Regulatory Guidance

What is the Artificial Intelligence Act (AI Act)?

The European Union's Artificial Intelligence Act is the world's first comprehensive legal framework for safe and ethical AI deployment.

The Artificial Intelligence Act (AI Act) is a European Union regulation that establishes the world’s first comprehensive legal framework for artificial intelligence. Its primary goal is to harmonize rules on the development, marketing, and use of AI systems within the EU market.

The regulation seeks to safeguard fundamental human rights, safety, and ethical standards, while fostering trust, investment, and innovation in AI technologies. The AI Act officially entered into force in August 2024, with various compliance requirements taking effect in stages between 2025 and 2026.


Who does the AI Act apply to?

The AI Act applies broadly to any entity whose AI-based solutions or outputs affect individuals or businesses within the EU:

  • Providers: Organizations that develop an AI system or general-purpose AI model and place it on the market or put it into service under their own name.
  • Deployers: Entities (businesses, public bodies, or individuals) using AI systems under their authority in the course of their professional activities.
  • Importers and Distributors: Entities that place AI systems from outside the EU onto the market or distribute them within the EU.
  • Third-Country Operators: Providers or deployers located outside the EU whose AI system’s outputs (e.g., predictions, content, or decisions) are used within the EU.

AI Risk Classifications

The AI Act adopts a risk-based approach, categorizing AI systems into four risk levels, each carrying different legal obligations:

Figure: AI Act Risk Pyramid

1. Unacceptable Risk (Prohibited AI)

AI systems that present a clear threat to the safety, livelihoods, and rights of individuals are banned entirely within the EU. These include:

  • Cognitive behavioral manipulation that causes physical or psychological harm.
  • Social scoring (classifying individuals based on their social behavior or personal characteristics).
  • Real-time biometric identification in publicly accessible spaces for law enforcement (subject to very narrow exceptions).
  • Emotion recognition systems in workplaces or educational institutions.
  • Predictive policing based solely on profiling or assessing personality traits.

2. High-Risk AI

AI systems that are permitted but subject to strict compliance obligations before being placed on the market and throughout their lifecycle. These include AI used in:

  • Critical infrastructure (e.g., road traffic and electricity grids).
  • Education and vocational training (e.g., automated exam grading).
  • Employment and recruiting (e.g., CV sorting and talent screening tools).
  • Access to essential private and public services (e.g., credit scoring and loan evaluations).
  • Law enforcement, migration control, and administration of justice.
  • Safety components in regulated products (e.g., medical devices, toys, machinery).

3. Limited Risk (Transparency Obligations)

AI systems with moderate risk, such as general-purpose AI models, chatbots, and deepfakes. These systems must comply with transparency requirements: users must be clearly informed that they are interacting with an AI or that the content has been artificially generated.

4. Minimal or No Risk

The vast majority of AI systems currently in use (e.g., spam filters, video games, inventory management). These systems face no specific legal obligations under the AI Act, though following voluntary ethical codes is encouraged.


What are the requirements for High-Risk AI?

Providers and deployers of high-risk AI systems must implement specific technical and administrative controls:

  • Risk Management System: An ongoing, documented process to identify, analyze, and mitigate security and safety risks throughout the AI’s lifecycle.
  • High-Quality Training Data: Dataset governance ensuring training, validation, and testing data are representative, error-free, and free of bias.
  • Technical Documentation: Detailed records describing the AI system’s architecture, design, and development process to demonstrate compliance to regulators.
  • Traceability and Logging: Automatic logging features to record the system’s operations, making it possible to audit and trace decisions.
  • Transparency and Instructions: Clear user instructions outlining the system’s capabilities, limitations, and expected accuracy.
  • Human Oversight: Mechanisms to allow meaningful human control (human-in-the-loop) to intervene or override automatic decisions.
  • Cybersecurity and Robustness: High levels of accuracy, resilience, and protection against unauthorized access or manipulation (such as data poisoning).

AI Act Timeline and Milestones

The regulation is being rolled out in phases:

  • August 1, 2024: The AI Act officially entered into force.
  • February 2, 2025: Bans on prohibited AI practices and provisions on AI literacy requirements take effect.
  • August 2, 2025: Rules regarding General Purpose AI (GPAI) models and the governance structure become applicable.
  • August 2, 2026: The regulation becomes fully applicable. High-risk AI requirements take effect, and national regulatory sandboxes must be established.

Penalties for Non-Compliance

Violations of the AI Act can result in severe financial penalties:

  • Non-compliance with prohibited AI practices: Fines of up to €35,000,000 or 7% of global annual turnover (whichever is higher).
  • Non-compliance with other obligations (such as high-risk AI requirements): Fines of up to €15,000,000 or 3% of global turnover.
  • Supplying incorrect or misleading information to authorities: Fines of up to €7,500,000 or 1.5% of global turnover.

Note: For SMEs, startups, and micro-entities, fines are calculated proportionally with lower maximum caps to ensure penalties do not threaten their economic viability.


How can Tekve help you navigate AI compliance?

We help your organization manage AI risks, comply with EU regulations, and build responsible AI solutions:

  1. AI Inventory and Classification: We map the AI systems your company uses or develops and determine their official risk categories under the AI Act.
  2. ISO/IEC 42001 (AI Management System): We help build and certify an AI Management System based on the international ISO 42001 standard, providing the best structural foundation for AI Act compliance.
  3. Technical Documentation Preparation: We compile risk management plans, dataset quality descriptions, and logging procedures for high-risk systems.
  4. AI Policies & Guidelines: We draft clear internal policies governing the secure and ethical use of AI tools (like Copilot, ChatGPT, or custom LLMs) within your company.
  5. AI Literacy Training: We deliver interactive training sessions for your staff and leadership to build the required AI literacy and risk awareness.