Sign In
Request a Demo
Sign In
Request a Demo

What Is the EU AI Act?

What Is the EU AI Act?

The EU Artificial Intelligence Act (EU AI Act) is the world’s first comprehensive regulatory framework for the development, deployment, and use of artificial intelligence within the European Union. Proposed by the European Commission and formally adopted by the EU, the Act establishes a risk-based approach to AI regulation, classifying AI systems by the level of risk they pose to individuals, society, and fundamental rights.

The EU AI Act applies not only to organizations based in the EU, but also to any company that develops or uses AI systems that impact EU citizens, making it a global compliance consideration.

Why the EU AI Act Matters

The EU AI Act represents a major shift from voluntary AI guidance to enforceable legal obligations. Organizations must now demonstrate that AI systems are:

  • Governed responsibly
  • Transparent and explainable where required
  • Secure and resilient
  • Actively monitored for ongoing risk

Non-compliance can lead to significant financial penalties, reputational damage, and restrictions on the use of AI systems.

The EU AI Act’s Risk-Based Classification

The Act categorizes AI systems into four primary risk tiers:

1. Unacceptable Risk

AI systems that threaten fundamental rights or societal values are prohibited outright. Examples include government social scoring or certain forms of biometric surveillance.

2. High-Risk AI Systems

High-risk systems are permitted but subject to strict governance, risk management, and oversight requirements.

Common examples:

  • AI used in creditworthiness or lending decisions
  • AI in hiring, performance evaluation, or employee monitoring
  • AI supporting medical devices or critical infrastructure
  • Biometric identification systems

High-risk AI systems must meet detailed requirements for risk management, data governance, transparency, human oversight, and continuous monitoring.

3. Limited Risk

Systems that require specific transparency obligations, such as informing users when they interact with AI (e.g. chatbots, synthetic media).

4. Minimal Risk

Low-risk applications (e.g., AI in games or photo enhancement) that face little to no regulatory burden.

Key EU AI Act Requirements

For organizations operating high-risk AI systems, the EU AI Act mandates:

  1. AI risk management systems to identify, assess, and mitigate risks
  2. High-quality training and validation data to reduce bias and errors
  3. Technical documentation and record-keeping for traceability
  4. Human oversight mechanisms to intervene or override AI decisions
  5. Post-deployment monitoring to detect drift, misuse, or emergent risks
  6. Incident reporting for serious AI-related failures

These obligations emphasize continuous governance, not one-time compliance.

Who Must Comply With the EU AI Act?

The EU AI Act applies to:

  • AI providers and developers placing systems on the EU market
  • Organizations deploying AI systems in the EU
  • Non-EU companies whose AI systems affect EU individuals

In practice, this means many global enterprises will fall within scope, even without a physical EU presence.

EU AI Act and AI Governance Standards

The EU AI Act does not mandate a specific certification standard, but compliance requires formal governance structures, risk assessments, and ongoing controls.

Standards such as ISO/IEC 42001 (AI Management Systems) and frameworks like NIST AI RMF are commonly used to operationalize EU AI Act requirements by:

  • Structuring AI governance roles and accountability
  • Mapping regulatory obligations to controls and evidence
  • Supporting auditability and regulatory defensibility
  • Enabling continuous monitoring rather than static checklists

Penalties and Enforcement

Violations of the EU AI Act can result in fines of up to €35 million or a percentage of global annual turnover, depending on the severity of the breach and the type of violation.

Enforcement focuses on demonstrable governance and risk management, not just policy statements.

EU AI Act and Enterprise Risk Management

The EU AI Act elevates AI from a technical concern to a board-level risk issue. Organizations must connect AI behavior to business impact, regulatory exposure, and operational resilience.

This shift reinforces the need for integrated cyber risk and AI governance programs that provide:

  • Clear accountability
  • Continuous visibility into AI risk posture
  • Evidence-based reporting for regulators and executives

Comparing the EU AI Act and ISO/IEC 42001

As AI regulation and governance mature, organizations often ask how the EU AI Act compares to ISO/IEC 42001. While both address AI risk, they serve different but complementary purposes.

Category

EU AI Act

ISO/IEC 42001

Type

Binding regulation (law)

Voluntary international standard

Primary Purpose

Legal compliance and protection of fundamental rights

Operational AI governance and risk management

Scope

AI systems impacting EU individuals

AI systems across the full enterprise lifecycle

Applicability

EU-based and non-EU organizations

Global, industry-agnostic

Risk Approach

Risk-tiered (unacceptable, high, limited, minimal)

Continuous, management-system-based

Enforcement

Regulatory authorities

Third-party certification bodies

Penalties

Fines up to €35M or % of global revenue

No fines (certification-based)

Auditability

Regulatory audits and investigations

Formal certification and audits

 

Key Differences Explained

1. Regulation vs Governance Standard

The EU AI Act is enforceable law. It defines what organizations must do to legally deploy AI systems in the EU.

ISO 42001 is a governance standard. It defines how organizations should manage AI risk consistently, transparently, and defensibly across the AI lifecycle.

In practice:

  • The EU AI Act sets legal obligations
  • ISO 42001 provides the operational structure to meet them

2. Scope of Control

  • EU AI Act: Focuses on AI systems that pose risks to individuals’ rights, safety, or access to services
  • ISO 42001: Applies to all AI systems an organization develops, deploys, or uses, regardless of geography

ISO 42001 helps organizations manage AI risk before, during, and after deployment, not just where regulation applies.

3. Risk Management Approach

  • EU AI Act: Prescriptive requirements tied to AI risk classification
  • ISO 42001: Continuous risk identification, assessment, treatment, and improvement

The Act emphasizes compliance thresholds, while ISO 42001 emphasizes governance maturity.

4. Accountability and Evidence

  • EU AI Act: Requires documentation and transparency sufficient for regulatory review
  • ISO 42001: Requires ongoing monitoring, internal audits, management review, and improvement

ISO 42001 creates audit-ready evidence that can support EU AI Act compliance.

How to Use ISO 42001 and the EU AI Act Together

Many organizations treat the EU AI Act as the “what” and ISO 42001 as the “how.”

A common approach:

  1. Identify in-scope AI systems under the EU AI Act
  2. Classify AI risk levels
  3. Use ISO 42001 to operationalize governance, controls, monitoring, and accountability
  4. Produce continuous, defensible evidence for regulators and leadership

This reduces last-minute compliance effort and avoids fragmented, policy-only responses.

EU AI Act FAQs

Does the EU AI Act apply to U.S. companies?

Yes. The EU AI Act applies to U.S. companies if their AI systems impact individuals in the European Union.

You do not need a physical EU presence to fall within scope. The Act applies to:

  • U.S. companies offering AI-powered products or services in the EU
  • Organizations using AI systems that influence decisions affecting EU residents
  • Vendors whose AI outputs are used by EU-based customers

If AI outcomes affect EU citizens’ rights, access, or safety, the EU AI Act likely applies.

Do U.S. companies need to be ISO 42001 certified to comply with the EU AI Act?

No. ISO 42001 certification is not legally required under the EU AI Act.

However, ISO 42001 is widely viewed as a practical way to demonstrate responsible AI governance, providing:

  • Structured enterprise risk management processes
  • Clear accountability and oversight
  • Continuous monitoring and improvement
  • Audit-ready documentation

Many organizations use ISO 42001 to support and streamline compliance with the EU AI Act.

Is ISO 42001 enough to meet EU AI Act requirements?

ISO 42001 alone does not guarantee compliance, but it significantly reduces the effort required.

The EU AI Act includes specific legal obligations that must be addressed directly. ISO 42001 helps organizations:

  • Maintain ongoing control effectiveness
  • Detect and manage AI risk over time
  • Produce defensible governance evidence

Together, they create a more resilient compliance posture.

When should organizations start preparing?

Now. The EU AI Act introduces obligations that require:

  • AI system inventory and classification
  • Governance and oversight structures
  • Continuous monitoring processes

Organizations that wait until enforcement deadlines approach risk reactive, costly compliance efforts rather than scalable governance.

See Also

LEARN MORE ABOUT CONTINUOUS COMPLIANCE

Streamline Compliance with our Control Automation Brief

GET THE BRIEF