The World's First Comprehensive AI Law
The EU AI Act, which entered into force in August 2024, is the world's first comprehensive regulatory framework for artificial intelligence. If you develop, deploy, or use AI systems in ways that affect people in the European Union — even if your company is headquartered elsewhere — you need to understand it. This article provides a practical overview for developers and technical teams.
The Risk-Based Framework
The Act organizes AI systems into four risk tiers:
- Prohibited AI: Flatly banned. Includes: real-time biometric surveillance in public spaces (limited exceptions), social scoring systems, exploitation of vulnerabilities, emotion recognition in workplaces and schools, AI that manipulates behavior through subliminal techniques.
- High-risk AI: Permitted but heavily regulated. Includes: safety components of critical infrastructure, AI in medical devices, biometric identification, AI in employment decisions, credit scoring, immigration, law enforcement, judicial decisions. Must meet requirements for data governance, transparency, human oversight, accuracy, and robustness. Must register in an EU database before deployment.
- Limited risk AI: Transparency obligations. Chatbots must disclose that users are talking to AI. Deepfakes must be labeled. No substantive pre-deployment requirements.
- Minimal risk AI: AI spam filters, AI chess games, etc. No additional obligations.
General Purpose AI (GPAI) Models
A significant addition to the Act covers "general-purpose AI models" — foundation models like GPT-4, Claude, and Llama. All GPAI models must provide technical documentation, comply with EU copyright law, and publish summaries of training data. "Systemic risk" GPAI models (those above the training compute threshold of 10^25 FLOPs, roughly GPT-4-scale and above) have additional obligations: mandatory adversarial testing, incident reporting, cybersecurity measures, and energy efficiency reporting.
Key Compliance Timelines
- February 2025: Prohibited AI provisions apply
- August 2025: GPAI model provisions apply
- August 2026: High-risk AI provisions apply
- August 2027: Full Act in force (including high-risk AI in Annex I sectors)
Practical Implications for Developers
If you build AI for the EU market:
- Classify your AI systems by risk tier — this determines your obligations
- If high-risk: implement conformity assessment procedures before deployment
- If GPAI: ensure documentation and copyright compliance in training data
- For any AI: implement basic transparency (users should know they're interacting with AI)
- Appoint an EU representative if you're based outside the EU
The EU AI Office has released implementation guidance, and the NIST AI RMF provides a compatible US framework. ETH-420 at Meridian AI covers the full regulatory landscape in depth.