EU AI Law

The EU AI Act: A Landmark Regulatory Framework

The EU AI Act (Regulation 2024/1689) represents the world’s first comprehensive horizontal regulation of artificial intelligence, establishing a unified legal framework across all 27 member states. Adopted after intensive trilogue negotiations in December 2023 and published in the Official Journal in August 2024, the Act follows a risk-based approach that categorises AI systems into four tiers: unacceptable risk, high risk, limited risk, and minimal risk. The graduated framework imposes obligations proportionate to the level of risk an AI system presents to health, safety, and fundamental rights.

The Act applies extraterritorially, covering providers and deployers established outside the EU where the output of the AI system is used in the Union. Enforcement is phased, with prohibitions on unacceptable-risk systems taking effect six months after entry into force, general-purpose AI rules taking effect after twelve months, and high-risk obligations applying over a twenty-four-to-thirty-six-month transition period.

Risk Classification and Prohibited Practices

Unacceptable risk AI systems are prohibited outright. The Act bans: (1) AI systems that deploy subliminal or manipulative techniques causing harm; (2) AI systems that exploit vulnerabilities due to age, disability, or socioeconomic circumstance; (3) social scoring by public or private actors; (4) real-time remote biometric identification in publicly accessible spaces for law enforcement, subject to narrow exceptions for specific serious crimes with judicial authorisation; (5) predictive policing based solely on profiling; (6) emotion recognition in workplaces and educational institutions; (7) untargeted scraping of facial images from the internet or CCTV footage to build facial recognition databases; and (8) AI systems that categorise individuals based on biometric data to infer race, political opinion, or other protected characteristics.

High-Risk AI Systems

AI systems classified as high risk include those used as safety components of regulated products (machinery, medical devices, toys, aviation) and standalone AI systems deployed in critical areas including employment, education, credit scoring, access to essential services, law enforcement, migration and border control, and administration of justice. High-risk systems must comply with obligations across the system lifecycle: establishing a risk management system; maintaining high-quality, representative training data; creating technical documentation; designing for transparency and human oversight; achieving accuracy and robustness; and undergoing conformity assessment.

Providers of high-risk AI systems must implement a quality management system, register their systems in the EU database, and conduct post-market monitoring. For most high-risk systems, conformity assessment is self-declared; for systems used as safety components of regulated products, third-party assessment by a notified body is required.

Governance: AI Board and AI Office

The Act establishes a two-tier governance structure. The European AI Board, composed of member state representatives, ensures consistent application of the Act across the Union, issues opinions and recommendations, and facilitates cooperation among national market surveillance authorities. The AI Office, established within the European Commission, oversees the regulation of general-purpose AI models, coordinates enforcement, and maintains the EU AI database. The AI Office has direct supervisory powers over providers of general-purpose AI models, including the authority to conduct evaluations, request information, and impose fines.

General-Purpose AI and the Code of Practice

General-purpose AI models—those trained on large-scale data and capable of performing a wide range of tasks—are subject to additional obligations. Providers of such models must maintain technical documentation, comply with copyright-related transparency requirements, and publish a summary of training data. Models that pose systemic risk, determined by a quantitative threshold (cumulative compute exceeding 10²⁵ FLOPs) or Commission designation, face enhanced obligations including model evaluation, adversarial testing, incident reporting, and cybersecurity protections.

The Code of Practice on General-Purpose AI, adopted in 2025, translates statutory obligations into specific commitments covering transparency, risk mitigation, and governance. The Code serves as a template for compliance that may become presumptively valid through a standards harmonisation process coordinated by the European Committee for Standardization (CEN/CENELEC).

AI Liability and Product Liability

The AI Liability Directive (proposal 2022/0303) addresses the particular difficulty of proving fault in AI-caused harm. The Directive introduces a presumption of causality where the defendant’s non-compliance with legal obligations (including the AI Act) contributed to the harm and where the claimant shows it was disproportionately difficult to prove causation. The Directive applies to non-material harm caused by AI systems and complements the amended Product Liability Directive, which extends strict liability to AI systems, treating software updates, digital training data, and autonomous post-market learning as relevant factors in determining defectiveness.

A defendant may avoid liability by showing that the harm was caused by the AI system’s behaviour after it was placed on the market, provided the defendant maintained adequate post-market monitoring. This development risk defence is more restrictive than the general product liability defence, reflecting the distinctive characteristics of AI.

Fundamental Rights Impact Assessments

The AI Act requires deployers of high-risk AI systems that are public bodies or that provide public services to conduct a fundamental rights impact assessment (FRIA) before deployment. The FRIA must assess the system’s impact on fundamental rights protected by the EU Charter, identify risks, and describe mitigation measures. Article 27 of the Act specifies the mandatory content of the FRIA. The Commission has issued guidance on FRIA methodology, and the Fundamental Rights Agency has published practical templates.

Standards and Harmonisation

The Act relies heavily on harmonised standards developed by CEN and CENELEC to provide presumptions of conformity. The European Commission issued standardisation requests to CEN/CENELEC covering risk management, data governance, transparency, human oversight, accuracy, and robustness. The standards development process has been closely watched, as compliance with harmonised standards provides a safe harbour for conformity assessment. Where standards are insufficient or unavailable, the Commission may adopt common specifications.

International Cooperation: EU-US Trade and Technology Council

The EU has pursued international AI governance alignment through the EU-US Trade and Technology Council (TTC), which established dedicated working groups on AI standards, risk management, and research cooperation. The TTC’s AI Roadmap has produced joint mapping of risk management approaches, shared terminology, and pilot projects on AI for public health and climate. The EU has also contributed to the Council of Europe Framework Convention on Artificial Intelligence, Human Rights, Democracy, and the Rule of Law, which creates binding international obligations for states that ratify it.

Relationship with Existing EU Law

The AI Act operates alongside and complements existing EU legal instruments. The General Data Protection Regulation continues to apply to AI processing of personal data, with the AI Act providing additional requirements for high-risk systems. The Digital Services Act imposes separate algorithmic transparency obligations on very large online platforms, and the Digital Markets Act regulates gatekeeper platforms’ use of AI. The sectoral legislation for medical devices, machinery, and motor vehicles has been amended to incorporate AI-specific requirements.

Outlook

The EU AI Act establishes a comprehensive regulatory baseline that is likely to influence global AI governance. Its risk-based classification, conformity assessment procedures, and governance structure create a detailed compliance framework that will be elaborated through standards, delegated acts, and enforcement practice over the coming years. The Act’s extraterritorial reach and market-access leverage give it a Brussels-effect dynamic comparable to the GDPR’s global influence.