
What does the EU AI Act regulate?

Updated June 16, 2026 · By Max Langley, AI Audits EU

The EU AI Act regulates AI systems placed on the EU market or whose output is used in the EU, and it does so by risk. It bans a short list of unacceptable practices, loads the heaviest obligations onto high-risk systems, requires transparency for limited-risk systems, leaves minimal-risk systems mostly alone, and sets separate rules for general-purpose AI models.

A framework built on four risk tiers

The Act sorts AI into four tiers. Unacceptable-risk systems are banned outright. High-risk systems are allowed but heavily regulated. Limited-risk systems face transparency duties only. Minimal-risk systems, which account for most software, carry no specific obligations. On top of this sits a separate regime for general-purpose AI models. Your obligations follow your tier, which is why classification matters more than anything else.

What it bans

The prohibited practices include social scoring by public authorities, manipulative or exploitative systems that cause harm, untargeted scraping of facial images to build recognition databases, emotion recognition in workplaces and schools, certain kinds of biometric categorisation, and real-time remote biometric identification in public spaces by law enforcement, allowed only in narrow, pre-authorised situations. These bans have applied since February 2025.

What it regulates most heavily

High-risk systems, defined through Annex I product law and the Annex III use-case list, carry the full obligation set: risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy, robustness, cybersecurity, conformity assessment, and registration. Limited risk is lighter: you disclose that people are dealing with AI and label synthetic or manipulated media.

General-purpose AI and the line with GDPR

Providers of general-purpose AI models face documentation, training-content transparency, and copyright obligations, with more for models that carry systemic risk. And the Act is not GDPR. GDPR governs personal data; the AI Act governs AI systems and their wider risks. A single system can be subject to both at once, and satisfying one does not discharge the other.

What does the EU AI Act regulate?

It regulates AI systems placed on the EU market or whose output is used in the EU, using a risk-based approach. It bans a small set of unacceptable practices, imposes heavy obligations on high-risk systems, requires transparency for limited-risk systems, leaves minimal-risk systems largely free, and adds separate rules for general-purpose AI models.

What AI practices are banned?

Prohibited practices include social scoring by public authorities, manipulative or exploitative techniques that cause harm, untargeted scraping of facial images to build recognition databases, emotion recognition in workplaces and schools, certain biometric categorisation, and real-time remote biometric identification in public spaces by law enforcement, except in narrow, authorised cases.

Is the EU AI Act the same as GDPR?

No. GDPR governs personal data. The AI Act governs AI systems and their risks, including safety and fundamental rights beyond data protection. They overlap and apply together: an AI system can be subject to both, and meeting one does not satisfy the other.

Does it cover ChatGPT-style models?

Yes, through the general-purpose AI model rules. Providers of these models face documentation, training-content transparency, and copyright obligations, with extra duties for models judged to carry systemic risk. Specific uses built on top of such a model can also be high-risk in their own right.

Which tier is your system?

The whole Act turns on classification. We will tell you your risk tier and exactly which obligations follow.

This guide is general information, not legal advice. Confirm your obligations with qualified counsel.