Skip to main content

EU AI Act

Summary

The EU AI Act is a risk-based regulatory framework for AI systems placed on the EU market or used in the EU. For enterprise teams, the practical work is to classify AI use cases, identify provider and deployer obligations, prove required controls, and keep evidence current as systems change.

As of May 2026, key obligations are already active: prohibited AI practices and AI literacy obligations have applied since 2 February 2025, and governance plus general-purpose AI model obligations have applied since 2 August 2025. Most remaining rules apply from 2 August 2026, with longer transition periods for some high-risk systems embedded in regulated products.

Why This Matters

  • AI Act readiness affects product launch, vendor selection, model usage, and operating risk.
  • Generative AI programs need evidence of classification, transparency, human oversight, and monitoring.
  • A shared enterprise playbook prevents every product team from interpreting the regulation in isolation.

Core Concepts

  • Risk classification: prohibited, high-risk, limited-risk transparency obligations, general-purpose AI, and lower-risk systems.
  • Role clarity: provider, deployer, importer, distributor, product manufacturer, and affected person.
  • AI literacy: teams using or operating AI need role-appropriate training and awareness.
  • Transparency: users may need clear notice when interacting with AI or AI-generated content.
  • Evidence: maintain technical documentation, logs, risk assessments, incident records, and human oversight decisions.

Use the flow below to sequence EU AI Act readiness before implementation starts.

Diagram

Implementation Steps

  1. Build an intake process that records purpose, users, geography, data categories, model source, and business impact.
  2. Classify each system by AI Act risk category and enterprise role.
  3. Map obligations to concrete controls such as transparency notices, human oversight, logging, data governance, model evaluation, and incident response.
  4. Require release evidence before production deployment for systems with material regulatory impact.
  5. Reassess classification and evidence when the model, workflow, geography, or user population changes.

Enterprise Control Pack

  • Use-case register with owner, role, risk class, and review date.
  • Vendor and model register with contractual obligations and documentation links.
  • AI literacy plan mapped to product, engineering, support, risk, and leadership roles.
  • Transparency and user notice templates for assistants, synthetic content, and decision support.
  • Incident reporting workflow with severity levels, escalation owners, and evidence retention.

Realistic Example

A bank planned to launch an employee copilot and a credit decision support workflow. The employee copilot required transparency notices, AI literacy, monitoring, and baseline logging. The credit workflow required deeper risk classification, human oversight, data quality controls, explainability, and release evidence. Treating both systems differently avoided over-governing low-risk productivity work while keeping high-impact decisions under stricter control.

Senior Tech vs Dev Conversation

Senior Tech: What is the first failure mode for EU AI Act? Dev: Teams treat classification as a legal memo instead of a delivery control. Senior Tech: What prevents that? Dev: A use-case register, release gates, and runtime evidence tied to each obligation.

UX/UI Checklist

  • Show when a user is interacting with AI where transparency obligations apply.
  • Present human review decisions clearly for high-impact workflows.
  • Keep escalation paths visible when confidence, policy, or safety thresholds are breached.
  • Make evidence exportable for legal, risk, audit, and supervisory review.

Common Pitfalls

  • Assuming every AI use case has the same regulatory profile.
  • Forgetting that deployers can have obligations even when a vendor provides the model.
  • Launching pilots without a durable evidence trail.
  • Treating AI Act readiness separately from privacy, cybersecurity, procurement, and model governance.

References and Next Steps