Introduction to the EU AI Act
The EU Artificial Intelligence Act, usually shortened to the EU AI Act or AIA, is the world’s first comprehensive legal framework for artificial intelligence, regulating AI based on a risk-based approach. It sits alongside GDPR, UK GDPR and wider data protection rules, rather than replacing them.
The final text of the Regulation was published on 12 July 2024 and entered into force on 1 August 2024, with staggered application dates through to 2027. In this guide, we summarise what the EU AI Act is, who it applies to, and what UK organisations should do now.
Data Privacy Services, the trading name of Data Privacy and Data Security Services Limited, is a UK-based data protection and information security consultancy helping organisations align AI systems with GDPR, UK GDPR and emerging AI regulation.
What is the EU Artificial Intelligence Act (EU AI Act)?
The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) is an EU Regulation creating harmonised rules for AI systems placed on the market, put into service or used in the EU. It is a comprehensive regulatory framework designed to encourage trustworthy AI while protecting health, safety, fundamental rights and democratic processes across the European Union.
An “AI system” is defined broadly. In plain terms, it is a machine-based system that operates with some degree of autonomy and infers, from the input it receives, how to generate outputs such as predictions, content, recommendations or decisions for explicit or implicit objectives. Those outputs may influence physical or virtual environments. Machine learning is the typical case, but the definition is not limited to it.
The EU AI Act also regulates general-purpose AI (GPAI) models, including foundation models and the models behind many generative AI products. These are models trained on large amounts of data that can perform a wide range of distinct tasks and be integrated into many downstream AI systems.
Like GDPR, the AI Act has extraterritorial reach. Providers and deployers established outside the EU are caught where the output produced by their AI system is used in the EU, and non-EU providers are caught where they place AI systems or general-purpose AI models on the EU market or put them into service there, wherever their users happen to be.
Scope and Extraterritorial Application of the EU AI Act
The Act applies to providers, deployers, importers and distributors of AI systems in the EU, regardless of where the organisation is established. UK-based companies selling, licensing or operating AI systems for EU users, or whose AI output is used in the EU, will generally need to assess their role and obligations. Processing EU personal data through AI is governed by GDPR in any case, so both regimes are usually in play.
Key operator roles include:
A provider develops, or has developed, an AI system or general-purpose AI model and places it on the EU market or puts it into service under its own name or trademark, whether for payment or free of charge.
A deployer uses an AI system under its own authority, other than in a purely personal, non-professional activity.
An importer is established in the EU and places on the EU market an AI system bearing the name or trademark of a provider established outside the EU.
A distributor is any other party in the supply chain that makes an AI system available on the EU market without changing its intended purpose.
An authorised representative established in the EU must be appointed by non-EU providers of high-risk AI systems and of general-purpose AI models to act as the contact point for national authorities and the AI Office.
There are exemptions for purely personal, non-professional use, for research and development activity before a system is placed on the market or put into service, and for systems used exclusively for military, defence or national security purposes. AI systems released under free and open-source licences are also outside the Act unless they are placed on the market as high-risk or prohibited systems or trigger the transparency duties. However, GDPR, product safety, contract law and sector rules may still apply to such systems.
Risk-Based Approach: AI Risk Categories under the EU AI Act
The AI Act classifies AI systems into four risk categories: unacceptable risk, high risk, limited (transparency) risk, and minimal or no risk. Obligations increase as risk rises.
The four categories are:
Unacceptable risk: banned systems and certain AI practices.
High risk: permitted but heavily regulated systems.
Limited transparency risk: systems requiring disclosure, such as chatbots or deepfakes.
Minimal risk: most low-impact tools, such as spam filters.
Understanding the risk category is the first step in any compliance assessment. It should be documented early, because obligations differ significantly across the AI value chain.
General-purpose AI models have their own set of rules, with additional duties where a model presents systemic risk; an AI system built on such a model is then assessed like any other AI system according to its intended use. These rules matter most for providers of generative AI, large language models, agentic AI and other broad-use tools.
Unacceptable AI Practices (Banned Systems)
From 2 February 2025, certain AI practices are prohibited because they pose an unacceptable risk: a clear threat to the safety, livelihoods or rights of individuals.
Prohibited AI practices include:
Social scoring: evaluating or classifying people over time on the basis of their social behaviour or personal characteristics, where the score leads to detrimental or disproportionate treatment, in particular in unrelated contexts. The ban covers private as well as public actors.
Untargeted scraping of facial images from the internet or CCTV footage to build or expand facial recognition databases.
Subliminal, manipulative or deceptive techniques that materially distort behaviour, and exploitation of vulnerabilities due to age, disability or a specific social or economic situation, where this causes or is reasonably likely to cause significant harm.
Emotion recognition in workplaces and educational institutions, except for medical or safety reasons.
Predicting the risk that a person will commit a criminal offence based solely on profiling or personality traits.
Biometric categorisation that infers race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation from biometric data.
Real-time remote biometric identification in publicly accessible spaces for law enforcement purposes.
Limited exceptions apply to the last practice, such as targeted searches for victims of abduction or the prevention of a specific terrorist threat, but only under strict safeguards and prior judicial or independent administrative authorisation. UK and non-EU organisations must ensure these prohibited AI practices are not offered or enabled for EU users.
High-Risk AI Systems (HRAIS)
High-risk systems are allowed, but they are heavily regulated because they can create serious risks to health, safety or fundamental rights. Examples are AI used as a safety component in critical infrastructure such as electricity, water, gas or digital infrastructure, and AI used in recruitment and worker management, education and vocational training, credit scoring and life and health insurance, law enforcement, migration and border control, the administration of justice and access to essential public and private services.
The EU AI Act classifies high-risk AI systems into two categories: systems that are, or are safety components of, products covered by the EU product safety legislation listed in Annex I and subject to third-party conformity assessment (medical devices, machinery, toys, motor vehicles, lifts and similar), and systems used for the specific purposes listed in Annex III, which must be registered in the EU database before being placed on the market or put into service.
Before a high-risk system can be placed on the market it must pass a conformity assessment, and the obligations continue through its lifecycle: a risk management system, data governance and data quality requirements for training, validation and testing data, detailed technical documentation, automatic logging, transparency and instructions for deployers, human oversight, and accuracy, robustness and cybersecurity.
Most of these obligations fall on the provider, who must also operate a quality management system, affix the CE marking, register Annex III systems in the EU database and carry out post-market monitoring. A deployer, distributor or importer that puts its own name on a high-risk system, substantially modifies it or changes its intended purpose becomes a provider and takes on those duties.
Deployers must use such systems in accordance with the provider's instructions, assign human oversight to trained staff, ensure input data is relevant, monitor operation, keep the automatically generated logs, inform affected workers and individuals where required, and report serious incidents. Deployers that are public bodies, private providers of public services, or users of credit-scoring or life and health insurance systems must also complete a fundamental rights impact assessment before first use.
General-Purpose AI Models and Systemic Risk
General-purpose AI models are models trained on broad data at scale that can support many downstream uses: large language models, image generators and other foundation models that power a wide range of tasks. One model may sit underneath many separate AI applications.
All GPAI models: from 2 August 2025, providers must prepare and maintain technical documentation, share information with downstream providers who integrate the model, put in place a policy to comply with EU copyright law (including respecting rights reservations for text and data mining), and publish a sufficiently detailed summary of the content used for training. Models already on the market before that date have until 2 August 2027 to comply.
GPAI models with systemic risk: more capable models, presumed where cumulative training compute exceeds 10^25 floating-point operations or where the Commission designates the model, face extra duties. Providers must perform model evaluations including adversarial testing, assess and mitigate systemic risks across the value chain, track and report serious incidents and corrective measures to the AI Office, and ensure an adequate level of cybersecurity for the model and its physical infrastructure. Adherence to a code of practice under Article 56 is one way to demonstrate compliance.
UK developers offering foundation models into the EU should assess whether their tools fall within the GPAI and systemic risk definitions, as well as GDPR and broader data protection duties.
Limited Transparency Risk and Minimal/No-Risk AI
Some systems are neither banned nor high-risk, but still carry transparency obligations under Article 50. Providers must ensure that people are informed when they interact with an AI system such as a chatbot, unless this is obvious from the context.
Providers of generative AI must ensure that synthetic audio, image, video or text output is marked in a machine-readable format and detectable as artificially generated. Deployers must disclose deepfakes, and must disclose AI-generated text published to inform the public on matters of public interest unless it has been through human review and editorial control. Deployers of emotion recognition or biometric categorisation systems must inform the people exposed to them. These transparency rules apply from 2 August 2026.
Minimal-risk applications, such as AI in video games and spam filters, are largely unregulated under the Act, although developers are encouraged to follow voluntary codes of conduct. Most AI systems currently in use in the EU fall into this category. Two points still apply: the AI literacy duty in Article 4 covers providers and deployers of all AI systems, and GDPR, consumer protection and security law continue to apply wherever personal data or consumers are involved.
Timeline: When Do EU AI Act Obligations Apply?
Although the Regulation entered into force on 1 August 2024, its key provisions apply in phases. This gives EU member states, regulators and organisations time to prepare.
The main dates are:
2 February 2025: bans on unacceptable AI practices and the AI literacy requirement apply.
2 August 2025: rules for general-purpose AI models (documentation, copyright, training data summaries and systemic-risk duties), the governance chapter and the penalty provisions apply.
2 August 2026: most remaining obligations apply, including those for high-risk AI systems listed in Annex III and the transparency rules.
2 August 2027: obligations for high-risk AI systems that are products or safety components under the Annex I product legislation apply, and GPAI models placed on the market before 2 August 2025 must be brought into compliance.
The European Commission’s AI Act overview explains the phased approach and governance structure. Organisations should not wait until the final date, because inventories, risk assessments, technical documentation and governance controls often take months.
Governance, Enforcement and the EU AI Office
The governance model combines EU-level coordination with national enforcement. The European Commission coordinates implementation, supported by an AI Board of Member State representatives, while the new AI Office within the Commission has the central role in general-purpose AI oversight.
The AI Office issues guidance, enforces the GPAI model obligations on behalf of the Commission (it can request documentation, order evaluations and propose fines on GPAI providers), facilitates codes of practice and supports the Commission in running the EU database for high-risk systems. It is especially relevant to providers of powerful GPAI models.
National competent authorities and market surveillance bodies in each Member State will supervise high-risk systems, handle complaints and monitor post-market compliance. They may work alongside data protection authorities where AI processing affects personal data.
The Act also establishes AI regulatory sandboxes: controlled environments run by national competent authorities in which developers can test AI systems under supervision before placing them on the market. Each Member State must ensure that at least one sandbox is operational by 2 August 2026, and small and medium-sized enterprises (SMEs) and start-ups receive priority access. Sandboxes support innovation while keeping safeguards in place, and can be complemented by supervised testing in real-world conditions under Articles 60 and 61.
Penalties and Enforcement Risk
Non-compliance can lead to substantial fines. The Act sets three tiers, each expressed as a fixed amount or a percentage of total worldwide annual turnover, whichever is higher; for SMEs and start-ups, the lower of the two applies.
Prohibited AI practices: up to EUR 35 million or 7%. Most other breaches, including the high-risk obligations and the transparency rules: up to EUR 15 million or 3%. Providers of general-purpose AI models that breach their obligations or fail to cooperate with the AI Office can be fined by the Commission up to EUR 15 million or 3%.
Supplying incorrect, incomplete or misleading information to authorities: up to EUR 7.5 million or 1%. Regulators may also order corrective measures, withdrawal or recall from the market, or suspension of use, which can be more disruptive than the fine itself.
Interaction with Data Protection, GDPR and Fundamental Rights
The EU AI Act does not replace GDPR, UK GDPR or existing data protection law. It operates alongside them, with a strong focus on fundamental rights, fairness, security and accountability.
Common overlap points include lawful basis for training data and inference data, purpose limitation, data minimisation, pseudonymisation, encryption, accuracy, retention and security of processing. These are already familiar GDPR principles, but AI often makes them harder to evidence.
AI-specific concerns include profiling, automated decision-making, bias, meaningful human review and explainability. Recruitment AI, credit scoring, biometric identification and AI systems used in public services can trigger both GDPR DPIAs and AI Act fundamental rights impact assessments.
A joined-up assessment is often the most efficient route. It helps organisations avoid duplicated work and gives regulators evidence that risks have been considered properly.
Practical Compliance Steps for Organisations Using AI Systems
Start with an AI inventory. Identify all AI systems and AI models in use or planned, including vendor recruitment tools, chatbots, fraud detection, analytics, LLM tools and embedded software.
Next, classify each system against the risk categories. Record whether the system is unacceptable risk, high risk, transparency risk or minimal risk, and document the reasoning.
Map your role for each system. A business may be a deployer for one tool, a provider for another, and part of the wider AI value chain for a third.
Then build practical AI governance. This should include policies, approval routes, human oversight, logs, monitoring, incident reporting, supplier due diligence and staff training. For high-risk systems, add lifecycle risk management, data quality checks, bias testing, cybersecurity controls and post-market monitoring.
Where ISO 27001, GDPR audits or security audits already exist, integrate AI controls into those frameworks rather than creating a separate compliance silo.
How Data Privacy Services Supports EU AI Act and AI Data Protection Compliance
Data Privacy Services specialises in GDPR, data protection, information security and AI-specific data protection consultancy for organisations operating in, or with, the UK and EU.
Our AI consultancy services focus on the practical privacy and regulatory risks that arise in AI projects. This includes lawful basis for training and operational data, automated decision-making and rights to human intervention, data minimisation, encryption, discrimination and bias risks, and transparency to data subjects and users.
A typical AI project may include:
Full-scope review of the planned or existing AI system, including data flows, AI models and intended use cases.
Assessment of applicable legislation, including the EU AI Act, GDPR, UK GDPR and sectoral rules.
Identification of whether certain AI systems are high-risk, GPAI-related or subject to transparency duties.
Completion of risk assessments, including DPIAs and, where needed, AI or fundamental rights impact assessments.
Practical recommendations covering legal basis, transparency wording, human review, data governance, retention and audit trails.
We also support implementation. That can include user-facing notices, AI literacy tools, decision-making workflows, review processes, logging, ISO 27001-aligned audit trails and post-implementation reviews.
You can learn more about our service on our AI consultancy services page. Organisations can also engage Data Privacy Services for DPO as a Service, CISO-as-a-Service, GDPR audits, security audits and AI-focused consultancy. Contact us for a free initial discussion about your AI project or request a GDPR and AI readiness review.
Key Takeaways for UK and EU-Facing Organisations
The EU AI Act is already in force and will progressively apply from February 2025 through 2026–27.
It introduces a risk-based framework for AI systems, banning some AI practices and heavily regulating high-risk systems, general purpose AI and systemic risk models.
UK organisations offering AI systems or AI-enabled services into the EU will often be directly in scope, in addition to GDPR and UK data protection duties.
Early work on AI inventories, risk classification, governance, DPIAs and fundamental rights assessments will reduce future enforcement risk.
Partnering with a specialist consultancy such as Data Privacy Services can help organisations manage AI regulation and data protection together, rather than treating them as separate projects.
If your organisation is using, buying or building AI, now is the time to review your systems, document your risks and close any compliance gaps before the main deadlines arrive.