The EU AI Act is the world’s first comprehensive law for artificial intelligence — and, like the GDPR before it, its reach extends well beyond Europe’s borders. If your organisation offers AI-enabled products or services connected to the EU market, it is worth understanding even if you are based in India, the United States or anywhere else. Assuming it is “a European problem” is exactly the mistake many organisations made with the GDPR, and paid for later.
A risk-based law
The Act does not treat all AI the same; instead it sorts systems into tiers according to the risk they pose, and calibrates obligations accordingly:
- Unacceptable risk. A small set of practices are banned outright — for example, certain forms of social scoring and manipulative or exploitative systems.
- High risk. Systems used in sensitive areas such as employment, credit, biometrics, education and critical infrastructure carry the heaviest obligations: risk management, data governance, technical documentation, logging, human oversight, and standards of accuracy and robustness.
- Limited risk. Mainly transparency duties — telling people when they are interacting with AI, or that content is AI-generated.
- Minimal risk. The vast majority of everyday AI, with no specific obligations under the Act.
This tiered structure is genuinely helpful for planning, because it lets you concentrate effort where the law concentrates its demands: on the high-risk uses that can materially affect people’s lives and rights.
Why it may apply to you
The Act applies to providers and deployers that place AI systems on the EU market, or whose systems’ output is used in the EU — regardless of where the organisation is established. An Indian software company serving EU customers, or a US firm whose AI-driven decisions affect people in Europe, can fall squarely within scope. Penalties are significant, reaching tens of millions of euro or a percentage of global turnover for the most serious breaches — higher, in the top tier, than even the GDPR. Your role matters too: obligations differ substantially depending on whether you provide an AI system or merely deploy one built by someone else, so establishing your role for each system is an early and important step.
A phased, and shifting, timeline
Obligations roll out in stages rather than all at once. Prohibited practices and AI-literacy duties applied first, followed by obligations for general-purpose AI models, with the heavier high-risk obligations arriving later. Importantly, the timeline has been actively revised through the EU’s “Digital Omnibus” simplification process, which has moved several high-risk deadlines out. This is a law still visibly settling into place, so specific dates should be treated as provisional and monitored rather than carved into a project plan.
The high-risk timeline in particular is in flux and subject to formal adoption. Treat any specific date as provisional and confirm the current position before you build a compliance plan around it.
What to do now
- Inventory your AI. Where do you use AI, and could any of it touch EU users or plausibly be considered high-risk? You cannot assess exposure you have not catalogued.
- Map your role. For each system, are you a provider or a deployer? The obligations differ enough that getting this wrong misdirects your whole effort.
- Build the foundations the Act rewards. Documentation, human oversight, transparency and risk management — the same disciplines that underpin good AI governance generally, and that pay off regardless of exactly how the timeline settles.
- Watch the timeline. Assign someone to track how the high-risk deadlines settle and confirm what applies to your systems and when.
The efficient path
Much of what the EU AI Act asks — an AI inventory, risk assessment, documentation, human oversight, transparency — overlaps heavily with ISO/IEC 42001 and with good privacy practice. If you are already building AI governance for other reasons, you are well on the way to satisfying the Act too. Rather than treating it as a standalone compliance project, fold it into a single governance programme that answers to several regimes at once. Effort spent on genuine, well-documented AI governance rarely goes to waste, whichever law happens to prompt it.
The takeaway
For any organisation with a connection to the European market, the EU AI Act is not a distant curiosity but a live consideration with real teeth. Inventory your AI, establish your role, build the governance foundations the Act rewards, and keep an eye on a timeline that is still moving — and you turn a daunting new regulation into a manageable extension of governance you should be doing anyway.