Mar 14 / Punit Bhatia

EU AI Act: Five Things You Need To Know


The European Union's AI Act is a landmark piece of legislation and the first major attempt to regulate Artificial Intelligence (AI) on a global scale. Because of its far-reaching implications and its criticality for businesses, developers, and other stakeholders, this article focuses on the key things you need to know if you are interested in understanding the EU AI Act.


1. Risk-Based Approach

The EU AI Act is a risk-based regulatory framework. Artificial Intelligence (AI) systems are classified into four risk categories:
  • unacceptable risk,
  • high risk,
  • limited risk, and
  • minimal risk.

This classification dictates the level of regulatory scrutiny and compliance requirements that an AI system will be subjected to. Of course, the high-risk applications face the most stringent controls. This approach allows for flexibility and innovation (especially in lower-risk AI applications) while ensuring that those posing significant risks to safety and fundamental rights are adequately regulated.

Make no mistake: under this law, the development and deployment of AI systems that pose an unacceptable risk shall be prohibited. These include AI systems that deploy subliminal techniques to manipulate persons to their detriment, exploit the vulnerabilities of specific groups, conduct social scoring, or use real-time biometric identification in public spaces for law enforcement, with certain exceptions.

Tip: Evaluate the risk posed by your AI systems to ensure that your products comply with the EU's standards.

2. Obligations for High Risk Systems

While systems that have the potential to violate rights or pose significant risks to individuals' safety are considered to pose an unacceptable risk and will be prohibited, systems that create a high risk will be subject to all the requirements of this regulation. These requirements include data governance; transparency and explainability, i.e., the provision of clear information to users; robustness and accuracy; human oversight; and specific documentation requirements such as logging, adopting extensive testing methodologies, and record-keeping to enable traceability.

Tip: Businesses operating or aiming to launch AI solutions that may pose high risk must prepare to meet all these obligations.

3. Transparency Requirements

AI applications that are not classified as high-risk, particularly those interacting directly with consumers (like chatbots), must still adhere to transparency requirements. This includes informing users that an AI system is being used, so that users are aware they are interacting with an AI and not a human. This transparency is vital for maintaining trust and integrity in AI systems across all sectors.

Tip: Businesses are advised to implement transparency requirements in all AI systems, irrespective of their risk classification.

4. No Requirements for Low-Risk Applications

While many will talk about the doom and gloom that this regulation will bring, it is essential to point out that AI systems deemed to pose a low or limited risk will have no requirements imposed on them by this legislation.

Tip: We recommend that you formally evidence whether your AI system poses a minimal or no risk, rather than assuming that it does.

5. Enforcement and Penalties

Like the EU GDPR, the EU AI Act will also be enforced rigorously. There are significant penalties for non-compliance. Depending on the violation, fines can go up to €30 million or 6% of the total worldwide annual turnover of the preceding financial year, whichever is higher. This strict enforcement underlines the EU's commitment to ethical AI development and usage. It also signals the importance of compliance for all AI stakeholders.

Tip: We recommend that your company starts now. And we can help you.


In my opinion, the EU AI Act is a landmark regulation that will shape the future of AI development and usage not only within the European Union but also globally, as businesses and organizations worldwide will need to comply with these regulations to operate in the EU market. I believe many countries will now adopt similar regulations. So, as a business, you need to start strengthening your risk management, data governance, transparency, testing, and logging capabilities, to name a few.

While it creates work for companies, I am convinced that this will contribute to a safer, more ethical AI landscape that is good for us humans.


About Punit Bhatia

Punit Bhatia is one of the leading privacy experts who works independently and has worked with professionals in over 30 countries. Punit works with business and privacy leaders to create an organizational culture with high AI and privacy awareness, and with compliance as a business priority, by creating and implementing an AI and privacy strategy and policy.

Punit is the author of books “Be Ready for GDPR” which was rated as the best GDPR Book, “AI & Privacy – How to Find Balance”, “Intro To GDPR”, and “Be an Effective DPO”. Punit is a global speaker who has spoken at over 50 global events. Punit is the creator and host of the FIT4PRIVACY Podcast. This podcast has been featured amongst top GDPR and privacy podcasts.

As a person, Punit is an avid thinker and believes in thinking, believing, and acting in line with one's values to have joy in life. He has developed the philosophy named 'ABC for joy of life', which he passionately shares. Punit is based out of Belgium, the heart of Europe.

