The EU AI Regulation 2024/1689

Legal Basis

The EU Artificial Intelligence Act (AI Act) was formally adopted in 2024 and will be fully applicable by 2026, with phased obligations starting earlier. It is the world’s first horizontal regulation on AI, aimed at ensuring that AI systems used in the EU are safe, transparent, ethical, and respect fundamental rights.

Scope

The EU Artificial Intelligence Act applies to:

  • Providers, deployers, importers, and distributors of AI systems in the EU.
  • AI systems placed on the EU market or used in the EU, even if developed or hosted abroad.

It covers machine learning, expert systems, and statistical approaches as AI.

Risk-Based Classification

The AI systems are categorized into four levels of risk, each with corresponding obligations:

(i) Prohibited AI Systems: the systems of this category are strictly banned due to unacceptable risk to fundamental rights, e.g.:

  • Social scoring by governments.
  • Real-time biometric identification in public spaces (with limited exceptions).
  • Exploitative or manipulative AI targeting vulnerable groups.

(ii) High-Risk AI Systems: high-risk systems are subject to strict requirements before being placed on the market. Examples include:

  • AI systems used in critical infrastructure, education, recruitment, law enforcement and healthcare.
  • These systems must meet requirements including:
    • Risk management and mitigation.
    • Data governance and quality.
    • Transparency, human oversight, and accountability.
    • Registration in an EU-wide AI database.

According to the AI Act the key obligations for High-Risk AI include:

  • CE Marking & Conformity Assessment;
  • Technical Documentation & Record-Keeping;
  • Human Oversight Mechanisms;
  • Post-Market Monitoring & Incident Reporting;
  • Cybersecurity and Robustness Standards.

(iii) Limited Risk AI Systems

These systems require transparency obligations, such as informing users they are interacting with an AI system (e.g., chatbots, emotion recognition tools).

(iv) Minimal Risk AI Systems

There are no mandatory obligations applicable in these AI systems. The minimal risk AI systems include most consumer-grade AI, e.g. spam filters, video games, AI-enabled photo editing.

Regulatory Supervision

Implementation and enforcement are pursuant to the AI Act supported by a complex EU-level framework. Particularly, there will be:

  • a European AI Board which will coordinate national authorities;
  • an AI Office attached to the Commission;
  • a Scientific Panel of Experts for technical guidance and alerts on systemic risks.

Further to the implementation at EU level, national authorities will conduct compliance assessments and market surveillance.

General-Purpose AI & Foundation Models

Following recent amendments, the AI Act introduces specific obligations for foundation models (e.g., large language models like GPT). GPAI providers must:

  • Ensure technical documentation and risk assessments.
  • Comply with transparency and copyright obligations.
  • Very large models with systemic risk face additional safety and testing requirements.

Sanctions and Penalties

The AI Act includes several sanctions and penalties for non-compliance which are designed to ensure accountability and effective enforcement. These sanctions vary up to €35 million or 7% of global annual turnover, depending on the type of infringement.

Entry into Force and Timelines

The AI Act was officially adopted in May 2024 and was entered into force 20 days after its publication in the EU Official Journal. The Act will become fully applicable in 2026, with staged obligations starting as early as 2025 for GPAI providers and prohibited uses.

Practical Implications for Businesses

Businesses shall early assessed whether their AI systems are high-risk or GPAI and they should be prepared with compliance documentation and technical standards. Finally, businesses shall have developed integrated AI governance frameworks across design, development, and deployment. The world’s first-ever comprehensive AI law establishes for the first time the regulatory benchmark with far-reaching implications for AI developers and users globally. Companies and policymakers worldwide are already adjusting to its framework, introducing a new era of regulated AI innovation.

Related Posts

We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners. View more
Cookies settings
Accept
Privacy & Cookie policy
Privacy & Cookies policy
Cookie name Active
Makis Anastasiou & Co. LLC is a law firm registered and operating under the laws of the Republic of Cyprus with its registered office at 211 Arch. Makariou III Avenue, Christina Center, Office 301, 3030 Limassol – Cyprus. We act as the “Data Controller” for the purposes of the General Data Protection Regulation (EU) 2016/679 (“GDPR”). At Makis Anastasiou & Co. LLC we are committed to protecting your privacy and handling your personal information and/ or data with transparency and care. This Privacy Policy describes how we collect, use, safeguard your personal information when you visit our website or interact with us through it. Personal data that may be collected and processed may include:
    • Contact information (e.g., name, email address, phone number)
    • Information you provide via contact forms or email
    • Technical data (e.g., IP address, browser type, device information)
    • Usage data (e.g., pages visited, time spent on our site)
Your personal data may be used for the following purposes:
    • To respond to your enquiries or provide legal services
    • To improve and maintain our website
    • To comply with legal or regulatory obligations
    • To protect our legal rights
We do not use your data for marketing purposes without your explicit consent. Process of your personal data is based on:
    • Your consent
    • The performance of a contract or pre-contractual steps
    • Our legitimate interest (e.g. improving services or website functionality)
    • Compliance with a legal obligation
Please note that we do not sell, rent, or trade your personal data. We may share your data with trusted third-party service providers (e.g., IT or hosting providers) only to the extent necessary and under confidentiality obligations. Your personal data will be retained only for as long as necessary for the purposes outlined above or as required by applicable law. Once no longer needed, your data will be securely deleted or anonymised. Under GDPR, you have the following rights:
    • Right to access your personal data
    • Right to rectification or erasure
    • Right to restrict or object to processing
    • Right to data portability
    • Right to withdraw consent (where applicable)
    • Right to lodge a complaint with the Office of the Commissioner for Personal Data Protection in Cyprus
Our website may use cookies to improve your browsing experience. You can manage cookie preferences through your browser settings. For more information, please see our [Cookie Policy].

Security
We implement appropriate technical and organizational measures to protect your data from unauthorized access, disclosure, or misuse.

Contact Us
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at +35725359159 or at info@anastasioulawfirm.com.
Save settings
Cookies settings