
EU AI Act: Risk classes, Deadlines, Obligations

The EU AI Act is Regulation (EU) 2024/1689 on harmonised rules for artificial intelligence. It is the world's first comprehensive AI law, directly applicable in all EU member states, and takes effect in four stages from February 2025 to August 2027. It applies to providers, deployers, importers and distributors of AI systems, regardless of their location.

The four risk classes

Prohibited (Art. 5): practices considered incompatible with EU fundamental rights. These include social scoring by public or private actors, manipulative or exploitative AI, real-time remote biometric identification in publicly accessible spaces (with narrow law-enforcement exceptions), emotion recognition in workplaces and educational institutions, and untargeted scraping of facial images. The prohibitions have applied since 2 February 2025.

High-risk (Annex III): AI used as a safety component in critical infrastructure, biometric identification, education and vocational training, employment (selection, evaluation, dismissal), access to essential private and public services (credit scoring, insurance risk assessment), law enforcement, migration/asylum/border control, administration of justice and democratic processes, and biometric categorisation. Plus Annex I: AI in regulated products (medical devices, machinery, vehicles).

Limited risk (Art. 50): transparency obligations for chatbots (notice of AI interaction), deepfakes (labelling as artificially generated), emotion recognition, biometric categorisation, AI-generated content.

Minimal risk: everything else; only voluntary codes of conduct apply. Most business applications fall here, but the classification must still be documented.

Obligations for high-risk system providers

Art. 9: risk-management system across the whole lifecycle, with documented risk analysis, mitigations and tests.

Art. 10: data governance for training, validation and test data. Data must be relevant, representative, and, to the extent possible, free of errors and complete.

Art. 11: technical documentation showing conformity with requirements. Annex IV lists minimum content: description, design choices, training data, test data, validation procedures.

Art. 12: automatic logging of events across the lifecycle.

Art. 13: transparency and provision of information to deployers, including usage instructions.

Art. 14: human oversight. The system must be designed so it can be operated under meaningful human oversight.

Art. 15: accuracy, robustness and cybersecurity. Expected performance is stated in the documentation.

Art. 17-22: quality-management system, conformity assessment, CE marking, EU database registration, post-market monitoring.

Obligations for deployers

Art. 26(1): use the AI system in line with the provider's instructions.

Art. 26(2): human oversight by qualified, trained staff.

Art. 26(4): ensure input data is relevant and sufficiently representative for the system's intended purpose, to the extent the deployer controls it.

Art. 26(5): monitor operation and report serious incidents and risks to the provider and the competent authority.

Art. 26(6): retain the automatically generated logs for at least 6 months.

Art. 26(7): inform affected persons that a high-risk AI system is being used on them.

Art. 26(11): in employment contexts, workers' representatives must be informed in advance.

Art. 27: Fundamental Rights Impact Assessment (FRIA) by public bodies and private deployers of essential services, before first use.

General-Purpose AI Models (GPAI)

Art. 51-56 govern providers of general-purpose AI models (foundation models such as GPT, Claude, Mistral, Llama). Obligations from August 2025: technical documentation, information to downstream providers, a copyright policy, and a summary of the training data. For models with systemic risk (typically above 10^25 FLOPs of training compute) additionally: model evaluation, adversarial testing, serious-incident tracking, and cybersecurity protections. The European Commission publishes a list of systemic-risk models.

Timeline

2 February 2025: prohibitions (Art. 5), AI literacy duty (Art. 4) become applicable.

2 August 2025: GPAI obligations, governance structures, sanctioning regime for GPAI.

2 August 2026: Annex III high-risk systems (the majority), Art. 50 transparency obligations, full sanctioning regime.

2 August 2027: Annex I high-risk systems (AI safety components in regulated products).

Practically: every company that currently uses AI in employment, credit scoring, insurance, education, healthcare or critical infrastructure, or that procures such systems, must be compliant by August 2026. A compliance programme typically takes 9-18 months.

Fines

Prohibited practices: up to 35 M EUR or 7% of global annual turnover.

Provider/deployer obligation breaches: up to 15 M EUR or 3% of global annual turnover.

False or incomplete information to authorities: up to 7.5 M EUR or 1% of global annual turnover.

SMEs and start-ups: the lower of the two amounts applies in each case. Still potentially existential.

What companies should do now

1. Build an AI inventory: which systems are in use, which are being acquired, and which are built in-house, each classified by risk class with the reasoning recorded.

2. Immediately review for Art. 5 prohibitions and discontinue any in-scope use. Prohibitions have been applicable since early 2025.

3. Stand up an AI literacy programme (Art. 4). Mandatory training for staff who operate or own AI systems.

4. Identify high-risk systems and either make them compliant or sunset them by August 2026.

5. Review contracts with AI providers for compliance: technical documentation, CE conformity, EU database registration.

6. Document structured decisions for each AI procurement: classification, provider selection, data sources, human oversight, stakeholder alignment, residual risks. That is precisely the function of a decision memo.

DecisionOS and the EU AI Act

DecisionOS structures AI procurement and rollout decisions in a way that supports EU AI Act conformity assessment. Each memo documents classification, weighted criteria (data quality, EU hosting, explainability, logging), dealbreakers, stakeholder alignment across IT, Legal, Data Protection and the business owner, and a Readiness Score. EU-hosted in Nuremberg, Germany. Book a demo at nexalign.io/book.