Introduction
The EU AI Act is a binding EU regulation that establishes risk-based rules for artificial intelligence systems. It classifies AI by the harm it could cause, imposing strict obligations on high-risk systems while prohibiting the most dangerous uses outright. The regulation applies to any organization that places AI on the EU market or puts it into service within it, regardless of where that organization is headquartered.
Key Takeaways
- The EU AI Act is a binding regulation that introduces a risk-based framework for governing AI systems, applying to any organization placing AI on the EU market or using it within the EU.
- It classifies AI systems into four risk tiers, each with different obligations, ranging from outright bans to minimal or no regulatory requirements.
- Certain AI practices are prohibited entirely due to their potential harm to fundamental rights, with no pathway to compliance.
- High-risk AI systems are allowed but subject to strict requirements, including risk management, data governance, human oversight, and conformity assessments.
- The Act follows a phased implementation timeline, with key obligations already in force and major compliance requirements rolling out through 2026 and beyond.
- Compared to global AI regulations, the EU AI Act stands out for its comprehensive, enforceable, and cross-sector approach.
- Classifying AI systems correctly requires a structured process, including inventorying systems, assessing use cases, applying risk criteria, and mapping obligations.
- Compliance is an ongoing effort, requiring governance structures, monitoring processes, and clear accountability across providers, deployers, and other stakeholders.
- Organizations face key challenges such as building a complete AI inventory, managing overlapping regulations like GDPR and DORA, and addressing third-party AI risks.
- GRC platforms support compliance by enabling AI system tracking, policy mapping, and centralized evidence management for audits and conformity assessments.
- MetricStream’s platform helps organizations integrate AI governance into existing GRC frameworks, supporting continuous compliance and reducing operational complexity.
What Is the EU AI Act?
The EU AI Act, formally adopted as Regulation (EU) 2024/1689, marks a major milestone in AI regulation as the world’s first broad legal framework governing artificial intelligence across industries. Published in the Official Journal of the European Union in July 2024 and effective from 1 August 2024, it introduces a phased implementation model that is already influencing how organizations manage AI risk, development, and oversight.
The Act was designed to address risks that existing EU law was not equipped to handle systematically. Rather than targeting AI by industry or use case in isolation, it takes a horizontal approach, applying across sectors from healthcare and finance to law enforcement and education. Its geographic reach extends well beyond EU borders. Any provider placing an AI system on the EU market, any deployer operating within the EU, and any provider or deployer in a third country whose AI output is used inside the EU fall within its scope. The scale of compliance engagement reflects that reach: by December 2025, more than 230 organizations had signed formal compliance pledges under the EU AI Pact, with more than 3,000 having expressed interest, a signal of how broadly the Act's obligations are being taken seriously across global operations.
The Four Risk Categories Explained
The EU AI Act operates on a risk-based classification model. Every AI system in scope must be assigned to one of the four tiers, each carrying different obligations. The tier that applies to a given system is determined by its intended purpose, deployment context, and the potential severity of harm it could cause to health, safety, or fundamental rights. Here is a brief breakdown of the four categories:
- Unacceptable Risk covers AI practices so harmful to fundamental rights, public safety, and democratic values that the Act prohibits them entirely. These systems are banned from the EU market with no compliance pathway.
- High Risk applies to AI systems that pose significant threats to health, safety, or fundamental rights in defined contexts. These systems may be placed on the market and used, but only after meeting substantial pre-market and ongoing compliance requirements.
- Limited Risk (also described as transparency risk in the Act's regulatory logic) refers to systems that are not considered inherently dangerous but create an information asymmetry between the system and the person interacting with it. Disclosure and labeling obligations apply rather than substantive restrictions.
- Minimal or No Risk covers the majority of commercially deployed AI systems, from spam filters to product recommendation engines. The Act imposes no specific obligations on these systems, though providers and deployers may voluntarily adopt codes of conduct.
The following table summarizes each tier with representative examples and the obligations each triggers:
| Risk Tier | Representative Examples | Key Obligations |
|---|---|---|
| Unacceptable | Government social scoring; real-time biometric surveillance in public spaces; manipulative AI | Prohibited; no compliance pathway |
| High | Credit scoring tools; CV screening systems; medical device AI; critical infrastructure AI; law enforcement risk assessment | Risk management system; technical documentation; data governance; conformity assessment; EU database registration; human oversight |
| Limited | Chatbots; deepfake generators; emotion recognition in permitted contexts | Disclosure to users; labeling of AI-generated content |
| Minimal / No risk | Spam filters; AI-powered search ranking; product recommendations | No specific obligations; voluntary codes of conduct encouraged |
What AI Systems Are Prohibited Under the EU AI Act?
The prohibitions under Article 5 of the EU AI Act have been in force since 2 February 2025. Organizations that have not assessed their AI systems against these provisions may face immediate regulatory exposure. These rules target AI practices considered to pose an unacceptable risk to fundamental rights; such practices are banned outright.
The following practices are prohibited:
- Manipulative or deceptive AI systems that deploy subliminal techniques or otherwise distort an individual’s behaviour in ways that impair informed decision-making and are likely to cause harm
- AI systems that exploit vulnerabilities related to age, disability, or socio-economic circumstances, where such exploitation materially influences behaviour and results in harm
- Social scoring systems that evaluate or classify individuals based on behaviour or personal characteristics, leading to unjustified or disproportionate treatment, particularly in public sector contexts
- AI systems used to predict criminal behaviour based solely on profiling, personality traits, or other non-objective characteristics, without a verifiable factual basis
- Untargeted scraping of facial images from the internet or CCTV footage to create or expand facial recognition databases
- Emotion recognition systems used in workplace or educational settings, except where strictly necessary for medical or safety reasons
- Biometric categorisation systems that infer sensitive attributes such as race, religion, political opinions, or sexual orientation
- Real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, except in narrowly defined situations such as preventing imminent threats, locating victims, or investigating serious crimes
High-Risk AI: What Qualifies and What's Required
A system qualifies as high-risk under one of two conditions. It may be a safety component of a product regulated under EU harmonization legislation, such as medical devices, machinery, or aviation equipment, or it may itself be such a regulated product. Alternatively, it may fall within one of the standalone use cases enumerated in Annex III of the Act. The Annex III categories that compliance teams must map against their AI inventory include the following:
- Biometric categorization systems and remote identification beyond prohibited uses
- AI used to manage or operate critical infrastructure, including energy, transport, water, and digital infrastructure
- AI used in educational or vocational training contexts that determines or substantially influences access to education or evaluates students
- Employment and HR tools, including CV screening, recruitment selection systems, promotion decisions, and performance monitoring
- Essential services and benefits, including creditworthiness assessment, life and health insurance risk scoring, and emergency dispatch prioritization
- Law enforcement applications, including individual risk assessment, polygraph tools, crime analytics, and evidence reliability evaluation
- Migration, asylum, and border management tools, including traveler risk profiling
- AI used in the administration of justice and democratic processes
Once a system is classified as high-risk, the following requirements apply.
Risk management system: Providers must establish, implement, document, and maintain a risk management system covering the AI system's entire lifecycle. This is an ongoing obligation, not a one-time pre-launch assessment. It requires iterative testing, residual risk evaluation, and post-market monitoring at regular intervals.
Technical documentation: Before placing a high-risk system on the market, providers must prepare documentation demonstrating that the system meets the Act's requirements. This documentation must remain current throughout the system's operational life and must be made available to national competent authorities on request.
Data governance: Training, validation, and testing datasets must meet defined quality criteria. Providers must document data provenance, preparation methodologies, and known limitations, and must implement practices to identify and address biases that could affect the system's output in harmful ways.
Human oversight: High-risk systems must be designed so that natural persons can effectively monitor, intervene in, and override the system's outputs. This is a technical requirement, covering interpretability of outputs, the ability to interrupt the system, and meaningful operator control.
Conformity assessment: Most Annex III high-risk systems require a conformity assessment before market entry, typically completed as a structured self-assessment with documented evidence. Systems that are safety components in Annex I regulated products may require assessment by a notified body.
EU AI Act Timeline and Key Compliance Dates
| Date | Milestone |
|---|---|
| 12 July 2024 | Regulation (EU) 2024/1689 published in the EU Official Journal |
| 1 August 2024 | Act enters into force; all compliance timelines begin |
| 2 February 2025 | Prohibited AI practices (Article 5) and AI literacy obligations (Article 4) apply |
| 2 August 2025 | GPAI model obligations apply; penalty regime in force; AI Office officially operational; national competent authorities must be designated |
| 2 August 2026 | Majority of the remaining provisions apply, including Annex III high-risk AI systems and transparency obligations (Article 50) |
| 2 August 2027 | High-risk AI embedded in Annex I regulated products must comply; existing GPAI models placed on market before August 2025 must comply |
| 31 December 2030 | AI systems forming part of large-scale EU IT systems in freedom, security, and justice must comply |
EU AI Act vs. Other AI Regulations: A Global Comparison
| Dimension | EU AI Act | US (EO 14179, 2025) | UK AI Framework | China AI Regulations |
|---|---|---|---|---|
| Legal basis | Binding horizontal regulation | Executive Order (deregulatory focus) | Principles-based, sector-specific guidance | Binding sector-specific rules |
| Approach | Comprehensive, risk-tiered | Innovation-first; voluntary for private sector | Sector regulator led (FCA, ICO, CMA) | Mandatory registration; algorithmic audits |
| Scope | All sectors; extraterritorial | Federal agencies; state laws vary considerably | All sectors; no unified binding law | Algorithmic recommendation, generative AI, deep synthesis |
| High-risk classification | Mandatory; defined in Annexes I and III | No equivalent classification framework | No mandatory classification | Registration required for certain AI system types |
| Maximum penalties | €35M or 7% of global annual turnover | No federal penalty framework for private sector | No unified penalty regime | Subject to existing sector-specific enforcement |
| GPAI / Foundation models | Explicit Chapter V; systemic risk tier for largest models | No equivalent | No equivalent | Generative AI Measures apply (2023, amended) |
| Primary enforcement body | EU AI Office and national competent authorities | Sector agencies (FTC, FDA, NHTSA, others) | Sector regulators | Cyberspace Administration of China (CAC) |
How to Classify Your AI Systems Under the EU AI Act
The process below applies to any organization that develops or deploys AI systems on or for the EU market.
Step 1: Inventory all AI systems in use or in development
Build a complete register of AI systems across your company, including systems embedded in third-party products or services you procure. Article 3(1) defines an AI system broadly as any machine-based system that infers from inputs how to generate outputs, including predictions, recommendations, and decisions, that can influence real or virtual environments.
Step 2: Identify the intended purpose and deployment context for each system
Risk classification under the Act is use-case-specific, not technology-specific. The same underlying model may be high-risk in one deployment context and minimal-risk in another. Document the intended purpose as the provider or deployer defines it, as that definition is what determines classification.
Step 3: Apply the risk classification criteria in sequence
Check each system against the Article 5 prohibited practices list first. For systems that are not prohibited, assess whether they qualify as high-risk under Annex I or Annex III. Then assess whether transparency obligations under Article 50 apply, as they do for chatbots and deepfake generation tools. Only systems that clear all three checks fall into the minimal-risk tier.
Step 4: Determine the applicable obligation set per tier
High-risk systems require a risk management system, technical documentation, data governance framework, human oversight mechanisms, and conformity assessment. GPAI model providers operate under a separate obligation set defined in Chapter V. Limited-risk systems require specific disclosures. Map each obligation to the internal function responsible for it.
Step 5: Conduct conformity assessment for high-risk systems
For Annex III high-risk systems, a structured internal conformity assessment with documented evidence is the standard pathway. For systems that are safety components in Annex I regulated products, third-party assessment by a notified body may be required. Determine which pathway applies well before the August 2026 deadline.
Step 6: Register high-risk systems in the EU database
Providers of Annex III high-risk systems must register the system in the EU AI database before placing it on the market. Deployers of high-risk systems used in law enforcement or migration management contexts also carry registration obligations.
Step 7: Assign accountability and appoint an AI governance lead
The Act distributes obligations across providers, deployers, importers, and distributors. Establish internal accountability clearly, especially where AI systems are procured from third-party vendors. Many organizations are formalizing this through a Chief AI Officer role or by integrating AI governance into their existing Connected GRC framework.
Step 8: Establish ongoing monitoring and incident reporting
High-risk AI systems require post-market monitoring plans. Providers must report serious incidents and malfunctions to national competent authorities. Embed monitoring into your operational AI governance process rather than treating it as a pre-launch checkpoint.
EU AI Act Compliance Challenges
Below are some of the challenges companies are likely to face while working toward compliance with the EU AI Act:
- AI system inventorying at scale: Most companies do not have a complete, current inventory of the AI systems they develop or deploy. The Act's definition of an AI system is deliberately broad, and AI is embedded across functions, including HR, finance, operations, customer service, and supply chain, often through third-party SaaS platforms that may themselves embed AI components. Building and maintaining an accurate inventory is a precondition for every subsequent compliance task, yet it is routinely the hardest to execute at enterprise scale, particularly where AI adoption has outpaced governance.
- Overlapping obligations with GDPR and DORA: The EU AI Act does not operate in isolation. AI systems that process personal data are simultaneously subject to GDPR. AI deployed in financial services must align with the operational resilience requirements under DORA. These frameworks share conceptual territory around data governance, risk management, and incident reporting, but their requirements are not identical, and the definitions they use do not always align. Compliance teams face the challenge of building unified controls that satisfy multiple regimes simultaneously, rather than running parallel programs that duplicate cost and effort without reducing exposure.
- Third-party AI vendor risk: The Act's obligations fall on providers and deployers alike, and deploying a third-party AI system does not transfer compliance responsibility to the vendor. Deployers must verify that the systems they use meet the Act's requirements for their specific deployment context, which includes reviewing technical documentation, conformity assessment records, and data governance practices. Managing this at scale across a complex vendor ecosystem requires structured third-party AI risk management, not contractual representations alone.
How GRC Platforms Support EU AI Act Compliance
Below are some of the ways in which GRC platforms can support EU AI Act compliance:
- AI risk register and classification workflows: A GRC platform provides a structured environment to build and maintain an AI system inventory, record classification decisions with their evidentiary basis, and track the status of each system against applicable obligations. Automated workflows can guide assessment teams through the Annex I and Annex III classification criteria, flag systems that require deeper review, and generate complete audit trails for each classification decision made.
- Policy mapping to EU AI Act provisions: Mapping internal AI governance policies to specific articles and obligations under the Act is time-intensive when done manually and prone to gaps as regulatory guidance evolves. GRC platforms support policy repositories that link each internal control to the relevant regulatory provisions, with version control, change notifications when guidance is updated, and evidence linkage that connects policy statements to the documented controls that implement them.
- Audit trail and evidence management for conformity assessments: Conformity assessments for high-risk AI systems require organized, retrievable evidence across multiple obligation areas, including risk management records, data governance documentation, test results, and post-market monitoring data. A GRC platform maintains this evidence in a centralized, auditable repository, ensuring it is accessible and traceable when national competent authorities or third-party assessors request it.
How MetricStream Can Help
Organizations navigating EU AI Act compliance need operational infrastructure that connects AI risk classification to existing risk and compliance workflows, surfaces obligations in time for each phase of the Act's rollout, and maintains the audit evidence required for conformity assessments. MetricStream's Regulatory Compliance Management solution provides that infrastructure, enabling compliance teams to track regulatory obligations at the provision level, map them to internal controls, and monitor compliance status across the organization in real time.
For organizations deploying AI across multiple business units and geographies, MetricStream's Connected GRC platform integrates AI governance with existing third-party risk management, operational risk, and internal audit workflows. The platform's automated workflow capabilities support the recurring monitoring and incident reporting requirements imposed by the Act on high-risk AI deployers, reducing the operational overhead of maintaining continuous compliance in a changing AI landscape.
Step 2: Identify the intended purpose and deployment context for each system
Risk classification under the Act is use-case-specific, not technology-specific. The same underlying model may be high-risk in one deployment context and minimal-risk in another. Document the intended purpose as the provider or deployer defines it, as that definition is what determines classification.
Step 3: Apply the risk classification criteria in sequence
Check each system against the Article 5 prohibited practices list first. For systems that are not prohibited, assess whether they qualify as high-risk under Annex I or Annex III. Then assess whether transparency obligations under Article 50 apply, as they do for chatbots and deepfake generation tools. Only systems that clear all three checks fall into the minimal-risk tier.
Step 4: Determine the applicable obligation set per tier
High-risk systems require a risk management system, technical documentation, data governance framework, human oversight mechanisms, and conformity assessment. GPAI model providers operate under a separate obligation set defined in Chapter V. Limited-risk systems require specific disclosures. Map each obligation to the internal function responsible for it.
Step 5: Conduct conformity assessment for high-risk systems
For Annex III high-risk systems, a structured internal conformity assessment with documented evidence is the standard pathway. For systems that are safety components in Annex I regulated products, third-party assessment by a notified body may be required. Determine which pathway applies well before the August 2026 deadline.
Step 6: Register high-risk systems in the EU database
Providers of Annex III high-risk systems must register the system in the EU AI database before placing it on the market. Deployers of high-risk systems used in law enforcement or migration management contexts also carry registration obligations.
Step 7: Assign accountability and appoint an AI governance lead
The Act distributes obligations across providers, deployers, importers, and distributors. Establish internal accountability clearly, especially where AI systems are procured from third-party vendors. Many organizations are formalizing this through a Chief AI Officer role or by integrating AI governance into their existing Connected GRC framework.
Step 8: Establish ongoing monitoring and incident reporting
High-risk AI systems require post-market monitoring plans. Providers must report serious incidents and malfunctions to national competent authorities. Embed monitoring into your operational AI governance process rather than treating it as a pre-launch checkpoint.
Below are some of the challenges companies are likely to face when complying with the EU AI Act:
- AI system inventorying at scale: Most companies do not have a complete, current inventory of the AI systems they develop or deploy. The Act's definition of an AI system is deliberately broad, and AI is embedded across functions, including HR, finance, operations, customer service, and supply chain, often through third-party SaaS platforms that may themselves embed AI components. Building and maintaining an accurate inventory is a precondition for every subsequent compliance task, yet it is routinely the hardest to execute at enterprise scale, particularly where AI adoption has outpaced governance.
- Overlapping obligations with GDPR and DORA: The EU AI Act does not operate in isolation. AI systems that process personal data are simultaneously subject to GDPR. AI deployed in financial services must align with the operational resilience requirements under DORA. These frameworks share conceptual territory around data governance, risk management, and incident reporting, but their requirements are not identical, and the definitions they use do not always align. Compliance teams face the challenge of building unified controls that satisfy multiple regimes simultaneously, rather than running parallel programs that duplicate cost and effort without reducing exposure.
- Third-party AI vendor risk: The Act's obligations fall on providers and deployers alike, and deploying a third-party AI system does not transfer compliance responsibility to the vendor. Deployers must verify that the systems they use meet the Act's requirements for their specific deployment context, which includes reviewing technical documentation, conformity assessment records, and data governance practices. Managing this at scale across a complex vendor ecosystem requires structured third-party AI risk management, not contractual representations alone.
Below are some of the ways in which GRC platforms can support EU AI Act compliance:
- AI risk register and classification workflows: A GRC platform provides a structured environment to build and maintain an AI system inventory, record classification decisions with their evidentiary basis, and track the status of each system against applicable obligations. Automated workflows can guide assessment teams through the Annex I and Annex III classification criteria, flag systems that require deeper review, and generate complete audit trails for each classification decision made.
- Policy mapping to EU AI Act provisions: Mapping internal AI governance policies to specific articles and obligations under the Act is time-intensive when done manually and prone to gaps as regulatory guidance evolves. GRC platforms support policy repositories that link each internal control to the relevant regulatory provisions, with version control, change notifications when guidance is updated, and evidence linkage that connects policy statements to the documented controls that implement them.
- Audit trail and evidence management for conformity assessments: Conformity assessments for high-risk AI systems require organized, retrievable evidence across multiple obligation areas, including risk management records, data governance documentation, test results, and post-market monitoring data. A GRC platform maintains this evidence in a centralized, auditable repository, ensuring it is accessible and traceable when national competent authorities or third-party assessors request it.
Organizations navigating EU AI Act compliance need operational infrastructure that connects AI risk classification to existing risk and compliance workflows, surfaces obligations in time for each phase of the Act's rollout, and maintains the audit evidence required for conformity assessments. MetricStream's Regulatory Compliance Management solution provides that infrastructure, enabling compliance teams to track regulatory obligations at the provision level, map them to internal controls, and monitor compliance status across the organization in real time.
For organizations deploying AI across multiple business units and geographies, MetricStream's Connected GRC platform integrates AI governance with existing third-party risk management, operational risk, and internal audit workflows. The platform's automated workflow capabilities support the recurring monitoring and incident reporting requirements imposed by the Act on high-risk AI deployers, reducing the operational overhead of maintaining continuous compliance in a changing AI landscape.
Frequently Asked Questions
The EU AI Act is a binding EU law that regulates artificial intelligence systems based on the risk they pose. It classifies AI into four tiers, prohibits the most harmful uses outright, and requires organizations developing or deploying high-risk AI in the EU to meet specific standards for documentation, oversight, and safety before market entry.
The Act entered into force on 1 August 2024, with obligations applying in phases. Prohibitions on the riskiest AI practices have applied since February 2025. Obligations for general-purpose AI models have applied since August 2025. Most requirements governing high-risk AI systems apply from August 2026, with rules for AI embedded in regulated products following in August 2027.
Yes. The Act has extraterritorial reach comparable to the GDPR. It applies to providers that place AI systems on the EU market, to deployers operating within the EU, and to providers or deployers based outside the EU if the output of their AI systems is used inside the EU.
The Act classifies AI systems into four tiers: unacceptable risk (prohibited outright), high risk (heavily regulated, requiring conformity assessment and ongoing oversight), limited risk (subject to transparency and disclosure obligations), and minimal or no risk (no specific obligations under the Act). Classification is determined by the system's intended purpose and deployment context, not by the underlying technology alone.
The Act prohibits government social scoring systems, real-time biometric identification of individuals in public spaces by law enforcement (with narrow exceptions), AI that exploits individual vulnerabilities to cause behavioral harm, subliminal manipulation systems, emotion recognition tools used in workplaces and schools outside safety exceptions, predictive policing based purely on profiling, and mass scraping of facial images from public sources to build recognition databases.
The two regulations apply concurrently, and neither displaces the other. AI systems that process personal data must satisfy both frameworks simultaneously. The AI Act draws on GDPR concepts, including data governance, transparency, and retention requirements, but its risk classification and conformity assessment obligations go substantially further.
Responsibility is distributed across roles defined by the Act. Providers who develop or place AI on the EU market carry the primary burden for technical and documentation obligations. Deployers who operate AI systems within the EU carry obligations for oversight, monitoring, and end-user transparency. Importers and distributors also carry proportionate responsibilities. Internally, organizations are increasingly appointing Chief AI Officers or AI risk leads to own the governance function and coordinate across legal, technology, and compliance teams.
An AI system is classified as high-risk under one of two conditions: it is a safety component of a product regulated under EU harmonization legislation, such as a medical device or industrial machinery, or it falls within a specific use case listed in Annex III, including employment AI, credit scoring systems, law enforcement tools, and AI used in critical infrastructure.
A general-purpose AI model (GPAI) is an AI model trained on large volumes of data that can perform a wide range of tasks, such as large language models or multimodal foundation models. The Act imposes a distinct obligation set on GPAI providers, including technical documentation, transparency, and copyright compliance measures. Providers of GPAI models assessed as carrying systemic risk face additional requirements around adversarial testing and incident reporting to the EU AI Office.