EU AI Act

The EU AI Act (Regulation EU 2024/1689) is a legal framework approved on 1 August 2024. It applies to anyone who builds, deploys, imports, or distributes AI systems within the European Union — and even to non-EU companies whose AI serves EU users.

The regulation organizes AI into risk categories:

• Unacceptable risk: Banned entirely (e.g., government social scoring, manipulative AI targeting vulnerable groups).
• High risk: Subject to strict requirements like human oversight, data quality standards, and conformity assessments (e.g., AI in medical devices or hiring).
• Limited risk: Must be transparent — users need to know they're interacting with AI (e.g., chatbots, deepfakes).
• Minimal risk: No specific obligations (e.g., spam filters).
• General-purpose AI (GPAI): Models like GPT-4 must meet transparency and documentation rules.

Understanding this regulation matters because non-compliance can lead to serious penalties. Depending on the violation, fines can reach up to €35 million or 7 percent of global annual turnover, whichever is higher, with lower caps for other types of breaches.

Beyond penalties, the Act sets an important global benchmark for responsible AI governance. Whether you are a startup building an AI chatbot or a large enterprise deploying automated decision-making systems, understanding these rules helps you build trust, reduce legal risk, and design AI that respects people’s rights.

‌

If you develop or use AI tools in the EU market, you need to determine which category your system falls into and comply with the relevant obligations. For example, a company using AI for recruitment, which is typically high risk, must implement risk management measures, ensure data quality, provide human oversight, and maintain technical documentation.

Key practical steps include:

• Classify your AI system according to the Act’s risk tiers.

• Meet transparency obligations, including informing users when they interact with AI where required.

• Conduct impact assessments where relevant, especially for high-risk use cases.

• Stay aware of the rollout timeline, since some obligations apply before full applicability in August 2026.

• Use regulatory sandboxes, where available, to test innovative AI systems in a controlled environment.

‌

Imagine a SaaS company that offers an AI-powered tool to help HR teams screen job applicants. Under the Act, this is typically a high-risk use case because it affects access to employment.

Here is what the company must do:

• Risk management: Establish processes to identify and reduce bias or other harms.

• Data quality: Use relevant, representative, and properly governed data.

• Transparency: Inform affected people that AI is being used where required.

• Human oversight: Ensure a human can review or override the AI’s recommendations.

• Documentation: Keep technical records showing compliance with the Act.

If the company fails to meet these obligations, it may face significant fines. If it follows them, it can build a fairer and more trustworthy hiring process.

‌