Europe AI & Data Rules Hub

Explaining the EU AI Act to Non-Lawyers

UpdatedMay 19, 2025

ByIuliia Gorshkova

The European Union’s Artificial Intelligence Act (AI Act) represents a landmark piece of legislation, establishing the world’s first comprehensive legal framework specifically designed to govern artificial intelligence. For professionals working in technology, engineering, healthcare, and public administration, understanding this regulation is not merely a legal exercise; it is a prerequisite for operational compliance and strategic planning. The regulation takes a risk-based approach, meaning that the legal obligations imposed on a provider or user of an AI system are directly proportional to the potential harm that system could cause to the health, safety, and fundamental rights of individuals. This article provides a detailed, non-technical explanation of the Act’s scope, the classification of risk levels, and the specific obligations attached to each.

Understanding the Scope and Applicability

Before dissecting the risk categories, it is essential to determine who is bound by the regulation. The AI Act applies to any provider, user, affected person, or third party involved in the AI lifecycle within the EU, regardless of whether they are established inside or outside the Union. This extraterritorial reach is a defining feature of modern European regulation, similar to the GDPR.

Providers vs. Deployers

The regulation distinguishes primarily between two types of actors: providers and deployers (users).

A provider is any natural or legal person, public authority, agency, or other body that develops an AI system or a general-purpose AI (GPAI) model with a view to placing it on the market or putting it into service under its own name or trademark. If a company in the US or China develops an AI tool intended for the European market, they are a provider and must comply with the Act, even if they have no physical presence in Europe.

A deployer is any natural or legal person, public authority, agency, or other body using an AI system under its authority, except where the AI system is used in the course of a personal non-professional activity. For example, a bank using an AI system to assess creditworthiness is a deployer. However, the Act creates a notable exception: if a deployer uses an AI system made available by a provider but modifies it in a way that changes its intended purpose, that deployer becomes a provider for the purposes of the regulation.

Excluded Systems

Not all automated systems constitute “AI” under the Act. The regulation excludes systems used for military, defense, or national security purposes. It also excludes AI systems specifically developed for the sole purpose of research and innovation, provided they are not placed on the market as a product. Simple computational tools that perform calculations based on defined rules (legacy software) are generally not considered AI systems under this regulation, though the boundary between traditional software and AI is becoming increasingly blurred.

The Risk-Based Pyramid: A Structural Overview

The core logic of the AI Act is the categorization of AI systems into four distinct risk levels. This stratification is designed to avoid a “one-size-fits-all” approach, ensuring that high-risk applications are subject to rigorous scrutiny while low-risk applications face minimal interference.

1. Unacceptable Risk: Prohibited Practices

AI systems that pose a clear threat to the fundamental rights and values of the EU are banned entirely. These prohibitions apply regardless of the technology’s sophistication or the provider’s intent to ensure safety.

Subliminal Manipulation

Systems that deploy subliminal techniques beyond a person’s consciousness to materially distort a person’s behavior in a manner that causes physical or psychological harm are prohibited. This targets systems designed to bypass rational decision-making.

Exploitation of Vulnerabilities

AI systems that exploit the vulnerabilities of a specific group of persons (due to their age or disability) to distort their behavior in a way that causes harm are also banned.

Social Scoring and Predictive Policing

The Act prohibits the use of AI for social scoring by public authorities (evaluating trustworthiness based on social behavior or personal traits) and for the use of “untargeted” scraping of facial images from the internet or CCTV footage to create facial recognition databases. Predictive policing based solely on profiling or assessing risk of criminal offense is also prohibited.

Biometric Categorization and Remote Identification

Perhaps the most debated prohibitions involve biometrics. The Act bans AI systems that categorize individuals based on biometric data to infer sensitive attributes (race, political opinions, etc.) and real-time remote biometric identification (RBI) in publicly accessible spaces for law enforcement purposes. There are narrow, strictly defined exceptions for the latter (e.g., searching for a missing child, preventing a specific and imminent terrorist threat), but they require judicial authorization and are subject to strict time limits.

2. High-Risk Systems

This is the most regulated category and constitutes the operational heart of the AI Act. High-risk AI systems are those that have the potential to cause significant harm to health, safety, or fundamental rights. The Act provides two criteria to identify them:

They are safety components of a product (or the product itself) covered by existing EU harmonization legislation (e.g., medical devices, machinery, lifts, cars).
They fall into specific areas listed in Annex III of the Act.

Annex III covers eight critical areas, including:

Critical infrastructure (e.g., transport, energy).
Educational and vocational training.
Employment, worker management, and access to self-employment.
Access to and enjoyment of essential private services and public services (e.g., credit scoring, insurance).
Law enforcement, migration, asylum, and border control.
Administration of justice and democratic processes.

Important Nuance: An AI system used in one of these areas is not automatically high-risk. It is only high-risk if it poses a significant risk of harm. The Act provides a safety valve: a provider can demonstrate through a formal assessment that their system does not pose a significant risk, thereby exempting it from high-risk obligations. However, systems used for biometric categorization, emotion recognition, or security screening are always considered high-risk if they fall into the Annex III categories.

3. Limited Risk: Transparency Obligations

AI systems with limited risk have a specific obligation: transparency. The primary example is the requirement to disclose that the user is interacting with an AI system. This applies to systems like chatbots or emotion recognition systems. If an AI system generates or manipulates image, audio, or video content resembling existing persons (deepfakes), it must be labeled as such, with the exception of artistic or satirical works. This ensures that the “human in the loop” is aware they are interacting with a machine or synthetic content.

4. Minimal or No Risk: Free Use

The vast majority of AI systems currently in use (e.g., spam filters, video games, inventory management systems) fall into the minimal risk category. The Act does not impose mandatory legal obligations on these systems, though it encourages the voluntary adoption of codes of conduct.

Obligations for High-Risk AI Systems

For professionals managing AI development or procurement, the high-risk category requires the most attention. The obligations are comprehensive and span the entire lifecycle of the system.

Risk Management System

Providers must establish a continuous, iterative process for identifying, analyzing, and mitigating risks. This is not a one-time check; it is a permanent governance requirement. The system must address risks that may emerge from the use of the AI system as well as risks associated with the interaction with other systems.

Data and Data Governance

The quality of the data used to train, validate, and test the AI model is strictly regulated. The Act requires that data sets be relevant, representative, free of errors, and complete. Bias mitigation is a central theme here; providers must check for biases that could lead to discriminatory outcomes, particularly regarding protected characteristics (gender, race, age, etc.).

Technical Documentation

Before placing a high-risk AI system on the market, the provider must draw up a “technical documentation.” This is essentially a blueprint of the system designed to demonstrate compliance. It must include details on the system’s capabilities, limitations, the algorithms used, the data sets, and the risk management measures. This documentation must be available to national authorities upon request.

Record Keeping

High-risk AI systems must be designed to automatically record events (“logs”) throughout their lifecycle. This ensures traceability. If an automated vehicle makes a decision that leads to an accident, the logs must allow authorities to reconstruct why that decision was made.

Human Oversight

A critical safety requirement is that high-risk AI systems must be designed to enable effective human oversight. This is not merely about having a human “in the loop”; it is about ensuring the human can understand the system’s capacities and limitations, interpret its output, and override or ignore the system when necessary. The system must provide clear, timely information to the human operator so they can intervene.

Accuracy, Robustness, and Cybersecurity

High-risk AI systems must be accurate and robust. Providers must define accuracy metrics and achieve them. Furthermore, the systems must be resilient against attempts to alter their use or output by third parties (e.g., adversarial attacks, data poisoning).

Conformity Assessment

Before a high-risk AI system is deployed, it must undergo a conformity assessment. For many high-risk systems (those that are also safety components of products), the provider can perform this assessment internally. However, for high-risk AI systems in sensitive areas like law enforcement or critical infrastructure (Annex III), the provider must involve an independent third-party Notified Body. This is similar to the CE marking process for medical devices.

Registration

High-risk AI systems must be registered in an EU database before they are put into service or placed on the market. This database is maintained by the European Commission and allows authorities and the public to see which high-risk systems are being used.

General-Purpose AI (GPAI) Models

The original AI Act proposal focused on specific applications. However, the rapid rise of Large Language Models (LLMs) necessitated a new category: General-Purpose AI (GPAI) models. These are models trained on broad data at scale and capable of performing a wide range of distinct tasks (e.g., GPT-4, Llama).

Obligations for GPAI Providers

Most GPAI models face transparency obligations: they must publish a summary of the content used for training and comply with EU copyright law (specifically, the obligation to identify content that requires permission).

Systemic Risk

If a GPAI model presents a systemic risk (i.e., a risk with a large impact on the market, public health, or safety), stricter obligations apply. Providers of such models must perform model evaluations and adversarial testing, report serious incidents to the European AI Office, and ensure robust cybersecurity protections. The determination of systemic risk is based on criteria such as the number of end-users and the computational power used to train the model.

Implementation and Enforcement: The Institutional Framework

The AI Act does not exist in a vacuum; it relies on a complex network of oversight bodies.

European AI Office

Within the European Commission, the AI Office has been established to coordinate the implementation of the Act at the EU level. It plays a central role in supervising GPAI models and developing codes of practice.

National Competent Authorities

Member States must designate one or more national authorities to supervise the application and enforcement of the rules (except for GPAI models, which are handled at the EU level). In many countries, existing regulators (like data protection authorities or market surveillance bodies) will take on these roles. This creates a decentralized enforcement landscape.

The AI Board

An AI Board, composed of representatives from Member States and the European Commission, will advise on the implementation and ensure a consistent application of the Act across the Union.

Timeline and Phased Application

The AI Act applies in a staggered manner to allow stakeholders time to adapt. The timeline is crucial for compliance planning.

6 months after entry into force: Prohibitions on prohibited AI practices become applicable.
12 months: Obligations for GPAI models apply (codes of practice must be ready).
24 months: The high-risk AI systems listed in Annex III (specific use cases) become subject to the regulation.
36 months: High-risk systems that are safety components of products regulated by existing EU legislation (e.g., medical devices, cars) become applicable.

Interaction with National Law and Other Regulations

The AI Act is a Regulation, meaning it is directly applicable in all Member States without the need for national transposition laws. However, Member States do have some discretion, particularly regarding the organization of their national authorities and the rules on the use of AI by law enforcement.

AI Act vs. GDPR

It is vital to distinguish between the two. The GDPR regulates the processing of personal data. The AI Act regulates the functioning of AI systems. An AI system may be fully compliant with the AI Act (e.g., it is safe and robust) but still violate the GDPR if it processes personal data unlawfully (e.g., lacks a legal basis). Conversely, a system that complies with GDPR data minimization principles might still be a high-risk AI system requiring strict technical documentation.

Liability

The AI Act does not harmonize civil liability rules. If an AI system causes damage, the victim will still rely on national tort law or the new EU Product Liability Directive (which has been revised to include AI). This means that proving fault or causation remains a challenge in national courts, and the AI Act’s compliance documentation will likely become a key piece of evidence in liability litigation.

Practical Steps for Compliance

For organizations, the path to compliance requires a multidisciplinary approach involving legal, technical, and ethical teams.

1. AI System Mapping

Organizations must first inventory all AI systems in use or in development. For each system, they must perform a risk classification exercise. Is it prohibited? Is it high-risk? Is it limited risk? This classification determines the applicable legal regime.

2. Governance and Documentation

For high-risk systems, companies must establish a risk management system and ensure that technical documentation is created. This often requires updating internal processes, as many organizations currently lack the rigorous documentation standards required by the Act.

3. Supply Chain Management

Deployers (users) of high-risk AI systems are not free of obligations. They must use the system in accordance with the provider’s instructions, ensure human oversight, and monitor for incidents. They must also inform the provider if they encounter risks. This creates a chain of responsibility that extends through the supply chain.

4. Preparing for Conformity Assessment

Providers of high-risk systems in sensitive areas should start engaging with potential Notified Bodies early. The capacity of these bodies is limited, and a backlog is anticipated. The conformity assessment process will be rigorous and time-consuming.

Conclusion on the Regulatory Landscape

The EU AI Act is not merely a compliance checklist; it is a fundamental reshaping of the digital market. By establishing clear rules, it aims to create a “trust ecosystem” where citizens feel safe using AI-driven services. For businesses, it offers a competitive advantage: a product that is certified as compliant with the AI Act will likely be viewed as trustworthy globally. However, the complexity of the obligations, particularly regarding data governance and technical documentation, presents a significant operational challenge. The success of this framework will depend on the practical guidance issued by the EU AI Office and the ability of national authorities to enforce the rules consistently across the Union.

Table of Contents

AI in Education: Fundamentals & Tools

Understanding AI Basics

Practical AI Tools for Educators

Integrating AI into Teaching

Case Studies & Success Stories

Ethical AI & Inclusive Practices

Ethical & Legal Frameworks for AI Systems

Equity & Inclusion

Transparency & Trust

Algorithmic Bias, Discrimination & Legal Risk

AI Errors, Accountability & Legal Responsibility

Institutional AI Governance & Policy Design

AI, Security & GDPR Compliance

Data Protection & Privacy

Cybersecurity in AI

EU Regulations & Policies

Engaging Parents & Guardians

Data Protection, Privacy & AI Governance

Additional Resources

Glossary of Terms

Templates & Guides

Webinars & Research

AI for Administrative & Pedagogical Support

AI for Time Management

AI in Student Performance Tracking

AI for Automated Communication

AI for Document Management

AI, Robotics & Biotech Regulation in Europe

EU AI Act Explained: Scope, Risk Levels, Obligations

AI-Enabled Products: Robots, Medical Software, Smart Devices

Machinery Regulation & Safety Standards for Intelligent Systems

AI in Healthcare & Biotech: MDR, IVDR, EMA

Liability & Responsibility for AI-Driven Systems

Compliance in Practice: From Risk Assessment to CE Marking

Country-Specific AI Regulation & Enforcement

How EU AI Law Is Applied at National Level

Different Compliance Models

National AI Sandboxes & Regulatory Experiments

Public Sector AI Rules Across Europe

Cross-Border AI Deployment Challenges

When National Law Overrides EU Guidance

Legal Cases, Enforcement & Real-World Precedents

AI Act, GDPR & Algorithmic Decision-Making Cases

Liability Disputes Involving Automated Systems

Robotics Accidents & Legal Responsibility

Medical & Biotech AI Failures: Lessons Learned

What Enforcement Trends Tell Us About Future Regulation