# Governance and the EU AI act: the topline
In 2025, a company shipped an AI tool that scored job applicants partly on facial expressions during video interviews. Under the EU AI Act, that kind of "emotion recognition in the workplace" is now effectively banned. Not "fined." Banned.
The EU AI Act is the world's first major law that regulates artificial intelligence directly. If you work with AI tools, build with them, or even just buy them for your team, the topline matters. You do not need to read 100 pages of legal text. You need the shape of the law: what is forbidden, what is heavily controlled, and when the rules bite.
Let's get you that shape.
The EU AI Act sorts AI systems into risk tiers. The higher the risk to people's rights and safety, the heavier the rules. Think of it like a traffic-light system with four levels.
One key point: the law applies based on where the AI is *used*, not where the company is based. A US startup whose chatbot serves EU customers is on the hook. This is the same "long " that made the GDPR (Europe's privacy law) a global standard.
A quick definition: a "provider" is whoever builds or sells the AI system. A "deployer" is whoever uses it in their organisation. Both have duties, but providers carry the heavier load.
These uses are off the table in the EU. Most took effect in February 2025. Concrete examples:
If your product idea touches any of these, stop. There is no compliance checklist that makes it legal in the EU.
This is the tier most professionals will actually bump into. High-risk does not mean "evil." It means the AI is used in a setting where a bad decision seriously affects someone's life. Examples:
If you deploy a high-risk system, you inherit real obligations: keep humans in the loop, log what the system does, use good-quality data, monitor for bias, and be transparent with the people affected. Providers must register these systems in an EU database before selling them.
Say your HR team buys an AI résumé-screener. You are now a deployer of a high-risk system. Your duties include:
The lesson: "we just bought it off the shelf" is not a defence. Buying high-risk AI makes you responsible for how you use it.
This is where everyday tools like ChatGPT, Claude, and Gemini mostly live for general use. The core rule is simple: people should know when they are dealing with AI.
So if you deploy a customer-service chatbot, a one-line "You're chatting with our AI assistant" disclosure goes a long way.
The big models powering ChatGPT, Claude, and Gemini are called General-Purpose AI (GPAI): models flexible enough to do many tasks. The Act adds a separate set of duties for the companies that make them, which kicked in around August 2025.
GPAI providers must publish summaries of their training data, respect EU copyright rules, and provide technical documentation. The most powerful models (those posing "systemic risk") face extra testing and security requirements. The EU published a voluntary General-Purpose AI Code of Practice to help these providers comply.
For you as a *user*, this mostly happens upstream. But it is why your AI vendor's documentation and "model cards" matter: they are partly there to satisfy these rules.
The Act entered into force in August 2024, but the rules switch on in waves. The headline dates:
So 2026 is the year the bulk of the obligations land. If your organisation uses AI in hiring, lending, or other sensitive areas, this year is when "we should look into that" becomes "we needed this done."
Fines are serious. Banned uses can cost up to 35 million euros or 7% of global annual revenue, whichever is higher. Other breaches scale down from there. The numbers are designed to make compliance cheaper than ignoring the law.
Vérification des acquis
1. Under the EU AI Act's risk-tier system, what happens to AI systems classified as 'unacceptable risk'?
2. A US-based startup operates a chatbot that serves customers located in the EU. According to the lesson, does the EU AI Act apply to it?
3. The lesson compares the EU AI Act's global influence to which earlier piece of European legislation?
4. Select ALL correct answers about the roles of 'provider' and 'deployer' under the EU AI Act.
Sélectionnez toutes les réponses correctes.
5. Select ALL correct answers that are examples of prohibited (unacceptable-risk) AI uses described in the lesson.
Sélectionnez toutes les réponses correctes.
You do not need a lawyer to do a first-pass triage. Ask three questions about any AI system you use or build:
1. Is the use prohibited? (Social scoring, workplace emotion detection, etc.) If yes, stop.
2. Is it high-risk? (Hiring, credit, health, education, law enforcement.) If yes, you have real obligations.
3. Does it talk to or generate content for people? If yes, you owe them transparency.
Here is that triage as a tiny script you could adapt for an internal checklist:
def classify_ai_use(use_case):
prohibited = {"social_scoring", "workplace_emotion_recognition",
"untargeted_face_scraping", "predictive_policing"}
high_risk = {"cv_screening", "credit_scoring", "medical_diagnosis",
"exam_scoring", "border_control"}
if use_case in prohibited:
return "PROHIBITED: do not deploy in the EU."
if use_case in high_risk:
return "HIGH-RISK: human oversight, logging, bias checks required."
return "LIMITED/MINIMAL: add a clear 'this is AI' disclosure."
print(classify_ai_use("cv_screening"))
# HIGH-RISK: human oversight, logging, bias checks required.This is a starting filter, not legal advice. But it forces the right first question every time.
Even if you are in the US, UK, or elsewhere, three reasons to care:
You can read the official summary on the EU's own AI Act page if you want the primary source in plain-ish language.