EU AI Act

the regulation everyone claims to be ready for and nobody has actually read all 144 pages of, featuring four risk tiers, six operator roles, and a compliance timeline designed to ensure you're always one deadline behind.

"our chief legal officer said we're fully compliant with the EU AI Act. i asked which of our systems are high-risk. she said 'we'll get to that.' the deadline is in two months."
"we spent six months building an AI governance framework. then someone actually read Article 6 and realised half our systems need conformity assessments we haven't started."
"the board asked for a one-page summary of the EU AI Act. i gave them one page. they asked why it was so vague. because it's 144 pages of regulation on one page, that's why."
Share this one
Canonical Definition

Regulation (EU) 2024/1689. Risk-based AI legislation establishing a harmonised framework for the placing on the market, putting into service, and use of artificial intelligence systems in the European Union. Application: (a) Chapters I–II (definitions, prohibited practices) from February 2025; (b) General-Purpose AI model obligations from August 2025; (c) Article 6(2) high-risk AI systems from August 2026; (d) Article 6(1) high-risk systems embedded in regulated products from August 2027. Penalties up to €35 million or 7% of global annual turnover.

Why It Matters

The EU AI Act is not another voluntary framework you can shelve next to your ethics principles. It is binding regulation with extraterritorial reach, enforcement teeth, and fines that scale to global revenue. Any organisation that places an AI system on the EU market or whose AI system’s output is used within the EU falls within scope — regardless of where the organisation is headquartered.

The structural challenge is not reading the regulation. It is operationalising it. The Act introduces a new taxonomy of obligations that cuts across legal, technical, and organisational functions: risk classification, conformity assessment, technical documentation, post-market monitoring, incident reporting, and fundamental rights impact assessments. None of these can be accomplished by a single department. All of them require evidence.

Most organisations are not behind because they ignored the regulation. They are behind because they underestimated the operational complexity. A compliance programme that lives in a slide deck is not a compliance programme. It is a liability in waiting.

The Stress Test

A national market surveillance authority requests your conformity documentation for a high-risk AI system deployed in credit scoring. You need to produce: a risk management system operated throughout the AI system’s lifecycle, technical documentation per Annex IV, data governance records, logging records, a declaration of conformity, and evidence of your quality management system. You have 30 days.

Your legal team has a gap analysis from 2024. Your AI team has model cards. Your compliance team has a risk register that does not mention AI. Nobody has a conformity assessment. The documentation that exists was written for different audiences, in different formats, by different teams who did not coordinate. Thirty days is not enough to create a governance programme. It is enough to discover you do not have one.

In the Wild

Enforcement — Italy, 2024
Garante vs. ChatGPT: The First Temporary Ban

The Italian Data Protection Authority (Garante) temporarily banned ChatGPT in March 2023, citing violations of GDPR principles including lawful basis for processing training data, transparency obligations, and lack of age verification. OpenAI was required to implement corrective measures before restoring service. In January 2024, the Garante opened a formal investigation, and in December 2024 fined OpenAI €15 million for GDPR violations related to ChatGPT’s data processing practices.

The first enforcement action against a major AI provider was not under the AI Act. It was under existing data protection law. Organisations waiting for AI Act deadlines to start governing AI are already late.

Risk Classification — Netherlands, 2020–2025
SyRI: When Algorithmic Welfare Fraud Detection Violated Human Rights

The System Risk Indication (SyRI) system, used by the Dutch government to detect welfare fraud, was struck down by the District Court of The Hague in February 2020 for violating Article 8 of the European Convention on Human Rights. The court found that the system’s lack of transparency and disproportionate impact on lower-income neighbourhoods could not be justified. Under the EU AI Act, systems used by public authorities for social benefit decisions would classify as high-risk under Annex III, requiring fundamental rights impact assessments, transparency obligations, and human oversight.

SyRI was built, deployed, and operated for years before a court stopped it. The AI Act is designed to ensure the assessment happens before deployment, not after harm.

Compliance Readiness — Cross-sector, 2025
The Article 6 Classification Gap

A 2025 survey by the Centre for Information Policy Leadership (CIPL) found that fewer than 20% of organisations had completed a formal AI system inventory — the prerequisite for risk classification under Article 6. Without an inventory, organisations cannot determine which systems are high-risk, which obligations apply, or which deadlines they face. Many organisations reported treating the AI Act as a “2027 problem” without recognising that GPAI obligations applied from August 2025 and prohibited practices from February 2025.

You cannot classify what you have not inventoried. You cannot comply with obligations you have not mapped. The timeline does not wait for readiness.

How to Govern It

The EU AI Act is not a compliance checkbox. It is an operating model transformation.

Within the AI Control Index, EU AI Act governance is the central thread connecting all six layers and five shields:

  • Strategy (L1) — AI system inventory, risk classification per Article 6, and operator role determination per Article 3. This is the foundation. Every downstream obligation depends on getting classification right.
  • GRC (S1) — Evidence Factory for conformity assessment documentation, quality management system records, incident reporting workflows, and regulatory change tracking as the Act’s delegated acts and harmonised standards evolve.
  • Ethics & Fairness (L2) — Fundamental Rights Impact Assessments (FRIAs) for high-risk systems, bias testing, and non-discrimination controls required under Article 9’s risk management obligations.
  • Data (L6) — Data governance per Article 10, training data documentation, data quality criteria, and lawful basis alignment with GDPR where personal data is involved.
  • Observability (S4) — Post-market monitoring per Article 72, logging per Article 12, and incident detection and reporting per Article 73.

When It’s Relevant

Every organisation that develops, deploys, imports, or distributes AI systems within the European Union — or whose AI systems produce outputs consumed in the EU. The extraterritorial scope (Article 2) means non-EU providers are in scope if their system is placed on the EU market or its output is used within the EU.

Urgency is highest when:

  • Your organisation has not completed an AI system inventory
  • You deploy AI in any Annex III high-risk category (credit scoring, recruitment, law enforcement, education, critical infrastructure)
  • You use general-purpose AI models and have not assessed GPAI obligations effective August 2025
  • You fine-tune or significantly modify a vendor model, potentially triggering provider obligations
  • You operate across multiple EU member states with different national implementation approaches

See this control in the framework. EU AI Act compliance is operationalised across L1, S1, L2, L6, and S4 in the AI Control Index v6.0.

Open Framework →

Making your AI Act position defensible? See the practical workflow for classifying systems, mapping the obligations, and recording the evidence and owners.

EU AI Act readiness →

Related Terms

References

  1. [1] European Parliament and Council of the European Union (2024) Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). Official Journal of the European Union, L series, 12 July 2024.
  2. [2] European Commission (2025) Guidelines on prohibited artificial intelligence practices. C/2025/971, 4 February 2025.
  3. [3] Garante per la protezione dei dati personali (2024) Decision regarding OpenAI, December 2024. Available at: garanteprivacy.it.
  4. [4] District Court of The Hague (2020) NJCM c.s. v. De Staat der Nederlanden (SyRI), ECLI:NL:RBDHA:2020:1878, 5 February 2020.
  5. [5] Centre for Information Policy Leadership (2025) Organisational Readiness for the EU AI Act: Survey Results. CIPL, Hunton Andrews Kurth.
  6. [6] Veale, M. and Zuiderveen Borgesius, F. (2021) ‘Demystifying the Draft EU Artificial Intelligence Act’, Computer Law Review International, 22(4), pp. 97–112. doi: 10.9785/cri-2021-220402.
  7. [7] European AI Office (2025) General-Purpose AI Code of Practice — First Draft. European Commission, May 2025.

AI Control Index v6.0 · Glossary · June 2026 · i-DEPOT 158508 (BOIP) · CC BY-NC-ND 4.0

By Jeroen Janssen, Apparens