When the European Union finalised its Artificial Intelligence Act, it did something no major jurisdiction had done before: it wrote a broad, horizontal law for a technology rather than for a single sector. The result is not a ban on artificial intelligence, nor a light-touch code of conduct. It is a graduated system that asks a deceptively simple question of every AI deployment — how much could this hurt someone? — and scales its demands accordingly.
That framing is the key to understanding the Act, and to cutting through the noise around it. It does not care whether a system uses a neural network or a decision tree. It cares about context of use: the same underlying model can be lightly regulated in one application and tightly controlled in another. For anyone following developments in technology, the Act is the template every other government is now studying.
The Risk Pyramid at the Heart of the Law
The Act sorts AI systems into a small number of tiers, and almost everything else follows from where a system lands.
At the top sit prohibited practices — uses considered an unacceptable threat to rights and safety, banned outright. These include social scoring of individuals by public authorities, certain forms of manipulative AI that exploit vulnerabilities, untargeted scraping of facial images to build recognition databases, and most real-time remote biometric identification in public spaces, with narrow law-enforcement exceptions. This list is short and deliberately so.
Below that is the high-risk tier, which carries the bulk of the law’s weight. It covers AI used in domains where a faulty or biased decision can seriously affect a person’s life: hiring and worker management, access to education, creditworthiness and essential services, critical infrastructure, medical devices, and parts of law enforcement and migration. Systems here are not banned, but providers must meet substantial obligations before and after they go to market.
Beneath that are limited-risk systems, which trigger transparency duties rather than full compliance regimes. The rule of thumb is that people should know when they are dealing with a machine. Chatbots must disclose that they are AI; synthetic or manipulated media — deepfakes — must be labelled as such. Finally, the vast majority of everyday AI, from spam filters to game logic, falls into minimal risk and is essentially untouched.
What High-Risk Compliance Demands
For companies, the practical question is rarely “is AI legal?” and almost always “is my system high-risk, and if so, what must I do?” The obligations are detailed, but they cluster into a few recognisable disciplines that any engineer in a regulated industry will find familiar.
Providers of high-risk systems must establish a risk-management process across the system’s lifecycle, use appropriately governed and representative training data to limit bias, and maintain technical documentation thorough enough for regulators to assess compliance. Systems must keep logs for traceability, be designed for meaningful human oversight, and meet standards of accuracy, robustness and cybersecurity proportionate to their purpose.
There is also a deployment-side dimension. Organisations that use high-risk AI, not only those that build it, carry duties to operate systems according to instructions and to monitor them in practice. The Act leans heavily on harmonised technical standards to translate these principles into testable engineering requirements, and on conformity assessments to verify them before a system reaches the market. The European Commission has framed this as building trust as a precondition for adoption rather than an obstacle to it.
The Special Case of General-Purpose AI
The explosion of foundation models forced a late and significant addition to the Act: a distinct regime for general-purpose AI — the large, flexible models that can be adapted to countless downstream tasks. These do not fit neatly into a use-based pyramid, because their use is, by design, open-ended.
So the Act layers obligations directly onto the model providers. General-purpose models face transparency and documentation requirements, including disclosures about training data and measures to respect copyright. Models judged to carry systemic risk — the most capable, widely deployed systems — face additional duties around evaluation, risk mitigation and incident reporting. This is the part of the law most directly relevant to the frontier developers driving today’s debates over AI’s trajectory, and it is where the rulebook is still actively maturing.
Why It Reaches Beyond Europe, and What Comes Next
The Act’s most consequential feature may be its geographic reach. Like the General Data Protection Regulation before it, the law applies based on where a system is used, not where its maker is headquartered. An AI provider anywhere on earth whose output is used in the EU comes within scope. For multinational firms, building two product lines — one compliant, one not — is usually more expensive than simply meeting the higher bar everywhere. That dynamic, often called the “Brussels effect”, is how European rules quietly become global defaults.
The obligations phase in over a staggered timeline rather than arriving all at once, with the prohibitions taking effect earliest and the heaviest high-risk duties later, giving organisations time to adapt. The stakes are considerable: penalties for the most serious violations run to a substantial share of global annual turnover, mirroring the GDPR’s enforcement philosophy. What to watch now is implementation — how harmonised standards, national regulators and the first enforcement cases turn a long legal text into concrete engineering and governance practice. Other jurisdictions, tracked by bodies such as the OECD AI Policy Observatory, are watching the same thing, because whatever Europe settles will shape the rules the rest of the world inherits.