
The EU AI Act – culmination of the work towards trustworthy AI in the European Union

The EU AI Act assigns obligations based on risk categories and AI value chain roles. Learn its context in the wider EU regulatory landscape and its key components.
Aino Valkama

The EU’s Artificial Intelligence Act (AI Act) is a broad legislative framework that regulates all AI by assigning obligations to specific actor roles in the AI value chain, based on the system’s risk category.

For organizations, this means that AI needs to be understood and managed within a regulatory framework.

In this article, I unpack the regulation: both its context in a wider EU landscape and its key components.

The act builds on earlier EU-level efforts towards “trustworthy AI” – meaning AI that reflects standards such as fairness, transparency, privacy, accountability, accuracy and human agency.  

Earlier work includes two noteworthy documents: in 2019, the Ethics Guidelines for Trustworthy AI were published and, in 2020, the Assessment List for Trustworthy AI was released. These documents articulated requirements for the development, use and governance of trustworthy AI and served as a conceptual basis for the AI Act.

The AI Act transforms these principles into binding legislation, establishing a regulatory framework that assigns obligations to different roles in the AI value chain based mainly on the risk categorization and whether general purpose AI (GPAI) is involved.

Regulatory context of the AI Act

The act regulates products and services that include AI, treating an AI system as a product subject to market surveillance. The act has three main objectives:

  1. The free movement of the product – an AI system – within the EU internal market

  2. The protection of fundamental rights, health and safety

  3. Supporting innovation

Furthermore, the act – as with any EU regulation – operates within a wider framework of data and technology regulation. AI systems and their regulation do not exist in a vacuum: other regulations such as the GDPR and the Data Act must also be considered whenever they apply to a given AI system. Viewing AI systems through the lenses of these different objectives and other regulations adds complexity to the interpretation of the Act, which likely won’t be straightforward for many years to come.

Developing framework

Continuing with the topic of complexity, the AI Act and its accompanying materials form a massive body of material. When interpreting the regulation, it’s not enough to only focus on the Act itself. The regulation is also supported by guidelines – the Commission's interpretations of what the regulation means in practice – and Codes of Practice, which describe how compliance with the regulation's obligations can be concretely demonstrated.

There are currently 14 guidelines – either published, in draft or in development – most of which relate to high-risk AI systems. In practice, they will carry considerable weight in the interpretation of the AI Act (Lindroos-Hovinheimo et al. 2025, Tekoälyn sääntely, p. 120). Additionally, there are 2 Codes of Practice relating to general-purpose AI (GPAI) models – these will likely serve as the primary technical means of demonstrating compliance for GPAI models until official standards are finalized (Lindroos-Hovinheimo et al. 2025, Tekoälyn sääntely, pp. 116–117).

To eventually help with demonstrating compliance in a harmonized manner, the Commission has mandated CEN-CENELEC (European Committee for Electrotechnical Standardization) to develop harmonized standards, such as a standard on risk management systems for AI systems, intended to guide the implementation of the AI Act's obligations.

Risk categories and the AI value chain: two key components of assigning regulatory obligations

As mentioned, the Act regulates AI by assigning each system to a risk category. These are:

  • minimal risk (such as spam filters), which is a risk category that is not regulated

  • limited risk (such as chatbots), which is subject to light obligations

  • high risk, which is strongly regulated

  • prohibited risk, which is strictly forbidden.

Actors along the AI value chain are assigned roles as well, and these include, for example:

  • provider: actor that develops – or has another party develop – and places the AI system on the market or into service under its trademark

  • deployer: actor that uses an AI system under its authority.

In some cases, one role can be assigned to multiple parties, and one party can be assigned several roles. This means that e.g. the provider role can be shared between parties, or that an importer of an AI system could be re-classified as a provider if they, for example, put their own trademark on a high-risk system already on the market, thus making the party subject to both roles’ obligations (importer and provider).

On top of these categorizations, if an AI system includes GPAI, it introduces several other obligations to specific roles in the AI value chain that compound with the risk-category based obligations. This means that even if a minimal risk system includes a GPAI component, it becomes regulated by the GPAI obligations.

There is also a cross-cutting requirement of AI literacy, which introduces a requirement for all AI providers and deployers to ensure a sufficient level of AI literacy of their staff and any persons dealing with the operation and use of AI systems.

High-risk systems

Most of the regulation focuses on high-risk AI systems and most obligations fall on the providers or developers of those systems.

High-risk use cases include e.g. recruitment, law enforcement, border control and admission to educational institutions. Providing or deploying such an AI system introduces requirements such as establishing risk management and quality management systems, conducting data governance, maintaining extensive technical documentation and registering the system in an EU-wide database.

Limited risk systems

Limited risk systems introduce lighter obligations: ensuring proper transparency towards users and content labeling. There’s a catch, though: if the system is classified as limited risk due to its nature, such as only completing a narrow, pre-determined task, but is deployed in an otherwise high-risk area, it still needs to be thoroughly assessed and registered into the high-risk database.

Penalties for non-compliance

Non-compliance in high-risk cases as well as some limited risk scenarios – more specifically, in transparency requirements – can result in fines of up to 15 million euros or 3% of annual turnover, whichever is higher. It’s also noteworthy that non-compliance in prohibited AI practices can rack up a fine of 35 million euros or 7% of annual turnover, whichever is higher.

In my next article, I’ll review how the Act concretely affects organizations’ day-to-day; what the concrete practices of mitigating AI Act risks are; and what the main challenges of implementing AI compliance are.

The AI Act regulation text, Regulation (EU) 2024/1689, was used as a source where not explicitly cited in-text.

Aino Valkama

As the Compliance and Responsibility Manager at Norrin, Aino leads the development and coordination of AI compliance and responsible AI practices across the organization.
