v2026.1714 entries · CC-BY 4.0
CASRAI

Definition · Plain-language

EU AI Act

The EU AI Act is Regulation (EU) 2024/1689, the first comprehensive, horizontal law governing artificial intelligence across the European Union, structured around a risk-based approach.

CASRAI research-methods explainer — EU AI Act

A risk-based, horizontal regulation

The EU AI Act is described as horizontal because it applies across sectors rather than to a single industry, and as risk-based because the obligations it imposes scale with the level of risk an AI system is judged to pose. The text defines four broad tiers. Unacceptable-risk systems are prohibited outright. High-risk systems, listed mainly in Annex III or arising as safety components of regulated products, face the strictest requirements. Limited-risk systems carry transparency duties, and minimal-risk systems are largely unregulated. As a Regulation, the Act is directly applicable in all Member States without needing national transposition.

What the four risk tiers cover

Prohibited practices, set out in Article 5, include certain manipulative or exploitative systems, social scoring by public authorities and untargeted scraping of facial images. High-risk systems span domains such as employment, education, essential services, biometrics, law enforcement and critical infrastructure, and must meet requirements on risk management, data governance, documentation, human oversight and conformity assessment. Limited-risk systems — for example chatbots or generative tools — must disclose that users are interacting with AI or that content is artificially generated. Minimal-risk systems, the largest category, face no specific obligations under the Act.

Timeline and penalties

The Act entered into force on 1 August 2024 and applies in stages. Provisions on prohibited practices and AI literacy began to apply from February 2025; obligations for general-purpose AI models from August 2025; and most remaining provisions, including the bulk of the high-risk regime, from August 2026, with certain Annex-I high-risk rules extending to 2027. The Regulation sets a tiered penalty structure, with fines for breaches of the prohibited-practice rules reaching up to €35 million or 7% of total worldwide annual turnover, whichever is higher.

Key facts

At a glance

  • Definition: The EU’s first comprehensive horizontal law on artificial intelligence.
  • Instrument: Regulation (EU) 2024/1689 — directly applicable in all Member States.
  • Approach: Risk-based, with prohibited, high-risk, limited-risk and minimal-risk tiers.
  • In force: Entered into force 1 August 2024; applies in phases.
  • Key dates: Bans + AI literacy Feb 2025; GPAI Aug 2025; high-risk Aug 2026.
  • Max penalty: Up to €35M or 7% of global annual turnover for prohibited breaches.

Common misconceptions

What people often get wrong

Often heard: The EU AI Act bans most uses of artificial intelligence.

Actually: The Act prohibits only a narrow set of unacceptable-risk practices listed in Article 5. The largest category of AI systems is minimal-risk, which faces no specific obligations under the Regulation.

Often heard: All provisions of the EU AI Act applied as soon as it entered into force.

Actually: The Act applies in phases. It entered into force in August 2024, but prohibitions and AI literacy applied from February 2025, GPAI rules from August 2025, and most high-risk provisions from August 2026.

Often heard: The EU AI Act only governs AI built by European companies.

Actually: The Regulation can apply to providers and deployers outside the EU where their AI systems are placed on the EU market or their output is used in the Union, reflecting an extraterritorial reach.
