EU AI Act

The EU AI Act is the world's first comprehensive legislation regulating artificial intelligence. The law entered into force on August 1, 2024 and introduces a risk-based framework that categorizes AI systems into four categories: unacceptable risk (prohibited), high risk (strictly regulated), limited risk (transparency requirements) and minimal risk (free to use). The goal is to stimulate innovation while protecting fundamental rights and the safety of EU citizens.

To understand the EU AI Act, you first need to know the core concepts. An AI system is defined as a machine-based system that, with varying degrees of autonomy, can generate outputs such as predictions, recommendations or decisions. The law distinguishes between providers (developers who place AI on the market) and deployers (organizations that use AI). There are also specific definitions for GPAI (general-purpose AI) like ChatGPT.

The EU AI Act uses a risk-based approach with four categories. Unacceptable risk: prohibited applications like social scoring and manipulative AI. High risk: strictly regulated systems in critical sectors like HR, education and healthcare. Limited risk: systems with transparency requirements like chatbots. Minimal risk: most AI applications, free to use. The classification determines which obligations apply.

Compliance with the EU AI Act requires a systematic approach. For high-risk AI, you need to implement a risk management system, prepare technical documentation, ensure data governance and arrange human oversight. There are also specific obligations such as the FRIA (Fundamental Rights Impact Assessment) and conformity assessments. A good AI governance structure within your organization is essential.

The EU AI Act has different impacts per sector. The financial sector faces overlap with EBA guidelines. The public sector must pay extra attention to fundamental rights. Startups and SMEs get proportionate requirements. For each sector: inventory your AI systems, determine the risk class and start with compliance preparation.

Enforcement of the EU AI Act is coordinated by the European AI Office at EU level and national supervisors in each member state. In the Netherlands this is the Algorithm Supervisor. Fines are significant: up to €35 million or 7% of global annual turnover for prohibited practices, up to €15 million or 3% for other violations. Incident reporting is mandatory for serious malfunctions.

Since February 2, 2025, all organizations using AI are required to ensure their staff is sufficiently AI literate. This applies to everyone working with AI, regardless of the risk class of the AI system. AI literacy includes the ability to understand, critically evaluate and responsibly use AI. Organizations must develop policies and offer training.

GPAI (General-Purpose AI) like ChatGPT, Claude and Gemini get specific rules from August 2025. Providers must be transparent about training data, respect copyright and provide technical documentation. For models with systemic risk (>10²⁵ FLOPs) extra requirements apply. The EU is working on a Code of Practice that providers must follow.