The EU AI Act, explained for teams that ship

The EU AI Act is the first comprehensive horizontal regulation of artificial intelligence. It applies to any provider or deployer that puts an AI system on the EU market — even if the company itself sits outside the EU.

This guide breaks the Act into the parts that actually change how teams build and ship AI: who is in scope, how risk is classified, what each tier requires, and what the rolling 2026–2027 deadlines mean for compliance work this year.

EU AI Act: step-by-step practical framework

The Act takes a product-safety approach. Instead of regulating AI as an abstract technology, it sorts every AI system into one of four risk tiers and attaches obligations that scale with risk.

  • Unacceptable risk — banned outright (e.g. social scoring, real-time biometric ID in public)
  • High risk — heavy obligations (recruitment, credit scoring, critical infrastructure, medical devices)
  • Limited risk — transparency only (chatbots must disclose they're AI; deepfakes must be labelled)
  • Minimal risk — no obligations (spam filters, recommender systems, most internal tools)

Who the EU AI Act applies to

Scope is extraterritorial. If the output of your AI system is used in the EU, you're in scope — regardless of where the company is registered. That includes US SaaS vendors selling to EU customers, marketing agencies running campaigns into EU markets, and any organisation embedding GPAI models like GPT-5 or Gemini in customer-facing workflows.

Providers

Anyone who develops an AI system and places it on the EU market under their own name. Providers carry the bulk of the technical, documentation and post-market monitoring obligations.

Deployers

Organisations that use an AI system in a professional capacity. Lighter obligations than providers, but real ones: human oversight, monitoring, instructions-for-use compliance, and (for high-risk systems) a fundamental-rights impact assessment.

Key deadlines

The Act came into force on 1 August 2024 but obligations phase in over three years. The dates that matter for most teams:

  • 2 February 2025 — bans on unacceptable-risk practices apply
  • 2 August 2025 — GPAI provider obligations and governance rules apply
  • 2 August 2026 — most remaining obligations apply (the main compliance deadline)
  • 2 August 2027 — high-risk systems embedded in regulated products (medical devices, toys, machinery)

Fines and enforcement

Penalties are tiered and intentionally heavy. Placing a prohibited system on the market can cost up to €35 million or 7% of global annual turnover, whichever is higher. Non-compliance with high-risk obligations can cost up to €15 million or 3%. Supplying incorrect information to authorities can cost up to €7.5 million or 1%.

Member-state authorities enforce. The European AI Office coordinates and handles cross-border GPAI matters directly.

What to do this quarter

Three concrete actions, in order, that get most teams 80% of the way to readiness:

  • Build an inventory of every AI system you provide or deploy — including SaaS tools your team uses
  • Classify each system into a risk tier and document the reasoning
  • Stand up a continuous-monitoring process so the inventory stays current (a quarterly spreadsheet is not enough)

Frequently asked questions