EU AI Act

EU AI Act Explained in Plain English

By Daman David Pant May 2026 10 min read

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive legal framework for artificial intelligence. It applies to any organisation that develops, deploys, imports, or distributes AI systems that affect people in the European Union: regardless of where the organisation is based.

If you're preparing for the AIGP exam, the EU AI Act is one of the most heavily tested topics. Here's what you need to know, in plain language.

The Core Idea: Risk-Based Regulation

The EU AI Act doesn't ban most AI: it classifies AI systems by risk level and applies proportionate obligations. The higher the potential harm, the stricter the rules. There are four tiers.

Tier 1: Unacceptable Risk

Prohibited AI Practices

Banned outright. These systems pose an unacceptable threat to fundamental rights and human dignity.

Tier 2: High Risk

Regulated: Conformity Assessment Required

Permitted but subject to strict obligations before they can be deployed. Must be registered in an EU database.

Tier 3: Limited Risk

Transparency Obligations Only

Minimal requirements: mainly transparency (e.g. telling users they're interacting with an AI).

Tier 4: Minimal Risk

No Specific Obligations

Spam filters, AI in video games, recommendation engines. No regulation required under the Act.

Prohibited AI Practices (Tier 1)

These are banned from August 2026 onwards. They include:

Social scoring by governments: using AI to score citizens based on social behaviour
Real-time remote biometric identification in public spaces for law enforcement (with narrow exceptions)
Subliminal manipulation: AI that exploits subconscious vulnerabilities to influence behaviour
Exploitation of vulnerabilities: targeting people based on age, disability, or socioeconomic status
Emotion recognition in workplaces and schools
Untargeted scraping of facial images to build recognition databases
Predictive policing based solely on profiling

Exam tip: A common trap is classifying social scoring as "high-risk" rather than "prohibited." It is banned outright: not regulated with extra requirements.

High-Risk AI Systems (Tier 2)

High-risk AI systems can be deployed but require substantial compliance work. High-risk categories include:

AI in critical infrastructure (energy, water, transport)
Education and vocational training (e.g. automated exam marking, admissions)
Employment (recruitment, performance monitoring, promotion decisions)
Essential private and public services (credit scoring, insurance underwriting, benefits assessment)
Law enforcement (risk assessments, evidence evaluation)
Migration and asylum (border control AI, visa assessment)
Administration of justice

Obligations for High-Risk Systems

Requirement	What It Means in Practice
Risk management system	Ongoing identification and mitigation of risks throughout the lifecycle
Data governance	Training data must be relevant, representative, and free from bias
Technical documentation	Full documentation before deployment and kept up to date
Transparency & instructions	Users must be given clear information about the system's purpose and limitations
Human oversight	Humans must be able to intervene and override AI decisions
Accuracy, robustness & cybersecurity	Systems must meet performance standards throughout their lifecycle
Conformity assessment	Third-party or self-assessment to verify compliance before market placement
Registration	Must be registered in the EU AI database before deployment

GPAI Models: A Separate Category

General Purpose AI (GPAI) models: like large language models: have their own set of rules under the Act. All GPAI model providers must:

Maintain technical documentation
Comply with EU copyright law
Publish summaries of training data

GPAI models deemed to present systemic risk (trained with over 10^25 FLOPs) face additional requirements including adversarial testing and serious incident reporting.

Who Does the EU AI Act Apply To?

The Act has broad extraterritorial reach. It applies to:

Providers: organisations that develop or have AI systems developed and place them on the EU market
Deployers: organisations that use AI systems in their operations within the EU
Importers and distributors: those who bring AI systems into the EU market

This means a US company with no EU office is still subject to the Act if its AI affects EU citizens.

Timeline

Date	What Comes Into Force
August 2024	Act enters into force
February 2025	Prohibited practices provisions apply
August 2025	GPAI model obligations apply
August 2026	High-risk AI system obligations apply (most provisions)
August 2027	Obligations for certain high-risk systems in Annex I apply

What This Means for the AIGP Exam

The EU AI Act is one of the most tested areas in the AIGP exam. Focus on:

Correctly classifying AI systems into the right risk tier (especially distinguishing prohibited from high-risk)
Knowing the specific obligations for high-risk systems
Understanding GPAI model rules and the systemic risk threshold
Knowing the roles of providers, deployers, importers, and distributors
Being able to apply the Act to scenario-based questions

Test your EU AI Act knowledge

Practice with 200 scenario-based questions including a full EU AI Act domain: free, no payment needed.

Start Free Practice Quiz →