EU AI Act:
complete guide
2026

Regulation EU 2024/1689 — the AI Act — entered into force on 1 August 2024 and will change how European organisations develop and use artificial intelligence. This guide covers everything you need to know: what it is, who it affects, what it requires and when.

1. What the AI Act is and why it was created

Regulation EU 2024/1689, officially known as the EU AI Act, is the world's first comprehensive legal framework governing artificial intelligence systems. Adopted by the European Parliament on 13 March 2024 and published in the Official Journal of the EU on 12 July 2024, it entered into force on 1 August 2024.

The European Commission developed this regulation from a straightforward premise: artificial intelligence produces concrete effects on people's lives — it can deny a loan, influence a medical diagnosis, determine whether a candidate is called to interview. Without rules, these effects occur without transparency, without accountability and without any right of recourse.

The AI Act does not ban AI. It does not restrain innovation as a matter of principle. Instead, it introduces a risk-based approach: the greater the potential harm a system can cause, the stricter the rules governing it. A spam filter and a credit scoring system cannot be treated the same way.

The founding principle: proportionality to risk

The philosophy underlying the AI Act is straightforward: obligations must be proportional to potential harm. An AI system that recommends music playlists does not require the same safeguards as one that assesses a person's creditworthiness or supports a medical diagnosis.

This approach has important practical consequences for organisations: before knowing what you must do, you need to know which AI systems you use and which risk category they fall into. The inventory is the mandatory first step.

2. Who it applies to: providers, deployers
and the line between them

The AI Act distinguishes between different roles with very different obligations. Understanding which role your organisation occupies is the second step — after the inventory — in any compliance journey.

When a deployer becomes a provider

This is the most common trap. Many organisations consider themselves simple software users, but are reclassified as providers — with all the heavier obligations — in three situations:

• Substantial modification: if you fine-tune a third-party model, modify its weights, add significant decision-making logic, or use the system for purposes other than those intended by the original supplier.
• White labelling: if you put your own brand on a third-party AI system and commercialise it as your own.
• Internal development: if you build an AI system in-house for your own use (even non-commercial), you are the provider of that system.

Does the AI Act apply outside the EU?

Yes, with extraterritorial effect. The AI Act applies to anyone who:

• Places an AI system on the European market, regardless of where they are based
• Puts an AI system into service in the EU
• Whose AI system produces effects on natural persons in the EU, even if the provider is located outside Europe

In practice: using AWS, Azure or Google Cloud as infrastructure, or purchasing models from non-EU providers, does not exempt an organisation from compliance. It is the point of use — and the impact on people — that determines applicability.

3. The four risk levels
with concrete examples

The heart of the AI Act is its four-level classification. Every AI system falls into one category, and obligations flow from that category. Classification is not automatic: it requires a case-by-case assessment, although Annex III of the Regulation provides explicit lists for high-risk systems.

Who determines the risk category?

For high-risk systems, Annex III of the Regulation provides an explicit sector-by-sector list. For all others, it is the provider or deployer who must assess and document the classification. There is no authority that pre-certifies a category: responsibility lies with the organisation and will be verified ex post by national supervisory authorities (in the UK context, sector-specific regulators such as the FCA, ICO or MHRA may be relevant depending on the domain).

GPAI models: a special category

General Purpose AI (GPAI) models — such as GPT-4, Claude and Gemini — are subject to separate rules. From 2 August 2025, their providers must comply with transparency obligations, technical documentation requirements and copyright rules. Models with exceptional systemic capabilities (above 10²⁵ training FLOPs) carry additional obligations: adversarial evaluation, systemic risk management and incident reporting.

4. Timeline: the deadlines
you cannot miss

The AI Act did not come into force all at once. The deadlines are staggered to give organisations time to adapt — but some have already passed.

5. Concrete obligations
for organisations

Obligations vary significantly depending on your role (provider or deployer) and the risk level of the system. Here is a structured overview.

Obligations for everyone — already in force

AI Literacy (Art. 4): every organisation must ensure that staff who use AI systems have an adequate level of understanding of those systems' capabilities, limitations and risks. This is not about training everyone as a data scientist: it is role-calibrated operational awareness. The procurement manager who uses a scoring tool must understand what that tool does and where its limits lie. The CEO must understand the strategic and regulatory implications.

Obligations for deployers of high-risk systems (August 2026)

Obligations for providers of high-risk systems (August 2026)

6. Penalties

The AI Act provides for a proportionate penalty regime modelled on the GDPR. Penalties are imposed by national supervisory authorities and apply to both organisations and responsible individuals.

How it works for SMEs: the lower of the fixed amount and the turnover percentage applies. An SME with €2M turnover faces up to €60,000 for non-compliance with high-risk system obligations — not ruinous, but sufficient to make compliance a rational investment relative to the risk.

7. How to get started:
practical first steps

An AI Act compliance journey naturally structures itself into phases. You do not need to do everything at once — but you need to start now, because the time available is shorter than it appears.

Weeks 1–2: AI Inventory

Map all software your organisation uses that contains AI components or probabilistic logic. Not only systems that are obviously "AI" — also CRMs with scoring, dynamic pricing tools, HR software with automated ranking. Ask operational teams: they often use AI-enabled tools without being explicitly aware of it.

Weeks 3–4: Risk classification

For each system in the inventory, determine the risk level. Check whether it falls within Annex III (explicit high risk). Determine your role for each system (provider or deployer). Document the classification with supporting rationale.

Month 2: Gap analysis

For each high-risk system, identify what is missing relative to applicable obligations. Create a prioritised list of gaps to address, with owners and internal deadlines.

Months 3–6: AI Literacy and governance

Launch the AI Literacy training programme (already mandatory). Define internal governance: who is responsible for AI compliance, who approves new tools, how incidents are managed.

Months 6–12: Implementation

Implement the missing measures: human oversight, log retention, technical documentation, vendor assessment. For providers: establish the risk management system and structured technical documentation.

8. Sector-specific
deep dives

This guide is the starting point. For each high-risk sector we have developed specific resources with detailed obligations, concrete examples, downloadable checklists and document templates.

This guide is provided for informational purposes only and does not constitute legal advice. Source: Reg. EU 2024/1689. For organisation-specific decisions, please consult a qualified professional. Updated February 2026. © 2026 euaiact.pro — Gianluca Capuzzi.