1. Why the EU AI Act is structured by risk, not by technology
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024. Rather than write rules for "AI" as a single thing, it regulates AI by the risk a given use poses to health, safety, and fundamental rights. The same underlying model can be minimal-risk in one workflow and high-risk in another — what matters is the context of use.
That design has a practical consequence: your obligations depend less on which model you picked and more on what you do with it. A large language model used to summarize internal notes sits in a very different tier than the same model used to screen job applicants. The first question for any deployment is therefore not "is this AI compliant?" but "what is this AI system being used to decide or do?"
2. The four risk tiers — and general-purpose AI
The Act defines four risk tiers, plus a separate regime for general-purpose AI (GPAI) models.
- Unacceptable risk — prohibited. A short list of practices is banned, including social scoring (by public or private actors), untargeted scraping of facial images to build recognition databases, emotion recognition in workplaces and education (outside medical and safety uses), and certain manipulative or exploitative systems.
- High risk — permitted but conditioned. AI used in areas such as employment, education, credit and essential services, critical infrastructure, law enforcement, or as a safety component of a regulated product. Providers must implement risk management, data governance, technical documentation, logging, human oversight, transparency, accuracy, robustness and cybersecurity, pass a conformity assessment before market entry, and register the system in the EU database.
- Limited risk — transparency. Chatbots must make clear that the user is interacting with AI, and AI-generated or manipulated media must be disclosed as synthetic. Emotion-recognition and biometric-categorisation systems must inform the people exposed to them; note that emotion recognition is also listed as high-risk and is banned outright in workplaces and schools, so it is rarely a pure limited-risk case.
- Minimal risk — no new obligations beyond the Article 4 AI literacy duty, which applies to providers and deployers regardless of tier. The large majority of business AI tools sit here and remain subject only to existing law.
- General-purpose AI models. Foundation models face transparency and documentation duties; models judged to carry systemic risk face additional evaluation, mitigation, and incident-reporting obligations.
Most organizations operate in the minimal and limited tiers as deployers of tools built by others. The work there is lighter than for high-risk providers — but it is not zero, and it is mostly about transparency and evidence.
3. The compliance timeline: what applies when
The Act applies in phases. Treat these dates as planning milestones rather than a single cliff edge.
| Date | What starts to apply |
|---|---|
| 2 Feb 2025 | Prohibited practices; the AI literacy obligation for providers and deployers |
| 2 Aug 2025 | General-purpose AI model rules; governance bodies; penalty provisions (fines for GPAI providers follow on 2 Aug 2026) |
| 2 Aug 2026 | General application, including most high-risk system obligations |
| 2 Aug 2027 | High-risk obligations for AI embedded in regulated products under existing EU law |
Two of these matter early for ordinary deployers: the prohibitions (make sure nothing you use falls into a banned category) and the AI literacy duty (section 5).
4. Who the Act applies to
The Act assigns obligations by role across the supply chain:
- Providers develop an AI system or place it on the market under their own name. They carry the heaviest obligations, especially for high-risk systems.
- Deployers use an AI system in a professional capacity. Most organizations are deployers: they adopt third-party tools and are responsible for using them within the Act's limits, ensuring human oversight where required, and meeting transparency duties. For a high-risk system a deployer must also follow the provider's instructions for use, assign oversight to people with the competence and authority to intervene, and retain the logs the system generates for at least six months.
- Importers, distributors, and product manufacturers carry obligations where they bring systems into the EU market or build AI into their products.
Crucially, the Act is extraterritorial. A provider that places a system on the EU market is in scope wherever it is established, and a provider or deployer established outside the EU is in scope when the output of its AI system is used within the Union. Geography of incorporation does not remove the obligation.
5. The AI literacy obligation (Article 4): who must be trained
Article 4 is one of the earliest-applying and most broadly relevant duties. From 2 February 2025, providers and deployers must take measures to ensure a sufficient level of AI literacy among their staff and others operating AI systems on their behalf — enough understanding of how the systems work, and of their risks and limits, to use them responsibly.
The obligation is outcome-based, not a fixed curriculum. What "sufficient" means scales with people's roles, the systems they touch, and the context of use. In practice this is the regulatory backing for an AI usage policy plus role-appropriate training: people who operate higher-impact AI need deeper understanding than those using a minimal-risk assistant.
6. How the EU AI Act intersects with GDPR
The AI Act does not replace data-protection law; it runs alongside it. Where an AI system processes personal data, GDPR continues to apply in full: you still need a legal basis, data minimisation, a record of processing, a human-review path for significant automated decisions, and, where the processing is likely to be high risk, a data protection impact assessment. The AI Act expects deployers of high-risk systems to use the provider's instructions for use as input to that assessment.
The two frameworks reinforce each other. Much of what the AI Act expects around documentation, human oversight, and logging maps closely to GDPR obligations you may already meet. Our companion article on EU AI Act and GDPR controls for lean operators walks through the overlapping controls in detail; the short version is that a single, well-instrumented control layer can produce evidence for both at once.
7. The practical controls a deployer needs
For a deployer, AI Act readiness is mostly a governance and evidence problem. The controls that matter are the ones that let you answer, at any time, which AI systems are in use, what data they receive, who operates them, and what they did. In functional terms:
- Inventory and discovery — know which AI tools and services are actually in use across browser, desktop, mobile, and agent runtimes, including the ones adopted without IT's involvement.
- Policy enforcement — apply rules at the prompt and tool-call level: filter sensitive data before it leaves your perimeter, and block categories of use that fall outside policy.
- Human oversight for consequential actions — gate high-risk agent actions so a person approves before execution, with the decision recorded.
- A tamper-evident audit trail — a complete, searchable record of AI interactions that supports AI Act accountability and the documentation GDPR expects. The trail is itself personal-data processing: store hashes or redacted content where the raw prompt is not needed, set a retention period, and restrict who can read it.
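The three technical controls above (redaction before a prompt leaves the perimeter, policy gating of tool calls with a recorded human decision, and a tamper-evident log) fit in a small gateway. The block below is an added example written for this article; it is not Qadar AI's code or API. The policy table, the redaction patterns, the tool names and the `approver` callback are all assumptions chosen to illustrate the mechanism: each log record commits to the hash of the previous record, so editing, deleting or reordering an entry is detectable.

```python
"""Deployer-side AI gateway: prompt redaction, tool-call gating with human
approval, and a hash-chained audit trail.  Added example; the policy table,
redaction patterns and tool names are assumptions, not any product's API."""
import hashlib
import json
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed policy: what the gateway does when an agent asks for a tool.
TOOL_POLICY = {
    "search_docs": "allow",      # low impact: run it, log it
    "send_email": "approve",     # consequential: a person must approve first
    "transfer_funds": "approve",
    "run_shell": "block",        # outside policy entirely
}

# Constructed DLP patterns applied before a prompt leaves the perimeter.
REDACTIONS = [
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"), "[CARD]"),  # 13-16 digit card-like numbers
]


def redact(text: str) -> str:
    """Replace sensitive fragments with placeholders; the model never sees them."""
    for pattern, label in REDACTIONS:
        text = pattern.sub(label, text)
    return text


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditLog:
    """Append-only log: each record includes the previous record's hash, so an
    edit, deletion or reordering anywhere in the chain fails verify()."""
    entries: list = field(default_factory=list)

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "ts": time.time(), "prev": prev, **event}
        record = {**body, "hash": _digest(body)}
        self.entries.append(record)
        return record

    def verify(self) -> bool:
        prev = "0" * 64
        for i, rec in enumerate(self.entries):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body.get("seq") != i or body.get("prev") != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


class Gateway:
    def __init__(self, log: AuditLog):
        self.log = log

    def submit_prompt(self, user: str, prompt: str) -> str:
        """Redact, record (hash only, not the prompt), and return what may be sent."""
        clean = redact(prompt)
        self.log.append({"kind": "prompt", "user": user, "redacted": clean != prompt,
                         "prompt_sha256": hashlib.sha256(clean.encode()).hexdigest()})
        return clean

    def request_tool_call(self, user: str, tool: str, args: dict,
                          approver: Optional[Callable[[str, dict], tuple]] = None) -> str:
        """Return 'executed', 'pending', 'denied' or 'blocked'.  `approver(tool, args)`
        stands in for the human-in-the-loop step and returns (approver_id, approved)."""
        policy = TOOL_POLICY.get(tool, "block")       # unknown tools are out of policy
        outcome, approved_by = "blocked", None
        if policy == "allow":
            outcome = "executed"
        elif policy == "approve":
            if approver is None:
                outcome = "pending"                    # nothing runs until a person decides
            else:
                approved_by, ok = approver(tool, args)
                outcome = "executed" if ok else "denied"
        self.log.append({"kind": "tool_call", "user": user, "tool": tool,
                         "args": redact(json.dumps(args, sort_keys=True)),
                         "policy": policy, "outcome": outcome, "approved_by": approved_by})
        return outcome


if __name__ == "__main__":
    log = AuditLog()
    gw = Gateway(log)
    print(gw.submit_prompt("alice", "Summarise the thread from bob@example.com"))
    print(gw.request_tool_call("alice", "search_docs", {"q": "Q3 invoices"}))
    print(gw.request_tool_call("alice", "send_email", {"to": "cfo"}))            # pending
    print(gw.request_tool_call("alice", "transfer_funds", {"amount": 5000},
                               approver=lambda t, a: ("carol", False)))           # denied
    print(gw.request_tool_call("alice", "run_shell", {"cmd": "rm -rf /"}))        # blocked
    print("chain intact:", log.verify())
    log.entries[2]["outcome"] = "executed"     # simulate after-the-fact tampering
    print("chain intact after edit:", log.verify())
```

A hash chain only proves that nobody altered the log without recomputing every later hash; an attacker who controls the log store can do exactly that. In practice the head hash is exported periodically to a place the log writer cannot modify (a signed ticket, a separate account, or a transparency-style ledger) so the chain is anchored outside the system it protects. Note also that the prompt record keeps only a hash of the redacted text, which is the minimisation trade-off the paragraph above describes: enough to prove what was sent, without a second copy of the data.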
Qadar AI's Shield Control provides this layer: it inventories AI usage across runtimes, enforces policy on prompts and tool calls, gates high-risk agent actions, and records every interaction as supervisory-grade evidence — turning ungoverned AI adoption into a controlled, auditable capability. The EU AI Act is a legal framework, and this guide is not legal advice; Qadar AI gives you the operational controls and evidence to use AI within it.