What is the EU AI Act? Regulations, Requirments & Compliance

The world's first AI law. It applies to every organisation in the EU that uses AI — not just companies that build it. Here's what you need to know, in plain language.

The Short Version

The EU AI Act (Regulation 2024/1689) became law in August 2024. It classifies every AI system by risk level and sets rules accordingly. The higher the risk, the stricter the rules. The main compliance deadline for most organisations is August 2026.

It applies to you if your organisation operates in the EU, uses AI tools in any business process, or if your AI outputs affect EU residents. You don't need to build AI to be affected — using it is enough.

Who Needs to Follow the EU AI Act?

The short answer: anyone in the EU who uses AI — not just companies that build it. More specifically, the Act applies to you if you are:

🏛 An AI Developer or Provider

You build or sell an AI system — in the EU or to EU customers. The strictest obligations apply to you, especially if your system falls into a high-risk category.

💼 An AI Deployer (most businesses)

You use an AI system in your business — even an off-the-shelf tool. If you use AI for HR, customer screening, credit decisions, or any other high-risk purpose, you have compliance obligations too.

🌎 Any EU Organisation

You operate in the EU or your AI outputs affect EU residents. It doesn't matter where the AI is built or where your company is headquartered — if the output reaches someone in the EU, the Act applies.

🪐 Importers & Distributors

You bring AI products from outside the EU into the EU market, or distribute AI systems. You are responsible for ensuring those systems meet the Act's requirements before placing them on the market.

In practice, this means almost every business. If your HR team uses AI to screen CVs, if your finance team uses AI for credit risk, if your customer service runs on a chatbot, if your employees use ChatGPT to process client data — the EU AI Act applies to some degree. The question is not whether it applies, but how much.

Four Risk Levels

Banned

🚫 Prohibited

Outright banned from February 2025. Social scoring, real-time facial recognition in public spaces, AI that manipulates people without their knowledge.

High Risk

⚠️ Strict Rules

Requires documentation, human oversight, and registration before use. Covers HR tools, credit scoring, healthcare AI, education, law enforcement, and critical infrastructure.

Limited Risk

💡 Disclose It

You must tell users they are talking to AI. Applies to chatbots and AI-generated content like deepfakes.

Minimal Risk

✅ No Rules

Most AI tools — spam filters, recommendation engines, productivity AI — fall here. No mandatory requirements.

Key Deadlines

🚫 February 2025

Prohibited AI systems are banned. If you use social scoring, mass biometric surveillance, or manipulative AI — it must stop now.

🤖 August 2025

Rules for general-purpose AI models (GPT-4, Gemini, Claude) take effect. Providers must publish documentation and meet safety standards.

⚠️ August 2026 — Main Deadline

High-risk AI systems must be assessed, documented, and registered. This is the deadline that affects most businesses. Start preparing now.

🕑 August 2027

Older high-risk AI systems already in use before 2026 must be brought into compliance by this date.

The problem most organisations don't realise they have

To comply with the EU AI Act, you need to know which AI tools your employees are using, how they're being used, and whether any fall into high-risk categories. Research shows 68% of employees use AI tools without IT approval. If you don't have visibility into your AI usage, compliance is impossible — not difficult, impossible.

See how our AI Governance service solves this →

What Happens If You Don't Comply

Prohibited AI violations

Up to €35 million or 7% of global turnover — whichever is higher.

High-risk system violations

Up to €15 million or 3% of global turnover — whichever is higher.

Frequently Asked Questions

We're a small business — does this apply to us?

Yes, but with lighter requirements. SMEs get reduced paperwork and access to regulatory sandboxes. The risk-based rules still apply though — if you use high-risk AI (like an AI HR screening tool), you still need to document it and ensure human oversight, regardless of company size.

We use ChatGPT and Copilot — are we affected?

For most general use, no — these fall into minimal or limited risk. But if your team is using them for HR decisions, credit assessments, or medical guidance without oversight or documentation, high-risk obligations may kick in. The question is not which tool, but how it's being used.

How does this connect to NIS2 and GDPR?

NIS2 already requires you to manage cybersecurity risks from all digital tools — including AI. GDPR governs the personal data AI processes. The EU AI Act governs the AI system itself. Most organisations that take AI seriously will need to address all three. The good news: the underlying capability — visibility and documentation — satisfies all of them.

What do high-risk AI systems actually have to do?

Before deploying a high-risk AI system you must: write technical documentation, set up a risk management process, ensure training data quality, build in human oversight, test accuracy and robustness, and register the system in the EU AI Act database. This takes months of preparation — not something you can do the week before the deadline.

Where do I start?

Start by finding out what AI is actually in use across your organisation. Most organisations are surprised by how much they find. From there, classify each tool by risk tier, document usage, and put governance in place. Magic Stone can help with all of this — book a free assessment to get started.

Not Sure Where You Stand on the EU AI Act?

Book a free assessment with Magic Stone. We'll map your AI usage, flag what needs attention, and tell you exactly what compliance looks like for your organisation.

Book an AI Governance Assessmen

Looking for Sales Assistance or have a General Inquiry?

Got a sales question or a general inquiry? Send us a message and we’ll respond as soon as possible.

Please enable JavaScript in your browser to complete this form.
Checkboxes

By submitting this form you agree to our Privacy Policy and consent to Magic Stone Cyber Security storing and processing your information to respond to your enquiry.

Follow us

This will close in 0 seconds

Scroll to Top