On August 1, 2024, the European Union's AI Act — the world's first comprehensive AI regulation — officially entered into force. By February 2025, the first provisions became enforceable. If you're building anything with AI, whether you're in Europe or not, this law will affect you. Here's what you actually need to know, stripped of the legal jargon and panic.
The Risk-Based Framework
The AI Act doesn't regulate "AI" as a single category. It classifies AI systems by risk level, and each level comes with different obligations:
Unacceptable risk (banned): Social scoring systems by governments. Real-time biometric surveillance in public spaces (with narrow exceptions for law enforcement). AI that manipulates people's behavior in ways that cause harm. Emotion recognition in workplaces and schools.
High risk (heavily regulated): AI used in hiring and recruitment. Credit scoring and insurance. Medical devices. Law enforcement and border control. Critical infrastructure management. Educational assessment and grading. These systems must meet strict requirements for data quality, documentation, human oversight, accuracy, and robustness.
Limited risk (transparency required): Chatbots must disclose that users are interacting with AI. AI-generated content must be labeled. Deepfakes must be clearly identified.
Minimal risk (no specific obligations): Spam filters, AI in video games, inventory management. The vast majority of AI applications fall here.
The General-Purpose AI Rules
The most debated provisions target "general-purpose AI models" — meaning foundation models like GPT-4, Claude, Gemini, and Llama. All GPAI providers must:
- Maintain technical documentation about how the model was trained
- Provide information to downstream deployers so they can comply with the Act
- Comply with EU copyright law (specifically the text and data mining opt-out)
- Publish a sufficiently detailed summary of training data
Models deemed to pose "systemic risk" — roughly, any model trained with more than 10^25 FLOPs of compute — face additional obligations including adversarial testing, incident reporting, and cybersecurity measures.
What This Means If You're a Developer
If you're building applications on top of foundation models (which is most AI developers right now), your obligations depend on what you're building:
Building a chatbot? You need to tell users they're talking to AI. That's about it.
Building a hiring tool? You're in high-risk territory. You need a conformity assessment, detailed documentation, human oversight mechanisms, and ongoing monitoring. This isn't trivial.
Building an AI feature for a consumer app? Probably minimal risk, but you should document what you're doing in case the classification is challenged.
The key principle: the developer who deploys the AI system in a high-risk context bears the compliance burden, not the model provider. If you use GPT-4 to build a medical diagnostic tool, OpenAI's compliance doesn't cover you. You need your own.
The Global Ripple Effect
The EU AI Act matters beyond Europe for the same reason GDPR did: the "Brussels effect." Any company serving EU customers must comply. And once you've built compliance into your product for Europe, you tend to apply the same standards everywhere — it's cheaper than maintaining separate versions.
California, Canada, Brazil, and several other jurisdictions are drafting AI regulations heavily influenced by the EU's approach. The AI Act is becoming the de facto global template, whether the rest of the world likes it or not.
The Enforcement Question
A law is only as strong as its enforcement. The AI Act imposes fines up to 35 million euros or 7% of global annual turnover — significantly higher than GDPR. But GDPR enforcement was slow and uneven, and there's reason to expect similar challenges with AI regulation. The newly established EU AI Office has limited staff, and the technical complexity of auditing AI systems far exceeds anything regulators have dealt with before.
For now, the smart move for developers is straightforward: know which risk category your application falls into, document your decisions, implement human oversight where required, and keep an eye on enforcement actions as they start rolling in.