
EU AI Act Explained: Risk Tiers & Timelines | QuiverSphere

The EU AI Act is the world's first comprehensive AI law. Learn the four risk tiers, GPAI rules, compliance obligations, and enforcement timelines.

27 June 2026 · 9 min read

The European Union’s Artificial Intelligence Act is the world’s first comprehensive, horizontal legal framework for AI. Adopted by the European Parliament in March 2024 and published on July 12, 2024, the Act entered into force on August 1, 2024. It applies a tiered, risk-proportionate approach — regulating AI systems according to the harm they could cause rather than the technology itself. For developers, enterprises, and policymakers operating globally, this law is not optional.


What Is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is a single-market regulation binding across all 27 EU member states. It applies not only to companies based in the EU but to any provider or deployer whose AI systems affect people inside the EU — making its reach genuinely global.

The Act was proposed by the European Commission in April 2021. Nearly three years of negotiations, accelerated by the public debut of large language models, produced a text covering both narrow AI applications and foundation models. Enforcement runs through a European AI Office, national competent authorities in each member state, and a newly created AI Board.

Unlike sector-specific laws such as GDPR or MiCA, the AI Act cuts horizontally across industries — health, finance, transport, law enforcement, education, and more.


The Four Risk Tiers

The Act’s organizing principle is a four-level risk pyramid. Every AI system or application must be mapped to one of these tiers.

1. Unacceptable Risk — Prohibited

These practices are banned outright because they are deemed incompatible with EU values and fundamental rights:

  • Social scoring by public authorities: AI that evaluates individuals’ trustworthiness based on behavior or personal characteristics, producing detrimental treatment.
  • Real-time remote biometric identification in public spaces: Law enforcement use of live facial recognition, with narrow court-authorized exceptions for specific serious crimes.
  • Subliminal manipulation: Systems that exploit subconscious vulnerabilities to influence behavior harmfully.
  • Exploitation of vulnerabilities: AI targeting children, elderly, or disabled people based on their vulnerabilities.
  • Emotion recognition in workplaces and education: Inferring emotional states in professional or academic settings, with limited exceptions.
  • Untargeted facial recognition database scraping: Building or expanding databases by indiscriminate scraping of the internet or CCTV footage.

Prohibited practices were the first provisions to apply, from February 2, 2025.

2. High Risk — Stringent Obligations

High-risk AI systems can be marketed but carry a substantial compliance burden before and after deployment. The Act identifies two categories:

Annex I — regulated products: AI systems embedded in products already subject to EU safety legislation, including medical devices, machinery, aviation components, motor vehicles, and toys.

Annex II — eight standalone domains:

  1. Biometric identification and categorization
  2. Management of critical infrastructure (energy grids, water, transport)
  3. Education and vocational training
  4. Employment, worker management, and recruitment
  5. Essential private and public services (credit scoring, benefits)
  6. Law enforcement
  7. Migration, asylum, and border control
  8. Administration of justice and democratic processes

Providers of high-risk systems must:

  • Implement a risk management system throughout the lifecycle
  • Conduct data governance procedures to minimize bias in training datasets
  • Maintain technical documentation and logs
  • Enable human oversight mechanisms
  • Achieve a defined level of accuracy, robustness, and cybersecurity
  • Register in a public EU database before placing on the market

Deployers must conduct a fundamental rights impact assessment and monitor systems in use. High-risk obligations apply in full from August 2, 2026.

3. Limited Risk — Transparency Obligations

Systems in this tier pose modest risks but must be transparent with users. Chatbots must identify as AI. Deepfakes must be labeled. Emotion-recognition outputs must be disclosed to the individuals they are applied to. These are the lightest obligations and cover a large portion of consumer-facing AI products.

4. Minimal Risk — Voluntary Codes

The vast majority of AI applications — spam filters, inventory tools, recommendation engines outside sensitive domains — fall here. No mandatory obligations apply, though providers are encouraged to follow voluntary codes of conduct.


GPAI: Rules for General-Purpose AI Models

One of the Act’s most consequential additions is Title VIII on General-Purpose AI (GPAI) models — large foundation models trained on broad data that serve many downstream purposes: language models, image generators, and multimodal systems.

Two Tiers Within GPAI

All GPAI model providers must:

  • Maintain technical documentation
  • Comply with EU copyright law (including transparency about training data)
  • Publish a summary of training content

GPAI models with systemic risk face additional obligations. Systemic risk is presumed when a model is trained using more than 10^25 floating-point operations (FLOPs) — a threshold that currently captures only the most capable frontier models. Providers can also be designated by the Commission on other grounds. For context on why compute scale matters economically, see our guide on AI Inference Costs Explained: Why Running AI Is Expensive.

For models above the threshold, obligations include:

  • Performing model evaluations (including adversarial testing)
  • Assessing and mitigating systemic risks
  • Reporting serious incidents to the AI Office without undue delay
  • Ensuring cybersecurity protections

Energy and environmental reporting are expected to feature in the GPAI codes of practice — see our guide on Data Center Transparency and AI’s Environmental Impact.

The GPAI provisions apply from August 2, 2025 — one year after entry into force. Providers of models released before that date have until August 2, 2027 to comply if the model has been significantly modified or remains actively marketed.


Enforcement, Governance, and Penalties

Who Enforces the Act?

  • European AI Office: Oversees GPAI models, coordinates enforcement across member states, and can conduct its own investigations into frontier models.
  • National Competent Authorities (NCAs): Each member state designates one or more authorities. These agencies supervise high-risk system providers and deployers within their jurisdiction.
  • AI Board: An advisory body of NCA representatives and Commission officials that ensures consistent interpretation and cross-border coordination.

Penalties

The penalty structure is deliberately asymmetric to deter the most serious violations:

Violation                                  Maximum fine
Prohibited practices                       €35 million or 7% of global annual turnover (whichever is higher)
Other non-compliance (high-risk, GPAI)     €15 million or 3% of global annual turnover
Providing incorrect information            €7.5 million or 1.5% of global annual turnover

For SMEs and startups, fines are proportionate to their size. The Commission retains direct enforcement authority over GPAI providers with systemic risk, giving it a tool to act against large model developers without depending on individual member states.


Application Timeline at a Glance

Date                 What applies
August 1, 2024       Act enters into force
February 2, 2025     Prohibited practices banned; AI literacy obligations for staff begin
August 2, 2025       GPAI model rules apply; codes of practice finalized
August 2, 2026       High-risk obligations fully apply; governance bodies operational
August 2, 2027       AI embedded in EU product-safety-regulated products (medical devices, aviation) must comply; GPAI transitional period ends

The Brussels Effect: Global Reach of the AI Act

The EU has a track record — through GDPR, competition law, and product safety rules — of shaping global standards by virtue of market size and regulatory ambition. The AI Act is already producing a “Brussels Effect” in several observable ways.

First, multinationals are building compliance for EU rules globally. Maintaining separate product configurations by jurisdiction is expensive; applying the stricter standard everywhere is cheaper. This was GDPR’s mechanism, and AI Act compliance teams are following the same logic. For more on how large companies are shaping policy, see our guide on Big Tech’s Influence on AI Regulation and Policy.

Second, other jurisdictions are referencing the risk-based framework. The UK, Canada, and numerous US state-level bills have incorporated risk-tiering language that echoes Brussels. Our AI Regulation Tracker 2026 maps the full legislative landscape globally.

Third, the 10^25 FLOP compute threshold has become a de facto reference point in policy conversations well beyond the EU.


What It Means for Builders and Deployers

For AI Developers and Providers

  • Map your systems to the risk tier before launch. Annex II domain categories are the first checkpoint.
  • Technical documentation is a legal artifact. Maintain it throughout the development lifecycle, not as a post-hoc exercise.
  • For GPAI: assess whether training compute crosses the 10^25 FLOP threshold and, if so, begin adversarial testing and incident-reporting infrastructure.
  • Copyright and training data: document data provenance — the Act’s transparency requirements interact with evolving EU copyright litigation.

Cybersecurity obligations apply to all high-risk systems. For a practical framework, see our Enterprise AI Security: The Complete 2026 Guide.

For Enterprise Deployers

  • Conduct fundamental rights impact assessments before deploying any high-risk system.
  • Assign human oversight responsibilities explicitly in contracts with providers.
  • Log and monitor outputs of high-risk systems for drift and unexpected behavior.
  • Liability can attach to deployers, not only providers, when a system is used outside its intended purpose or without adequate oversight.

For Users and Civil Society

Individuals may complain to their national competent authority about non-compliant AI systems. High-risk systems affecting credit, hiring, or benefits must disclose that AI was used and, in some cases, explain the outcome.


Limitations and Open Questions

The AI Act is not a static text. Key elements remain delegated to secondary legislation and industry-developed codes of practice:

  • GPAI codes of practice are being developed by the AI Office with industry and civil society input, with a target of August 2025 finalization.
  • Harmonized technical standards for high-risk systems are being developed by European standards bodies CEN/CENELEC and ETSI.
  • Regulatory sandboxes — supervised real-world testing environments — must be established by member states, with priority access for SMEs and startups.

Enforcement quality will vary by member state, at least initially — NCAs have differing resources and technical capacity, a familiar challenge from GDPR implementation.


Key Takeaways

  • The EU AI Act is the world’s first comprehensive horizontal AI law, applying to any provider or deployer whose systems affect people in the EU.
  • It uses a four-tier risk framework: prohibited practices (banned), high risk (full compliance), limited risk (transparency only), and minimal risk (voluntary codes).
  • Penalties reach up to €35 million or 7% of global annual turnover for the most serious violations.
  • The Act is producing a global Brussels Effect, influencing AI regulation in the UK, Canada, and US state legislatures.
  • Compliance is a lifecycle responsibility for both providers and deployers, not a one-time certification.
  • Secondary legislation, codes of practice, and harmonized standards continue to fill in operational details through 2025–2026.

Last updated: June 2026