The EU AI Act Explained: A Risk-Based Framework for Trustworthy AI
Understand the EU AI Act's risk-based approach, the four risk tiers, prohibited practices and the compliance timeline every organisation must plan around.

The European Union has delivered the world's first comprehensive law on artificial intelligence. Regulation (EU) 2024/1689 — known simply as the AI Act — sets out harmonised rules designed to make AI in Europe safe, transparent and worthy of trust, without smothering the innovation that makes the technology so valuable. For any business that builds, sells or simply uses AI, understanding this framework is no longer optional. It is the new baseline for operating in the European single market.
This article is the first in our series on the AI Act. Here we explain why the rules exist, how the famous "risk pyramid" works, and the timeline every organisation needs to plan around.
Why Europe needs rules on AI
Most AI systems pose little or no risk and already help solve real societal challenges — from filtering spam to powering medical research. But some systems create risks that existing law cannot fully address. A common example is opacity: it is often impossible to know exactly why an AI system made a particular decision. That makes it hard to tell whether someone was treated unfairly — say, in a hiring process or an application for a public benefit.
The AI Act closes that gap. Rather than regulating the technology itself, it regulates specific uses of AI according to how much harm they could cause. The goal is to give people confidence that AI respects their health, safety and fundamental rights, while giving businesses the legal certainty they need to invest.

A risk-based approach: the four levels
The heart of the AI Act is a simple idea: the higher the risk of harm, the stricter the rules. The legislation sorts AI systems into four tiers.
1. Unacceptable risk — banned outright
Some uses are considered a clear threat to people and are prohibited entirely. The Act bans eight practices:
- Harmful AI-based manipulation and deception
- Exploitation of the vulnerabilities of specific groups
- Social scoring by public or private actors
- Predicting an individual's risk of committing a crime based purely on profiling
- Untargeted scraping of the internet or CCTV footage to build facial-recognition databases
- Emotion recognition in workplaces and schools
- Biometric categorisation to infer sensitive characteristics
- Real-time remote biometric identification in public spaces for law enforcement (with narrow exceptions)
These prohibitions have applied since February 2025.
2. High risk — strictly regulated
High-risk systems are those that could seriously affect health, safety or fundamental rights — for example AI in critical infrastructure, education scoring, recruitment tools, credit scoring, or law-enforcement applications. They are permitted, but only under strict obligations such as risk management, high-quality data, activity logging, documentation and human oversight. We cover these requirements in detail in our companion post, High-Risk AI Systems Under the EU AI Act.
3. Transparency (limited) risk — disclosure required
Some systems carry a lighter obligation: tell people what they are dealing with. When you interact with a chatbot, you must be told you are talking to a machine. Providers of generative AI must ensure that synthetic content is identifiable, and certain content — such as deepfakes — must be clearly labelled. These transparency rules take effect in August 2026.
4. Minimal or no risk — no new rules
The vast majority of AI systems used in Europe today — spam filters, AI in video games, inventory optimisation — fall here. The Act adds no new obligations for them.

How it works in practice
For high-risk systems, compliance follows a lifecycle. Providers build conformity in from the start, carry out a conformity assessment, and register the system in an EU database. Once a system is on the market, market surveillance authorities supervise it, deployers ensure human oversight and monitoring, and providers run post-market monitoring. Both providers and deployers must report serious incidents and malfunctions.
The Act also tackles general-purpose AI (GPAI) — the large models that now underpin countless applications. Providers of these models face transparency and copyright obligations, and the most capable models that could pose systemic risks must be assessed and mitigated. We explore GPAI and the new governance system in the third part of this series, General-Purpose AI and Governance.

The timeline you should plan around
The AI Act entered into force in 2024 and applies in phases:
- 2 February 2025 — prohibited practices and AI literacy obligations apply.
- 2 August 2025 — rules on governance bodies, penalties and GPAI model providers take effect.
- 2 August 2026 — the bulk of the regulation applies, including transparency rules and Commission enforcement powers for advanced GPAI models.
- 2 August 2028 and every four years after — the Commission reviews and reports on the framework.
To smooth the transition, the Commission launched the voluntary AI Pact, inviting providers to meet key obligations ahead of time, and an AI Act Service Desk that answers practical questions.
What this means for your organisation
Whether you are a provider or a deployer, three early steps pay off:
- Inventory your AI. Map every system you build or use and classify it against the four risk tiers.
- Build AI literacy. Article 4 already requires that staff who work with AI have an adequate understanding of it.
- Prepare your documentation. High-risk obligations are demanding, and good records take time to assemble.
The AI Act is ambitious, but its logic is approachable: trust scales with risk. Organisations that start mapping and governing their AI now will be ready well before the 2026 deadline — and will earn the trust that comes with it.
Need help making sense of your AI obligations? Get in touch with our team or browse more guides on our blog.