AI Act (EU Artificial Intelligence Act)
Key Takeaway: The EU AI Act is the world's first comprehensive legal framework for artificial intelligence. It classifies AI systems by risk level and imposes binding obligations on developers and deployers — with fines up to €35 million or 7% of global turnover for violations.
What Is the EU AI Act?
The EU Artificial Intelligence Act (Regulation 2024/1689) is the European Union's landmark legislation regulating artificial intelligence systems across all sectors. It entered into force on 1 August 2024 and applies in full from 2 August 2026, with some provisions (notably on prohibited AI and governance) applying from February 2025.
The Act is a regulation, not a directive — meaning it applies directly and uniformly across all 27 EU member states without national transposition. Any organization that places an AI system on the EU market, puts it into service within the EU, or whose AI outputs affect people in the EU is in scope, regardless of where the organization is headquartered.
For enterprise buyers and compliance teams, the AI Act is not a future concern — it is a current operational reality requiring governance structures, documentation, and vendor due diligence today.
How It Works: The Core Architecture
The AI Act is built around four risk tiers, each carrying different compliance obligations:
1. Unacceptable Risk (Prohibited) — AI uses that are outright banned, including social scoring by public authorities, real-time remote biometric surveillance in public spaces (with narrow exceptions), and AI that manipulates individuals through subliminal techniques (Article 5). These prohibitions applied from February 2025.
2. High Risk — AI systems used in critical applications such as recruitment, credit scoring, education assessment, law enforcement, and medical devices (Annex III). These face the heaviest compliance burden: conformity assessments, technical documentation, logging, human oversight, and registration in the EU database. See [link:/glossary/high-risk-ai-systems].
3. Limited Risk — Systems with specific transparency obligations, primarily chatbots and deepfake generators. Users must be told they are interacting with AI.
4. Minimal Risk — The vast majority of AI applications (spam filters, recommendation engines) fall here. No mandatory obligations, but voluntary codes of conduct are encouraged.
Why It Matters for Business
Every company operating in Europe that uses, sells, or integrates AI systems needs to act now. The Act's obligations are not triggered at deployment — they begin in the design and procurement phase. Key business implications include:
- Vendor due diligence: Deployers of high-risk AI systems must verify that providers have conducted conformity assessments and maintain technical documentation. You cannot delegate compliance to a vendor and walk away.
- Internal governance: Companies must put AI literacy training in place, appoint responsible persons, and establish monitoring processes for high-risk systems in production.
- Contract risk: Commercial agreements with AI providers need clauses covering data governance, audit rights, and incident notification to align with Act obligations.
- GPAI model obligations: Organizations using or integrating general-purpose AI models (including large language models) must ensure those models' providers comply with transparency and copyright rules under Title VIII of the Act.
The AI Act interacts closely with the GDPR (see [link:/glossary/gdpr-and-ai]): personal data processed by AI systems remains subject to the GDPR at the same time.
Compliance Checklist: AI Act Readiness
- Map all AI systems in use across the organization against the four risk tiers
- For any high-risk system, obtain technical documentation and conformity assessment records from the provider
- Implement human oversight mechanisms for high-risk AI decisions (Article 14)
- Establish an incident monitoring and reporting process
- Ensure AI literacy training is in place for staff who deploy or use AI systems (Article 4, applicable February 2025)
- Review contracts with AI vendors to include audit and compliance clauses
- Register high-risk AI systems in the EU AI database once it is operational
- Assess whether any general-purpose AI models you use or provide require additional documentation under Articles 53–55
Related Terms
- [link:/glossary/ai-risk-classification]
- [link:/glossary/high-risk-ai-systems]
- [link:/glossary/ai-conformity-assessment]
- [link:/glossary/trustworthy-ai]
- [link:/glossary/gdpr-and-ai]
- [link:/glossary/foundation-model-regulation]
How Knowlee Addresses the AI Act
Knowlee was built with the EU AI Act compliance framework in mind from the ground up. The platform operates with human-in-the-loop design as a core architectural principle — every AI-generated output in sales and recruitment workflows is surfaced to a human decision-maker before action is taken, directly satisfying the human oversight requirements of Article 14 for high-risk use cases.
Knowlee maintains comprehensive audit trails of all AI-assisted decisions, enabling organizations to produce the logs and documentation required by Articles 12 and 26. The platform's GDPR compliance and SOC 2 Type 2 certification provide the data governance and security foundation that regulators and enterprise buyers expect. Knowlee also provides customers with the technical documentation needed to satisfy their own deployer obligations under the Act, so compliance is a partnership — not a burden placed solely on the customer.