
The EU AI Act, Summarised: Risk Tiers, Dates, Who's Affected

A plain-English summary of the EU AI Act: the four risk tiers, what applies when (including the deadlines that just moved), who it reaches beyond the EU, and the penalties. Written for legal and compliance teams who need the shape, not the 400 pages.

By Daman Kaur

The EU AI Act runs to hundreds of articles and annexes, and almost nobody who needs to understand it has time to read it. What most legal and compliance teams actually need is the shape: how it classifies AI, what obligations attach to each class, when those obligations bite, who outside the EU gets caught, and what non-compliance costs.

This is that summary — accurate as of mid-2026, including the deadlines that were recently pushed back, and written to be understood in one read rather than cited in a memo.

The one idea that organises everything: risk tiers

The Act is built on a single organising principle. It doesn't regulate "AI" uniformly; it sorts AI systems by the risk of their use and applies heavier obligations as the risk rises. Get the four tiers and you understand the architecture.

For each tier, what it covers and then what applies:

  • Unacceptable risk: practices deemed too harmful (e.g. social scoring, certain manipulation). Banned outright.
  • High risk: uses that can materially affect people's rights or safety, including AI in the administration of justice (Annex III). The heaviest compliance obligations.
  • Limited risk: systems people interact with, such as chatbots and generative content. Transparency duties (tell people it's AI).
  • Minimal risk: everything else, which is the vast majority. No specific obligations.

Most tools a business uses sit in minimal or limited risk. High risk is a defined, narrower category — which matters, because a lot of commentary implies far more AI is "high risk" than actually is.

What applies, and when (the timeline that moved)

The obligations phase in over several years, and — importantly — some dates were recently deferred by the EU's Digital Omnibus package. Here's the current sequence.

[Figure: timeline of EU AI Act obligations. In force August 2024; prohibitions and AI-literacy duties from February 2025; general-purpose AI rules from August 2025; general application August 2026; high-risk (Annex III) deployer duties deferred to December 2027; product-embedded high-risk August 2028.]

  • In force: 1 August 2024.
  • 2 February 2025 — banned practices + AI-literacy duty (Article 4). The prohibitions took effect, together with the obligation that staff using AI have sufficient understanding to use it responsibly. This is live now and unaffected by later deferrals.
  • 2 August 2025 — general-purpose AI (GPAI) rules. The obligations on the large foundation models most tools are built on.
  • 2 August 2026 — general application. Most of the Act applies from here.
  • 2 December 2027 — high-risk (Annex III) obligations. Originally 2 August 2026, deferred by the Digital Omnibus (the European Parliament approved the postponement in June 2026). Limited-risk transparency under Article 50 moved to December 2026.
  • 2 August 2028 — high-risk AI embedded in regulated products (Annex I).

Practical note: "The EU AI Act deadline" is not one date. The parts most likely to affect a professional-services firm as a deployer of high-risk AI now bite in December 2027 — but the AI-literacy and prohibition duties have applied since February 2025. Don't read the deferral as "nothing until 2027."

Who it affects — including outside the EU

Two distinctions decide whether the Act reaches you.

Provider vs deployer. A provider develops or places an AI system on the market; a deployer uses one under its own authority. Most businesses — including law firms — are deployers, not providers, which means a lighter but real set of obligations. For high-risk systems, Article 26 sets the deployer duties: use the system per instructions, assign competent human oversight, keep logs for at least six months, and monitor operation.

Territory. The Act has extraterritorial reach (Article 2). It can apply to providers and deployers outside the EU where the AI system's output is used in the EU. So a UK firm serving EU clients, or whose AI output is relied on in the EU, can be in scope even without an EU establishment — which is why we cover the UK angle separately in the EU AI Act and UK law firms.

The penalties

The enforcement architecture, under Article 99, is tiered to match the risk framework:

  • Up to €35 million or 7% of global annual turnover (whichever is higher) for engaging in prohibited practices.
  • Up to €15 million or 3% for breaching other obligations, including high-risk requirements.
  • Lower tiers for supplying incorrect information to authorities.

These are GDPR-scale figures, which is the clearest signal of how seriously the EU intends the Act to be taken.

What to actually do about it

The Act rewards preparation and punishes scramble. For a legal or compliance team, the sensible reading:

  • If you're a UK or non-EU firm wondering if it applies: check the territory question first (do you serve EU clients or is your AI output used in the EU?) and the provider/deployer question second. Most firms are in-scope deployers, not providers.
  • If you're deploying AI now: treat the February-2025 duties (AI literacy, no prohibited practices) as already binding, and build the deployer controls — human oversight, logging, monitoring — during the runway to December 2027 rather than against the deadline.
  • If you're a compliance officer: the Act's structure maps neatly onto an AI governance framework you'd want anyway — inventory, risk classification, oversight, records. One build satisfies the Act and your domestic obligations together.

FAQ

What is the EU AI Act in simple terms? The first comprehensive law regulating AI. It classifies AI systems by the risk of their use — unacceptable (banned), high, limited, or minimal — and applies heavier obligations as risk rises.

When does the EU AI Act take effect? It entered into force in August 2024 and phases in: banned practices and AI-literacy duties from February 2025, GPAI rules from August 2025, general application from August 2026, and high-risk (Annex III) obligations from December 2027 after the Digital Omnibus deferral.

Who does the EU AI Act apply to? Providers and deployers of AI systems, including those outside the EU where the system's output is used in the EU. Most businesses are deployers, with obligations under Article 26 for high-risk systems.

Are law firms high-risk under the EU AI Act? Generally no by default. High risk is a defined category; Annex III covers AI used in the administration of justice, which targets courts rather than ordinary private-practice tools. Firms deploying a high-risk system take on Article 26 deployer duties.

What are the penalties under the EU AI Act? Up to €35 million or 7% of global turnover for prohibited practices, and up to €15 million or 3% for other breaches, under Article 99.

