EU AI Act

What Is the EU AI Act?

The EU Artificial Intelligence Act (Regulation EU 2024/1689) entered into force on 1 August 2024, making the EU the first jurisdiction in the world to enact a comprehensive, horizontal legal framework for artificial intelligence. Unlike sector-specific AI regulation (such as the algorithmic rules in DORA for financial services), the AI Act applies across all industries and use cases.

The AI Act uses a risk-based classification system: the higher the potential harm of an AI system, the stricter the obligations. This creates four main risk categories.

The Four Risk Categories

1. Unacceptable Risk (Prohibited AI Practices)

These AI applications are banned outright from 2 February 2025:

• Social scoring by public authorities
• Real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions)
• AI that manipulates persons through subliminal techniques or exploits vulnerabilities
• Emotion recognition in workplaces and educational institutions (with limited exceptions)
• Biometric categorisation inferring sensitive characteristics (race, political opinion, religion, sexual orientation)
• AI used to create or expand facial recognition databases through untargeted scraping
• “Predictive policing” based on profiling

2. High-Risk AI Systems

These are permitted but subject to significant pre-market and ongoing obligations. High-risk AI systems include:

• Biometric identification and categorisation
• Critical infrastructure management (energy grids, water, transport)
• Education and vocational training (access, assessment)
• Employment, workers management, and access to self-employment (CV screening, monitoring, task allocation)
• Access to essential private and public services (credit scoring, insurance underwriting, social benefits)
• Law enforcement (risk assessments, evidence reliability, crime prediction)
• Migration, asylum, and border control
• Administration of justice

Obligations for high-risk AI include: risk management system, technical documentation, data governance, transparency and provision of information, human oversight mechanisms, accuracy and robustness, and registration in the EU AI database.

3. Limited Risk — Transparency Obligations

Systems such as chatbots, deepfakes, and AI-generated content must inform users that they are interacting with AI or that content is artificially generated.

4. Minimal Risk

Most current AI applications (spam filters, AI in video games, basic recommendation systems) fall here. No mandatory obligations apply, though voluntary codes of conduct are encouraged.

General-Purpose AI (GPAI) Models

The AI Act introduces specific rules for General-Purpose AI (GPAI) models — large AI models trained on broad data that can perform a wide range of tasks (such as large language models). All GPAI model providers must:

• Provide technical documentation and instructions for use
• Comply with EU copyright law
• Publish summaries of training data

GPAI models with systemic risk (trained using more than 10^25 FLOPs, or otherwise designated) face additional obligations: adversarial testing (red-teaming), serious incident reporting to the European AI Office, and cybersecurity measures.

Compliance Timeline

Obligations by Role

The AI Act distinguishes between providers (those who develop and place AI systems on the market or into service), deployers (those who use AI systems in a professional context), importers, and distributors. Obligations are heaviest for providers, but deployers of high-risk systems also face significant duties around use according to instructions, human oversight implementation, and employee training.

Interaction with GDPR

The AI Act does not replace GDPR. Both apply concurrently when AI processes personal data. A Data Protection Impact Assessment (DPIA) under GDPR Article 35 may be required alongside an AI Act risk assessment. The AEPD is likely to play a role in AI Act enforcement given its existing data protection mandate and the overlap between AI risks and privacy risks.

Enforcement and Penalties

The European AI Office (created within the European Commission) oversees GPAI model compliance. National market surveillance authorities handle product-specific rules; national competent authorities designated by member states handle other obligations. In Spain, the AI Supervisory Authority is being established within the existing regulatory framework.

Penalties:

• Prohibited practices violations: up to €35 million or 7% of global annual turnover
• High-risk system violations: up to €15 million or 3% of global annual turnover
• Incorrect information to authorities: up to €7.5 million or 1.5% of global annual turnover

How BMC Can Help

We advise companies on AI Act risk classification of their current and planned AI systems, deployer obligation mapping, AI governance policy drafting, interaction between AI Act and GDPR compliance programmes, and regulatory affairs strategy for AI product launches in the EU.