EU AI Regulation (AI Regulation)
AI is becoming increasingly prevalent in our daily lives—and with that come growing risks. When machines are involved in decisions affecting people, generate content that is deceptively real, or influence sensitive areas such as employment, health, and safety, the consequences can be severe. This is why the AI Regulation was created: to define clear boundaries, prevent misuse, and protect people from the risks of problematic AI applications. At the same time, it aims to ensure that innovation within the EU remains possible, but on a reliable, human-centered basis. In this way, the regulation creates a framework in which progress does not come at the expense of fundamental rights, security, and trust.
Artificial Intelligence Act
The current EU AI Regulation is officially known as Regulation (EU) 2024/1689 (Artificial Intelligence Act / AI Regulation), was adopted on June 13, 2024, published in the Official Journal of the EU on July 12, 2024, and entered into force on August 1, 2024. It was created to establish a uniform single-market legal framework for human-centered and trustworthy AI, to promote innovation, and at the same time to protect health, safety, and fundamental rights. It covers AI systems and general-purpose AI models that are placed on the market, put into service, or whose output is used in the EU. This applies even if the provider is based in a third country.

What are the guidelines of the AI Regulation, and what requirements must be met?
The prohibited practices under Article 5 include, among other things, harmful manipulation and deception, harmful exploitation of vulnerabilities, social scoring, certain AI-based crime predictions, the indiscriminate harvesting of facial images from the internet or CCTV for facial recognition databases, emotion recognition in the workplace and in educational institutions, biometric categorization to derive sensitive characteristics, and certain real-time remote biometric applications for law enforcement purposes. These prohibitions have been in effect since February 2, 2025.
High-risk AI is subject to requirements regarding risk management, data quality/data governance, technical documentation, logging, transparency/information for operators, human oversight, as well as accuracy, robustness, and cybersecurity. Providers of such systems must also, among other things, have a quality management system in place, conduct a conformity assessment prior to placing the product on the market, issue an EU declaration of conformity, and affix the CE marking.
Certain low-risk AI systems are subject to transparency requirements: Anyone offering a system that interacts directly with humans must ensure that the individual involved recognizes that they are interacting with AI; for systems that generate synthetic audio, image, video, or text content, the outputs must be machine-readable and recognizable as artificially generated or manipulated.
In addition, the requirement for AI literacy has been in effect since February 2, 2025: Providers and operators must do their utmost to ensure that their staff and other persons acting on their behalf possess a sufficient level of AI literacy, taking into account knowledge, experience, training, and the operational context.
Additional requirements have been in effect since August 2, 2025, for general-purpose AI models (GPAI), including technical documentation, sharing information with downstream providers, a copyright policy, and a public summary of the training data; in cases of systemic risk, additional requirements include model evaluations, adversarial testing, risk mitigation, reporting of serious incidents, and cybersecurity measures.
4 Practical Examples
Case Study 1: Emotion recognition in job applications. An AI system evaluates applicants’ facial expressions or voices to draw conclusions about their emotions or suitability. This is prohibited under Article 5 of Chapter II of the AI Regulation.
Case Study 2: AI for Candidate Selection / Resume Screening. The use of AI in employment, human resources management, and access to self-employment is considered a sensitive, high-risk area. Such a system cannot simply be deployed “live”; rather, it requires, among other things, risk management, documentation, logs, information for the operator, human oversight, and a conformity assessment prior to being placed on the market.
Case Study 3: Website Chatbot. A company uses an AI chatbot for customer service. In such cases, users must generally be able to recognize that they are interacting with an AI system. This is a typical example of the transparency requirement and falls under the category of limited risk.
Case Study 4: AI Image/Text Generator. When a system generates synthetic images, audio, video, or text, the regulation requires that these outputs be labeled in such a way that they are recognizable as artificially generated or manipulated.
How strictly must the AI Regulation be complied with?
The AI Regulation is not a voluntary code of conduct, but a binding EU regulation. It will be implemented in phases: prohibitions and AI competence requirements have been in effect since February 2, 2025, GPAI rules since August 2, 2025, most other obligations starting August 2, 2026, and for high-risk AI in certain regulated products, an extended deadline applies until August 2, 2027.
It is also enforceable: market surveillance authorities can require corrective actions and—if a system is noncompliant—demand that it be brought into compliance, withdrawn from the market, or recalled. The deadline may be set by the authority and shall be no later than the shorter of 15 business days or the relevant deadline under product liability law.
The rules regarding prohibited practices are particularly strict: The Commission’s guidelines explicitly state that the prohibitions themselves have direct effect and that affected parties can enforce them in national courts and seek interim measures.
That might sound bad at first, but don’t worry—it just calls for a little common sense. It should be clear to everyone that using AI to oppress, discriminate against, or manipulate people is prohibited. It’s the same as with everything else in life, whether it involves AI or not. Another point is the area of high-risk AI: when sensitive data is processed in medicine, strict attention must be paid to data protection and confidentiality. AI systems such as chatbots or similar tools should be clearly labeled as AI, and text, images, videos, music, etc., generated by AI should be labeled accordingly.
Where exactly does the current AI regulation apply?
The legally binding core is the European Union market. The Regulation applies to providers who place AI systems or GPAI models on the market or put them into service in the European Union, to operators established in the European Union, and also to providers or operators from third countries if the output of their AI system is used in the European Union. The official title also includes the addition “Text with EEA relevance.”
The regulation therefore does not apply solely to physical products. A system may also be placed on the Union market via an API, the cloud, online access, direct download, or embedded in physical products.
What happens if you work with companies outside the EU or use their models?
If an EU company uses a model from a non-EU provider, the EU company may, depending on its role, be considered a deployer and thus be subject to the AI Regulation itself. At the same time, the non-EU provider may also be subject to the Regulation if it makes an AI system or GPAI model available on the EU market or if the output of its system is used in the EU.
The following applies to non-EU providers of GPAI models: Before placing their products on the EU market, they must generally appoint an authorized representative in the EU. The same applies to non-EU providers of high-risk AI systems before making them available on the EU market.
If personal data is processed in the course of the collaboration, the GDPR continues to apply. The EDPB emphasizes that a legal basis under data protection law may be required for the development and use of AI models, and that a model trained using unlawfully processed personal data may compromise the lawfulness of its use unless it has been effectively anonymized.
What are the potential consequences of failing to comply with the AI Regulation?
The regulation provides for sanctions and other enforcement measures, which must be effective, proportionate, and dissuasive; these may include warnings and non-monetary measures. In addition, authorities may require corrective action, market withdrawal, or recall in cases of non-compliance.
The maximum fines are set forth in Article 99:
- up to EUR 35 million or 7% of global annual turnover, whichever is higher, for violations of the prohibited practices set forth in Article 5;
- up to EUR 15 million or 3% of global annual turnover for violations of key obligations by suppliers, authorized representatives, importers, distributors, operators, or notified bodies, as well as violations of transparency obligations;
- up to EUR 7.5 million or 1% of global annual turnover for providing false, incomplete, or misleading information to authorities or notified bodies.
In addition, affected individuals may file a complaint with the relevant market surveillance authority. For certain high-risk AI decisions, there is also a right to a clear and meaningful explanation of the decision-making process.
Real-world examples of violations that can result in severe consequences
- Emotion recognition in recruiting: The Commission’s guidelines explicitly state that the use of emotion-recognition AI during the recruiting process is prohibited.
- Emotion recognition in the workplace: According to the guidelines, certain practices are prohibited, such as systems that analyze voice and video to determine emotional states in hybrid teams, as well as the use of such systems during the probationary period or for monitoring employees.
- Biometric categorization based on presumed political orientation: The guidelines cite as a prohibited example a system that uses biometric data from photos to categorize individuals on a social media platform based on their presumed political orientation in order to send them targeted political messages.
- Non-targeted scraping of facial images: It is prohibited to non-selectively extract facial images from the internet or CCTV footage for the purpose of creating or expanding facial recognition databases.
What questions should I ask myself before using an AI tool in my company?
For every specific AI tool or AI workflow in your company, first check:
- Is it even an AI system or a GPAI model as defined by the regulation?
- Does the use case fall under "prohibited," "high risk," "transparency," or "minimal risk"?
- Do I process personal data, and does the GDPR apply in this case?
- Am I using a non-EU provider via API/cloud, which means that third-country obligations apply?
- Do I just need transparency notices—or do I also need documentation, logs, human oversight, and conformity assessment?
A brief example of compliance with the AI Regulation
A German company uses a U.S. LLM via API for a customer service chatbot on its website. The company is proceeding correctly if it
(a) defines its role as an operator,
b) determines whether the case involves only transparency or is a high-risk case, c) clearly informs users that they are interacting with AI,
d) trains employees in AI literacy and documents these measures,
e) additionally complies with GDPR requirements regarding personal data, and
(f) if the GPAI model is provided by a third-country provider, ensures that the relevant GPAI and agent obligations are met.
For a standard website chatbot, this would typically be more of a transparency and governance issue; for an AI system used for candidate screening or credit decisions, however, significantly stricter high-risk requirements would generally apply.
If you still have questions, concerns, or are overly skeptical about AI, why not check out our training courses? You might find something that’s right for you.