European Union Artificial Intelligence Act
The world's first comprehensive legal framework for AI, categorizing systems by risk.
What Is EU AI Act?
The EU AI Act is a landmark, comprehensive legal framework regulating Artificial Intelligence across the European Union. Unlike voluntary frameworks (like the NIST AI RMF), the EU AI Act is binding law, and non-compliance carries massive financial penalties.
The Act takes a strict, risk-based approach, categorizing AI systems into four tiers: Unacceptable Risk (banned entirely, e.g., social scoring), High Risk (subject to strict conformity assessments before market entry), Limited Risk (subject to transparency requirements), and Minimal Risk (largely unregulated).
It also introduces specific rules for General Purpose AI (GPAI) models—like large language models (LLMs)—requiring providers to maintain technical documentation, comply with EU copyright law, and summarize their training data.
Does EU AI Act Apply to Your Organisation?
Understanding typical procurement requirements and compliance thresholds.
AI Providers Selling to the EU
If you develop an AI system or a GPAI model and place it on the EU market, you bear the primary burden of compliance.
Deployers of High-Risk AI
If you are an EU company using a high-risk AI system (e.g., an AI tool to screen resumes), you have strict monitoring and data governance obligations.
Importers and Distributors
Companies bringing third-country AI systems into the EU must verify that the provider has met all compliance requirements.
- AI systems developed exclusively for military, defense, or national security purposes.
- AI used purely for scientific research and development, prior to being placed on the market.
- Providers of free and open-source AI components (unless they are high-risk or prohibited).
Why EU AI Act Matters in 2026
Understanding the current regulatory pressures and market adoption vectors.
The Law is Passed
The EU AI Act entered into force in 2024. Prohibitions on unacceptable risk systems take effect within 6 months, and GPAI rules take effect within 12 months.
Massive Fines
Fines are staggering: up to €35 million or 7% of global turnover for prohibited AI, and €15 million or 3% for high-risk AI violations.
Market Access Gateway
High-risk AI systems cannot legally be sold in the EU without passing a conformity assessment and bearing the CE marking.
The Requirements
The core security controls and evidence parameters audited for EU AI Act.
How Long Does It Take?
A realistic phase-by-phase implementation roadmap for EU AI Act.
Classification & Scoping
Analyze your AI products against the Act's definitions to determine your risk tier (Unacceptable, High, Limited, Minimal).
Governance & Documentation Build
For high-risk systems, build the required Quality Management System (QMS), compile technical documentation, and implement logging.
Conformity Assessment & CE Marking
Complete the conformity assessment (internal or third-party depending on the system), draw up the EU declaration, and affix the CE mark.
With Existing Certifications
4-6 months: If you already follow ISO 42001 or NIST AI RMF, your internal governance is strong. You will primarily need to format your documentation to meet the specific legal requirements for the CE marking.
Starting from Scratch
9-18 months: Building a compliant Quality Management System and executing a full conformity assessment for a high-risk AI system from scratch is a massive, highly specialized legal and technical effort.
The Mistakes That Delay Most EU AI Act Programs
Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.
Assuming B2B SaaS is low risk
Many AI startups assume they are low risk. But if your SaaS is used for employment screening, credit scoring, or biometric categorization, it is automatically classified as High-Risk.
Carefully review Annex III of the Act. The 'use case' determines the risk, not the underlying technology.
Ignoring 'Deployer' obligations
Even if you don't build the AI, if you are a European company deploying a high-risk AI tool built by someone else, you have strict legal obligations to monitor its use.
Implement an AI vendor risk management program to track which AI tools your employees are using and for what purposes.
Treating it like GDPR
GDPR is about privacy. The AI Act is fundamentally a product safety law (modeled on the New Legislative Framework). It requires engineering-level conformity, not just legal policies.
Compliance must be driven by engineering and product teams, not just the legal department.
Rishabh's Take on EU AI Act
Practitioner Voice“The EU AI Act is terrifying for startups because the compliance burden for 'High-Risk' systems is closer to building medical devices than building SaaS. My first advice: do everything in your power to architect your product so it does not fall into the High-Risk category. If you must build High-Risk AI, you need to implement ISO 42001 immediately. The standards bodies are currently mapping ISO 42001 to the AI Act; adopting the ISO standard now is your best preparation for surviving the legal requirements of the Act.”
Related Resources
Articles, guides, and tools to accelerate your compliance program.
EU AI Act Insights
Read practical security, engineering, and audit management playbooks from the GRC hub.
EU AI Act Checklist
Assess your baseline control posture against EU AI Act criteria in 10 minutes.
Compare Frameworks
Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.
Frequently Asked Questions
Common queries about EU AI Act compliance and certification processes.