The first wave of obligations under the EU AI Act took effect this month. Here's a plain-English guide to who is affected and how to stay compliant.
After years of negotiation, the EU AI Act has officially entered its enforcement phase. The first set of rules — covering prohibited practices and general-purpose AI transparency — became binding on May 1st, with fines of up to €35 million or 7% of global turnover for violations.
The four risk tiers
The Act classifies AI systems into four categories: unacceptable (banned outright), high-risk (heavy compliance burden), limited-risk (transparency obligations), and minimal-risk (no obligations). Most consumer chatbots fall into the limited-risk bucket, but anything touching hiring, credit scoring, or law enforcement is now high-risk.
Practical steps for startups
- Audit your training data sources and keep an evidence trail.
- Add an "AI-generated" disclosure to any synthetic media your product produces.
- If your model exceeds 10^25 FLOPs of training compute, you owe the Commission a model card.
- Document your red-teaming methodology — vague hand-waving will not pass an audit.
The good news: most well-engineered teams already do 80% of this. The bad news: that last 20% is paperwork, and paperwork is what gets audited.