Skip to main content
Regulation EU 2024/1689

Everything you need to know about the EU AI Act

The practical guide for European SMEs. Risk levels, obligations, timeline, and what it means concretely for your business.

Join the waitlist →

Free early access · Notification when we launch

The world's first AI regulation - and it applies to you

Regulation (EU) 2024/1689, known as the "EU AI Act", entered into force in August 2024. It is the world's first legally binding framework to regulate artificial intelligence systems. Its ambition is clear: manage risks without blocking innovation, by applying obligations proportional to the potential impact of each AI system.

The AI Act takes a risk-based approach. Not all AI systems are equal before the law: a customer service chatbot does not have the same obligations as a CV screening tool or a creditworthiness assessment tool. The regulation defines four risk levels - from outright prohibition to no obligation - with proportionate penalties that can reach 7% of global turnover.

The regulation applies to any company that places on the market, deploys or uses an AI system intended for users in the European Union - regardless of its size or location. If your SME uses an AI-powered recruitment tool, generates content via ChatGPT for its clients, or has developed a SaaS with AI features, the regulation applies to you directly.

Your role determines your obligations

Provider

Heavy obligations

You develop or commercialise an AI system. Maximum obligations: technical documentation, conformity testing, registration in the EU database.

  • Complete technical documentation
  • CE marking if applicable
  • Registration in the EU database
  • Post-market surveillance

Example : a SaaS startup integrating an HR scoring model into its product.

Deployer

Targeted obligations

You use a third-party AI system in your operations. Targeted obligations: supplier conformity verification, user information, monitoring.

  • Human oversight of decisions
  • Information of persons concerned
  • Compliance with the provider's instructions
  • Transparency on AI-generated content (Art. 50)

Example : an HR agency using a SaaS CV screening tool for its clients.

⚠️ A deployer who substantially modifies an AI system becomes a provider for those modifications.

The 4 risk levels

Where does your company stand?

Prohibited

Maximum penalty

€35M or 7% of turnover

Art. 5 - EU 2024/1689

Practices prohibited without exception. The regulation deems them incompatible with fundamental rights and European values. Immediate cessation required.

  • A marketing tool using subliminal techniques to manipulate purchase decisions without the user's awareness
  • A "social scoring" system rating customers on their online behaviour to deny them services
  • Emotion recognition software in the workplace (except for specific medical or safety reasons)
Which practices does Art. 5 prohibit? ↓

High risk

Maximum penalty

€15M or 3% of turnover

Art. 6 + Annex III - EU 2024/1689

AI systems in sensitive areas (recruitment, credit, education, infrastructure). Full compliance required before August 2, 2026.

  • CV screening or candidate evaluation tool (Annex III - Domain 4)
  • Credit scoring or creditworthiness assessment system (Annex III - Domain 5)
  • Admissions or grading platform in education (Annex III - Domain 3)
  • Automated management of critical infrastructure components (Annex III - Domain 2)
Is my AI recruitment tool high risk? ↓

Limited risk

Maximum penalty

€7.5M or 1% of turnover

Art. 50 - EU 2024/1689

AI systems interacting directly with users. Transparency and labelling obligations only.

  • A customer service chatbot that answers user questions
  • A text or image generation tool published on your website
  • An AI assistant integrated into your SaaS that interacts with your customers
What are the Art. 50 obligations? ↓

Minimal risk

Maximum penalty

No fine

Outside Annex III and Art. 50

The majority of AI tools used in business. No direct regulatory obligation under the AI Act.

  • ML-based spam filters in your email system
  • Internal content recommendation tools not exposed to customers
  • Internal data analysis tools without automated decisions impacting people
How do I check my risk level? ↓

Regulatory deadlines you cannot miss

Some obligations are already in force. The critical deadline for most SMEs is less than a year away.

  1. Past deadline : February 2, 2025 -

    Prohibited practices applicable

    The 8 prohibited practices (Art. 5) are in force. The AI Literacy obligation (Art. 4) is also active.

  2. Past deadline : August 2, 2025 -

    Governance and operational sanctions

    National governance rules, sanctions and obligations for general-purpose AI models (GPAI) are applicable.

  3. Critical deadline - action required : August 2, 2026 -

    High-risk obligations Annex III - your deadline

    High-risk AI systems in Annex III domains (recruitment, credit, education, infrastructure) must be fully compliant. Fines up to 3% of turnover.

  4. Future deadline : August 2, 2027 -

    Regulated Annex I products

    AI systems embedded in regulated physical products (medical devices, machinery, vehicles) - Art. 6(1).

Join the waitlist →

Frequently asked questions

Everything you need to know

You now know whether you're affected. What's next?

Check your risk level for free and get your personalised roadmap.

Join the waitlist →
Instant resultNo legal jargon100% free