EU AI Act — in force since August 2024

The EU AI Act regulates your AI product. Not your company.
The EU AI Act is the world’s first comprehensive binding regulation governing artificial intelligence. It came into force on 1 August 2024 and applies in phases — with prohibited-practice rules already enforceable since February 2025, GPAI obligations since August 2025, and high-risk system requirements landing in August 2026.
Most organisations are approaching EU AI Act compliance at the wrong level. They are auditing their company, their policies, their governance frameworks. The Act is written around the product — the specific AI system you are building, shipping, and deploying. That distinction determines what you actually need to do, what documents you actually need to produce, and what a regulator will actually ask for when they come.
European Compliance Suite provides lawyer-built EU AI Act compliance services for AI product teams, non-EU providers, and organisations navigating the Act’s phased obligations. We assess AI systems at the product level, act as EU Authorised Representative for non-EU providers, and provide the documentation frameworks that hold up when they are tested.
Find out how the EU AI Act applies to your product
A lawyer-built assessment of one AI system — risk classification, Article 5 screen, full obligation map, audit-ready compliance record.
How the AI Act works: One set of rules that already applies to you.

The EU AI Act classifies every AI system into one of four risk tiers. The tier determines your obligations — but Article 5 prohibited practices apply to every system regardless of classification, and they have been enforceable since February 2025.
Prohibited practices — Article 5
Eight categories of AI use that are banned outright across the EU. These include subliminal manipulation, social scoring, real-time biometric identification in public spaces, and emotion recognition in workplaces and educational institutions. Any AI system that touches these categories is non-compliant regardless of its technical sophistication or commercial success. There is no transition period and no exemption for non-EU providers.
High-risk AI systems — Annex III
AI systems used in employment, credit, education, biometrics, critical infrastructure, law enforcement, migration, and administration of justice. High-risk systems face the Act’s most demanding obligations: technical documentation, conformity assessment, EU AI database registration, post-market monitoring, and human oversight requirements. Most obligations apply from 2025, with the critical deadline extended to 2027.
Limited-risk AI systems
AI systems that interact with humans — chatbots, emotion-recognition tools, deepfake generators — must disclose their AI nature to users. Transparency obligations apply from August 2026.
Minimal-risk AI systems
No mandatory obligations under the Act. The majority of AI systems fall here. A documented determination that your system is minimal risk is itself a useful compliance record — particularly for investor and acquirer due diligence.
Who the EU AI Act applies to
The Act applies based on where your AI system is used, not where your company is incorporated. This is the same extraterritorial logic the EU applied to GDPR — and enforcement followed.
| Company type | In scope? | Key obligation triggered |
|---|---|---|
| EU-based AI provider | Yes | Full provider obligations including technical documentation, conformity assessment, registration |
| UK company with EU users | Yes — post-Brexit, treated as third-country provider | Authorised Representative appointment for high-risk systems |
| US company with EU SaaS subscribers | Yes | Authorised Representative appointment for high-risk systems |
| Swiss company with EU enterprise clients | Yes | Authorised Representative appointment for high-risk systems |
| Indian AI exporter with EU deployments | Yes | Authorised Representative appointment for high-risk systems |
| Ukrainian AI company with EU contracts | Yes | Authorised Representative appointment for high-risk systems |
| Canadian company with EU API users | Yes | Authorised Representative appointment for high-risk systems |
| EU-based deployer using third-party AI | Yes | Deployer obligations — fundamental rights impact assessment, human oversight, transparency to users |
| Non-EU deployer whose AI output reaches EU users | Yes — output test applies | Deployer obligations where output is used in the Union |
| Company with zero EU users and no EU commercial activity | No | None — but document this determination |
Making an AI system available free of charge to EU users counts as placing it on the market.
The Authorised Representative requirement
Article 22 of the EU AI Act requires non-EU providers of high-risk AI systems to appoint a named Authorised Representative established inside the EU before placing the system on the EU market. This is not an administrative step to complete once revenues justify it. It is a precondition for compliant market access.
The Authorised Representative is named in your technical documentation and registered in the EU AI database. They are the point of contact for every EU market surveillance authority that has questions about your system. They must maintain a copy of your technical documentation and declaration of conformity. They must cooperate with authorities on request. They must be capable of taking corrective action where required.
A registered address in an EU member state does not satisfy this requirement. A letterbox service cannot maintain technical documentation, cannot respond substantively to a regulatory authority, and cannot take corrective action. An Authorised Representative that exists only on paper leaves a non-EU provider in exactly the same legal exposure as having no representative at all — and it is the kind of non-compliance that surfaces immediately when an authority makes a substantive enquiry.
European Compliance Suite acts as EU Authorised Representative for non-EU AI providers under Article 22. We are a law firm established in the EU, with direct knowledge of your product and the legal standing to respond to EU authorities meaningfully. The appointment is executed within three to five working days of instruction and carries a fixed annual fee with no hourly billing.
The penalty for operating without a compliant AR when one is required reaches €15 million or 3% of global annual turnover. The AR appointment costs €2,400 per year.
What EU AI Act compliance requires in practice
Obligations vary by risk tier and role. These are the requirements that apply most commonly to AI product teams and non-EU providers.
Authorised Representative appointment (Article 22) — non-EU providers of high-risk systems must appoint a named EU-established AR before placing the system on the market.
Article 5 prohibited-practice screen — every AI system must be assessed against the eight prohibited-practice categories before deployment. This is not optional and applies regardless of risk tier, company size, or establishment.
Risk classification — every AI system must be classified against the Act’s four-tier framework. Classification determines every subsequent obligation. An incorrect classification — particularly assuming minimal risk without systematic assessment — is the most common and most consequential EU AI Act compliance error.
Role determination — every organisation interacting with an AI system must establish whether it is a provider, deployer, importer, distributor, or combination. The role determines which obligations apply and where accountability sits. Many organisations are providers and deployers simultaneously for different systems.
Technical documentation (Annex IV) — high-risk providers must produce and maintain a technical file covering system design, development methodology, training data, performance metrics, risk management, and post-market monitoring. This is the document a notified body or market surveillance authority will examine first.
Conformity assessment — high-risk systems must undergo conformity assessment before being placed on the market. Most systems can self-certify; some require assessment by an EU-recognised notified body. The assessment must be documented and updated when the system changes materially.
EU AI database registration — high-risk systems must be registered in the EU’s public AI database before market placement. Non-EU providers register through their Authorised Representative.
EU declaration of conformity — providers of high-risk systems must issue a written declaration that the system meets all applicable requirements. This is a legal act — issuing one without the underlying evidence is itself a violation.
Post-market monitoring (Article 72) — high-risk providers must maintain a post-market monitoring system that actively collects and analyses data on system performance after deployment. This is ongoing — not a one-time exercise.
Serious incident reporting (Article 73) — providers and deployers must report serious incidents to national market surveillance authorities. Serious incidents include deaths, serious injuries, and significant disruptions to critical infrastructure.
Human oversight (Article 14) — high-risk systems must be designed to enable human monitoring, intervention, and override. This is a design requirement — it must be built into the system, not added as a policy after the fact.
Transparency to users (Article 13) — deployers and users of high-risk systems must receive sufficient information about the system’s capabilities, limitations, and oversight requirements to use it responsibly.
One engagement. Every EU AI Act obligation mapped.
A lawyer-built EU AI Act product assessment covering risk classification, Article 5 screen, full obligation map, role determination, gap analysis, and audit-ready compliance record — for one AI system, at a fixed price.
| Product | What it covers | Price |
|---|---|---|
| EU AI Act Product Assessment | Risk classification, Article 5 screen, obligation map, role determination, Living Compliance File™ | €1,250 |
| Cross-Framework AI Product Assessment | EU AI Act plus GDPR, CRA, and every other regime that applies — mapped together | €4,950 |
| EU AI Act Authorised Representative | Named EU lawyer on your documentation, authority correspondence, annual review | €2,400/year |
| EU AI Act Compliance Template Pack | Annex IV template, risk register, FRIA, data governance checklist, transparency disclosures | €499 |
Frequently Asked Questions About the EU AI Act
What is the EU AI Act?
The EU AI Act is the world’s first comprehensive binding regulation governing artificial intelligence. It was adopted by the European Parliament in March 2024, entered into force on 1 August 2024, and applies in phases through to 2027. It classifies AI systems into four risk tiers — prohibited, high-risk, limited-risk, and minimal-risk — and imposes obligations on providers, deployers, importers, and distributors based on the risk tier and role. It applies extraterritorially — reaching any AI system used in the EU regardless of where the provider is established.
When does the EU AI Act apply? What are the key dates?
Article 5 prohibited-practice prohibitions have applied since 13 February 2025. GPAI model obligations have applied since 2 August 2025. High-risk system obligations — including technical documentation, conformity assessment, EU AI database registration, and the Authorised Representative requirement — apply from 2 August 2026. High-risk AI systems covered by existing EU product safety legislation have until 2 August 2027. There is no grace period for prohibited practices, and no exemption for non-EU providers on any timeline.
Does the EU AI Act apply to my company if we are based outside the EU?
Yes, if your AI system’s output reaches EU users. The Act applies to providers placing AI systems on the EU market and to deployers using AI systems within the Union, regardless of where those providers or deployers are established. This extraterritorial scope applies equally to UK companies post-Brexit, US companies, Swiss companies, Indian companies, Ukrainian companies, and any other non-EU provider. The Act follows the product, not the company’s address.
What is the difference between a provider and a deployer under the EU AI Act?
A provider develops an AI system or has one developed and places it on the market under its own name. A deployer uses an AI system under its own authority in a professional context. The distinction matters because provider and deployer obligations differ significantly — providers bear the primary technical, documentation, and conformity assessment burden; deployers bear human oversight, fundamental rights impact assessment, and transparency obligations. Many organisations are both simultaneously for different systems.
How do I know if my AI system is high-risk under the EU AI Act?
What is an EU AI Act Authorised Representative?
An Authorised Representative under Article 22 is a lawyer or firm established in an EU member state, appointed by a non-EU provider to act as their legal point of contact for EU regulatory authorities. The AR is named in the provider’s technical documentation and EU AI database registration. They receive authority correspondence, maintain a copy of technical documentation, and cooperate with market surveillance authorities on request. The appointment is a legal precondition for non-EU providers of high-risk AI systems placing systems on the EU market.
What is the difference between the EU AI Act and GDPR?
GDPR governs the processing of personal data — it applies when your organisation handles information about identifiable individuals. The EU AI Act governs the AI system itself — its risk classification, technical documentation, transparency, human oversight, and conformity assessment obligations. The two regimes overlap significantly for AI products that process personal data, but they are distinct laws with distinct obligations, distinct regulators, and distinct enforcement mechanisms. Compliance with GDPR does not satisfy EU AI Act obligations, and vice versa.
What are the EU AI Act fines for non-compliance?
Fines are tiered by violation type. Prohibited-practice violations under Article 5 carry fines of up to €35 million or 7% of global annual turnover, whichever is higher. Other high-risk system violations carry fines of up to €15 million or 3% of global annual turnover. Providing incorrect or misleading information to authorities carries fines of up to €7.5 million or 1% of global annual turnover. These apply to non-EU companies and are enforced through national market surveillance authorities and, for GPAI providers, the EU AI Office directly.
What is a general-purpose AI model under the EU AI Act?
A general-purpose AI model is an AI model trained on large amounts of data, capable of performing a wide range of tasks, and made available to other providers to integrate into their own systems. Large language models, foundation models, and multimodal models typically qualify. GPAI providers face transparency, copyright compliance, and technical documentation obligations. Those whose models are identified as presenting systemic risk face additional safety testing, adversarial testing, and incident reporting requirements. GPAI obligations have applied since August 2025.
How does the EU AI Act interact with the Cyber Resilience Act?
The Cyber Resilience Act applies to products with digital elements — software and hardware products connected to networks or other devices. Most AI systems delivered as software products are in scope of both the AI Act and the CRA simultaneously. The CRA imposes security-by-design obligations, vulnerability handling requirements, and incident reporting duties that sit alongside and sometimes overlap with the AI Act’s technical robustness and post-market monitoring requirements. A cross-framework assessment maps where one piece of evidence satisfies both regimes and where they pull in different directions.
How do I start EU AI Act compliance for my AI product?
Four steps in order. First, screen your product against Article 5 prohibited practices — this is the highest-stakes determination and it applies now. Second, determine your risk classification against Annex III. Third, establish your role — provider, deployer, or both. Fourth, if you are a non-EU provider of a high-risk system, appoint an EU Authorised Representative before August 2026. Everything else — technical documentation, conformity assessment, registration — flows from your classification and role. A lawyer-built product assessment covers all four steps in a single engagement and delivers an audit-ready compliance record you can act on immediately.
