Why the EU AI Act exists
AI moved into real products faster than any existing rulebook anticipated. A model that drafts contracts, screens job applicants, or scores credit can affect people's rights and safety, yet the obligations around it were scattered across data-protection law, sector rules, and voluntary guidance. The EU AI Act is the first attempt by a major jurisdiction to set a single, horizontal framework for how AI may be built and used.
Its goal is not to slow AI down but to make its use accountable: clear about what is prohibited, structured about what is high-risk, and transparent about everything else. For organizations, that turns "are we allowed to use this AI tool?" into a question with a defined answer rather than a guess.
What the EU AI Act regulates: the risk tiers
The Act classifies AI systems into four risk levels, plus a separate category for general-purpose AI (GPAI) models such as the large language models behind most AI assistants.
Unacceptable risk (prohibited)
A small set of practices is banned outright — for example social scoring by public authorities, untargeted scraping of facial images to build recognition databases, and certain manipulative or exploitative systems. These prohibitions are the earliest part of the Act to apply.
High risk
AI used in sensitive contexts — such as employment, education, essential services, law enforcement, or as a safety component of a regulated product — is permitted but heavily conditioned. Providers must meet requirements around risk management, data quality, documentation, human oversight, transparency, accuracy, and cybersecurity before the system reaches the market.
Limited risk (transparency)
Some systems carry specific transparency duties rather than full high-risk obligations. Users must be told when they are interacting with an AI system, and certain AI-generated or manipulated content (including deepfakes) must be disclosed.
Minimal risk
The large majority of AI applications — spam filters, recommendation features, productivity assistants used in ordinary ways — fall here and face no new obligations under the Act beyond existing law.
General-purpose AI (GPAI) models
Foundation models are governed separately. Their providers face transparency and documentation duties, and the most capable models — those judged to carry systemic risk — face additional obligations around evaluation, risk mitigation, and incident reporting.
The EU AI Act risk tiers at a glance

| Risk tier | What it covers | Core obligation |
|---|---|---|
| Unacceptable | Banned practices (e.g. social scoring, manipulative systems) | Prohibited — may not be placed on the market or used |
| High risk | Employment, credit, essential services, safety components | Conformity assessment, risk management, human oversight, logging |
| Limited (transparency) | Chatbots, emotion recognition, AI-generated or manipulated media | Disclose that AI is in use / that content is AI-generated |
| Minimal | Most everyday AI tools | No new obligations beyond existing law |
| GPAI models | Foundation / large language models | Transparency + documentation; stricter rules for systemic-risk models |

When the EU AI Act takes effect
The Act entered into force on 1 August 2024 and applies in stages so that organizations and regulators can adapt:

| Date | What starts to apply |
|---|---|
| 2 Feb 2025 | Prohibited practices, and the AI literacy obligation for providers and deployers |
| 2 Aug 2025 | Rules for general-purpose AI models, governance bodies, and penalty provisions |
| 2 Aug 2026 | General application, including most high-risk system obligations |
| 2 Aug 2027 | High-risk obligations for AI embedded in regulated products under existing EU law |

Who the EU AI Act applies to
The Act reaches the whole supply chain, not just model builders. Its obligations fall on providers (who develop or place an AI system on the market), deployers (organizations that use an AI system in a professional capacity), and also importers, distributors, and product manufacturers. Its reach is extraterritorial: a provider or deployer outside the EU is still in scope where the system's output is used in the Union.
Most organizations encounter the Act as deployers — they adopt AI tools built by someone else. A separate, early-applying duty is AI literacy (Article 4): providers and deployers must ensure their staff who operate or use AI systems have a sufficient level of understanding to do so responsibly. This is the obligation behind common questions about who must be trained on AI in the workplace.
Where the EU AI Act meets AI governance
For a deployer, compliance is less about the model and more about evidence: which AI systems are in use, what data they receive, who operates them, and what they do once connected to internal systems. Those are governance questions, and most organizations cannot answer them because AI tools enter through browsers, desktop apps, and agent integrations faster than policy can keep up.
A control plane closes that gap. Qadar AI's Shield Control inventories AI usage across browser, desktop, mobile, and agent runtimes, enforces policy on prompts and tool calls, gates high-risk agent actions, and records every interaction as a tamper-evident audit trail — the practical foundation for demonstrating that AI use is governed in line with the Act's expectations. The EU AI Act is a legal framework, not a product requirement; Qadar AI helps you operate within it, and is not a substitute for legal advice.



