The EU AI Act — Europe’s Landmark AI Regulation

Status: 🟩 COMPLETE 🟦 LIVING
Tags: EU-AI-Act, regulation, governance, risk, compliance, European-AI-law


What it is

The EU AI Act (Regulation (EU) 2024/1689) is the world’s first comprehensive legal framework for artificial intelligence regulation. Passed by the European Union and entering into force in August 2024, it regulates AI systems used in (or affecting) the EU based on the risk those systems pose.

Think of it like food safety regulation — not banning AI, but requiring different standards of care depending on how dangerous a particular AI application could be.


Why it matters globally (including for Australia)

The EU AI Act matters even if you’re in Australia because:

  1. The Brussels Effect: EU regulations often become de facto global standards. Companies serving global markets (including EU citizens) build EU-compliant products that apply everywhere.
  2. Australian companies operating in Europe (or selling to European customers) must comply.
  3. Australia’s regulatory discussion is influenced by it — policymakers explicitly reference it when designing Australia’s own AI governance.
  4. Major AI providers comply with it — meaning the tools you use from OpenAI, Google, Microsoft, Meta, and others are shaped by EU AI Act requirements.

The risk-based framework (plain English)

The EU AI Act divides AI applications into four risk tiers:

Tier 1: Unacceptable risk — BANNED

These AI applications are prohibited entirely in the EU:

  • Social scoring: Government systems that score citizens’ behaviour to give them advantages or disadvantages in daily life (like China’s social credit system)
  • Real-time remote biometric surveillance in public spaces (with very limited law enforcement exceptions)
  • Subliminal manipulation: AI that manipulates people in ways they can’t detect to change their behaviour harmfully
  • Exploitation of vulnerabilities: AI that targets vulnerable groups (children, people with disabilities) to manipulate them

Tier 2: High risk — Heavily regulated

These AI applications can exist but must meet strict requirements: human oversight, documentation, transparency, accuracy testing, cybersecurity, and registration in an EU database.

High-risk categories include:

  • AI in critical infrastructure (energy, water, transport)
  • AI used in educational assessment (determining who gets admitted to schools)
  • AI in employment (CV screening, performance monitoring, termination decisions)
  • AI in access to essential services (credit scoring, insurance risk assessment)
  • AI in law enforcement (evidence assessment, crime prediction)
  • AI in migration decisions (visa processing, asylum claims)
  • AI in administration of justice (judicial decision support)

Tier 3: Limited risk — Transparency required

AI applications that carry specific transparency risks:

  • Chatbots must disclose that the user is interacting with an AI (not a human) — unless it’s obvious
  • Deepfake images and videos must be labelled as AI-generated
  • AI-generated content designed to influence elections must be disclosed

Tier 4: Minimal risk — Unregulated (for now)

The vast majority of AI applications fall here: spam filters, AI-powered video games, recommendation systems (most e-commerce), ordinary content moderation, and AI writing assistants for personal use.


Requirements for general-purpose AI models (GPAIs)

The EU AI Act has a specific section for “General Purpose AI Models” — large language models like GPT-4, Claude, and Gemini.

All GPAI providers must:

  • Publish technical documentation about the model
  • Provide information to downstream developers about capabilities and limitations
  • Establish policies for AI Act compliance

Providers of GPAI models with “systemic risk” (the most powerful models, above a certain compute threshold) must additionally:

  • Conduct adversarial testing and red-teaming
  • Report serious incidents to the European AI Office
  • Implement cybersecurity protections
  • Assess and mitigate risks at the systemic level

OpenAI, Google, Anthropic, Meta, and Mistral all have models that trigger GPAI requirements.


Timeline and enforcement

Date          | What happens
--------------|-----------------------------------------------------------
August 2024   | AI Act enters into force
February 2025 | Prohibitions (Tier 1) become enforceable
August 2025   | Rules for general-purpose AI models become enforceable
August 2026   | High-risk AI system rules become fully enforceable
August 2027   | Final provisions complete

The European AI Office

The EU has established a new body — the European AI Office — to:

  • Oversee enforcement of GPAI model requirements
  • Coordinate national enforcement across 27 member states
  • Develop technical standards
  • Maintain the register of high-risk AI systems

Fines and penalties

The EU AI Act carries significant penalties:

  • Tier 1 violations (banned AI): Up to €35 million or 7% of global annual turnover
  • Other violations: Up to €15 million or 3% of global annual turnover
  • Providing incorrect information to authorities: Up to €7.5 million or 1.5% of turnover

These are among the highest regulatory fines globally for technology companies — comparable to GDPR.


How it compares to other AI governance approaches

Jurisdiction | Approach                                                     | Binding?
-------------|--------------------------------------------------------------|---------------------
EU           | Comprehensive risk-based legislation                         | ✅ Binding law
US           | Executive orders; sector-specific guidance; voluntary        | ⚠️ Mostly voluntary
UK           | Principles-based; no dedicated AI law (2025)                 | ⚠️ Mostly voluntary
Australia    | Voluntary AI Ethics Framework; Senate inquiry                | ⚠️ Voluntary (2026)
China        | Mandatory regulations for generative AI; different values    | ✅ Binding
Canada       | AIDA (Artificial Intelligence and Data Act) in development   | Pending

The EU is the most aggressive regulator; Australia is more principles-based and permissive. Many experts expect Australian regulation to move closer to EU standards over time.


What Australian businesses should know

If you sell to EU customers or operate in Europe:

You likely need to assess whether any of your AI use falls into high-risk categories and prepare documentation accordingly.

If you build AI products:

Your products may need GPAI documentation, system logs, and transparency features to be compliant. Get legal advice.

If you’re using AI from EU-compliant providers:

Tools from OpenAI, Microsoft, Google, and Anthropic are being built to EU AI Act compliance standards. This means: better documentation, transparency notices, and user disclosures — which benefit you even as an Australian user.

If you’re in high-risk sectors:

Finance (credit decisions), healthcare (diagnostic AI), employment (CV screening), education (automated assessment) — these are likely to face Australian regulatory scrutiny modelled on EU approaches.


Gotchas

  • The EU AI Act is complex and still being implemented. Many technical standards referenced by the Act are still being developed. “Compliant” in mid-2026 is a moving target.
  • What’s “high risk” is debated. The exact boundaries of what AI applications are “high risk” require legal interpretation. Get specialist advice for specific use cases.
  • GDPR compliance is separate. The EU AI Act works alongside GDPR (data protection), not instead of it. EU-facing AI applications must comply with both.
  • Extraterritorial reach. The EU AI Act applies to AI placed on the EU market or affecting EU citizens, regardless of where the AI provider is based. An Australian company selling AI services to European customers is subject to it.
  • The Australian market is different. Don’t assume EU AI Act compliance means Australian regulatory compliance. Australia’s framework (evolving) has different specifics.


Sources

  • European Parliament — Regulation (EU) 2024/1689 on Artificial Intelligence (the AI Act text)
  • European Commission AI Office: digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
  • Future of Life Institute — EU AI Act summary and analysis
  • Allen & Overy / Norton Rose Fulbright — EU AI Act compliance guides for businesses
  • Australian Attorney-General’s Department — AI regulation review (2024)
  • Deloitte Australia — “Understanding the EU AI Act” (2024)