EU AI Act: Risk Categories, Obligations, and Timeline for Businesses
The EU AI Act is the European Union's first binding legal framework for regulating Artificial Intelligence. It applies not only to companies based in the EU but to any organization that offers, sells, or uses AI products within the EU. The law follows a risk-based approach: obligations are determined by the classification of the respective AI application – ranging from complete prohibitions to minimal transparency requirements.
What is the EU AI Act?
The EU AI Act is an EU-wide legal framework that regulates the development and use of AI systems. Its goal is to ensure an adequate level of protection for safety and fundamental rights, as well as greater legal and planning certainty for organizations. The law became binding on August 1, 2024, and its provisions take effect in several stages, with full application by 2027.
How Does the EU AI Act Work?
The core principle is the classification of AI applications into four risk categories. Different requirements apply depending on the category:
- Unacceptable Risk: These applications are completely prohibited. They include systems for cognitive behavioral manipulation, social scoring systems that classify individuals based on behavior or socioeconomic status, and real-time biometric identification in public spaces, such as facial recognition.
- High Risk: AI systems that can affect safety or fundamental rights. This includes, on the one hand, systems in products covered by EU product safety regulations – for example, toys, aviation, medical devices, or elevators. On the other hand, it includes systems in sectors such as education, law enforcement, or critical infrastructure, which must be registered in an EU database.
- Limited Risk: Transparency obligations are paramount here. An example is an AI assistant such as ChatGPT. Providers must disclose that content is AI-generated, ensure that no illegal content is produced, and publish summaries of copyrighted training data.
- Minimal or No Risk: This category covers most AI systems. No further legal obligations apply to them.
Who is Affected?
The scope of application is deliberately broad. It covers organizations that place AI products on the market in the EU, as well as users of AI products and services within the EU. Companies outside the EU are also subject to the Act if their AI output is intended for use in the EU.
Timeline: Phased Entry into Force
The EU AI Act will not enter into force all at once, but gradually:
- August 1, 2024: Legal framework becomes binding.
- February 2, 2025: Prohibitions for certain AI systems and requirements for AI literacy take effect.
- August 2, 2025: Rules for GPAI models (General Purpose AI), governance, confidentiality, and sanction mechanisms enter into force.
- August 2, 2026: The majority of the remaining provisions apply.
- August 2, 2027: All systems without exception must comply with the requirements of the AI Act.
Penalties
Violations can result in significant fines. Breaches of prohibitions can be penalized with up to EUR 35 million or 7% of the worldwide annual turnover – whichever amount is higher. For other provisions, fines of up to EUR 15 million or 3% of the annual turnover apply. Anyone providing incomplete, false, or misleading information to competent authorities risks fines of up to EUR 7.5 million or 1% of the worldwide annual turnover.
Practical Examples and Use Cases
In practice, the EU AI Act has concrete consequences for various business areas. For example, an AI-powered application screening system can be classified as a High-Risk system if it plays a decisive role in selecting candidates. A customer service chatbot often falls into the Limited Risk category, as transparency obligations are paramount here. AI systems in medical diagnostic applications or aviation can also be considered High Risk because they directly affect safety and fundamental rights. In contrast, many internal automation tools, such as those for text summarization or simple data classification without significant impact on individuals, are often categorized as Minimal or No Risk.
Conclusion
The EU AI Act obliges companies to systematically classify their AI systems according to risk categories and derive specific compliance measures from this. This classification determines the full scope of obligations – from development and market placement to usage. Given the staggered timeline and high penalties, affected organizations should assess the classification of their AI applications early.