Skip to main content

01 · Regulation Overview

Sources

What it is

Regulation (EU) 2024/1689 — the world's first comprehensive legal framework on AI. Adopted 13 June 2024, published in the Official Journal 12 July 2024, in force 1 August 2024. Full title: "laying down harmonised rules on artificial intelligence" (the Artificial Intelligence Act).

Structure: ~180 recitals, 113 articles, 13 annexes. Amends several prior EU regulations (machinery, transport, product safety directives).

Core logic: risk-based approach

Four tiers, descending from most to least regulated:

TierWhat it coversConsequence
Unacceptable risk8 banned practices in force; Omnibus adds new intimate-image/CSAM prohibitions from 2 December 2026 after OJ publicationProhibited outright. Fines up to €35M / 7% global turnover
High riskAnnex I (safety products) + Annex III (sector use cases)Conformity assessment, technical documentation, human oversight
Limited riskChatbots, deepfake generatorsMust disclose AI nature to users (transparency only)
Minimal / no riskSpam filters, video-game AI, etc.Unregulated — voluntary codes of conduct only

Who must comply

RoleObligation levelGeographic scope
Providers (developers)Heaviest — risk management, technical docs, conformityAnywhere, if system used in EU
Deployers (professional users)Lighter — human oversight, monitoring, incident reportingLocated in EU, or output used in EU
Importers & distributorsVerify provider compliance before marketEU market

Key definitions

TermDefinition
AI systemMachine-based system that operates with varying autonomy, infers from inputs to generate outputs (predictions, content, recommendations, decisions) that can influence physical or virtual environments
ProviderEntity that develops and places an AI system on the market or puts it into service
DeployerEntity that uses an AI system in a professional context — not the end user
GPAI modelModel trained on large data via self-supervision, capable of a wide range of tasks, integrable into downstream systems
Systemic riskRisk arising from GPAI models with compute > 10²⁵ FLOPs or designated high-impact capability by the Commission

Relationship to GDPR

The AI Act doesn't replace GDPR. They overlap where AI processes personal data. DPAs are recommended as market surveillance authorities for rights-impacting high-risk AI. Fines can stack.

The Digital Omnibus amendment (2025–2026)

Proposed by the Commission on 19 November 2025; provisional agreement reached on 6–7 May 2026; Coreper confirmed the agreement on 13 May 2026; Parliament adopted its first-reading position on 16 June 2026; Council gave final approval on 29 June 2026. The act still needs signature and Official Journal publication before the amendments have legal effect. The final PE-CONS 30/26 text would:

  • apply Chapter III, Sections 1–3 to Annex III high-risk systems from 2 December 2027 and Annex I high-risk systems from 2 August 2028;
  • add Article 5 prohibitions for AI systems generating/manipulating non-consensual intimate material or child sexual abuse material, applying from 2 December 2026;
  • reinforce AI Office powers for AI systems under Article 75 supervision;
  • extend simplified technical documentation and some penalty proportionality provisions to SMEs/start-ups and small mid-cap enterprises (SMCs);
  • move national AI regulatory sandboxes to 2 August 2027 and allow an EU-level AI Office sandbox for Article 75 systems.
FormatLink
HTML (English)EUR-Lex HTML
PDF (authentic OJ)EUR-Lex PDF
CELEX (all languages)CELEX:32024R1689