Navigate compliance and reduce risk around artificial intelligence
The EU AI Act ushers in a new era of global accountability for AI use. As strategic advisors, lawyers must engage early and often with cross-functional partners such as compliance, data science, and product teams. With the right tools and information, counsel can manage compliance and reduce risk. Bloomberg Law offers comprehensive news, analysis, guidance, and tool kits to help legal teams position their organizations for success.
Resources for attorneys to lead on EU AI Act compliance
The world’s first legally binding AI framework is here – and its mandates are far-reaching.
Passed by the European Parliament in March 2024 after three years of negotiations, the Artificial Intelligence Act (EU AI Act) establishes the first comprehensive regulatory regime for artificial intelligence. Although enforcement across the EU rolls out in phases, some provisions take effect earlier and already carry penalties. Most core compliance obligations will be mandatory by August 2, 2026.
The EU AI Act is far more expansive than prior digital regulations. And it spans the entire AI value chain – from providers to authorized representatives – with relevance to companies even outside the EU.
To deliver an effective response, legal teams must ensure AI compliance is built into operations from the start, much like the “privacy by design” principles of the GDPR. It’s a tall order, but also a defining opportunity for legal teams.
With the right preparation and tools, counsel can help organizations reduce risk – and gain a competitive edge. Bloomberg Law’s comprehensive collection of practical guidance on the EU AI Act is designed to help lawyers navigate the complexities of the law and its impact on their organizations – from obligations and risk assessment to compliance and M&A considerations.
Bloomberg Law further helps legal teams save time, reduce costs, and stay ahead. Our AI-powered research tools, trusted news, and expert guidance give you everything you need to respond faster and work more efficiently.
What is the EU AI Act and who does it apply to?
The EU AI Act defines an AI system as software that uses techniques like machine learning to process data and generate outputs – such as predictions, content, or decisions – that can influence people, services, or environments.
In terms of applicability, the law has extraterritorial reach: It applies not only to companies in the EU, but also to companies whose AI systems are used in the EU or whose outputs are directed at EU users.
Advancing a shared responsibility model (as outlined in the regulation’s Article 25), the act assigns obligations across the AI value chain, which comprises the following entities:
- Providers, based in or outside the EU, who develop AI systems or general-purpose AI models for the EU market
- Deployers, who use AI systems in the EU, whether they are EU-based or not, if the outputs affect users in the EU
- Distributors, who make AI systems available in the EU without being the original provider or importer
- Importers, who place AI systems on the EU market under their own name or on behalf of a non-EU company
- Product manufacturers, who integrate AI systems into products – such as medical devices – placed on the EU market
- Authorized representatives, who must be appointed by non-EU providers to serve as their official contact in the EU and ensure compliance with the AI Act
When does the EU AI Act go into effect?
The EU AI Act took effect in August 2024, with enforcement rolled out in phases.
By February 2025, bans on prohibited AI practices – such as social scoring and manipulative biometric systems – entered into force, along with a requirement for providers and deployers to begin ensuring a “sufficient level” of AI literacy among staff and relevant personnel.
In May 2025, the European Commission published a voluntary code of practice for providers of general-purpose AI (models designed for broad, cross-sector use). The code also addresses general-purpose AI models with systemic risks, referring to those that could cause widespread harm if misused.
Here are some key milestones attorneys should track:
- August 2, 2025: Rules for general-purpose AI models take effect for any models not already on the market, and EU member states must designate enforcement authorities and communicate penalty frameworks by this date.
- August 2, 2026: Most core obligations take effect, including for high-risk AI in areas such as hiring, health care, and education – categories defined under Article 6. Regulators are still expected to clarify this provision, which sets the criteria for classifying AI systems as high-risk.
- August 2, 2027: The grace period for current AI systems ends. By then, providers of general-purpose AI models already on the market before August 2, 2025, must comply. The law also covers high-risk AI systems embedded in products, such as toys and radio equipment, where those products are subject to third-party conformity assessments under existing EU legislation.
- December 31, 2030: AI used in large-scale IT systems placed on the market before August 2, 2027, must also comply with the AI Act.
Beyond these core timelines, further implementation measures are underway: Between 2025 and 2027, the European Commission will issue secondary legislation to clarify compliance.
During this period, the EU will release further harmonized standards – developed by European standards organizations (CEN, CENELEC, and ETSI, specifically) – to translate broad regulatory requirements into concrete technical specifications in areas such as data governance, transparency, and human oversight. Adhering to these standards gives companies a “presumption of conformity” with the EU AI Act.
Finally, while the EU AI Act applies across all industries and is not sector-specific, it imposes stricter rules based on the level of risk associated with how AI is used.
How are AI systems classified under the act?
The EU AI Act classifies AI systems into four risk categories, based on intended purpose and potential impact: unacceptable risk, high risk, limited risk, and minimal risk. These categories drive legal obligations for entities across the AI value chain.
1. Unacceptable risk
AI systems deemed unacceptable risk are completely banned under the EU AI Act. These include systems that manipulate people’s behavior, take advantage of vulnerable groups, or use biometric data to guess sensitive traits like race. Also banned are real-time facial recognition systems used in public spaces by law enforcement; systems that rank people based on behavior or personality (known as social scoring); and AI that tries to detect emotions in schools or workplaces.
2. High risk
High-risk AI systems are not banned, but they are the most heavily regulated under the EU AI Act. They’re considered high risk because they can significantly impact people’s safety, rights, or access to services. Examples include AI used for biometric identification, emotion recognition, and categorization; safety systems in critical infrastructure; and education-related AI that may affect someone’s academic or career path. Other cases include AI for hiring, managing workers, credit scoring, insurance pricing, and tools used in legal processes, such as drafting court rulings.
High-risk classification under the AI Act is governed by Article 6. This determination is based on an AI system’s intended purpose and its potential impact on individuals, with Annex III listing specific high-risk use cases. Further guidance from the European Commission is expected by early 2026 to support consistent implementation.
3. Limited risk
Limited-risk AI systems interact directly with people – for example, chatbots or tools that create synthetic content like deepfakes.
4. Minimal risk
Minimal-risk AI systems cover applications – such as AI in video games or spam filters – that do not fall into the other risk categories.
How are general-purpose AI models classified?
General-purpose AI models (GPAIs), such as large language models, fall outside the act’s four-tier risk structure. When the act was first proposed in 2021, GPAIs were not addressed, as the technology was still emerging. With the rise of tools like ChatGPT, lawmakers later introduced a separate framework to account for their role. Because GPAIs can be built into many types of AI systems, they can fall under any of the four risk categories – depending on how they’re used. They also carry their own distinct set of obligations, particularly if deemed to pose systemic risk.
What are the compliance obligations for each risk category?
The core principle of the EU AI Act is straightforward: The higher the risk, the stricter the rules. Accordingly, compliance obligations increase with the potential impact of an AI system.
Here’s what’s required at each risk level:
Unacceptable-risk: These AI systems are strictly prohibited in the EU. These bans became enforceable on February 2, 2025, roughly six months after the regulation took effect.
High-risk: These AI systems must implement a quality management system aligned with Article 17, register in the EU’s public database, and, if based outside the EU, appoint an EU representative. These systems also require conformity assessments before entering the EU market and ongoing monitoring after deployment. In all, providers must manage risks, use high-quality training data, and maintain detailed records along with transparency measures to inform users.
Limited-risk: These AI systems have basic transparency rules. Users must be informed – through labels, notices, or other clear messages – when they’re interacting with an AI system, such as a chatbot or when content like a deepfake has been created or manipulated by AI.
Minimal-risk: These AI systems, like spam filters or AI in video games, aren’t subject to strict rules under the EU AI Act. However, providers are encouraged to follow voluntary codes of conduct or best practices suggested by industry groups or the European Commission.
General-purpose AI: GPAIs face distinct obligations under the act. Models trained with less than 10 septillion floating point operations (10²⁵ FLOPs) must provide documentation and summaries of their training data. Those exceeding that threshold are presumed to pose systemic risk and must implement risk management steps like model evaluations.
What are the operational and legal risks of noncompliance?
The EU AI Act, which sets penalties significantly higher than prior European digital laws, imposes a tiered system of fines that escalate with the severity of the violation.
The most serious breaches – such as using banned AI practices like social scoring – can result in fines of up to 35 million euros or 7% of global annual turnover, whichever is higher.
Governance failures involving high-risk AI systems – such as skipping conformity assessments – can trigger fines of up to 15 million euros or 3% of global annual turnover.
GPAI model providers that fail to meet obligations – such as withholding technical documentation – face penalties of up to 10 million euros or 2% of global annual turnover.
Lower-level violations, such as incomplete or misleading reporting, may incur fines of up to 7.5 million euros or 1% of global annual turnover.
Echoing the idea that AI governance is a shared responsibility across both private and public sectors, EU institutions and agencies are also subject to enforcement – with fines of up to 1.5 million euros for using prohibited AI systems and up to 750,000 euros for other violations.
The task of determining penalties will fall to national supervisory authorities. Accordingly, enforcement follows a decentralized model: Each EU member state will appoint an authority to oversee local compliance, while the European AI Office will support consistency across the EU.
In addition to regulatory fines, organizations may face legal claims under product liability rules, employment laws, or fundamental rights protections if AI systems cause harm or discrimination. These risks apply across the AI value chain: providers, deployers, importers, and distributors.
What should attorneys advise for compliance readiness?
The AI Act introduces distinct obligations that go beyond existing digital regulations. As a result, organizations must treat AI compliance as a standalone effort, with its own processes.
Attorneys should first advise clients to conduct an AI system inventory and classification exercise: Identify all AI systems across the organization – from internal to third-party applications – and classify each under the act’s four-tier risk framework. Organizations that leverage GPAI must also assess whether those models fall under GPAI-specific obligations. Furthermore, clients must identify their role in the AI value chain and their EU nexus.
With this foundational insight, legal teams should next review AI governance frameworks, including human oversight protocols. Within vendor management and procurement contracts, organizations should ensure agreements require compliance with the EU AI Act. They must also align data governance and data protection impact assessments (DPIAs) with the GDPR, as many high-risk AI systems process personal data and trigger overlapping obligations.
Next, it’s important to conduct AI risk assessments and compliance gap analyses. Assess each system’s risk level and potential impact. Review how internal records are handled, then compare current practices against the AI Act’s requirements. Thereafter, close any compliance gaps.
With this clear snapshot, implement staff training on AI ethics and regulatory obligations, in keeping with the act’s call for AI literacy across staff and industry partners. Training should be role-specific – for example, legal guidance for counsel and practical instruction for product teams. Assign oversight to an entity, such as a compliance officer, to keep literacy on track.
How does the EU AI Act intersect with the GDPR, DSA, and other EU digital laws?
The EU AI Act doesn’t operate in isolation – it intersects with other major EU digital regulations.
Since the GDPR took effect in 2018, EU lawmakers have introduced additional regimes, including the Data Governance Act (effective 2023), the Digital Markets Act (2023), the Digital Services Act (2024), and the upcoming Data Act (effective September 2025). Together, these frameworks raise critical questions about legal precedence and compliance across regimes.
Here’s a look at some of these frameworks – and how they interact with the EU AI Act.
GDPR and the AI Act
Organizations must navigate overlapping obligations under the GDPR and the EU AI Act – a task that becomes especially tricky when conducting data protection impact assessments.
A core tension arises in the handling of sensitive personal data, such as race or health status. Under GDPR (Article 9, specifically), processing such data requires a clear legal basis, such as explicit consent or a substantial public interest. By contrast, Article 10(5) of the EU AI Act permits its use when “strictly necessary” to detect or correct bias in high-risk AI systems.
This regulatory gap creates uncertainty over which legal standard governs. For now, GDPR remains the governing framework. That means organizations must still identify a valid Article 9 basis – even when the goal is to reduce algorithmic bias or inaccuracies in AI systems.
DSA and the AI Act
The Digital Services Act (DSA) and the EU AI Act operate as parallel regulatory regimes. Yet, each addresses digital risk from a different angle.
The DSA categorizes obligations by service type and platform scale, with the strictest requirements for very large online platforms (VLOPs). The DSA also applies to all regulated providers – regardless of AI use – and requires the mitigation of systemic risks, including harm to public welfare. Meanwhile, the AI Act classifies AI systems into four risk categories, with stricter requirements for higher-risk systems, and ties “systemic risk” specifically to GPAI models.
While the DSA governs platform operations, and the AI Act regulates how AI is deployed, both impose transparency obligations. As a result, platforms using AI in customer-facing functions – such as automated content moderation – may face dual compliance with both regulations.
NIS2 and the AI Act
The EU’s updated Network and Information Security Directive (NIS2) significantly raises the bar for cybersecurity governance, with stricter requirements for management accountability, supply chain risk oversight, and incident reporting. Enforcement is also significant: Essential entities face fines of up to 2% of global annual turnover; for important entities, fines are up to 1.4%.
For legal teams, it’s crucial to view NIS2 and the EU AI Act as distinct, not interchangeable. NIS2 does not mandate “explainability” – informing users how automated decisions are reached. That duty lies with the EU AI Act, which mandates user rights, particularly for high-risk systems.
These different requirements make a multilayered compliance strategy critical – one that meets the demands of both cybersecurity resilience and responsible AI governance.
A complete tool kit for EU AI compliance from Bloomberg Law
Bloomberg Law’s comprehensive collection of practical guidance on the EU AI Act is designed to help lawyers navigate the complexities of the law and how it impacts their organizations. The resources include overviews, compliance checklists, sample vendor compliance clauses, law comparisons, and more.
This guidance helps companies and legal teams understand and comply with the act’s requirements, manage cross-border regulatory risk, handle AI in M&A dealmaking, and carry out risk assessment and mitigation.
Request a demo of Bloomberg Law to get started with actionable insights and tools.