EU AI Act Overview
The EU AI Act applies to any organization whose AI affects people in the EU — regardless of where the company is headquartered. With the August 2026 high-risk enforcement deadline four months away, compliance teams need to understand the four-tier risk structure, which tools qualify as high-risk under Annex III, and what deployer obligations require before the deadline hits.
The EU AI Act: Structure, Tiers, and Who It Covers
The EU AI Act is widely described as a European regulation. That framing is what gets organizations into compliance trouble.
The Act, which became law in August 2024, is the world's first comprehensive legally binding framework for AI governance. It doesn't regulate companies — it regulates AI systems based on where their outputs affect people. Like the General Data Protection Regulation (GDPR) before it, the EU AI Act follows the market, not the manufacturer. A company headquartered in Atlanta, Singapore, or São Paulo is covered if its AI systems affect people in the European Union. The compliance question isn't "are we a European company?" It's "do any of our AI systems affect people in the EU?" For most organizations operating internationally, those are different questions with different answers.
The Act's central design principle is proportionality: the heavier the potential harm, the heavier the obligation. Rather than applying uniform rules to every AI system regardless of what it does, the Act sorts AI into four risk tiers — from outright prohibition to light disclosure requirements — and calibrates compliance obligations accordingly. Understanding that structure is the foundation for every downstream governance decision about AI development, procurement, and deployment.
The Four-Tier Structure
The Act organizes AI systems into four risk tiers. Understanding which tier applies to which tool is the starting point for every compliance decision.
| Tier | Status | Example Use Cases | Key Requirements | Maximum Penalty |
|---|---|---|---|---|
| Tier 1: Prohibited | Banned | Social scoring, workplace emotion recognition, biometric scraping, subliminal manipulation | Immediate halt — these systems cannot be placed on the EU market or used within the EU | €35M or 7% of global annual revenue |
| Tier 2: High-Risk | Permitted — heavily regulated | Hiring AI, credit scoring, insurance underwriting, school admissions, critical infrastructure management | Conformity assessment, technical documentation, human oversight, EU database registration, post-market monitoring | €15M or 3% of global annual revenue |
| Tier 3: GPAI & Frontier Models | Permitted — managed obligations | Large language models (e.g., ChatGPT), image generators, foundation models used across multiple applications | Technical documentation, copyright compliance, training data disclosure; frontier models add red-teaming and incident reporting | €15M or 3% of global annual revenue |
| Tier 4: Transparency | Permitted — disclosure required | Customer service chatbots, AI-generated marketing content, deepfakes, AI-drafted communications | Label chatbots as AI; mark AI-generated content in machine-readable format; disclose deepfakes as synthetic | €7.5M for providing false information |
Tier 1: Prohibited Uses covers AI applications the Act considers incompatible with fundamental rights. These are banned outright — not regulated, not subject to documentation requirements, but forbidden: social scoring systems that evaluate individuals over time to determine their access to services or opportunities; biometric categorization based on sensitive characteristics like race, political opinion, or religious belief; emotion recognition in workplaces and educational settings (with narrow safety exceptions); real-time remote biometric surveillance in public spaces; and untargeted facial scraping to build recognition databases. These prohibitions took effect February 2, 2025. For most corporate organizations, Tier 1 is not where the compliance work concentrates — but any existing tool that matches these descriptions required immediate action by that date.
Tier 2: High-Risk AI is where most compliance activity occurs. High-risk systems are permitted but regulated. The Act's Annex III lists the covered use cases, and several are directly relevant to standard corporate functions: AI used in hiring, screening, or promotion decisions; AI that determines access to education or training; AI used in credit scoring, insurance underwriting, or access to essential private services; AI managing critical infrastructure; and law enforcement tools for risk assessment. High-risk deployers must implement human oversight, maintain technical documentation, conduct conformity assessments, register the system in the EU database, and monitor performance post-deployment. The enforcement deadline for these requirements is August 2, 2026.
Tier 3: General-Purpose AI (GPAI) and Frontier Models addresses foundation model providers — the organizations that build large language models and similar systems. Standard GPAI providers must maintain technical documentation and comply with EU copyright law, including disclosure of training data. Frontier models — defined by training compute exceeding 10²⁵ FLOPs — face additional obligations: mandatory evaluations, adversarial testing (red-teaming), and direct incident reporting to the EU AI Office. These requirements took effect August 2025. Most corporate organizations are GPAI deployers rather than providers, which means the Tier 3 burden falls primarily on their vendors. That doesn't eliminate deployer responsibility — it shifts it toward vendor due diligence.
Tier 4: Transparency Obligations covers lower-risk AI that interacts with people. Chatbots must be labeled as AI unless the context makes it unambiguous. AI-generated content — text, audio, video — must be marked in machine-readable format. Deepfakes must be disclosed as artificially generated. These are the Act's lightest requirements, but they apply broadly to common enterprise tools: customer service chatbots, AI-assisted email drafting, synthetic media in marketing. The enforcement date for most Tier 4 obligations aligns with August 2026.
Extraterritorial Reach: Who the Act Actually Covers
The EU AI Act uses the Market Location Principle: obligations apply when an AI system is placed on the EU market or when its outputs affect people within the EU — regardless of where the system was built, hosted, or operated.
The practical scope is wider than most organizations have mapped. A multinational using a centralized hiring AI for global recruitment is likely a covered deployer if any of those candidates are EU residents. A US insurer with European subsidiaries that uses AI for underwriting decisions is likely covered. A SaaS vendor anywhere in the world selling an AI-enabled HR tool to EU customers is a covered provider. A company with no EU employees but whose AI-generated marketing content reaches EU audiences has Tier 4 transparency obligations.
The Act also distinguishes between providers — organizations that develop or place AI systems on the market — and deployers — organizations that use AI systems in their operations. Most corporate organizations are deployers. The distinction matters because providers and deployers carry different but overlapping obligations. A deployer using a third-party AI tool for hiring decisions doesn't inherit the provider's documentation burden, but does carry human oversight, post-market monitoring, and incident reporting responsibilities of their own.
Penalties are assessed against global revenue, not EU revenue. Non-compliance with prohibited practices carries fines up to €35 million or 7% of total worldwide annual turnover. High-risk non-compliance: up to €15 million or 3% of global annual revenue. That calculation applies to the entire organization, not just the EU portion of its business.
Regulatory requirements in this area are actively evolving. This article reflects the landscape as of April 2026 — verify current obligations with qualified legal counsel before making compliance decisions.
Does the Act Apply to Your Organization?
Determining coverage requires evaluating three factors: what the AI system does, the organization's role as provider or deployer, and whether there is an EU nexus — meaning the system is sold into the EU market or its outputs affect EU residents.
For most organizations, the practical test is simpler: if AI is used for any decision that affects hiring, access to credit, insurance pricing, educational access, or management of services that EU residents depend on, and any of the affected individuals are EU residents, the Act likely applies. That covers a wider slice of international business than most companies have acknowledged.
The Act also applies regardless of whether the AI system is proprietary or purchased. Using a third-party vendor's AI tool for a covered use case makes the organization a deployer with its own compliance obligations — separate from and in addition to whatever the vendor's provider obligations are. Vendor opacity doesn't transfer accountability.
The Implementation Timeline
The Act took effect in phases, with obligations rolling out according to risk tier rather than all at once.
| Milestone | Date | What Became Active |
|---|---|---|
| Prohibited practices ban | February 2, 2025 | Tier 1 banned uses: social scoring, emotion recognition in workplaces, biometric scraping |
| GPAI and governance structures | August 2025 | Tier 3: documentation, copyright compliance, incident reporting for frontier models |
| High-risk and transparency obligations | August 2, 2026 | Tier 2: conformity assessment, human oversight, EU database registration; Tier 4: chatbot labeling, AI content disclosure |
| Full maturity | August 2, 2027 | Tier 2 extended to high-risk AI embedded in regulated products (medical devices, machinery) |
The phased structure matters for governance planning: it means organizations can prioritize Tier 1 and Tier 3 obligations first, then move to the more demanding Tier 2 documentation and conformity requirements as those deadlines approach. Organizations deploying new AI systems — as opposed to systems already in production — do not benefit from transitional grace periods and are subject to full obligations from the point of deployment.
Pro Tip: The EU AI Act's four-tier structure is useful for classification, but the compliance decision that matters most is simpler: does this AI system affect access to jobs, credit, education, or essential services for anyone in the EU? If yes, treat it as Tier 2 until demonstrated otherwise. That single question, asked at intake for every new AI deployment, catches the tools most likely to trigger enforcement — and it's the kind of systematic governance that regulators notice when they ask how your AI program makes decisions.