What are the risk categories under the EU AI Act?

The EU AI Act introduces a tiered system to classify AI systems based on the potential harm they could cause. Here’s how the four levels break down:

1. Unacceptable risk – Banned outright

These AI systems pose a clear threat to fundamental rights, safety, and democracy. Examples include:

• Social scoring systems  
• Manipulative or exploitative AI targeting vulnerable groups
• Real-time biometric identification in public spaces (with very limited exceptions)

These systems are explicitly prohibited under the regulation.

2. High-risk – Strict regulations

This category includes AI systems with the potential to significantly impact individuals’ lives or public safety. High-risk systems include:

• AI used in hiring or assessing job candidates
• Biometric identification and facial recognition technologies
• AI in critical infrastructure sectors (e.g., transportation, energy, healthcare)
• Educational tools used for assessment or scoring
• AI systems used in law enforcement or border control

If your AI system falls into one of these domains, you must meet detailed requirements for risk management, documentation, and human oversight.

3. Limited risk – Transparency requirements

These AI systems are generally permitted but must be used with proper disclosure. For example:

• Chatbots that simulate human interaction
• AI-generated media, avatars, or virtual influencers
• Emotion recognition systems used in non-critical contexts

The key requirement is transparency: You must inform users they’re interacting with AI or consuming AI-generated content.

4. Minimal risk – No obligations

These are AI systems with limited impact on rights or safety. Examples include:

• Spam filters
• Product recommendation engines
• AI-enhanced entertainment or video games

While no mandatory obligations apply, the EU encourages voluntary codes of conduct and best practices. 

Which compliance requirements do you need to fulfill? 

Compliance under the EU AI Act depends on how your AI system is classified. If your AI is considered high-risk, you must meet a whole set of requirements before bringing it to market or deploying it internally.   

Key obligations for high-risk AI systems 

Here’s a breakdown of what you’ll need to put in place if your system falls into the high-risk category: 

• Risk management: Implement a documented, continuous risk management process that spans the entire lifecycle of the AI system, from design to deployment and beyond 
• Data governance: Ensure the datasets used are relevant, representative, free from bias, and managed in a way that supports fairness and accuracy 
• Technical documentation: Provide clear, detailed technical files that describe the system’s design, intended purpose, performance metrics, and risks 
• Transparency and explainability: Ensure users and regulators understand how your AI works, including its logic, limitations, and intended outcomes. This also includes clear usage instructions and documentation for deployers 
• Human oversight: AI shouldn’t operate unchecked. Assign qualified personnel to supervise and override AI outputs if needed 
• Post-market monitoring: You’re not off the hook after deployment. You must have a strategy for monitoring performance, detecting failures, and reporting serious incidents 

What about low-risk AI systems? 

Even if your AI is low or limited risk, you’re not entirely exempt. For instance, if you use a chatbot or generate synthetic content, you must inform users they’re interacting with AI—a core part of the Act’s transparency obligations.

Who needs to comply?  

The EU AI Act applies to a broad range of parties involved in the supply chain of AI systems, both within and outside the EU. Specifically, it applies to:

• Providers: Organizations that develop an AI system or place it on the EU market under their own name or brand. This includes in-house development or significant modification of third-party systems
• Deployers: Companies or institutions that use AI systems in the course of their professional activities, whether internally (e.g., HR, finance) or externally (e.g., customer service)
• Importers: Entities that import AI systems developed outside the EU for sale or use within the EU
• Distributors: Organizations that make AI systems available on the EU market without modifying them or assuming provider responsibilities
• Non-EU organizations: Any company (regardless of location) that offers AI systems to users in the EU or whose systems affect individuals within the EU market

So whether you're building from scratch, integrating off-the-shelf models, or using third-party AI within your organization, you have regulatory responsibilities to meet. 

What is the timeline for the implementation of the EU AI Act?  

Timing matters—not all rules kick in at once. Here’s the current rollout schedule:

Key dates to remember:

• August 1, 2024: The AI Act officially enters into force
• February 2, 2025: Bans on prohibited AI systems and AI literacy obligations come into effect
• August 2, 2025: Requirements for general-purpose AI models and AI governance structures begin
• August 2, 2026: Most other obligations, including those for high-risk AI systems, become enforceable
• August 2, 2027: Extended transition period ends for high-risk AI systems embedded in already-regulated products (e.g., medical devices, cars)

If you’re developing or using high-risk AI systems, now is the time to assess your exposure, align processes, and prepare technical documentation to ensure readiness when enforcement begins.

What are the fines for non-compliance with the EU AI Act?

The EU AI Act has a tiered penalty system based on the severity of the violation:

• Prohibited AI: up to €35 million or 7% of the organization’s total worldwide annual turnover, whichever is higher
• Non-compliance with other obligations (e.g., failing to implement oversight or documentation): up to €15 million or 3% of global turnover  
• Supplying incorrect or misleading information: up to €7.5 million or 1% of global turnover

The EU AI Act allows for proportionate penalties for SMEs and startups, but that doesn't mean leniency. All organizations are expected to take compliance seriously, regardless of size. 

How does the EU AI Act differ from GDPR? 

You might be wondering how the EU AI Act connects to the GDPR, especially since many AI systems process personal data. While the two regulations often intersect, they each serve distinct purposes.

The EU AI Act is focused on artificial intelligence systems and models. Its goal is to ensure that AI technologies operate safely, transparently, and in alignment with fundamental rights. It applies to all AI systems, regardless of whether they process personal data. The Act introduces a risk-based framework that includes requirements for risk management, technical documentation, and human oversight.

By contrast, the GDPR is centered on protecting personal data and individual privacy. It governs how personal data is collected, used, stored, and shared and applies only in cases involving such data. It focuses on ensuring that data processing is lawful, fair, and transparent.

The two frameworks often overlap in practice—particularly when high-risk AI systems involve biometric identification, surveillance, or behavioral profiling. In these cases, organizations must ensure that their AI practices comply with both sets of requirements.

Ultimately, the EU AI Act and GDPR are complementary. If your AI systems handle personal data, especially sensitive categories like biometrics, you must align with both regulations to meet legal obligations and build trust with users and regulators.

Next steps: Achieve compliance with the EU AI Act 

Adapting to the EU AI Act is more than a checkbox exercise. It’s an opportunity to strengthen your governance practices and build AI systems that are transparent, trustworthy, and future-ready. Taking a structured approach now can save significant time, effort, and risk down the line.

Why a strategic approach matters

The EU AI Act isn’t something you can tackle overnight. With its layered risk classifications, extensive documentation requirements, and phased rollout of obligations, the regulation introduces a level of complexity that demands foresight. Waiting until the last minute to react to deadlines can leave your teams scrambling, increasing the likelihood of compliance gaps, operational delays, or fines.

That’s why a strategic approach is essential. By mapping your AI use cases, identifying high-risk systems, and building a phased implementation plan, you can stay ahead of requirements and minimize the risk of penalties. A clear strategy helps you break the regulation into manageable steps, assign responsibilities across teams, and build internal readiness at a sustainable pace.

How DataGuard helps you operationalize EU AI Act requirements

DataGuard helps organizations turn regulation into action. From day one, you gain access to pre-built workflows and templates that break down the EU AI Act’s 100+ pages into 50 clearly defined, actionable requirements. 

Our AI-specific risk assessments help you navigate the nuanced obligations across risk tiers, while policy templates and awareness training ensure your team is fully equipped. And as regulations evolve, you’ll stay ahead with expert-led updates and insights—so you remain compliant with confidence.

To learn more, book a call with one of our experts.