The EU AI Act: What businesses need to know

Whether or not you’re headquartered in the European Union, the EU AI Act has ramifications for organizations around the world. 

David Harris, Principal Generative AI Author at Pluralsight, explains the key elements of the act and how to align your AI strategy with changing legal frameworks. 

Want all the insights? Watch the on-demand webinar now.

The EU Artificial Intelligence Act is the world's first comprehensive or horizontal legal framework specifically governing artificial intelligence. It lays down rules for the development, placement on the market, and use of AI systems. 

The act recognizes AI's risk, alongside its potential to deliver economic and societal benefits, such as advancements in healthcare, transportation, manufacturing, and energy.

In a nutshell, the act aims to foster innovation and investment in AI technologies while protecting health, safety, and the environment from potential risks posed by AI systems.

“It champions a distinctly human-centric and trustworthy AI approach, mandating that AI development and deployment align with core European Union values,” says David.

While it’s called the EU AI Act, it’s actually designed to apply to various activities that connect AI systems to the EU market. That means it applies to people and organizations outside the European Union as well.

“It applies to providers who place AI systems on the EU market or put them into service, regardless of whether those providers are established within or outside the EU,” explains David. “It also applies to deployers of AI systems who are located within the EU.” 

This includes situations where an AI system’s output is used within the EU, even if the system itself is operated elsewhere. This refers to standalone AI systems as well as components integrated within other products.

“For example, a US-based company utilizing an AI tool for recruitment processes targeting job openings within the EU would likely fall under the Act's scope because the AI's output—the candidate assessments, short lists, things like that—is being used in the Union,” says David.

“Similarly, a non-EU AI service provider processing data for an EU client where the resulting analysis or predictions are sent back for use within the EU would also be subject to the act.”

The EU AI Act takes full effect on August 2, 2026. However, there are a few exceptions. Here’s a high-level overview of key dates:

• August 2, 2025: Certain rules related to GPAI models, governance, and confidentiality begin to take effect
• August 2, 2026: The EU AI Act begins to take full effect, except for Article 6(1)
• August 2, 2027: Article 6(1) begins to take effect

Learn more about the EU AI Act timelines.

To understand what rules you need to comply with, start by identifying your organization's role.

• AI provider: A provider is a natural or legal person, public authority, agency, or other body that develops an AI system, GPAI model, or has an AI system or GPAI model developed and places it on the market or puts it into service under its own name or trademark.
• AI deployer: A deployer is a natural or legal person, public authority, agency, or other body using an AI system under its authority for personal, non-professional activities.
• AI importer: An importer is a natural or legal person located or established in the EU that places an AI system on the market bearing the name or trademark of a natural or legal person established outside the Union.
• AI distributor: A distributor is a natural or legal person in the supply chain other than the provider or the importer.
• AI operator: An operator is a collective term encompassing the provider, product manufacturer, deployer, authorized representative, importer, or distributor. 

“An organization can simultaneously hold multiple roles, like being both a provider and a deployer, and must fulfill the obligations associated with each role,” says David.

What’s more, under Article 25 of the act, some obligations typically taken on by the provider can shift to others in the value chain under specific circumstances. That’s why it’s so important to understand your organization’s role.

Failing to comply with certain practices outlined in the EU AI Act can result in fines up to 35 million EUR or 7% of a company's annual turnover (depending on the severity of the violation).

Implement AI strategies across your organization to reduce the risk of these unnecessary costs.

A robust AI governance framework includes internal policies, procedures, and controls that align your organization’s AI use and development with your overall mission, ethical principles, and other legal obligations.

“Many organizations find it beneficial to start by creating a high-level AI responsible use policy to guide initial efforts. This framework should not be a standalone silo, but should integrate with existing governance structures for data protection, cybersecurity, and overall risk management,” says David.

Staying compliant with the act requires a workforce that understands the basics of AI and its risks. Upskill your employees in fundamental AI concepts, along with potential risks like bias, security, and safety.

“Personnel involved in the operation and use of AI systems, including development, deployment, and oversight roles, [should] possess a sufficient level of AI literacy to ensure appropriate handling and compliance,” says David.

Looking for more practical strategies to help your organization comply with the EU AI Act? Check out the full on-demand webinar to get David’s tips.

The EU AI Act remains ambiguous in some contexts. When in doubt, consult your legal representative and consider complying with the highest standard of the act to ensure compliance.

“It remains unclear whether mere accessibility of an AI's output to an EU person or incidental use by someone located in the EU is sufficient to bring a non-EU provider or deployer within the scope. This ambiguity makes it challenging for companies outside the EU to definitively assess their obligations,” says David.

“This uncertainty, coupled with the substantial penalties for noncompliance, creates a strong incentive for international businesses, particularly providers, to adopt the AI Act's requirements as a global baseline.”

Learn more about the EU AI Act in this Pluralsight course.