This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.
In short: The EU AI Act is the world's first binding horizontal AI law. It categorises AI systems into four risk tiers: prohibited (banned outright), high-risk (strict obligations including conformity assessment and registration), limited risk (transparency obligations), and minimal risk (no specific requirements). It applies not only to EU-based developers but to any business that places AI systems on the EU market or uses them in the EU. Compliance timelines run from February 2025 (prohibited practices) through August 2026 (high-risk systems). GDPR continues to apply in parallel for personal data.
This article describes the EU AI Act as enacted and the implementation timeline through to 2027. Implementation guidance, technical standards, and regulatory body interpretations continue to develop. Businesses with EU AI Act obligations should monitor updates from the European Commission and the AI Office. This article does not provide legal advice; EU-qualified counsel should be consulted for compliance obligations specific to your situation.
The EU AI Act: Structure and Scope
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024. It applies to providers who place AI systems on the EU market, deployers who use AI systems in the EU, and importers and distributors of AI systems intended for the EU market. Extraterritorial application means businesses based outside the EU can be subject to the Act if their AI systems affect people in the EU.
The Act defines an AI system as: a machine-based system designed to operate with varying levels of autonomy that may exhibit adaptiveness after deployment, and that infers from inputs how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.
The Four Risk Tiers
The EU AI Act organises AI systems into four risk categories, each with different obligations:
- Unacceptable risk (prohibited): AI systems that pose unacceptable risks are banned. Prohibited practices include: real-time biometric identification in public spaces by law enforcement (with narrow exceptions), social scoring by public authorities, manipulation of behaviour through subliminal techniques, and exploitation of vulnerable groups. These prohibitions applied from 2 February 2025.
- High risk: AI systems in designated high-risk categories face the most extensive obligations. High-risk categories include: AI used in critical infrastructure, educational and vocational training, employment decisions (recruitment, performance, termination), access to essential services (credit, insurance, healthcare), law enforcement, migration and border control, and administration of justice. Obligations for high-risk systems include: risk management systems, data governance requirements, technical documentation, transparency to deployers, human oversight measures, accuracy and robustness requirements, and registration in the EU AI database before deployment. High-risk system obligations apply from 2 August 2026.
- Limited risk: AI systems with specific transparency risks have targeted obligations. AI chatbots must disclose that users are interacting with an AI. AI-generated content designed to be perceived as real (deepfakes) must be labelled. These obligations apply from 2 August 2026.
- Minimal risk: Most AI systems fall in this category (AI spam filters, AI-enabled video games, AI recommendation engines in general use). No specific requirements apply, though voluntary codes of conduct are available.
General Purpose AI Models (GPAI)
The EU AI Act includes a specific framework for General Purpose AI (GPAI) models, which are AI models trained on large amounts of data and capable of performing a wide range of tasks. This framework is directly relevant to providers and deployers of large language models.
GPAI providers face transparency and technical documentation obligations. GPAI models with systemic risk (defined by threshold compute capacity used in training) face additional requirements including model evaluation, adversarial testing, incident reporting, and cybersecurity measures. The AI Office at the European Commission oversees GPAI model regulation. GPAI obligations applied from 2 August 2025.
Implementation Timeline
The EU AI Act's requirements apply in phases:
- 2 February 2025: Prohibitions on unacceptable-risk AI practices apply.
- 2 August 2025: GPAI model obligations apply. AI literacy obligation for providers and deployers applies (organisations must ensure staff have adequate AI literacy).
- 2 August 2026: High-risk AI system obligations apply. Limited risk transparency obligations apply.
- 2 August 2027: High-risk AI systems that are safety components of products (under existing product safety legislation) face full obligations.
Current enforcement and implementation guidance is published by the European Commission AI Office: digital-strategy.ec.europa.eu.
GDPR and the EU AI Act: Parallel Frameworks
The EU AI Act does not replace GDPR. Both frameworks apply in parallel when AI systems process personal data about EU individuals.
Key interactions between the frameworks:
- Lawful basis: GDPR requires a lawful basis for processing personal data. Training AI systems on personal data therefore requires an identified lawful basis, typically legitimate interests, consent, or contract. The EU AI Act does not provide an additional lawful basis for GDPR purposes.
- Automated decision-making: GDPR Article 22 rights regarding automated decision-making overlap with EU AI Act high-risk categorisation for AI systems making employment, credit, and similar decisions. Both sets of obligations apply.
- Data governance: EU AI Act data governance requirements for high-risk systems (training data quality, relevance, and representativeness) supplement GDPR's data minimisation and accuracy principles.
- Enforcement: National data protection authorities (DPAs) enforce GDPR. National market surveillance authorities and the AI Office enforce the EU AI Act. Coordinating compliance across both frameworks requires attention to both enforcement structures.
The European Data Protection Board (EDPB) has published guidance on GDPR and AI interactions: edpb.europa.eu.
What This Means for Businesses Outside the EU
The EU AI Act has extraterritorial effect. Businesses outside the EU are subject to the Act if they place AI systems on the EU market or use AI systems that affect people in the EU. This is directly parallel to GDPR's extraterritorial scope.
For Australian, US, and UK businesses:
- If you develop AI systems used by EU customers, you are a provider under the Act and face provider obligations for those systems.
- If you use high-risk AI systems in your EU operations, you are a deployer and face deployer obligations.
- If your AI system falls in the high-risk category, you must register it in the EU AI database before placing it on the EU market.
- Non-EU providers can designate an authorised representative established in the EU to act as the point of contact for compliance purposes.
The extraterritorial reach means the EU AI Act is the framework with the widest global compliance footprint for any business with EU market exposure.
Australian Businesses and EU AI Act Obligations
Australian businesses that develop or deploy AI systems used by EU individuals are within scope of the EU AI Act as providers or deployers. This applies regardless of where the business is based. Australian businesses also face their own domestic privacy obligations under the Privacy Act 1988 when AI systems process personal information about Australians; see the related article AI and the Privacy Act in Australia. The practical data question that affects most Australian businesses using AI tools day-to-day is covered in What Happens to Your Customer Data in ChatGPT.
Methodology (Real-World, Verified)
We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified in AUD at the vendor's published rates or converted at current exchange rates. Compliance notes reference the legislation and regulatory guidance relevant to each article's scope. Tools are assessed for suitability by a business with no dedicated IT department.
When did the EU AI Act come into force?
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024. Its requirements apply in phases: prohibited practices from 2 February 2025, GPAI model obligations from 2 August 2025, and high-risk AI system obligations from 2 August 2026. Some provisions applying to high-risk AI systems that are safety components of products under existing legislation apply from 2 August 2027. Current implementation guidance is published by the European Commission AI Office.
Does the EU AI Act apply to businesses outside the EU?
Yes. The EU AI Act has extraterritorial application. It applies to providers who place AI systems on the EU market, deployers who use AI systems in the EU, and importers and distributors of AI systems for the EU market, regardless of where those organisations are based. This is structurally similar to GDPR's extraterritorial scope. Businesses outside the EU that develop AI systems used by EU individuals, or that use AI systems in their EU operations, are within scope.
What is a high-risk AI system under the EU AI Act?
The EU AI Act defines high-risk AI systems as those in specific categories listed in Annex III of the Act. These include: AI used as safety components in critical infrastructure, AI in educational and vocational training assessment, AI in employment (recruitment, performance evaluation, termination), AI in access to essential services (credit, insurance, emergency services), AI in law enforcement, migration and border control, and AI in administration of justice. High-risk AI systems face the most extensive obligations including conformity assessment, technical documentation, registration in the EU AI database, and ongoing monitoring requirements.
What are the penalties for non-compliance with the EU AI Act?
The EU AI Act establishes a tiered penalty structure. Violations of prohibited AI practices (unacceptable risk) can attract fines of up to EUR 35 million or 7% of global annual turnover, whichever is higher. Violations of other obligations (high-risk system requirements, GPAI model obligations) can attract fines of up to EUR 15 million or 3% of global turnover. Providing incorrect or misleading information to authorities can attract fines of up to EUR 7.5 million or 1.5% of global turnover. For SMEs and start-ups, each fine is capped at whichever is lower of the percentage-of-turnover figure and the fixed EUR amount for the applicable tier.
How does the EU AI Act interact with GDPR?
The EU AI Act and GDPR apply in parallel. The AI Act does not replace GDPR for AI systems that process personal data. GDPR obligations including lawful basis, data minimisation, transparency, and automated decision-making rights continue to apply. The EU AI Act adds additional requirements for high-risk AI systems on data governance, technical documentation, and human oversight. The EDPB has published guidance on how the two frameworks interact. Where both apply, businesses must satisfy both sets of requirements.
The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.
The EU AI Act is the most prescriptive AI framework globally, but it is one of five major regional approaches. Our AI governance hub maps all of them in one place, including how they compare and where obligations overlap.