The EU AI Act
Last updated: 2026-05-18
The EU AI Act
The EU AI Act is the first comprehensive legal framework for AI. It covers AI systems placed on the EU market or used in ways that affect people in the EU. That includes non-EU companies if their products reach EU users. This guide covers the key provisions, risk categories, Article 50 transparency obligations (in force August 2, 2026), penalties, and what you should actually be doing now.
Key Provisions
The Act takes a risk-based approach. How much scrutiny your AI system faces depends on what risk category it falls into.
A transparency principle runs through the whole framework: users have a right to know when they're interacting with AI or seeing AI-generated content.
Some uses are outright banned. And high-risk systems have to go through conformity assessments, maintain documentation, and include human oversight.
Risk Categories
Unacceptable risk means banned. This includes social scoring by governments, AI that exploits vulnerabilities to manipulate behavior, and most real-time biometric identification in public spaces.
High risk covers systems used in critical infrastructure, employment decisions, education access, credit and insurance, law enforcement, and similar areas. These require conformity assessments, risk management, technical documentation, and human oversight before deployment.
Limited risk comes with transparency obligations. Chatbots must identify as AI. Deepfakes must be disclosed. Emotion recognition systems must inform users.
Minimal risk covers most general-purpose applications and has few requirements beyond standard good practice.
Who It Affects
Providers who develop or place AI systems on the market have obligations around design, documentation, and transparency.
Deployers who use AI under their own authority have obligations around how they use it, including monitoring and disclosing AI involvement.
Non-EU companies serving EU users are in scope. If you deploy AI to EU residents, you may need to appoint an EU representative.
Article 50: Transparency Obligations
These came into force August 2, 2026.
AI systems that interact directly with people must clearly indicate they are AI at the start of the interaction. The disclosure must be clear, distinct, and accessible, not buried in fine print.
Generative AI output should be marked in a machine-readable format so it's detectable as AI-generated where technically feasible.
Deployers who use AI to create or manipulate images, audio, or video must disclose that the content is artificial. AI-generated text on matters of public interest must be disclosed as such.
Emotion recognition and biometric categorization systems must inform the people they're applied to.
Exceptions exist for law enforcement with proper authorization and for artistic, satirical, or creative works, though disclosure rules still apply in some contexts.
Penalties
Violations of prohibited practices can result in fines up to 35 million EUR or 7% of global annual turnover, whichever is higher. Other violations have lower penalty tiers. Penalties are meant to be proportionate to the size of the company and the severity of the breach.
What to Do Now
Map your AI use first. List every AI system you deploy, what it does, and which risk category it likely falls into.
For customer-facing AI, ensure disclosure is in place. Chatbots and virtual assistants need to identify as AI at first interaction.
If you have high-risk systems, start the documentation and conformity process early. It takes time.
Review your AI vendors. Ask whether they're compliant and request documentation.
Get legal counsel for your specific situation. This guide explains the framework; it doesn't substitute for qualified legal advice.