The EU AI Act at a Glance
The EU AI Act is Regulation (EU) 2024/1689, adopted June 13, 2024, and entered into force on August 1, 2024. It is the world's first comprehensive AI-specific regulation. Key applicability dates:
- February 2, 2025 — Prohibited AI practices (Article 5) apply. Includes social scoring, real-time biometric identification in public spaces (with narrow exceptions), and manipulation techniques.
- August 2, 2025 — Obligations for general-purpose AI (GPAI) models apply (Chapter V, Articles 51–56), including transparency and copyright compliance.
- August 2, 2026 — Full applicability for high-risk AI system requirements (Annex III), including conformity assessments, risk management, data governance, transparency, human oversight, and post-market monitoring.
Source: Regulation (EU) 2024/1689, Official Journal of the European Union; European Commission, Regulatory Framework for AI.
EU AI Act Risk Tiers Explained
The EU AI Act classifies AI systems into four risk tiers (Articles 5, 6, 50, and Recital 27):
| Risk Tier | Description | Examples | Key Obligations |
|---|---|---|---|
| Unacceptable | AI practices that pose a clear threat to fundamental rights. Banned outright (Article 5). | Social scoring by governments, real-time biometric ID in public (with narrow exceptions), subliminal manipulation, exploitation of vulnerabilities | Prohibited. No compliance path. |
| High-Risk | AI used in sensitive domains listed in Annex III (Article 6). | Employment/hiring tools, credit scoring, law enforcement, migration/asylum, education, critical infrastructure | Conformity assessment, risk management (Art. 9), data governance (Art. 10), transparency (Art. 13), human oversight (Art. 14), accuracy/robustness (Art. 15), post-market monitoring (Art. 72) |
| Limited Risk | AI systems with specific transparency obligations (Article 50). | Chatbots, emotion recognition, deepfake generators, biometric categorization | Disclosure that user is interacting with AI or content is AI-generated. |
| Minimal Risk | All other AI systems (Recital 27). | Spam filters, AI-enabled video games, inventory management | No mandatory requirements. Voluntary codes of conduct encouraged. |
Source: Regulation (EU) 2024/1689, Articles 5, 6, 50, Annex III.
EU AI Act Penalties
The EU AI Act establishes a tiered penalty structure (Article 99):
- Prohibited AI practices — up to €35 million or 7% of total worldwide annual turnover, whichever is higher.
- High-risk AI violations (non-compliance with requirements in Articles 6–49) — up to €15 million or 3% of total worldwide annual turnover.
- Supplying incorrect information to notified bodies or national authorities — up to €7.5 million or 1.5% of total worldwide annual turnover.
For SMEs and startups, the lower of the two amounts applies. Member states can impose their own additional sanctions.
Source: Regulation (EU) 2024/1689, Article 99.
Compliance Crosswalk: EU Concepts to US State Laws
The following table maps core EU AI Act obligations to their closest equivalents in US state law. No US state has enacted a comprehensive risk-tiered AI framework comparable to the EU AI Act; the mapping shows partial overlaps.
| EU AI Act Concept | EU Requirement | Closest US State Analog |
|---|---|---|
| High-risk AI classification | Annex III lists high-risk domains: employment, education, credit, law enforcement, migration, critical infrastructure (Article 6) | Colorado SB 24-205 defines "high-risk AI system" as any system making or being a substantial factor in consequential decisions (employment, education, financial, healthcare, housing, insurance, legal services). Effective June 30, 2026. Full guide. NYC Local Law 144 narrows scope to automated employment decision tools (AEDTs). NYC guide. |
| Impact / conformity assessments | Conformity assessment before placing high-risk AI on market (Articles 9, 43). Risk management system covering risks to health, safety, fundamental rights. | Colorado SB 24-205 requires deployers to complete impact assessments before deployment and after significant updates. Must cover purpose, intended benefits, risks of discrimination, data governance, and human oversight. NYC LL 144 requires annual independent bias audits testing for disparate impact by race/ethnicity and sex. California FEHA regulations (CRD, finalized 2025) require employers using automated decision systems to evaluate for adverse impact. |
| Transparency & disclosure | Users must be informed they are interacting with AI (Article 50). High-risk AI deployers must provide information about system operation (Article 13). | NYC LL 144 requires candidate notification at least 10 business days before AEDT use, plus posting of audit results. Illinois AIVII (820 ILCS 42) requires notice and consent before AI video interviews. Illinois HB 3773 (effective Jan 1, 2026) expands disclosure requirements to all AI-assisted employment decisions. Colorado SB 24-205 requires deployers to notify consumers when a high-risk AI system makes a consequential decision. |
| Human oversight | High-risk AI must allow human oversight; operator can intervene or override (Article 14). | Colorado SB 24-205 requires deployers to provide "meaningful human review" opportunities and appeal rights for adverse AI decisions. NYC LL 144 does not mandate human-in-the-loop but requires disclosure of how AI factors into decisions. |
| Post-market monitoring | Providers must establish post-market monitoring systems proportionate to the AI system and risks (Article 72). Serious incidents must be reported. | Colorado SB 24-205 requires ongoing duty: deployers must update impact assessments when risks change or significant modifications are made. No US state currently mandates formal post-market monitoring comparable to the EU requirement. |
Sources: Regulation (EU) 2024/1689; Colorado SB 24-205; NYC DCWP, Local Law 144 Rules; Illinois AIVII (820 ILCS 42); Illinois HB 3773; California CRD FEHA Regulations.
Effective Dates: Side-by-Side Timeline
| Date | EU AI Act Milestone | US State Milestone |
|---|---|---|
| Aug 1, 2024 | EU AI Act enters into force | — |
| Feb 2, 2025 | Prohibited AI practices apply (Art. 5) | — |
| Jul 5, 2023 | — | NYC Local Law 144 enforcement begins (DCWP) |
| Jan 1, 2020 | — | Illinois AIVII (820 ILCS 42) effective |
| Jan 1, 2026 | — | Illinois HB 3773 (Human Rights Act AI amendments) effective |
| Aug 2, 2025 | GPAI model obligations apply (Chapter V) | — |
| Jun 30, 2026 | — | Colorado SB 24-205 AI Act effective |
| Aug 2, 2026 | Full high-risk AI system rules apply | — |
Sources: EU AI Act, Article 113; NYC DCWP; Colorado General Assembly; Illinois General Assembly.
What This Means for US Companies
Who needs to comply with both frameworks?
The EU AI Act applies to any company that places on the market or puts into service an AI system in the EU, regardless of where the company is established (Article 2). This means:
- US companies with EU customers or operations must comply with the EU AI Act for AI systems used in or affecting people in the EU.
- US companies deploying AI hiring tools in NYC must simultaneously comply with Local Law 144 for NYC-based candidates.
- US companies operating in Colorado face SB 24-205 obligations starting June 30, 2026 — just two months before full EU high-risk rules apply on August 2, 2026.
Practical overlap: A US technology company using AI hiring tools for both EU and US employees would need to conduct conformity assessments under the EU AI Act (Article 43), bias audits under NYC LL 144, and impact assessments under Colorado SB 24-205. The documentation requirements differ, but companies can build a unified compliance framework covering all three.
Key differences to watch
- Scope: The EU AI Act covers all AI across all sectors; US laws are domain-specific (employment, insurance, healthcare).
- Penalties: EU penalties scale to global turnover (up to 7%); US state penalties are fixed amounts ($500–$20,000 per violation).
- Enforcement: The EU AI Act creates the European AI Office for centralized oversight; US enforcement is fragmented across state AGs, DCWP (NYC), and CRD (California).
- Risk classification: The EU uses a mandatory four-tier risk framework; Colorado defines "high-risk" but other US states do not use risk tiers.
Need help mapping EU and US compliance requirements?
Tell us which AI systems you deploy, where you operate, and we'll connect you with a cross-border compliance specialist.
Get Compliance HelpFree consultation request · No obligation