A practical guide to scope, timelines, standards, and sector impact.
The EU AI Act is the European Union’s legal framework for regulating certain AI systems according to their level of risk. It sets out harmonized rules for the development, placing on the market, and use of those systems in the EU.
Its purpose is to support safe deployment, transparency, traceability, and respect for fundamental rights while allowing innovation to continue.
Unlike voluntary guidance, the Act:
In practice, any organization developing, embedding, or using systems that fall within the Act’s scope may need to assess its obligations, regardless of where it is established.
Risk classification is central to the regulation. The Act groups systems into categories with obligations that increase as potential impact increases.
Certain practices are prohibited because they are considered incompatible with fundamental rights or safety. Prohibited practices now include AI systems capable of generating sexualized deepfakes. Other examples include:
High‑risk classification under the Act depends on the role and function of the AI system within a given product or use case, rather than on the sector alone.
In practice, many high‑risk systems are found in regulated products or sensitive domains, including:
These systems must meet requirements relating to:
Under the AI Omnibus agreement, the definition of what qualifies as a safety component has been narrowed.
AI functions that solely assist users or optimize performance are not automatically classified as high‑risk, provided that their failure or malfunction does not create risks to health or safety.
As a result, high‑risk classification for AI systems embedded in regulated products depends on the system’s actual role and safety impact, rather than on the presence of AI alone.
Some systems are mainly subject to transparency obligations. Common examples include:
Most systems fall into this category and are not subject to additional obligations under the Act, although voluntary codes and internal controls may still be useful.
The Act entered into force on 1 August 2024. Following the provisional AI Omnibus agreement, some of the original application dates have been postponed, and obligations will apply progressively.
For many organizations, December 2027 is now the key milestone for having governance, controls, and evidence ready.
ISO/IEC 42001:2023 is the first international AI management system standard. It is voluntary, but it can support internal governance, documentation, and accountability.
ISO/IEC 42001 remains particularly relevant during the extended transition period under the AI Act, supporting governance, documentation, and accountability as organizations prepare for high‑risk obligations applying from December 2027.
The standard aligns well with themes that also appear in the Act, including:
It is also compatible with other management systems, including ISO/IEC 27001.
In practice:
For high-risk systems, ISO/IEC 42001 can support many of the organizational controls needed for readiness, while EU-specific technical and conformity obligations still need to be addressed separately.
The EU AI Act does not stand alone. It sits within a broader regulatory environment.
The Cyber Resilience Act focuses on the cybersecurity of products with digital elements. It overlaps with the AI Act in areas such as:
This is especially relevant for AI-enabled products.
The Act complements GDPR, but it goes beyond personal data. High-risk systems introduce additional requirements around:
The NIST AI Risk Management Framework is not legally binding in the EU, but it can be useful for:
It is often used alongside ISO/IEC 42001 as a practical reference framework.
ISO/IEC 27001 remains a strong foundation for information security. It supports readiness in areas such as:
It is increasingly treated as a baseline for governance in organizations with mature compliance programs.
Systems used in medical and healthcare settings are often high-risk by design. They also interact closely with MDR and IVDR requirements.
Key focus areas include:
Systems in advanced driver assistance, autonomous functions, or safety components may fall within the high-risk framework and interact with existing vehicle rules.
Main priorities include:
Systems used in industrial and machinery contexts may fall under both the EU AI Act and product‑specific legislation. However, not all AI systems in machinery are automatically classified as high‑risk.
Under the AI Omnibus agreement, the Machinery Regulation has been transferred to Annex I, Section B of the AI Act. The European Commission is expected to adopt delegated acts under the Machinery Regulation to specify AI‑related health and safety requirements, with application foreseen by August 2028.
In practice, only AI systems that qualify as safety components, meaning that their failure or malfunction could create risks to health or safety, are likely to trigger high‑risk obligations.
Systems used for recruitment, evaluation, or profiling are typically high-risk.
The main issues are:
Even before all harmonized standards are available, organizations can already take practical steps toward AI Act readiness.
The extended implementation timelines provide an opportunity for gradual preparation, including governance design, system inventory and classification, risk management procedures, and evidence collection to support future conformity assessments.
No. ISO/IEC 42001 is voluntary, but it is widely recognized as a strong foundation for governance.
Yes, if their systems are placed on the EU market or used in the EU.
No. Some AI systems, including those embedded in regulated products, may fall outside high‑risk obligations where they do not qualify as safety components and do not create risks to health or safety.
No. The Act focuses on system behavior, safety, and fundamental rights, not only on personal data.
Preparing for the EU AI Act is not only about meeting legal requirements. It is also about establishing clear governance, documentation, and control processes that support safe deployment across markets.
Disclaimer: This overview is based on the provisional AI Omnibus agreement. Final obligations and timelines may be refined following formal adoption and publication in the Official Journal of the European Union.