MODULE 03

EU AI Act

Complete analysis of the EU Artificial Intelligence Act (Regulation 2024/1689) — the world's first comprehensive AI legislation. Covers the risk-based classification, prohibited practices, high-risk requirements, GPAI obligations, and enforcement timeline.

Units: 5
Duration: ~3 hrs
Per unit: ~36 min
Practice Qs: 8
Learning objectives
After completing this module, you will be able to:
Adopted June 2024, entered into force August 1, 2024
8 categories of prohibited AI practices
Two categories: safety components + Annex III listed systems
All GPAI: technical docs + copyright compliance + training data summary
Fines up to 35M EUR or 7% global turnover (whichever is higher)
In this module
3.1 — Overview and Structure
3.2 — Prohibited AI Practices (Article 5)
3.3 — High-Risk AI Systems (Articles 6–49)
3.4 — General-Purpose AI (GPAI) and Foundation Models
3.5 — Enforcement and Timeline
Practice questions
Q1: What are the four risk tiers in the EU AI Act, and give an example for each?

Unacceptable Risk (prohibited — e.g., social scoring by public authorities), High Risk (heavily regulated — e.g., AI in employment recruitment), Limited Risk (transparency obligations — e.g., chatbots must disclose AI use), and Minimal Risk (no specific AI Act obligations — e.g., spam filters, AI in video games).

Q2: Name all eight prohibited AI practices under Article 5. Which were the first provisions to take effect?

1) Subliminal manipulation, 2) Exploitation of vulnerabilities, 3) Social scoring by public authorities, 4) Individual-level predictive policing, 5) Untargeted facial scraping, 6) Emotion recognition in workplace/education, 7) Biometric categorization for sensitive attributes, 8) Real-time remote biometric ID in public spaces (with narrow exceptions). These took effect February 2, 2025 — the earliest enforceable provisions.

Q3: What additional obligations apply to GPAI models with systemic risk? What is the compute threshold?

Systemic risk models must: conduct standardized model evaluation including adversarial testing (red-teaming), assess and mitigate systemic risks, report serious incidents to the AI Office, and ensure adequate cybersecurity protections. The threshold is >10^25 FLOPs of cumulative training compute, or designation by the AI Office based on other criteria.

Q4: What is the complete enforcement timeline for the EU AI Act? List all key dates.

August 1, 2024: Entry into force. February 2, 2025: Prohibited practices + AI literacy. August 2, 2025: GPAI rules. August 2, 2026: High-risk Annex III (standalone AI in biometrics, employment, etc.). August 2, 2027: High-risk Annex I (AI as safety components of products).

Q5: What is the difference between a 'provider' and a 'deployer' under the EU AI Act? What happens if a deployer substantially modifies a high-risk AI system?

Providers develop or place AI systems on the market and bear design-time obligations (technical documentation, conformity assessment, CE marking, post-market monitoring). Deployers use AI systems under their authority and bear use-time obligations (human oversight, fundamental rights impact assessment, log retention, informing individuals). If a deployer substantially modifies a high-risk system, they become the provider and assume all provider obligations.

Q6: Explain the AI Literacy obligation under Article 4. Who does it apply to, and when did it take effect?

Article 4 requires ALL providers and deployers to ensure sufficient AI literacy among staff and any persons dealing with the operation and use of AI systems on their behalf. It is not limited to technical staff. The required level is context-dependent, considering technical knowledge, experience, education, context of use, and affected persons. It took effect February 2, 2025 — one of the earliest obligations.

Q7: What are the penalty tiers under the EU AI Act? How are penalties calculated for large corporations?

Three tiers: (1) Prohibited practices: up to 35M EUR or 7% global annual turnover; (2) High-risk/GPAI violations: up to 15M EUR or 3%; (3) Incorrect information to authorities: up to 7.5M EUR or 1%. The HIGHER of the fixed amount or percentage applies. For group companies, 'global annual turnover' refers to the entire group's worldwide turnover. SMEs receive proportionate lower caps.

Q8: How does the EU AI Act handle open-source GPAI models? Are they exempt from all requirements?

Open-source GPAI models receive partial exemptions: they are not required to provide full technical documentation or a detailed training data summary. However, they MUST still comply with EU copyright law and prohibited practice rules. Critically, if an open-source model poses systemic risk (>10^25 FLOPs or AI Office designation), ALL exemptions are removed and full systemic risk obligations apply.
