01 · Regulation Overview
- EC Digital Strategy + FLI High-level Summary
- Last verified: 2026-06-15
What it is
Regulation (EU) 2024/1689 — the world's first comprehensive legal framework on AI. Adopted 13 June 2024, published in the Official Journal 12 July 2024, in force 1 August 2024. Full title: "laying down harmonised rules on artificial intelligence" (the Artificial Intelligence Act).
Structure: ~180 recitals, 113 articles, 13 annexes. Amends several prior EU regulations (machinery, transport, product safety directives).
Core logic: risk-based approach
Four tiers, descending from most to least regulated:
| Tier | What it covers | Consequence |
|---|---|---|
| Unacceptable risk | 8 banned practices in force; Omnibus adds new intimate-image/CSAM prohibitions from 2 December 2026 after OJ publication | Prohibited outright. Fines up to €35M / 7% global turnover |
| High risk | Annex I (safety products) + Annex III (sector use cases) | Conformity assessment, technical documentation, human oversight |
| Limited risk | Chatbots, deepfake generators | Must disclose AI nature to users (transparency only) |
| Minimal / no risk | Spam filters, video-game AI, etc. | Unregulated — voluntary codes of conduct only |
Who must comply
| Role | Obligation level | Geographic scope |
|---|---|---|
| Providers (developers) | Heaviest — risk management, technical docs, conformity | Anywhere, if system used in EU |
| Deployers (professional users) | Lighter — human oversight, monitoring, incident reporting | Located in EU, or output used in EU |
| Importers & distributors | Verify provider compliance before market | EU market |
Key definitions
| Term | Definition |
|---|---|
| AI system | Machine-based system that operates with varying autonomy, infers from inputs to generate outputs (predictions, content, recommendations, decisions) that can influence physical or virtual environments |
| Provider | Entity that develops and places an AI system on the market or puts it into service |
| Deployer | Entity that uses an AI system in a professional context — not the end user |
| GPAI model | Model trained on large data via self-supervision, capable of a wide range of tasks, integrable into downstream systems |
| Systemic risk | Risk arising from GPAI models with compute > 10²⁵ FLOPs or designated high-impact capability by the Commission |
Relationship to GDPR
The AI Act doesn't replace GDPR. They overlap where AI processes personal data. DPAs are recommended as market surveillance authorities for rights-impacting high-risk AI. Fines can stack.
The Digital Omnibus amendment (2025–2026)
Proposed by the Commission on 19 November 2025; provisional agreement reached on 6–7 May 2026; Coreper confirmed the agreement on 13 May 2026; Parliament adopted its first-reading position on 16 June 2026; Council gave final approval on 29 June 2026. The act still needs signature and Official Journal publication before the amendments have legal effect. The final PE-CONS 30/26 text would:
- apply Chapter III, Sections 1–3 to Annex III high-risk systems from 2 December 2027 and Annex I high-risk systems from 2 August 2028;
- add Article 5 prohibitions for AI systems generating/manipulating non-consensual intimate material or child sexual abuse material, applying from 2 December 2026;
- reinforce AI Office powers for AI systems under Article 75 supervision;
- extend simplified technical documentation and some penalty proportionality provisions to SMEs/start-ups and small mid-cap enterprises (SMCs);
- move national AI regulatory sandboxes to 2 August 2027 and allow an EU-level AI Office sandbox for Article 75 systems.
Official text links
| Format | Link |
|---|---|
| HTML (English) | EUR-Lex HTML |
| PDF (authentic OJ) | EUR-Lex PDF |
| CELEX (all languages) | CELEX:32024R1689 |