What is the EU AI Act?
The EU AI Act (Regulation (EU) 2024/1689) is the world’s first comprehensive law regulating artificial intelligence. It entered into force in August 2024 and applies in stages. The Act classifies AI systems by risk level, from prohibited practices to strictly regulated high-risk systems, with lighter transparency duties for uses such as chatbots.
The risk-based approach
The Act regulates uses rather than the technology itself. Practices judged unacceptable, such as social scoring of people based on their social behaviour or personal characteristics, whether by public authorities or private actors, are banned outright. High-risk systems face strict requirements covering risk management, data quality, technical documentation, human oversight and post-market monitoring; this tier includes AI used for creditworthiness assessment, recruitment, and safety components of regulated products. Limited-risk systems carry transparency duties, meaning people must be told they are interacting with AI or viewing AI-generated content. Minimal-risk uses, which are the vast majority, carry no new obligations.
The key dates
The Act entered into force on 1 August 2024. Prohibitions and AI-literacy obligations have applied since 2 February 2025, and obligations for general-purpose AI models since 2 August 2025. Most remaining requirements, including those for Annex III high-risk systems, apply from 2 August 2026, and certain rules for AI embedded in regulated products follow in 2027. Planning against these dates now costs far less than retrofitting compliance later.
What enterprises should do now
First, inventory your AI systems and determine your role for each; most companies are deployers, with lighter duties than providers. Second, flag any use that could be high-risk, such as AI involved in hiring or credit decisions. Third, meet the obligations that already apply: staff AI literacy and the prohibited-practices check. Fourth, ask your vendors for technical documentation. All of this is ordinary AI governance done early, which is why the Act is best approached as a governance program rather than a legal scramble.
Does the AI Act apply to companies outside the EU?
Yes, in many cases. Like GDPR, it has extraterritorial reach: providers placing AI systems on the EU market and organisations whose AI output is used in the EU fall in scope, wherever they are established.
What are the penalties?
The highest tier, for prohibited AI practices, reaches 35 million euros or 7% of global annual turnover, whichever is higher. Most other violations, including breaches of the high-risk obligations, fall in a tier of up to 15 million euros or 3% of turnover, and supplying incorrect or misleading information to authorities can cost up to 7.5 million euros or 1%. The reputational cost of a public enforcement action may exceed the fine itself.
If we use ChatGPT or Claude, are we a "provider"?
Normally no. An organisation using a vendor's AI system is a deployer, with lighter obligations such as using the system according to its instructions, assigning human oversight and training staff. You can become a provider of a high-risk system if you place it on the market under your own name or trademark, substantially modify it, or change its intended purpose, so assess this case by case.
- AI governance: AI governance is the set of policies, roles, processes and technical controls an organisation puts in place so that AI is used safely, legally and accountably. It defines which tools are approved, who may use them with which data, how usage is monitored, and how risks are assessed before a use case goes to production.
- Shadow AI: Shadow AI is the use of AI tools inside an organisation without the knowledge or approval of IT and security teams. Typical examples include employees pasting company data into personal chatbot accounts, unvetted AI browser extensions, and AI features wired into business workflows outside any oversight.
- LLM red teaming: LLM red teaming is the structured, adversarial testing of AI systems. Testers deliberately attack a model or AI application with jailbreaks, prompt-injection payloads, data-extraction attempts and abuse scenarios in order to find failures before real users or attackers do.
Deploy AI with confidence
Code75 implements production AI across enterprise teams, with the security testing and governance to match. You will talk to an engineer.