The EU AI Act is the world's first comprehensive horizontal AI law. It entered into force on August 1, 2024, but its obligations apply on a staggered schedule that runs through August 2027. The provisions most relevant to US companies, prohibited practices, general-purpose AI (GPAI) rules, and high-risk system obligations, apply from 2025 and 2026.
This guide explains what the EU AI Act actually requires, who it applies to, the four risk tiers, the fines, and what US-based companies must do to comply when offering AI products or services in the European Union.
EU AI Act Timeline: When Each Provision Applies
The Act's obligations are phased in over three years from the August 1, 2024 entry into force. The key milestones:
| Date | What Applies | Status |
|---|---|---|
| Aug 1, 2024 | Regulation entered into force | Enacted |
| Feb 2, 2025 | Prohibited AI practices (Article 5) and AI literacy duties (Article 4) apply | In force |
| Aug 2, 2025 | GPAI model obligations, governance bodies, penalty regime (Articles 53, 99) apply | In force |
| Aug 2, 2026 | General application date — most high-risk AI system rules apply | Upcoming |
| Aug 2, 2027 | High-risk rules apply to AI components of products already regulated by EU product safety legislation (Annex I) | Upcoming |
Primary source: Regulation (EU) 2024/1689 (EUR-Lex).
The Four Risk Tiers
The Act takes a risk-based approach. Every AI system used or placed on the market in the EU falls into one of four tiers, and the obligations scale with the risk level.
Tier 1: Unacceptable Risk — Prohibited (Article 5)
Banned outright since Feb 2, 2025. These uses are prohibited regardless of who deploys them:
- Subliminal, manipulative, or deceptive techniques that materially distort behavior and cause significant harm.
- Exploitation of vulnerabilities of specific groups (age, disability, socio-economic status) causing significant harm.
- Social scoring of natural persons or groups (by public or private actors) based on social behavior or personal characteristics, where the score leads to detrimental or unfavorable treatment in contexts unrelated to where the data was generated, or treatment that is unjustified or disproportionate.
- Real-time remote biometric identification in publicly accessible spaces by law enforcement (narrow exceptions for serious crimes).
- Predictive policing based solely on profiling of natural persons.
- Untargeted scraping of facial images from the internet or CCTV to build facial recognition databases.
- Emotion recognition in workplaces and educational institutions (with medical and safety exceptions).
- Biometric categorization to deduce race, political opinions, trade-union membership, religion, sex life, or sexual orientation.
Tier 2: High Risk (Articles 6–49)
Strict compliance from Aug 2, 2026 for Annex III systems (Aug 2, 2027 for Annex I product components). AI systems are "high-risk" if they are either (a) safety components of products, or products themselves, already covered by EU harmonized product safety legislation in Annex I (medical devices, machinery, toys, etc.) or (b) listed in Annex III, which covers:
- Biometric identification and categorization of natural persons.
- Critical infrastructure management (water, gas, electricity, traffic).
- Education and vocational training (admissions, scoring, proctoring).
- Employment, workers management, and access to self-employment (recruitment, evaluation, promotion, termination).
- Access to and enjoyment of essential private and public services (credit scoring, life and health insurance risk assessment and pricing, public benefits eligibility, emergency call dispatch and triage).
- Law enforcement (risk assessment of individuals, lie detectors, evidence reliability).
- Migration, asylum, and border control.
- Administration of justice and democratic processes.
High-risk providers must establish a risk management system, ensure training data governance, maintain technical documentation, enable record-keeping (logging), provide transparency to deployers, ensure human oversight, and meet accuracy, robustness, and cybersecurity standards. They must complete a conformity assessment before placing the system on the market (for most Annex III categories a self-assessment under internal control; certain biometric systems and Annex I products require a notified body), affix the CE marking, and register Annex III systems in the EU database (Article 49).
Tier 3: Limited Risk — Transparency Obligations (Article 50)
Applies from Aug 2, 2026. Lower-stakes systems with specific transparency duties:
- AI systems interacting with natural persons must disclose that they are AI (unless obvious from context).
- Emotion recognition and biometric categorization systems must inform exposed individuals.
- Deepfakes and AI-generated text on matters of public interest must be labeled as artificially generated.
- Providers of AI systems that generate synthetic audio, image, video, or text (including GPAI systems) must mark their outputs as artificially generated in a machine-readable, detectable format.
Tier 4: Minimal Risk
No mandatory obligations. The vast majority of AI uses (spam filters, AI-enabled video games, recommendation systems on small platforms) fall into this tier. Providers are encouraged to adopt voluntary codes of conduct but face no Act-specific requirements.
General-Purpose AI (GPAI) Models — Article 53
GPAI obligations are the part of the Act most likely to affect US foundation model developers — OpenAI, Anthropic, Google, Meta, Mistral, and others. These obligations applied from August 2, 2025.
All GPAI providers must:
- Maintain up-to-date technical documentation about the model.
- Provide information and documentation to downstream providers building systems on the model.
- Establish a policy to comply with EU copyright law.
- Publish a sufficiently detailed summary of training content.
GPAI models with "systemic risk" (presumed where cumulative training compute exceeds 10^25 FLOP, a threshold the Commission can adjust, or where the Commission designates the model) face additional obligations under Article 55: model evaluations including adversarial testing, systemic-risk assessment and mitigation, serious incident tracking and reporting to the AI Office, and state-of-the-art cybersecurity protections for the model and its physical infrastructure.
Primary source: European Commission — AI regulatory framework.
Fines and Enforcement
The penalty regime mirrors GDPR's structure and is among the strictest in any digital regulation worldwide. Penalties scale with the severity of the violation and the size of the offender:
| Violation Type | Maximum Fine |
|---|---|
| Prohibited AI practices (Article 5) | €35 million or 7% of worldwide annual turnover, whichever is higher |
| Other violations (high-risk obligations, transparency, GPAI, etc.) | €15 million or 3% of worldwide annual turnover, whichever is higher |
| Supplying incorrect, incomplete, or misleading information | €7.5 million or 1% of worldwide annual turnover, whichever is higher |
For SMEs and start-ups, the lower of the two amounts applies. Enforcement is shared between national market surveillance authorities and the European AI Office for GPAI matters.
Who Must Comply — Extraterritorial Scope
The Act applies to (Article 2):
- Providers placing AI systems on the EU market or putting them into service in the EU, regardless of where the provider is established.
- Deployers of AI systems located in the EU.
- Providers and deployers outside the EU when the output of the AI system is used in the EU.
- Importers, distributors, and authorized representatives.
The output rule is the broadest extraterritorial trigger. A US SaaS company whose model produces outputs consumed by an EU user can fall within scope even without a European office. Non-EU providers must appoint an EU-based authorized representative before placing a high-risk system on the EU market (Article 22); non-EU providers of GPAI models must do the same (Article 54).
EU AI Act vs US State AI Laws
The biggest practical difference for US companies is structure. The EU AI Act is one horizontal regulation that classifies AI systems by risk and assigns obligations based on that classification. US state laws are sector-specific (hiring, healthcare, insurance), narrow (deepfakes, chatbots, watermarking), or sub-national (California, Colorado, Texas, New York).
The closest US analog is Colorado's AI Act (SB 24-205), which uses a risk-management framework for "high-risk AI systems" and takes effect June 30, 2026. California's stack — SB 53 (frontier AI), AB 2013 (training data), SB 942 (watermarking), CCPA ADM regulations — covers many of the same surfaces piecemeal. New York's RAISE Act mirrors California SB 53.
For a direct side-by-side, see our EU AI Act vs US State Laws compliance crosswalk.
What US Companies Should Do Now
- Inventory every AI system that touches an EU user, employee, customer, or output. Map each one to a risk tier.
- Confirm nothing falls within Article 5. Prohibited practices have been live since February 2025; existing systems used for things like emotion recognition in the workplace must be retired or restructured immediately.
- For GPAI use or development, check your contract chain. If you are a deployer building on a foundation model, the provider should be supplying technical documentation, training-data summaries, and copyright-policy statements under Article 53. Get those in writing.
- For high-risk systems, start conformity assessment work now. The August 2, 2026 date is binding. Documentation, risk management, post-market monitoring, and CE marking processes typically take 6–12 months.
- Appoint an EU-based authorized representative if you are a non-EU provider of a high-risk system.
- Train staff on AI literacy (Article 4 obligation since February 2025).
Sources and Further Reading
- Regulation (EU) 2024/1689 — Official Journal (EUR-Lex)
- European Commission — AI regulatory framework
- European AI Office
- Future of Life Institute — AI Act overview