The EU AI Act, Explained: What Founders Building AI Actually Need to Know

The EU AI Act is the world’s first comprehensive law governing artificial intelligence. It entered into force on 1 August 2024 (European Commission, 2024) and applies in phases through 2027 and beyond. If your product uses AI and is sold or used in the EU, it is in scope, even if your company sits in London, New York, or anywhere else.

Most explainers of this law are written by law firms, for law firms. They are exhaustive, cautious, and almost unusable if what you actually need to know is: does this apply to me, what does it require, and when do I have to care? This guide answers those three questions in plain English, written for founders who are building AI products rather than litigating them.

Key Takeaways

  • The EU AI Act entered into force on 1 August 2024 and applies in phases. Prohibited uses were banned in February 2025, general-purpose AI rules began in August 2025, and the heaviest high-risk obligations arrive across 2026 to 2028.
  • It sorts every AI system into one of four risk tiers. The tier, not the technology, decides your obligations.
  • The maximum penalty is €35 million or 7% of global annual turnover, whichever is higher, for using a banned AI practice.
  • It applies extraterritorially: a non-EU company selling AI into the EU is covered.
  • A 2025 simplification package, the Digital Omnibus, would postpone several high-risk deadlines. The Parliament and Council reached a provisional agreement on it in May 2026, but as of mid-2026 it is not yet formally adopted. Plan against the law as written and track the change.

What is the EU AI Act?

The EU AI Act (formally Regulation (EU) 2024/1689) is a horizontal regulation, which means it applies across every sector rather than to one industry. Its core idea is simple: the more harm an AI system could do, the more rules it has to follow. A spam filter and an AI system that screens job applicants are both AI, but the law treats them completely differently, because the consequences of getting it wrong are completely different.

This is the most important mental shift for a founder. The Act does not regulate “AI” as a single thing. It regulates AI systems by what they are used for and how much risk that use carries. The same underlying model can be unregulated in one product and high-risk in another. Your obligations come from your use case, not your tech stack.

The law is enforced by two layers: the new European AI Office inside the Commission, which oversees general-purpose AI models in particular, and national market surveillance authorities in each member state, which handle enforcement on the ground (European Commission, 2024).

The EU AI Act (Regulation (EU) 2024/1689) is a horizontal law that regulates AI systems by use case and risk level rather than by technology. The same model can be unregulated in one product and high-risk in another, because obligations flow from what the system is used for, not from the algorithm underneath it. It is enforced by the European AI Office and national authorities.

The four risk tiers (this is the part that decides everything)

The Act sorts every AI system into one of four risk categories. Finding your tier is the single most useful thing you can do, because the tier dictates the entire compliance burden.

1. Unacceptable risk (prohibited). A small set of uses are simply banned. These include social scoring by public authorities, manipulative systems that exploit vulnerabilities, and certain biometric categorisation and untargeted facial-recognition scraping. If your product does one of these, there is no compliance path. You stop. These prohibitions took effect on 2 February 2025 (artificialintelligenceact.eu, 2024).

2. High risk. This is the tier that carries real engineering weight. It covers AI used as a safety component of regulated products (medical devices, for example) and AI used in defined sensitive areas: recruitment, credit scoring, essential services, education, law enforcement, and critical infrastructure. High-risk systems must have risk management, data governance, detailed logging, human oversight, transparency, and a conformity assessment before they go to market. If your AI makes or materially influences decisions about people in these areas, assume you are here until proven otherwise.

3. Limited risk (transparency). Most ordinary AI features live here. The main obligation is honesty: tell people when they are interacting with an AI (a chatbot), and label AI-generated or manipulated content. This is a disclosure requirement, not an architecture overhaul.

4. Minimal risk. Everything else, which is the overwhelming majority of AI in software: spam filters, recommendation engines, AI in video games. No obligations under the Act.

Our take: In practice, the entire game for most founders is the line between limited risk and high risk. Build something in healthcare, hiring, or finance and you can cross that line without realising it, because the tier is about the decision the AI influences, not how clever the model is. We have seen teams assume they were building a transparency-tier feature and discover, after the architecture was set, that the use case was high-risk. That is a rebuild, not a disclosure. Map your tier before you design the data model.

When does the EU AI Act actually apply? The timeline

The Act did not switch on all at once. It phases in over several years, and the dates matter because they tell you how much runway you have.

EU AI Act: Phased Application Timeline

To put the phases in words:

  • 1 August 2024: the Act enters into force. The clock starts.
  • 2 February 2025: the bans on unacceptable-risk AI take effect, along with new AI-literacy obligations for organisations deploying AI.
  • 2 August 2025: the rules for general-purpose AI models (the large foundation models) and the main governance and penalty framework apply.
  • 2 August 2026: most high-risk obligations under Annex III (the sensitive use cases like hiring and credit) apply.
  • 2 August 2027: the high-risk rules for AI embedded in already-regulated products under Annex I (such as medical devices) apply.

(All dates from artificialintelligenceact.eu, 2024.)

The EU AI Act phases in over three years. Prohibited AI practices were banned on 2 February 2025, general-purpose AI obligations began on 2 August 2025, and the bulk of high-risk obligations were originally set for 2 August 2026 (Annex III use cases) and 2 August 2027 (AI inside regulated products like medical devices). The phased structure gives most products a defined, if shrinking, runway.

The Digital Omnibus: what changed in 2025, and what is still uncertain

Here is where an honest guide has to be careful. In November 2025, the European Commission published a simplification package known as the Digital Omnibus, partly in response to industry pressure that the high-risk deadlines were arriving faster than the supporting technical standards and guidance (White & Case, 2025). The Parliament and Council reached a provisional agreement on it in May 2026.

If adopted as agreed, the Omnibus would push several deadlines back. The high-risk obligations for Annex III use cases would move from August 2026 to December 2027, and the obligations for AI in regulated products like medical devices would move from August 2027 to August 2028 (Gibson Dunn, 2026). It would also add new prohibitions and shift some transparency deadlines.

The critical caveat, as of mid-2026: this is a provisional political agreement, not yet formally adopted or published in the Official Journal. Until it is, the dates in the original law remain the law. The responsible way to plan is to design against the statutory deadlines, treat any relief from the Omnibus as a bonus rather than a baseline, and re-check the status before you make a bet that depends on it.

From our experience: Regulatory timelines move, and the temptation is always to slow down when a deadline slips. That is usually the wrong instinct for a builder. The compliance work that matters (audit trails, data governance, monitoring) is good engineering regardless of the deadline, and it is far cheaper to build in now than to retrofit when the date arrives. We treat the deadline as a planning input, not as permission to defer the architecture. A postponed deadline is more time to do it properly, not a reason to skip it.

What does it cost to get this wrong?

The penalties are deliberately large enough to matter to a global company, and they scale with the severity of the breach.

Maximum EU AI Act Penalties (or % of global turnover)

The headline numbers, all from Article 99 of the Act (2024):

  • €35 million or 7% of total worldwide annual turnover, whichever is higher, for using a prohibited AI practice.
  • €15 million or 3% for breaching most other obligations, including the high-risk requirements.
  • €7.5 million or 1% for supplying incorrect, incomplete, or misleading information to authorities.

There is a meaningful nuance for smaller companies: for SMEs and start-ups, the fine is the lower of the fixed amount or the percentage, not the higher. The law is calibrated so that a global enterprise cannot treat a €35M cap as a rounding error, while a start-up is not instantly destroyed by the same headline figure. It is still not a number worth testing.

For context on why this scale of enforcement is credible, look at the precedent next door. Cumulative GDPR fines since 2018 have passed €7.1 billion (DLA Piper GDPR Fines Survey, via Kiteworks, 2026). EU data regulators have shown they will issue large fines, and the AI Act is built on the same enforcement philosophy.

The EU AI Act’s maximum penalty is €35 million or 7% of global annual turnover, whichever is higher, for prohibited AI practices, dropping to €15M/3% for other breaches and €7.5M/1% for misleading information (Article 99). For SMEs and start-ups the lower figure applies. The scale is credible because EU regulators have already issued over €7.1 billion in cumulative GDPR fines since 2018.

Does it apply to my company if I’m not in the EU?

Almost certainly, if you sell into the EU. The Act applies extraterritorially. It covers providers that place AI systems on the EU market regardless of where the provider is established, and it covers deployers located in the EU. It even reaches providers and deployers outside the EU when the output of their AI system is used in the EU.

In practical terms: a US healthcare AI startup with EU hospital customers is in scope. A UK fintech offering AI credit decisions to EU users is in scope. The “we’re not a European company” defence does not work, in the same way it did not work for GDPR. If EU users or EU outputs are part of your product, plan as if the Act applies, because it does.

What this means if you’re building an AI product right now

Strip away the legal detail and the practical playbook is short:

  1. Find your tier first. Before you design anything, work out which risk tier each AI feature falls into. This is a half-day exercise that determines the entire compliance burden. Getting it wrong is the expensive mistake.
  2. If you’re high-risk, the requirements are architectural. Risk management, data governance, logging, and human oversight are not documents you write at the end. They are properties of the system you have to design in from the start.
  3. Build the audit trail now, whatever your tier. The ability to reconstruct and explain an AI decision is the foundation of every high-risk obligation, and it cannot be added retroactively.
  4. Treat the timeline as runway, not relief. Deadlines may move with the Omnibus, but the engineering does not get easier by waiting. The cheapest compliant product is the one built compliant.

This is exactly the work we do: turning a regulatory map into an architecture, so the product passes audit because it was built to. If you want to see how that translates into a build, our companion guide on how AI helps with regulatory compliance covers the practical side, and our AI compliance service covers how we deliver it.

Frequently Asked Questions About the EU AI Act

When did the EU AI Act come into force?

The EU AI Act entered into force on 1 August 2024. It applies in phases: prohibited AI practices were banned on 2 February 2025, general-purpose AI rules began on 2 August 2025, and the main high-risk obligations were originally set for 2 August 2026 and 2 August 2027, though under the Digital Omnibus, a 2025 simplification package, the Parliament and Council have provisionally agreed to push some of those back.

What are the four risk levels of the EU AI Act?

The four tiers are: unacceptable risk (prohibited outright), high risk (heavy obligations including risk management, logging, and human oversight), limited risk (transparency and disclosure duties), and minimal risk (no obligations). Most ordinary software AI is minimal or limited risk. The high-risk tier is where the serious engineering requirements live.

What is the maximum fine under the EU AI Act?

The maximum fine is €35 million or 7% of total worldwide annual turnover, whichever is higher, for using a prohibited AI practice. Other breaches carry up to €15 million or 3%, and supplying misleading information carries up to €7.5 million or 1%. For SMEs and start-ups, the lower of the fixed amount and the percentage applies.

Does the EU AI Act apply to companies outside the EU?

Yes. The Act applies extraterritorially. It covers any provider that places an AI system on the EU market, any deployer located in the EU, and even non-EU providers when their system’s output is used in the EU. A non-EU company selling AI into the EU is in scope.

What is the Digital Omnibus and did it delay the AI Act?

The Digital Omnibus is a simplification package the European Commission proposed in November 2025, with a provisional Parliament-Council agreement reached in May 2026. If formally adopted, it would postpone several high-risk deadlines (for example moving Annex III obligations to December 2027 and medical-device AI obligations to August 2028). As of mid-2026 it is not yet formally adopted, so the original statutory deadlines remain the legal baseline until that changes.

The bottom line

The EU AI Act is large, but the part that matters to a builder is small and clear:

  • Your risk tier decides everything. Find it before you build, because the tier, not the technology, sets your obligations, and crossing into high-risk after the architecture is set means a rebuild.
  • The serious obligations are architectural. Audit trails, data governance, logging, and human oversight are designed in, not documented after, which is why compliance is now a build decision rather than a paperwork task.
  • Timelines move, but the engineering doesn’t get easier. Whether the deadline is 2026 or 2028, the cheapest compliant product is the one built compliant from day one.

If you’re building an AI product for a regulated industry and want to know exactly which obligations apply and how to design for them, book a free compliance scoping call. We’ll map your risk tiers and tell you honestly what your build actually needs.

Máté Várkonyi

Co-founder of VeryCreatives