EU AI Act: What Every Business Needs to Know

A plain-language guide to the EU AI Act for business leaders: the risk categories, compliance requirements, implementation timeline, and what you need to do if your company operates in the EU.

Phos Team · AI Strategy

The EU AI Act is the world’s first comprehensive AI regulation. If your organization uses AI systems that affect EU residents, you need to understand what it requires and whether you are already out of compliance.

What the EU AI Act is

The EU AI Act is a regulation that classifies AI systems by risk level and applies proportionate requirements to each category. It applies to providers and deployers of AI systems that affect people in the EU, regardless of where the provider or deployer is based.

The Act covers the full AI lifecycle: development, deployment, and ongoing operation. It creates obligations not just for companies that build AI but for companies that use AI built by others.

The four risk categories

The Act organizes AI systems into four risk tiers. The tier determines what compliance requirements apply.

Prohibited AI

A small set of AI applications is banned outright. These include AI systems used for:

  • Real-time remote biometric identification of individuals in publicly accessible spaces by law enforcement (with narrow exceptions)
  • Social scoring systems that evaluate citizens based on personal characteristics
  • AI that exploits vulnerabilities of specific groups (age, disability, socioeconomic status) to manipulate behavior
  • AI systems that use subliminal techniques to distort behavior in harmful ways

These prohibitions apply regardless of how the AI is used or who uses it. Any business deploying AI in these categories faces the highest level of penalty.

High-risk AI

This is the most significant category for most businesses. High-risk AI systems face detailed compliance requirements. The category includes AI systems in these eight domains:

  • Biometric identification and categorization (beyond real-time public surveillance)
  • Management of critical infrastructure (water, gas, electricity, transport, financial markets)
  • Education and vocational training (access decisions, performance evaluation)
  • Employment, worker management, and access to self-employment (recruitment, task allocation, monitoring)
  • Access to essential private services and public services (credit scoring, insurance, social benefits)
  • Law enforcement (risk assessment, polygraph, evidence evaluation)
  • Migration, asylum, and border control management
  • Administration of justice and democratic processes

If your organization uses AI in any of these areas to affect EU residents, you are operating under the high-risk requirements.

Limited-risk AI

AI systems with limited risk face transparency requirements. The primary obligation is to inform users when they are interacting with AI. Chatbots and other conversational AI must identify themselves as AI systems.

Deepfake content must be labeled as artificially generated. AI-generated text published for public purposes must be disclosed where technically feasible.

Minimal-risk AI

The majority of AI applications fall here. AI used for spam filtering, inventory management, price optimization, and most business productivity tools is in this category. The Act imposes no specific requirements on it, though other regulations such as GDPR may still apply.

High-risk system compliance requirements

Organizations deploying high-risk AI systems must meet a detailed set of requirements before deployment and maintain them throughout operation.

Risk management system. A documented, iterative risk management process for the AI system, covering identification, evaluation, and mitigation of risks throughout the lifecycle.

Data governance documentation. Documentation of training, validation, and testing datasets, including data provenance, characteristics, and evidence that datasets meet quality criteria.

Technical documentation. Comprehensive technical documentation enabling authorities to assess compliance. This must be maintained and updated as the system evolves.

Automatic logging. High-risk AI systems must maintain automatic logs of their operation to enable monitoring and post-market surveillance.

Transparency to users. Users of high-risk AI systems must receive clear information about what the system does, its capabilities and limitations, and the measures in place for human oversight.

Human oversight. High-risk AI systems must be designed to allow effective human oversight. Individuals responsible for oversight must be able to understand the system’s behavior and intervene when necessary.

Accuracy, robustness, and cybersecurity. High-risk AI systems must meet defined accuracy thresholds, be robust against errors and inconsistencies, and be protected against security threats.

Conformity assessment. Before deploying a high-risk AI system in the EU, providers must complete a conformity assessment demonstrating compliance with these requirements. For some categories, this requires a third-party notified body. For others, self-assessment is permitted.

EU database registration. High-risk AI systems must be registered in the EU AI database before deployment.

Implementation timeline

The EU AI Act entered into force in August 2024. Different provisions apply at different points in the implementation schedule.

Prohibited AI provisions applied from February 2026. Most businesses that need to act on these already have.

General purpose AI model requirements have been in effect since August 2026.

High-risk AI system requirements in Annex I (safety components for regulated products) apply from August 2026. High-risk AI system requirements in Annex III (the broader list including employment, credit, and education AI) apply from August 2026 as well.

Obligations for AI systems already deployed continue to phase in through 2027.

What businesses need to do now

If you operate AI systems that affect EU residents, take these steps now.

Step 1: Build an AI inventory. List every AI system your organization uses that could affect EU residents. Include vendor-provided AI tools, not just systems you built.

Step 2: Classify each system. Apply the Act’s risk categories to each system. Identify any prohibited uses for immediate remediation. Identify all high-risk systems for compliance program development.

Step 3: Assess compliance gaps for high-risk systems. For each high-risk system, assess whether you meet the requirements: risk management documentation, technical documentation, logging, transparency, human oversight, and accuracy standards.

Step 4: Develop remediation plans. For each gap, assign an owner and a timeline. High-risk systems already deployed that do not meet requirements need immediate remediation plans.

Step 5: Establish ongoing compliance processes. Compliance with the Act is not a one-time exercise. Build the monitoring, documentation maintenance, and review processes that keep you compliant as systems and regulations evolve.

For a detailed compliance checklist, see EU AI Act compliance checklist.

Frequently asked questions

Does the EU AI Act apply to US-based companies?

Yes, if those companies deploy AI systems that affect EU residents. The Act applies based on where the AI’s effects are felt, not where the company is located. Any company with EU customers, employees, or users is potentially within scope.

What are the penalties for non-compliance?

Penalties vary by violation type. The highest fines apply to prohibited AI use: up to 35 million euros or 7% of worldwide annual revenue, whichever is higher. Violations of high-risk system requirements carry fines of up to 15 million euros or 3% of worldwide annual revenue. Providing incorrect information to authorities carries fines of up to 7.5 million euros or 1.5% of worldwide annual revenue.

What is a “provider” vs a “deployer” under the Act?

A provider is a company that develops or places an AI system on the market or into service. A deployer is a company that uses an AI system developed by someone else in a professional context. Most businesses are deployers. Both have obligations under the Act, but providers carry the primary compliance obligations for their systems.

Is your organization compliant with the EU AI Act?

The Act is not future legislation. It is current law, with high-risk system requirements applying in 2026. Organizations that have not begun their compliance programs are already behind.

Path one: run a compliance assessment. An AI audit maps your AI systems against EU AI Act requirements and identifies your compliance gaps with a prioritized remediation plan.

Path two: work with Phos AI Labs. If you want expert help building an EU AI Act compliance program for your organization, Phos AI Labs is a CCA-F certified Claude implementation partner. Thirty minutes, no deck. Start here.
