What the AI Act is
The EU AI Act is the world's first comprehensive AI regulation. It entered into force on 1 August 2024 and applies in phases through 2027. It regulates AI systems by the risk they pose to people, and it applies to any organisation placing AI systems on the EU market or using their outputs in the EU, wherever that organisation is based, in the same extraterritorial spirit as GDPR.
The four risk tiers
- Unacceptable risk: banned. Social scoring, manipulative systems exploiting vulnerabilities, untargeted facial-image scraping and similar practices. These prohibitions have applied since 2 February 2025.
- High risk: heavily regulated. AI in hiring and worker management, credit scoring, insurance pricing, education, critical infrastructure, medical devices, law enforcement. These systems require risk management, data governance, technical documentation, logging, human oversight and conformity assessment.
- Limited risk: transparency duties. Chatbots must disclose they are AI; synthetic media must be labelled.
- Minimal risk: no new obligations. Spam filters, recommendation engines, most internal tooling.
The deadlines that matter
The obligations phase in: prohibitions and AI-literacy duties from February 2025, obligations for general-purpose AI models from August 2025, the bulk of high-risk obligations from August 2026, with an extended transition for high-risk AI embedded in regulated products into 2027. Penalties scale to the severity of the breach, with the largest fines reserved for prohibited practices, reaching into percentages of global annual turnover.
What most companies get wrong
The common mistake is assuming the Act is someone else's problem, a vendor's, a big tech company's. If your HR team uses an AI screening tool, you are a deployer of a high-risk system, with your own obligations around oversight and monitoring, even though you built nothing. The second mistake is treating compliance as a legal document exercise: most of the real obligations, logging, evaluation, human oversight, data governance, are engineering work.
A sensible compliance path
- Inventory. List every AI system you build, buy or embed. Shadow AI counts.
- Classify. Map each system to a risk tier. Most will be minimal risk; the handful that are not get the attention.
- Close the gaps. For high-risk systems, build the documentation, logging, oversight and evaluation the Act requires, into the system, not into a binder.
- Govern ongoing. New systems enter through the same classification gate, and monitoring covers drift as well as outages.
The strategic read
For companies that were building AI responsibly anyway, the Act largely codifies existing good practice, and being demonstrably compliant is becoming a sales asset in European procurement. Digital Colliers builds AI systems with these obligations designed in, and our EU AI Act compliance service covers the classification and gap-closing work described above.
