The EU AI Act is a comprehensive legal framework that categorizes AI systems into four risk tiers—unacceptable risk, high risk, limited risk, and minimal risk—with corresponding regulatory obligations. It applies extraterritorially to providers and deployers placing AI systems on the EU market, regardless of where they are established.
Glossary
EU AI Act

What is EU AI Act?
The EU AI Act is the European Union's landmark regulatory framework establishing a risk-based classification system for artificial intelligence applications, imposing strict obligations on high-risk systems and prohibiting unacceptable practices.
High-risk AI systems must undergo mandatory conformity assessments, maintain technical documentation, and implement post-market monitoring before receiving CE marking. Prohibited practices include social scoring by public authorities and real-time remote biometric identification in publicly accessible spaces, with penalties reaching up to 7% of global annual turnover.
The Four Risk Tiers
The EU AI Act establishes a risk-based classification system that determines the regulatory burden placed on an artificial intelligence system. The framework categorizes every AI application into one of four distinct tiers, ranging from outright prohibition to minimal transparency obligations.
Unacceptable Risk
AI practices deemed a clear threat to fundamental rights are strictly prohibited. This tier bans systems that deploy subliminal manipulation, exploit vulnerabilities of children or persons with disabilities, or implement social scoring by public authorities. Real-time remote biometric identification in publicly accessible spaces by law enforcement is also banned, with narrow exceptions for serious crime.
High Risk
Systems posing significant potential harm to health, safety, or fundamental rights. This tier includes AI used in critical infrastructure, educational scoring, employment management, essential services eligibility, law enforcement, migration, and democratic processes. Providers must implement a risk management system, compile technical documentation, undergo conformity assessment, and maintain post-market monitoring.
Limited Risk
AI systems subject to transparency obligations to ensure informed human interaction. This tier covers chatbots, emotion recognition systems, and deepfake generators. Users must be clearly informed they are interacting with an AI system unless it is obvious. Providers of AI-generated synthetic content must label outputs as artificially generated or manipulated.
Minimal Risk
The vast majority of AI systems currently in use fall into this category, including AI-enabled video games and spam filters. These systems face no mandatory regulatory obligations under the AI Act. Providers may voluntarily adopt codes of conduct to demonstrate best practices, but no conformity assessment or documentation is required for market placement.
How the EU AI Act Works
The EU AI Act establishes a product safety framework that classifies artificial intelligence systems into four risk tiers, imposing graduated obligations that range from a total ban on unacceptable practices to light transparency requirements for minimal-risk applications.
The Act operates on a risk-based classification pyramid. At the base, minimal-risk systems like spam filters face no obligations. The next tier imposes transparency duties on systems like chatbots, requiring users to know they are interacting with AI. The core of the regulation targets high-risk AI systems, which must undergo a mandatory conformity assessment before deployment and maintain continuous post-market monitoring.
At the apex, unacceptable risk practices—such as real-time remote biometric identification in public spaces or social scoring by public authorities—are outright prohibited. For general-purpose AI models posing systemic risk, the Act mandates adversarial testing, serious incident reporting, and cybersecurity hardening. Enforcement is distributed across national market surveillance authorities, creating a harmonized but locally executed governance structure.
Frequently Asked Questions
Clear, technical answers to the most common regulatory and operational questions about the European Union's Artificial Intelligence Act, designed for CTOs and compliance officers navigating the risk-based framework.
The EU AI Act is a comprehensive European regulation that establishes a risk-based classification system for artificial intelligence applications, imposing strict obligations on high-risk systems and prohibiting unacceptable practices. It categorizes AI into four distinct tiers: Unacceptable Risk (prohibited practices like social scoring), High Risk (systems impacting safety or fundamental rights requiring conformity assessments), Limited Risk (systems with transparency obligations like chatbots), and Minimal Risk (unregulated applications like spam filters). The Act applies extraterritorially, meaning any provider placing AI systems on the EU market or whose output is used within the EU must comply, regardless of where the organization is headquartered. Enforcement is handled by national Market Surveillance Authorities with the power to demand corrective action, restrict market access, and levy fines of up to 7% of global annual turnover for non-compliance.
Core Obligations for High-Risk AI
The EU AI Act imposes a strict, lifecycle-based regulatory framework on providers and deployers of high-risk artificial intelligence systems. These obligations are designed to ensure safety, transparency, and respect for fundamental rights before, during, and after market placement.
Risk Management System
A mandatory, iterative process that must be planned and documented throughout the entire AI system lifecycle. Providers must identify reasonably foreseeable risks to health, safety, and fundamental rights, estimate their severity and probability, and implement appropriate mitigation measures. Residual risks must be deemed acceptable before the system can be placed on the market.
- Must be continuously updated based on post-market monitoring data
- Includes analysis of risks arising from reasonably foreseeable misuse
- Requires testing to identify the most effective risk mitigation measures
Data Governance Criteria
Training, validation, and testing datasets are subject to rigorous governance requirements. Providers must examine datasets for potential biases that could lead to discrimination, ensure data is relevant and representative of the intended population, and assess for errors and completeness. The data must be appropriate for the system's intended purpose and geographical context.
- Mandatory examination for statistical bias and prohibited discriminatory patterns
- Data provenance and lineage must be documented
- Special rules apply when processing special categories of personal data to mitigate bias
Technical Documentation
Before placing a system on the market, a provider must compile a comprehensive dossier demonstrating compliance. This includes a detailed description of the system's design, development, and performance characteristics, including its architecture, algorithmic logic, and the metrics used to measure accuracy and robustness. The documentation must be kept for 10 years and be readily accessible to authorities.
- Must include instructions for use and information on human oversight mechanisms
- Describes the system's intended purpose and foreseeable unintended consequences
- Forms the basis for the conformity assessment by a notified body
Human Oversight Mechanisms
High-risk systems must be designed to allow for effective human oversight, preventing automation bias and ensuring decisions are not blindly followed. The human operator must have the competence, authority, and actual capacity to understand the system's outputs, override automated decisions, and intervene in real-time. This goes beyond a simple 'rubber stamp' on an AI recommendation.
- Operators must be able to interpret and question the system's output
- Systems must include built-in controls for meaningful human intervention
- Oversight logs must be maintained to audit operator actions and situational awareness
Post-Market Monitoring
Compliance does not end at deployment. Providers must establish a continuous, systematic process to collect and analyze real-world performance data. This system must proactively identify emerging risks, unexpected interactions, and drift in model accuracy. Findings must feed back into the risk management system and can trigger mandatory serious incident reporting to market surveillance authorities.
- Requires a documented post-market monitoring plan
- Must capture data on system performance across diverse demographic groups
- Triggers immediate corrective action if a previously unidentified risk emerges
Quality Management System
Providers must implement a formalized, documented organizational structure of policies, processes, and procedures to ensure consistent compliance. This includes a clear strategy for regulatory adherence, robust design control techniques, and procedures for managing substantial modifications. The QMS ensures that compliance is an institutional capability, not a one-time project.
- Covers the entire product lifecycle from design to decommissioning
- Must include procedures for vendor and sub-contractor management
- Subject to audit by notified bodies during the conformity assessment
EU AI Act vs. GDPR
A structural comparison of the European Union's two landmark digital regulations governing artificial intelligence systems and personal data processing.
| Feature | EU AI Act | GDPR | Overlap |
|---|---|---|---|
Primary Subject Matter | AI systems placed on the EU market | Processing of personal data | AI systems processing personal data |
Legal Basis | Proposed Regulation (COM/2021/206) | Regulation (EU) 2016/679 | Lex specialis interaction |
Risk Framework | 4-tier risk pyramid (Unacceptable, High, Limited, Minimal) | Risk-based approach to data processing | DPIA required for high-risk AI involving personal data |
Maximum Penalty | €35M or 7% of global annual turnover | €20M or 4% of global annual turnover | Higher AI Act fines for violations involving personal data |
Transparency Obligations | Mandatory disclosure of AI interaction; technical documentation for high-risk systems | Right to meaningful information about automated decision logic (Art. 13-15, 22) | Convergent requirement for explainability of automated decisions |
Human Oversight | Mandatory human oversight measures built into system design (Art. 14) | Right not to be subject to solely automated decisions with legal effects (Art. 22) | Human-in-the-loop required for consequential decisions |
Conformity Mechanism | Ex-ante conformity assessment by notified bodies for high-risk systems | Ex-post enforcement by supervisory authorities | DPIA bridges ex-ante and ex-post for AI data processing |
Documentation Requirements | Technical documentation, EU declaration of conformity, CE marking | Records of processing activities (Art. 30), DPIAs (Art. 35) | FRIA under AI Act mirrors DPIA for fundamental rights |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Master the interconnected regulatory concepts, risk tiers, and compliance mechanisms that form the backbone of the European Union's landmark artificial intelligence legislation.
Provider vs. Deployer Obligations
The Act distinguishes between two primary actors with distinct legal duties:
Providers (developers placing AI on the market):
- Implement a risk management system throughout the lifecycle
- Compile exhaustive technical documentation
- Conduct conformity assessments and affix CE marking
- Establish post-market monitoring and report serious incidents
Deployers (professional users):
- Ensure human oversight with meaningful intervention capability
- Conduct fundamental rights impact assessments
- Monitor operation for signs of malfunction or drift
- Retain automatically generated logs for audit purposes
General Purpose AI & Systemic Risk
A dedicated regime for General Purpose AI (GPAI) models trained on broad data at scale:
- All GPAI models must provide technical documentation and comply with EU copyright law by publishing a summary of training data.
- Models classified as posing systemic risk—determined by cumulative compute exceeding 10^25 FLOPs or Commission designation—face additional obligations:
- Mandatory adversarial testing and model evaluation
- Serious incident reporting to the AI Office
- Cybersecurity protections and energy consumption disclosure
- The AI Office serves as the central enforcement body for GPAI regulation.
Conformity Assessment Pathways
High-risk AI systems must demonstrate compliance before market entry through one of two routes:
- Internal Control: The provider self-assesses conformity when applying harmonized standards that provide a presumption of conformity. This is the default pathway for most high-risk systems.
- Notified Body Assessment: Required for specific high-risk categories (biometric systems, safety components) where an accredited third-party notified body audits the quality management system and technical documentation.
A substantial modification to an already-certified system triggers a new conformity assessment cycle.
Enforcement & Penalties
The Act creates a robust enforcement architecture with significant financial consequences:
- Market Surveillance Authorities in each member state investigate non-compliance and can demand corrective action or restrict market access.
- Penalty structure based on infringement severity:
- Up to €35 million or 7% of global annual turnover for prohibited practices
- Up to €15 million or 3% for most other violations
- Up to €7.5 million or 1.5% for supplying incorrect information
- Regulatory sandboxes allow supervised testing of innovative systems without immediate penalty exposure.
- The EU AI Board coordinates enforcement across member states to ensure consistent application.
Transparency & Documentation
A core pillar of the Act is the obligation to provide clear, accessible information:
- Technical documentation must detail system architecture, training methodologies, data provenance, and performance metrics—maintained for 10 years.
- Automated profiling and consequential decisions require explicit notification to affected individuals with a right to meaningful human intervention.
- Human oversight logs must capture override events, operator situational awareness, and intervention rationale.
- Emotion recognition and biometric categorization systems must inform exposed individuals in real-time.
- Deepfake content must be labeled as artificially generated or manipulated.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us