Glossary · Frameworks & standards

What is EU AI Act?

Also known as: European Union Artificial Intelligence Act, AI Act

The EU AI Act is the European Union's comprehensive, risk-based regulation governing artificial intelligence. It classifies AI systems by risk — unacceptable (banned), high-risk, limited, and minimal — imposing the strictest obligations on high-risk uses, and adds specific rules for general-purpose AI models. It applies to providers and deployers whose AI affects the EU market.

Key takeaways

  • The first comprehensive, binding AI law with broad extraterritorial reach.
  • Uses a risk-based approach with four tiers plus dedicated rules for general-purpose AI.
  • Bans certain unacceptable-risk practices outright.
  • Places the heaviest obligations on high-risk AI systems.
  • Carries significant penalties for non-compliance, making AI governance a board-level issue.

How does the EU AI Act classify risk?

The Act sorts AI systems into tiers and scales obligations to the level of risk:

  • Unacceptable risk — practices considered a clear threat to safety or rights, such as certain social scoring and manipulative systems, which are prohibited.
  • High risk — AI used in sensitive areas such as critical infrastructure, employment, education, and certain biometric or safety contexts, subject to strict requirements.
  • Limited risk — systems like chatbots that carry transparency obligations, such as telling users they are interacting with AI.
  • Minimal risk — the majority of AI applications, which face few or no specific obligations.

Separately, the Act sets rules for general-purpose AI (GPAI) models, including documentation and, for the most capable models, additional systemic-risk obligations.

What do high-risk AI systems require?

High-risk systems carry the bulk of the Act's substantive obligations. Providers must generally establish risk management, ensure data governance and quality, maintain technical documentation and logging, provide transparency to deployers, enable human oversight, and meet standards for accuracy, robustness, and cybersecurity.

Many of these obligations align with the practices in ISO 42001 and the NIST AI RMF, so organizations can use those frameworks to operationalize legal requirements rather than starting from scratch.

Who does the EU AI Act apply to?

The Act applies to providers that place AI systems on the EU market and to deployers using AI within the EU, regardless of where they are established, giving it significant extraterritorial reach. A company outside the EU can fall within scope if its AI output is used in the Union.

Obligations and timelines phase in over a transition period, with prohibited practices taking effect earliest and high-risk and general-purpose AI requirements following later. A frequent pitfall is underestimating scope: the same model can be high-risk in one deployment context and minimal-risk in another.

Because the Act expects ongoing risk management, organizations benefit from continuously governing and attack-testing AI, which a platform like CATAAM supports through BAS and an AI governance registry.

Frequently asked questions

Does the EU AI Act apply to companies outside the EU?
Yes. It can apply to providers and deployers anywhere if their AI systems are placed on the EU market or their output is used within the Union.
What happens if you violate the EU AI Act?
The Act provides for significant administrative fines, with the highest penalties reserved for prohibited practices, making non-compliance a material business risk.
How is the EU AI Act different from the NIST AI RMF?
The EU AI Act is binding law with enforcement and penalties, while the NIST AI RMF is a voluntary framework. Many organizations use the RMF or ISO 42001 to help meet the Act's requirements.
What is general-purpose AI under the Act?
General-purpose AI refers to models that can perform a wide range of tasks, such as large language models, which face specific transparency and documentation rules and, for the most capable models, added systemic-risk obligations.

Authoritative sources

← Back to the glossary