What is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is the European Union's regulation governing artificial intelligence. It classifies AI systems into four risk tiers, unacceptable, high, limited and minimal, and imposes binding obligations that grow with the tier, with the strictest requirements on high-risk systems; general-purpose AI models are covered by a separate set of obligations. It applies to providers that place AI systems on the EU market or put them into service there, and to deployers that use them in the EU, regardless of where either organisation is established.

Overview

The EU AI Act is widely described as the first comprehensive law regulating artificial intelligence. It entered into force on 1 August 2024, and under the timetable set in the Regulation its obligations phase in: the prohibitions applied from 2 February 2025, obligations for general-purpose AI models from 2 August 2025, and most high-risk obligations from 2 August 2026, with those for AI embedded in products already covered by EU product safety law following in August 2027. It takes a risk-based approach: the obligations a system must meet scale with the risk it poses to health, safety and fundamental rights.

The four risk tiers

  • Unacceptable risk: prohibited practices, such as social scoring, manipulative or subliminal techniques that cause harm, biometric categorisation that infers sensitive attributes such as race or political opinions, and emotion recognition in workplaces and schools.
  • High risk: permitted but heavily regulated. Providers must operate a risk management system, apply data governance to training, validation and test data, maintain technical documentation and automatic logging, design for human oversight, meet accuracy, robustness and cybersecurity requirements, and pass a conformity assessment before placing the system on the market. The cybersecurity requirement explicitly covers resilience against data poisoning, model poisoning, adversarial examples and model evasion, and attacks on confidentiality, so a threat model and test evidence for those attack classes belong in the technical documentation. Deployers have their own duties, such as using the system according to its instructions, assigning human oversight and retaining the logs it produces.
  • Limited risk: transparency obligations, such as telling users they are interacting with an AI system and labelling deepfakes and other AI-generated content.
  • Minimal risk: no specific obligations beyond existing law; voluntary codes of conduct are encouraged.

Who it applies to

The Act applies extraterritorially. Providers are in scope when they place an AI system on the EU market or put it into service in the EU, wherever they are established; deployers are in scope when they are established or located in the EU; and both providers and deployers established outside the EU are in scope when the output their system produces is used in the EU.

How it relates to other frameworks

The EU AI Act is binding law. ISO/IEC 42001 (a certifiable AI management system standard) and the NIST AI RMF are voluntary frameworks; implementing either helps you build the risk management, documentation and governance processes the Act expects, but certification against them does not by itself establish compliance. Under the Act, conformity with harmonised standards adopted by the European standardisation bodies gives a presumption of conformity with the corresponding requirements; the voluntary frameworks do not.

Want to know where you stand against this framework?

Start an AI governance gap analysis →