Frameworks

The EU AI Act: What It Is, What It Means, and Why You Cannot Ignore It

The world's first comprehensive legal framework for artificial intelligence is now in force. The EU AI Act (Regulation (EU) 2024/1689) is not a proposal, a recommendation, or a voluntary code of conduct. It is binding law. If your business develops, deploys, imports, or distributes AI systems that affect people in the European Union, this regulation may apply regardless of where your company is headquartered.

4 July 20265 min readKodex Compliance
The EU AI Act: What It Is, What It Means, and Why You Cannot Ignore It

What Is the EU AI Act?

The EU AI Act was published in the Official Journal of the European Union on 12 July 2024 and entered into force on 1 August 2024. It is the world's first comprehensive legal framework governing artificial intelligence. Its objective is to encourage trustworthy AI while protecting fundamental rights, safety, and innovation across the European Union.

The regulation adopts a risk-based approach, classifying AI systems according to the level of risk they present.

  • Unacceptable risk: AI practices that are prohibited.

  • High risk: AI systems subject to strict regulatory requirements.

  • Limited risk: AI systems with transparency obligations.

  • Minimal risk: AI systems with few or no additional obligations.

What Is Already Prohibited?

Since 2 February 2025, several AI practices have been prohibited under the Act. Examples include:

  • Social scoring by public authorities.

  • AI systems that use manipulative or deceptive techniques causing significant harm.

  • Certain emotion recognition systems in workplaces and educational institutions.

  • Certain forms of real time remote biometric identification in publicly accessible spaces, subject to limited law enforcement exceptions.

Non compliance with prohibited practice provisions can result in administrative fines of up to €35 million or 7% of worldwide annual turnover, whichever is higher.

The Compliance Timeline

Implementation of the AI Act is phased over several years.

DateKey Milestone1 August 2024Regulation entered into force2 February 2025Prohibited AI practices apply and AI literacy obligations begin2 August 2025Obligations for general purpose AI models beginFrom 2026 onwardsAdditional obligations for high risk AI systems are introduced in phases, subject to the EU's ongoing implementation and simplification process2 August 2027Certain general purpose AI models placed on the market before August 2025 must comply

Businesses should continue monitoring guidance from the European Commission as the implementation timeline continues to evolve.

What Does High Risk Mean?

High risk AI systems are listed in Annex III of the Regulation. These include AI used in areas such as:

  • Recruitment and employment

  • Creditworthiness assessments

  • Education and vocational training

  • Access to essential public and private services

  • Biometric identification

  • Critical infrastructure

  • Law enforcement

  • Border management

  • Administration of justice

Organisations developing high-risk AI systems must establish risk management processes, maintain technical documentation, ensure data governance, implement human oversight, maintain logs, and complete conformity assessments before placing qualifying systems on the EU market.

The European Commission's impact assessment suggests that compliance costs for some SMEs developing high-risk AI systems may reach hundreds of thousands of euros, depending on the complexity of the system and the quality management processes required.

What About SMEs?

The AI Act recognises that smaller businesses require additional support.

Measures available to SMEs include:

  • Simplified technical documentation where appropriate.

  • Priority access to regulatory sandboxes.

  • Fees that are proportionate to company size.

  • Dedicated support from national authorities and the European Commission.

For most SMEs that simply use established AI tools such as ChatGPT, Microsoft Copilot, or other commercial AI services, compliance obligations are generally much lighter than for organisations developing high-risk AI systems.

The most important first step is understanding whether your organisation is acting as a provider, deployer, importer, or distributor under the AI Act.

The Impact on Innovation

The AI Act is already influencing how AI products are developed and launched across Europe.

Research published by ACT | The App Association found that:

  • Six in ten EU and UK startups reported delayed access to frontier AI models.

  • Nearly 60% experienced delays bringing AI products to market.

  • More than one third removed or modified product features because of regulatory requirements.

At the same time, the European Union has continued working on measures to simplify implementation while maintaining high standards for safety and trust.

What Your Business Should Do Now

Every organisation using AI should begin with three practical steps.

  1. Create an inventory of every AI system used across the business, including SaaS platforms, APIs, plugins, and internally developed tools.

  2. Assess each system against the AI Act's risk categories and determine your role under the Regulation.

  3. Document your decisions, governance processes, policies, staff training, and risk assessments.

Remember that the AI Act does not replace the GDPR. Where AI systems process personal data, both legal frameworks may apply simultaneously.

The Bottom Line

The EU AI Act is already reshaping how organisations develop and use artificial intelligence. Understanding your obligations today will put your business in a far stronger position as additional requirements come into force.

At Kodex Compliance, we help organisations understand where they stand, identify practical compliance requirements, and build governance programmes that support innovation while meeting regulatory expectations.

References

  1. European Commission. AI Act: Shaping Europe's Digital Future. https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai

  2. Regulation (EU) 2024/1689 of the European Parliament and of the Council on Artificial Intelligence. Official Journal of the European Union. https://eur-lex.europa.eu/eli/reg/2024/1689/oj

  3. European Commission. Questions and Answers on the AI Act. https://digital-strategy.ec.europa.eu/en/library/questions-and-answers-ai-act

  4. Council of the European Union. Artificial Intelligence: Council and Parliament agree to simplify implementation rules. May 2026.

  5. European Commission. Impact Assessment accompanying the proposal for the Artificial Intelligence Act. SWD(2021) 84 final.

  6. ACT | The App Association. The Hidden Cost of AI Regulations: A Survey of EU, UK, and U.S. Companies. 2025.

  7. European Union Artificial Intelligence Office. Guidance and AI Act implementation resources. https://artificialintelligenceact.eu

Build the evidence trail

Kodex Compliance helps teams turn questionnaires, documents, implementation proof, and reviewer decisions into a clear compliance record.

Request demo