The World's First Comprehensive AI Law Is in Effect
On August 2, 2024, the European Union's Artificial Intelligence Act entered into force — the first comprehensive regulatory framework for AI in history. By August 2026, most of its core provisions are fully applicable. Whether your organisation is headquartered in Berlin or San Francisco, the EU AI Act matters to you: any company that offers AI-powered products or services to European users must comply. With the EU representing roughly 450 million consumers and 27 national markets, this effectively makes the EU AI Act a global regulation for any organisation operating at scale.
This is not a compliance checkbox. The EU AI Act is a fundamental shift in how AI systems must be designed, documented, and governed. Engineers who build AI systems — not just lawyers and compliance officers — need to understand its requirements, because many of the obligations (technical documentation, risk management systems, accuracy testing, human oversight mechanisms) are engineering responsibilities, not policy ones.
The Four-Tier Risk Classification
The EU AI Act's core architecture is a risk-based classification system. AI systems are categorised into four tiers based on the potential harm they can cause, with regulatory requirements escalating at each level.
Tier 1: Unacceptable Risk (Prohibited)
These AI applications are banned outright. The prohibition took effect in February 2025. Banned practices include: social scoring systems by governments or public authorities; real-time biometric surveillance in public spaces (with narrow law enforcement exceptions); AI systems that manipulate human behaviour in ways that cause harm or exploit psychological vulnerabilities; systems that exploit the vulnerabilities of specific groups (children, people with disabilities); and AI-based subliminal advertising that influences decisions without the person's awareness.
Tier 2: High-Risk AI (Extensive Requirements)
High-risk AI systems face the most demanding compliance requirements, which became fully applicable in August 2026. High-risk categories include:
- AI used as safety components in products covered by existing EU product legislation (machinery, medical devices, aviation, vehicles)
- Biometric identification and categorisation systems
- Management and operation of critical infrastructure (water, gas, electricity, traffic)
- Education and vocational training (determining access to institutions, assessing students)
- Employment and worker management (CV screening, hiring decisions, performance monitoring)
- Access to essential private services and public services (credit scoring, insurance)
- Law enforcement (risk assessment, polygraphs, evaluating evidence)
- Migration and border management
- Administration of justice and democratic processes
Tier 3: Limited Risk (Transparency Obligations)
Chatbots must disclose to users that they are interacting with AI. Systems that generate synthetic content (deepfakes, AI-generated images, video) must label it as AI-generated. Emotion recognition systems must inform users they are being analysed. These obligations are designed to prevent deception, not restrict use.
Tier 4: Minimal Risk (No Specific Requirements)
Most general-purpose AI applications fall here: spam filters, AI-powered games, inventory management systems, recommendation systems for content. No specific regulatory obligations apply, though the Act encourages voluntary codes of conduct.
High-Risk AI: What Engineering Teams Must Deliver
If your AI system falls into a high-risk category, the engineering obligations are substantial. The Act requires:
- Risk management system: Documented identification and analysis of known and foreseeable risks, implemented throughout the development lifecycle and updated post-deployment as new risks are identified.
- Data governance: Training, validation, and test datasets must meet quality criteria relevant to the intended purpose. Data must be relevant, representative, and free of known errors. Data biases that could lead to discrimination must be identified and mitigated.
- Technical documentation: Comprehensive documentation describing the system's intended purpose, design specifications, training methodology, validation and testing results, and performance metrics. This must be produced before deployment and kept current throughout the system's lifecycle.
- Transparency and provision of information: Systems must include instructions for use, including performance limitations, known risks, and conditions under which the AI may fail to perform as intended.
- Human oversight: High-risk systems must be designed to allow human oversight and intervention. This means implementing override mechanisms, ensuring that outputs are interpretable by human reviewers, and designing systems that can be paused, corrected, or disabled.
- Accuracy, robustness, and cybersecurity: Systems must achieve appropriate levels of accuracy for their intended purpose, be resilient against errors and inconsistencies, and include measures against adversarial attacks.
- Logging: Automatic logging of events sufficient to enable post-hoc monitoring, including at minimum the period of use, the database queried, input data matches, and the identity of persons involved in verification.
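As an added illustration (not code from the original article), the following sketches an append-only, hash-chained audit log whose record carries the minimum items the logging obligation names above; the class, field names and sample values are our own assumptions, and a real deployment would also need retention and access controls.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

# Hypothetical audit record for one high-risk AI decision. The fields mirror
# the Act's minimum logging items listed above; the names are our own.
@dataclass
class DecisionRecord:
    period_start: str          # when use of the system began (ISO 8601, UTC)
    period_end: str            # when use ended
    database_queried: str      # reference data set consulted
    input_match_ref: str       # identifier of the matched input, not raw data
    verifier_id: str           # natural person who reviewed the output
    model_output: str          # what the model proposed
    human_decision: str        # "accepted", "overridden" or "pending"
    prev_hash: str = ""        # link to the previous record (hash chain)
    entry_hash: str = ""       # hash of this record including prev_hash

def _digest(payload: dict) -> str:
    # Canonical JSON so the hash does not depend on field ordering.
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log; every record commits to the one before it."""

    def __init__(self) -> None:
        self.entries: list[DecisionRecord] = []

    def append(self, rec: DecisionRecord) -> DecisionRecord:
        rec.prev_hash = self.entries[-1].entry_hash if self.entries else "0" * 64
        body = asdict(rec)
        body.pop("entry_hash")
        rec.entry_hash = _digest(body)
        self.entries.append(rec)
        return rec

    def verify(self) -> bool:
        """Recompute the chain; False if any record was altered or removed."""
        prev = "0" * 64
        for rec in self.entries:
            body = asdict(rec)
            body.pop("entry_hash")
            if rec.prev_hash != prev or _digest(body) != rec.entry_hash:
                return False
            prev = rec.entry_hash
        return True
```

Writing the chain head to a separate, write-once store lets an auditor later confirm the log was not truncated.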
General-Purpose AI Model (GPAI) Obligations
The Act introduces specific obligations for providers of general-purpose AI models — the foundation models like GPT-5, Claude, and Gemini that power downstream applications. Since August 2025, GPAI providers must: maintain technical documentation, provide information to downstream deployers about the model's capabilities and limitations, comply with EU copyright rules, and publish a summary of training data used.
GPAI models classified as posing systemic risks face additional requirements. The threshold is based on the computing power used during training: currently set at models trained with more than 10²⁵ FLOPs. Models above this threshold must undergo model evaluation, adversarial testing (red-teaming), incident tracking and reporting, and implement adequate cybersecurity protections. This directly affects the largest frontier models from OpenAI, Google, Anthropic, and Meta.
Conformity Assessment and CE Marking
Before a high-risk AI system can be deployed in the EU, it must undergo a conformity assessment — a structured evaluation demonstrating that the system meets all applicable requirements. For most high-risk AI systems, conformity assessment is self-assessment: the provider conducts the assessment against the Act's requirements, maintains documentation, and issues an EU Declaration of Conformity. For AI systems in safety-critical domains already covered by existing EU product legislation (medical devices, machinery, aviation), conformity assessment may require third-party notified body involvement.
Systems that pass conformity assessment receive a CE marking and are registered in the EU database for high-risk AI systems before deployment. This database is publicly accessible, enabling market surveillance authorities to identify deployed high-risk systems.
Penalties for Non-Compliance
The EU AI Act penalties are structured by violation severity:
- Violations involving prohibited AI practices: Up to €35 million or 7% of global annual turnover, whichever is higher
- Non-compliance with requirements for high-risk systems, GPAI obligations, or other provisions: Up to €15 million or 3% of global annual turnover
- Providing incorrect, incomplete, or misleading information to authorities: Up to €7.5 million or 1.5% of global annual turnover
For large technology companies, these figures can reach billions of euros. The regulation also grants EU member states the ability to impose additional penalties at the national level, and allows individuals to seek redress through national courts when high-risk AI systems violate their rights.
The Global Regulatory Landscape
The EU AI Act is the most comprehensive AI regulation globally, but it operates within a broader international governance context:
United States: No comprehensive federal AI legislation as of 2026. The US approach is sectoral and agency-led: the FDA regulates AI in medical devices; the SEC addresses AI in financial markets; the FTC enforces consumer protection against deceptive AI; the EEOC monitors AI in employment decisions. Several states (California, Colorado, Illinois) have enacted targeted AI legislation. The result is a patchwork of sector-specific requirements that is more fragmented and less predictable than the EU's approach.
United Kingdom: Positioned as a pro-innovation alternative, the UK empowers existing regulators to apply five core AI principles (safety, transparency, fairness, accountability, contestability) rather than creating new AI-specific legislation. The UK's AI Safety Institute conducts technical evaluations of frontier models. This principles-based approach is designed for flexibility but provides less legal certainty than the EU's rules-based framework.
China: Has enacted targeted AI regulations addressing algorithmic recommendation systems, generative AI services, and deep synthesis (deepfakes). Generative AI services must ensure content aligns with "core socialist values" and must implement content moderation. These regulations emphasise content control and national security alongside more conventional data protection concerns.
The practical global compliance strategy is the "Brussels effect": build your AI governance framework to the EU AI Act standard (the highest applicable bar), then adapt for local requirements. Organisations achieving EU compliance are typically 80% of the way toward compliance in other jurisdictions. The EU AI Act is becoming the de facto global baseline — similar to how GDPR shaped global data privacy practice.
What Engineering Teams Should Do Now
The compliance process for engineering teams follows five steps:
- Inventory: Document all AI systems your organisation builds or uses. For each, identify the intended purpose, the data sources, and the decisions it influences.
- Classify: Apply the Act's four risk tiers to each system. Most are minimal risk. Flag any that touch employment, credit, education, law enforcement, critical infrastructure, biometrics, or safety.
- Gap analysis: For high-risk systems, compare current documentation, testing, and oversight mechanisms against the Act's requirements. Most gaps will be in technical documentation, logging, and human oversight mechanisms.
- Implementation: Build the required risk management system, update data governance processes, create technical documentation, implement logging, and add human oversight mechanisms. These are engineering tasks, not just policy tasks.
- Ongoing monitoring: The Act requires post-market monitoring. Establish automated monitoring for performance degradation, bias drift, and adverse events. Keep the documentation current as the system evolves.
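As an added example for the monitoring step (our own code, not the article's), a post-market check that compares per-group accuracy in a baseline window against a current window and raises alerts for degradation and for a widening gap between groups; the sample rows, group labels and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample outcomes: (group, predicted, actual). In production these
# rows would be drawn from the deployed system's decision logs.
BASELINE = [("A", 1, 1), ("A", 0, 0), ("A", 1, 1), ("A", 0, 0),
            ("B", 1, 1), ("B", 0, 0), ("B", 1, 1), ("B", 0, 0)]
CURRENT = [("A", 1, 1), ("A", 0, 0), ("A", 1, 1), ("A", 0, 0),
           ("B", 1, 0), ("B", 0, 1), ("B", 1, 1), ("B", 1, 0)]

def accuracy_by_group(rows):
    """Fraction of correct predictions for each group in the window."""
    hits, total = defaultdict(int), defaultdict(int)
    for group, pred, actual in rows:
        total[group] += 1
        hits[group] += int(pred == actual)
    return {g: hits[g] / total[g] for g in total}

def monitor(baseline, current, max_drop=0.10, max_gap=0.15):
    """Return alerts: per-group accuracy drops beyond max_drop, and a
    best-to-worst group gap in the current window beyond max_gap."""
    base, cur = accuracy_by_group(baseline), accuracy_by_group(current)
    alerts = []
    for g in sorted(cur):
        if g in base and base[g] - cur[g] > max_drop:
            alerts.append(f"degradation:{g}:{base[g]:.2f}->{cur[g]:.2f}")
    gap = max(cur.values()) - min(cur.values())
    if gap > max_gap:
        alerts.append(f"bias_drift:gap={gap:.2f}")
    return alerts
```

Each alert should be tied back to the adverse-event reporting path so it becomes part of the post-market record rather than a dashboard-only signal.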
The engineering reality is that high-quality AI systems — well-documented, rigorously tested, with clear failure modes and human oversight — align naturally with the Act's requirements. The compliance burden is primarily administrative for teams already following engineering best practices. For teams that have not been documenting their AI systems systematically, the Act provides a useful forcing function to do so.