply from 2 August 2026; high-risk systems embedded in products already covered by EU product-safety law (Annex I) have until 2 August 2027.
What Is the EU AI Act?
The EU AI Act (Regulation 2024/1689) is a horizontal regulation that applies across all sectors and industries. Unlike the GDPR — which focuses on data — the AI Act focuses on AI systems themselves: how they are designed, tested, deployed, and monitored.
It adopts a risk-based approach, meaning obligations scale with the potential harm an AI system could cause. The higher the risk, the stricter the rules.
The Four Risk Tiers
| Risk Level | What It Means | Examples | Obligation |
|---|---|---|---|
| Unacceptable | Poses a clear threat to people's rights | Social scoring, subliminal or manipulative techniques, real-time remote biometric identification in public spaces for law enforcement (narrow exceptions), emotion recognition in workplaces and schools | Banned outright (Article 5) |
| High Risk | Significant risk to health, safety, or fundamental rights | CV screening, credit scoring, medical devices, recruitment tools, border control, emotion recognition outside the banned settings | Strict conformity requirements (Annex I and Annex III) |
| Limited Risk | Transparency concerns | Chatbots, deepfakes, AI-generated text or media | Transparency disclosures (Article 50) |
| Minimal Risk | Little to no risk | Spam filters, AI in video games, basic recommendation engines | No specific obligations beyond voluntary codes of conduct |
What Does "High-Risk" Actually Mean for Your Business?
If your business uses AI in any of the following Annex III areas, it is very likely operating a high-risk AI system. Article 6(3) exempts systems that only perform narrow procedural or preparatory tasks, but a provider relying on that exemption must document its assessment before the system is placed on the market:
- Screening job applications, ranking candidates, or making decisions about promotion, termination, or task allocation
- Assessing the creditworthiness of natural persons, or risk assessment and pricing in life and health insurance
- AI used in education or vocational training (e.g. marking, proctoring)
- AI in healthcare diagnostics or treatment recommendations
- AI used to manage or operate critical infrastructure
- AI systems used by law enforcement or immigration authorities
For high-risk systems, the Act requires providers to implement a risk management system, apply data governance to training, validation, and testing data, maintain technical documentation (Annex IV), build in logging and human oversight, meet accuracy, robustness, and cybersecurity requirements, and register the system in the EU database before placing it on the market. Deployers have their own, separate duties under Article 26, including operating the system according to its instructions, ensuring human oversight, and keeping the logs the system generates.
General-Purpose AI (GPAI) Models: A New Category
One of the Act's most significant additions is a dedicated framework for General-Purpose AI models — large foundation models like GPT-4, Claude, Gemini, and their fine-tuned derivatives. If you are fine-tuning or redistributing such models, specific obligations apply from August 2025:
- Maintaining technical documentation about training processes
- Publishing summaries of training data (copyright-relevant content)
- Implementing policies to comply with EU copyright law
- For models with "systemic risk" (presumed where cumulative training compute exceeds 10²⁵ floating-point operations): model evaluation including adversarial testing, assessment and mitigation of systemic risks, serious-incident reporting, and adequate cybersecurity protection of the model and its infrastructure
Fine-tuning matters here. If you fine-tune a foundation model on proprietary data and deploy it commercially, you may take on obligations as a "provider" under the Act — even if the base model was developed by someone else.
What Businesses Should Do Right Now
1. Conduct an AI Inventory
Map every AI system your business uses, builds, or deploys. Include internal tools, third-party software, and any AI features embedded in your products. For each one, assess which risk tier it falls into.
2. Classify Your Risk Level
Work through Annex III of the Act (or work with a compliance specialist) to formally classify each system. This is not a one-time exercise — new AI deployments require fresh classification.
3. Establish a Governance Framework
High-risk AI requires documented governance: a risk management system, data governance policies, human oversight procedures, and incident logging. Even if your AI is limited-risk, documenting your approach demonstrates good faith to regulators.
4. Prepare Technical Documentation
The Act specifies detailed technical documentation requirements. This includes model architecture descriptions, training data information, performance benchmarks, and intended use cases. Start building this documentation now — retrofitting it later is expensive.
5. Review Supplier Contracts
If you use AI provided by a third party, review your contracts. Article 25 lets providers, distributors, importers, and deployers agree in writing who does what along the value chain, so you need clear allocation of documentation, testing, and incident-reporting duties. Note the limit: the deployer obligations in Article 26 (human oversight, relevant input data, log retention, informing affected workers) sit with you and cannot be contracted away.
The Penalties — And Why They Matter
The EU AI Act creates a tiered penalty structure:
- Prohibited AI practices: Up to €35 million or 7% of global annual turnover
- Other violations (high-risk requirements): Up to €15 million or 3% of global annual turnover
- Providing incorrect information to authorities: Up to €7.5 million or 1.5% of global annual turnover
For SMEs and startups the fine is capped at whichever of the two figures is lower (for everyone else, whichever is higher), but the exposure remains significant. Regulators have explicitly signalled that enforcement will be active, not passive.
Extraterritorial Reach
Like the GDPR, the EU AI Act has extraterritorial reach. It applies to providers placing AI systems or GPAI models on the EU market wherever they are established, and to providers and deployers in third countries whose system output is used in the EU. Post-Brexit UK businesses serving EU customers need to pay particular attention.
The Opportunity Hidden in Compliance
It's tempting to view the EU AI Act purely as a compliance burden. But businesses that get ahead of it will gain a genuine competitive advantage: customers and partners increasingly demand trustworthy, explainable AI. Early compliance signals maturity, builds trust, and reduces the risk of expensive remediation later.
AI governance done well also improves your AI systems themselves — better data practices, clearer documentation, and human oversight loops tend to produce more reliable, higher-performing models.
Need Help Navigating the EU AI Act?
Fine-Tuners offers EU AI Act gap assessments, risk classification, and full implementation support — so you can focus on building great AI while we handle compliance.
Book a Free Consultation →