Compliance Guides
Does the EU AI Act apply to us, and at what risk tier?
The EU AI Act applies if you develop, place on the market, or deploy AI systems that touch the EU. Your requirements scale with the risk tier — here are the four tiers and what each one requires.

Photo: Vishnu Mohanan / Unsplash
New to the topic? Start with What sovereign compliance actually means.
The EU AI Act applies to you if you develop an AI system, place one on the EU market, or deployone in the EU — and it reaches many companies based outside Europe whose AI outputs are used there. But it does not treat all AI the same: your requirements scale with the system’s risk tier. This guide sets out when the Act applies, the four tiers, and what each one requires — for European companies and for companies outside Europe that must meet EU requirements to do business in the EU.
When the AI Act applies
The Act — Regulation (EU) 2024/1689 — applies across the lifecycle of an AI system and attaches requirements to the role you play. You are in scope if you develop and place an AI system on the EU market (a provider), or use one under your own authority (a deployer). What you must actually do then depends on the risk tier of the system in question.
- Definition
- Provider (EU AI Act)
- The party that develops an AI system, or has one developed, and places it on the EU market or puts it into service under its own name or trademark. Providers of high-risk systems carry the fullest set of requirements under the Act.
- Definition
- Deployer (EU AI Act)
- A party that uses an AI system under its own authority in the course of its activity — for example a company using a high-risk hiring or credit-scoring system. Deployers carry their own distinct requirements, separate from the provider’s.
The Act applies in phases. It entered into force on 1 August 2024, with the prohibitions on unacceptable-risk uses applying from February 2025, the rules for general-purpose AI from August 2025, and most high-risk requirements from August 2026. That staggered timeline is deliberate: the highest-harm uses were shut off first, and the heaviest compliance work has the longest lead time.
The four risk tiers
The Act sorts AI into four tiers, and your requirements follow the tier rather than the technology. The table below maps each tier to what it requires.
| Risk tier | What it requires |
|---|---|
| Unacceptable risk | Prohibited outright — for example social scoring by public authorities, and certain manipulative or biometric-categorisation uses. These systems may not be placed on the market or used at all. |
| High risk | The strict requirements — for the Annex III use cases (such as employment, credit, and access to essential services) and for AI that is a product or safety component under EU product law: a risk-management system, data governance, technical documentation, record-keeping, human oversight, accuracy/robustness/cybersecurity, and conformity assessment. |
| Limited risk | Transparency requirements — for example disclosing that content is AI-generated, telling users when they are interacting with an AI system or chatbot, and labelling deepfakes. |
| Minimal risk | No mandatory requirements — the large majority of AI systems, such as spam filters or AI in games, fall here. |
Most of the compliance weight sits in the high-risk tier, so working out whether a system lands there is the decisive question for most companies.
High-risk requirements in plain terms
Two of the high-risk requirements are worth spelling out, because they shape how a system has to be built and run rather than just documented.
- Data governance (Article 10)— training, validation, and testing data sets must be subject to appropriate governance practices: they must be relevant and sufficiently representative, examined for possible biases, and as far as possible complete and free of errors for the system’s intended purpose.
- Human oversight (Article 14)— high-risk systems must be designed so that people can effectively oversee them while in use: understanding the system’s capabilities and limits, watching for automation bias, interpreting its output, and being able to intervene or stop it.
Providers vs deployers
The Act draws a clear line between the party that builds an AI system and the party that uses it, and gives each its own requirements. A providerdevelops the system and places it on the EU market or puts it into service — and, for high-risk systems, carries the bulk of the requirements, from the risk-management system through to conformity assessment. A deployeruses the system under its own authority and carries its own distinct requirements, such as using the system in line with its instructions, ensuring meaningful human oversight, and, in certain cases, informing the people affected. The same company can be both — a provider for the AI it builds and a deployer for the AI it buys.
If your company is outside the EU
The AI Act reaches beyond the EU’s borders. It applies to providers that place AI systems on the EU market, and to providers and deployers established outside the EU where the outputproduced by the system is used in the EU — without any EU establishment. Doing business in Europe generally means meeting European requirements, wherever you are based. We cover the broader pattern in non-EU company selling into the EU, and the same cross-border logic runs through does DORA apply to my company.
How COMPLY.Reg helps
Placing a system in the right tier and turning that tier into concrete, traceable requirements is exactly the work that is slow and error-prone by hand. COMPLY.Reg is a regulatory compliance platform that uses AI to do it: it maps your AI systems against the Act, identifies the requirements that apply at your risk tier, and turns them into audit-ready controls with the evidence that proves each one — keeping a human in the loop for every determination. Your source documents stay on your own systems, and your compliance data is processed in the EU. Not sure the AI Act is the only regime in play? Start with which EU regulations apply to your company.
Frequently asked questions
- When does the EU AI Act start to apply?
- It entered into force on 1 August 2024 and applies in phases: the prohibitions on unacceptable-risk uses from February 2025, general-purpose AI rules from August 2025, and most high-risk requirements from August 2026.
- Does the EU AI Act apply to companies outside the EU?
- Yes. It reaches providers that place AI systems on the EU market, and providers and deployers established outside the EU where the system’s output is used in the EU — even without an EU establishment.
- Does every AI system carry the same requirements?
- No. Requirements scale with the risk tier: unacceptable-risk uses are prohibited, high-risk systems carry strict requirements, limited-risk systems carry transparency requirements, and minimal-risk systems carry no mandatory requirements.