The EU AI Act, explained without the legalese
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive law governing artificial intelligence. It came into force on 1 August 2024 and sorts AI systems into four risk classes — from banned practices to high-risk applications with strict obligations, all the way down to systems with minimal requirements. The more risk a system carries, the more rules apply.
If you use or build AI in your company, the EU AI Act now sets the ground rules — and it applies across the entire EU. The good news: it doesn't treat every chatbot like a self-driving car. Instead, it follows a risk-based approach, so most everyday applications carry few or no extra obligations. The work concentrates where it matters: systems that can affect people's rights, safety, or livelihoods.
The obligations don't all land at once. They phase in between 2025 and 2027, which gives you time to figure out where your AI fits in and what you actually need to do. The catch is that the heavy hitters — the rules for high-risk AI — take real effort to implement, so "we'll deal with it later" is a risky plan.
On this page we walk you through the timeline, the four risk classes, and concrete to-dos — separately for companies that use AI and for those that develop or offer it. This is meant to give you orientation and a starting point, not a substitute for legal advice.
Timeline & deadlines
As of: June 2026
- 1 August 2024 in force
Regulation enters into force
Regulation (EU) 2024/1689 — the EU AI Act — officially takes effect. The obligations themselves phase in over the following years, giving companies time to prepare.
- 2 February 2025 in force
Bans and AI literacy
AI practices with unacceptable risk are now prohibited. At the same time, the duty to ensure AI literacy kicks in: staff who work with AI need a basic understanding of it.
- 2 August 2025 in force
General-purpose AI and governance
Obligations for general-purpose AI models (GPAI) apply, the governance structure and national authorities go live, and the rules on penalties become applicable.
- 2 August 2026 upcoming
The bulk of the obligations
Most of the rules now apply — above all the strict requirements for high-risk AI systems listed in Annex III, such as HR and recruitment, creditworthiness checks, and critical infrastructure.
- 2 August 2027 upcoming
High-risk AI in regulated products
The rules extend to high-risk AI used as a safety component in products that are already regulated under existing EU law (Annex I).
The four risk classes
Banned practices
Some uses of AI are off the table entirely because they pose an unacceptable risk to people's rights. They have been prohibited across the EU since February 2025.
e.g. Social scoring by public authorities, manipulative or exploitative systems, untargeted scraping of facial images, emotion recognition in the workplace and in education, and certain real-time remote biometric identification in public spaces.
High-risk AI
Allowed, but only under strict conditions: risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy, robustness, cybersecurity — and a conformity assessment before going to market.
e.g. Biometrics, critical infrastructure, education and vocational training, employment and recruitment (HR), access to essential services such as creditworthiness checks, law enforcement, migration and asylum, and the justice system.
Transparency obligations
Lower-risk systems come with a simple rule: people should know when they're dealing with AI, not a human. AI-generated or manipulated content has to be labelled.
e.g. Chatbots and voice assistants that interact with people, plus deepfakes and synthetic text or images that need to be clearly marked as AI-generated.
Minimal risk
The vast majority of AI applications fall here. They carry no special obligations under the AI Act — you can use and build them freely.
e.g. Spam filters, AI in video games, recommendation features, and most everyday productivity and automation tools.
Four short questions for a solid first classification of your AI project under the EU AI Act.
Are you using or planning AI for something that could be prohibited? (e.g. social scoring, emotion recognition at work, untargeted face scraping, manipulative systems)
Rough orientation – does not replace a legal review.
If you use AI (deployer)
Most companies fall into this group: you buy or subscribe to AI tools and put them to work, rather than building the models yourself. Your obligations are lighter than a provider's, but they're not zero — especially if a tool ends up in a high-risk area like HR or credit decisions. Here's where to start.
- Build an inventory: list which AI tools you actually use, who uses them, and for what. You can't classify risk on systems you don't know about.
- Sort each use case into a risk class. Pay special attention to anything touching hiring, performance reviews, access to services, or biometrics — that's where high-risk rules and bans live.
- Make sure your people have basic AI literacy. Since February 2025, staff working with AI need a working understanding of what these systems can and can't do.
- For high-risk systems, ensure genuine human oversight — a person who can understand, check, and override the AI's output, not just rubber-stamp it.
- Follow the provider's instructions for use and keep the required logs. As a deployer you're responsible for operating the system the way it was designed to be operated.
- Be transparent with the people affected: tell users when they're interacting with a chatbot, and label AI-generated or manipulated content.
- Check the data you feed in. Even as a user, you're responsible for not running prohibited use cases — and for respecting GDPR alongside the AI Act.
If you develop or offer AI (provider)
If you build AI systems, train models, or put your name on an AI product placed on the EU market, you carry the heaviest set of obligations — particularly for high-risk systems. The work is substantial, so it pays to bake compliance into your development process early rather than bolting it on at the end.
- Classify your system honestly and early. If it lands in the high-risk category under Annex III, plan for the full obligation set from the start of development.
- Set up a risk management system that runs across the entire lifecycle — identify, assess, and mitigate risks continuously, not just once at launch.
- Get your data governance in order: training, validation, and test data need to be relevant, representative, and as free of errors and bias as feasible.
- Produce the technical documentation and build in logging, so the system's behaviour can be traced and audited throughout its operation.
- Design for human oversight, accuracy, robustness, and cybersecurity — and document how you achieve each of these.
- Run the required conformity assessment before placing a high-risk system on the market, and keep it conformant after launch.
- If you offer a general-purpose AI model (GPAI), prepare for the specific GPAI obligations that have applied since August 2025, including technical documentation and transparency about training data.
Checklist: what to watch out for
- Do you have a complete inventory of every AI system you use or build?
- Have you assigned each system to a risk class — unacceptable, high, limited, or minimal?
- Are you sure none of your use cases fall under the banned practices?
- Have your employees who work with AI received basic AI literacy training?
- For limited-risk systems: do you clearly tell people when they're talking to a chatbot or seeing AI-generated content?
- For high-risk systems: is real human oversight in place — someone who can check and override the AI?
- Do you know your role for each system — are you the provider, the deployer, an importer, or a distributor?
- For providers of high-risk AI: is the risk management, documentation, and conformity assessment underway?
- Have you mapped the deadlines (Feb 2025, Aug 2025, Aug 2026, Aug 2027) against your own systems?
- Are you handling the AI Act and GDPR together rather than as two separate projects?
Frequently asked questions about the EU AI Act
What is the EU AI Act?
The EU AI Act is Regulation (EU) 2024/1689, the world's first comprehensive law for artificial intelligence. It came into force on 1 August 2024 and uses a risk-based approach: AI systems are sorted into four risk classes, and the obligations grow with the level of risk a system poses to people's rights and safety.
When does the EU AI Act apply?
The EU AI Act applies in stages. The bans on unacceptable AI practices and the AI literacy duty have applied since 2 February 2025. Obligations for general-purpose AI and the governance structure followed on 2 August 2025. The bulk of the rules — especially for high-risk AI under Annex III — apply from 2 August 2026, and high-risk AI in already-regulated products follows on 2 August 2027.
What are the four risk classes?
The EU AI Act defines four risk classes. Unacceptable risk means the practice is banned. High risk means strict obligations like risk management, documentation, human oversight, and a conformity assessment. Limited risk means transparency obligations, such as telling people they're dealing with AI. Minimal risk, where most applications sit, comes with no special requirements.
Which AI practices are banned?
AI practices with unacceptable risk have been prohibited across the EU since February 2025. These include social scoring by public authorities, manipulative or exploitative systems, untargeted scraping of facial images, emotion recognition in the workplace and in education, and certain real-time remote biometric identification in public spaces.
Does the EU AI Act apply to my company if we only use AI tools?
Yes, the EU AI Act can apply to you even if you only use AI rather than build it. As a deployer you have obligations — for example ensuring AI literacy among staff, providing human oversight for high-risk systems, being transparent with affected people, and never running a prohibited use case. Your duties are lighter than a provider's, but they're real, especially in sensitive areas like HR or creditworthiness checks.
What's the difference between a provider and a deployer?
A provider develops an AI system or model, or places it on the EU market under their own name, and carries the heaviest obligations — particularly for high-risk systems. A deployer (also called an operator or user) puts an existing AI system to use in their own operations and has a lighter but still meaningful set of duties. Importers and distributors have their own roles as well.
What are the penalties for breaking the EU AI Act?
Penalties under the EU AI Act are tiered. The most serious — using a prohibited AI practice — can cost up to 35 million euros or 7% of total worldwide annual turnover, whichever is higher. Other violations are subject to lower, graduated fines depending on the type of breach.
What is AI literacy and who needs it?
AI literacy means a basic, working understanding of how AI systems behave — their capabilities, their limits, and the risks they bring. Since 2 February 2025, companies have to make sure that staff who work with AI have this competence. It doesn't require everyone to become a data scientist; it's about people understanding enough to use AI responsibly.
Not sure where your AI fits in?
As a Munich agency for web development and AI integration, we help you map your AI systems, sort them into the right risk classes, and build solutions that hold up — technically and in terms of compliance. Reach out at info@rocket-monkeys.com for a no-pressure intro call.