Regulation (EU) 2024/1689

EU AI Act

The rules for AI are already in force

The EU has written the world's first comprehensive AI law. It does not regulate the technology: it regulates what you use it for. Build AI, buy AI, or just let your team use it, and some of it is about you.

Your chatbot must say it's a bot, from August 2026
Screening CVs with AI, that's high-risk
Social scoring, banned outright
Emotion recognition at work, banned
Deepfakes must be labeled, every single one
Up to 7% of global turnover, the ceiling for fines
You don't have to build AI, using it is enough
Not an EU company? Covered if your AI reaches the EU
Credit scoring by AI, high-risk
Your staff use AI daily, the law expects training
Buying AI does not outsource the responsibility
General-purpose models, regulated since 2025
The bans are live, since February 2025
Most AI is barely touched, if you know your tier
AI Act

(noun, EU law) Regulation (EU) 2024/1689

The world's first comprehensive law on artificial intelligence. It regulates AI by what you use it for, not by how clever the technology is: the riskier the use, the stricter the rules.

Already in force, arriving in waves, and written for those who build AI and those who merely use it.

Same family: GDPR, CE marking, product safety law. Same logic, new subject.

00 / The concept

One law, sorted by risk

Most technology laws regulate the thing. The AI Act regulates the situation: the same model that drafts your newsletter, unregulated, becomes high-risk the moment it starts screening job applications. What counts is what the system is used for, on whom, and what happens to them.

Everything else in the Act follows from that one move. Every use of AI lands in one of four tiers, and each tier carries its own rulebook: from nothing at all, to a duty of honesty, to heavy paperwork, to an outright ban.

Fig. 00 / Four tiers, one pyramid (fewer systems, stricter rules)
Prohibited: banned since 2 Feb 2025
High-risk: hiring · credit · exams. Strict duties, 2027 / 2028
Transparency: chatbots · synthetic media. Disclose, from 2 Aug 2026
Minimal risk: spam filters · games · most AI. No new duties
01 / Who it covers

It covers you, probably

The Act sorts everyone around an AI system into roles. Two matter for most companies. The provider builds or sells the system and carries the heavy duties. The deployer uses it at work and carries fewer, but real ones: use the system as instructed, keep a human meaningfully in charge, train the people who run it.

And the law reaches beyond the Union: it follows the output. A tool built elsewhere, whose results are used in Europe, is covered. "We are not an EU company" is not an exemption. Ask anyone who met the GDPR.

Fig. 01 / Two roles, two rulebooks
You build or sell it: PROVIDER. The heavy rulebook: design, test, document, register.
You use it at work: DEPLOYER. The working rulebook: oversight, instructions, training.

Also covered: importers and distributors, and anyone whose system's output is used in the EU.
02 / The four tiers

From banned to barely touched

Find your use case in this list and you know most of what the law wants from you. The tier follows the use, not the vendor's marketing.

banned

Unacceptable

Uses the EU decided no safeguard can fix: social scoring, manipulation that causes harm, emotion recognition at work or school, scraping faces off the internet.

illegal since 2 Feb 2025
strict duties

High-risk

AI deciding over lives and livelihoods: hiring, credit, exams, medical devices, infrastructure. Allowed, but under the full rulebook, tested and documented.

applies 2 Dec 2027 / 2 Aug 2028
disclose

Transparency

AI a person might mistake for a human, or content that might pass as real: chatbots, deepfakes, synthetic media. The duty is honesty: say so, label it.

applies 2 Aug 2026
carry on

Minimal

Spam filters, recommendations, AI in games, your drafting assistant. The vast majority of systems. No new obligations beyond the laws that always applied.

no AI Act duties

The same model can sit in three tiers in the same week. It is never "is this AI regulated", always "is this use regulated".

03 / The red lines

Eight practices are simply off the table

The prohibited tier is short, specific, and already law, since 2 February 2025. No conformity assessment, no consent checkbox, no contract clause makes these legal.

social scoring
harmful manipulation and deception
exploiting age, disability or hardship
predicting crime from profiles
untargeted face scraping
emotion recognition at work and school
biometric sorting by race, belief or orientation
live remote face ID in public spaces

added May 2026, compliance by 2 Dec 2026

generators of non-consensual intimate imagery and CSAM

If the use is on this list, the paperwork question never arises. It is simply illegal.

A few narrow exceptions exist, mostly medical, safety and tightly fenced law enforcement cases. If you think you are the exception, that is precisely when to bring a lawyer.

04 / High-risk

Where the rulebook gets heavy

High-risk does not mean scary technology. It means consequential decisions about people: who gets the job, the loan, the diploma, the visa, the treatment. The Act lists the territory in two annexes: standalone systems in sensitive areas, and AI inside products that already need a CE mark.

standalone uses (Annex III)

hiring & worker management · credit scoring · life & health insurance pricing · education & exams · essential public services · critical infrastructure · biometric identification · law enforcement · migration & borders · justice & elections

AI inside regulated products (Annex I)

medical devices · machinery · vehicles · toys · lifts · aviation

Providers of these systems owe the full program: risk management, data governance, technical documentation, automatic logging, human oversight, accuracy, robustness and cybersecurity, then a conformity assessment, a CE mark, and registration in the EU database, before the system reaches the market. The cybersecurity duty is specific, not generic: Article 15 expects measures against attacks on the training data (data poisoning), on pre-trained components (model poisoning), inputs crafted to make the model err (adversarial examples, model evasion), and attacks on the confidentiality of the model itself.

Deployers owe a working version: follow the instructions for use, assign trained human oversight, monitor the system in operation, and tell the people it affects. Public bodies, banks and insurers add a fundamental-rights impact assessment.

05 / The honesty rules

From August 2026, AI stops passing as human

The transparency tier is the deadline that touches almost everyone, because almost everyone now ships a chatbot or publishes generated content. From 2 August 2026: a chatbot must say it is one. A deepfake must be labeled as synthetic. AI-generated audio, image, video and text must carry a machine-readable mark, so tools and platforms can recognize it.

The duty is light, and that is the point: not less AI, just honest AI.

If a person could reasonably mistake it for the real thing, they have a right to know it is not.

Systems already on the market before 2 August 2026 get a grace period on the machine-readable marking, until 2 December 2026. The disclosure duties themselves are not postponed.

06 / The timeline

Two waves have landed. The next hits in weeks.

The Act entered into force on 1 August 2024 and applies in stages. The bans and the AI-literacy duty are live. The model rules are live. The honesty rules arrive in August 2026, the high-risk program in 2027 and 2028.

Fig. 02 / The waves, and where you are standing
AUG 2024: in force
FEB 2025: bans + AI literacy
AUG 2025: GPAI rules + fines
JUN 2026: you are here
AUG 2026: honesty rules
DEC 2026: new ban + marking
DEC 2027: high-risk, Annex III
AUG 2028: high-risk in products

Dates updated 7 May 2026: the EU's "Digital Omnibus" agreement moved the high-risk deadlines from 2026/2027 to December 2027 and August 2028, and added the new ban. Formal adoption is expected before August 2026; the new dates bind once published in the Official Journal.

07 / The stakes

What ignoring it costs

€35M or 7%: prohibited practices
€15M or 3%: most other breaches
€7.5M or 1%: misleading the authorities

Fixed sum or share of global annual turnover, whichever is higher. For small and medium companies, the lower of the two applies. National authorities enforce most of it; the Commission's AI Office watches the general-purpose models. The fine schedule has been in place since August 2025.

The quieter cost arrives earlier: procurement questionnaires, due-diligence checklists, enterprise customers asking for your tier. Compliance is becoming a sales document.

08 / What it means for you

Four sentences to retire this year

"we just use ChatGPT"

Users have duties too

Using AI at work makes you a deployer. A lighter rulebook than a builder's, but a rulebook: oversight, instructions, and people who know what the tool can and cannot do.

"it's a big-tech law"

It sorts by use, not by size

A ten-person firm screening CVs with AI sits in high-risk territory. A tech giant's spam filter sits in minimal. Your size shapes the fine, not the duty.

"nothing applies yet"

Two waves already landed

The bans and the AI-literacy duty have applied since February 2025, the model rules since August 2025. The honesty rules arrive in August 2026.

"we're not in the EU"

The law follows the output

Sell into Europe, serve European users, or let your system's results be used there, and you are in scope. The GDPR taught everyone this lesson once already.

09 / What to do now

Six moves, none of them dramatic

For most companies this is not a compliance emergency. It is an afternoon of honesty about where AI already lives in the business, then a habit of keeping that picture current.

01

Inventory

List every AI system in the building: the ones you built, the ones you bought, the ones inside other tools, and the ones staff use quietly.

02

Classify

Sort each use against the four tiers. Most land in minimal. The ones touching hiring, money, safety or students deserve a closer look.

03

Know your role

Provider, deployer, importer or distributor, per system. The duties follow the role, and one company can hold several at once.

04

Train your people

The AI-literacy duty already applies. Whoever runs or oversees an AI system should understand what it does, what it gets wrong, and when to overrule it.

05

Ask your vendors

Which tier, what documentation, who carries the provider duties. Buying AI does not transfer the deployer's share of the responsibility.

06

Write it down

An AI policy, a named owner, and a record of the above. When a customer or an authority asks, the answer should already exist.

This page is orientation, not legal advice. If your inventory turns up high-risk territory, bring counsel.

Where do you stand?

Want a second pair of eyes on your AI map?

MethodKit helps teams get onto the same page about how they actually work, including the AI now woven into it. The inventory, the tiers, the roles: it is a mapping exercise, and mapping is what we do. Leave your email below and the conversation starts.

prefer email? ola@methodkit.com