
What Is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive, horizontal law governing artificial intelligence. It entered into force on 1 August 2024 and regulates AI not by sector but by risk: the higher the potential harm an AI system poses to health, safety, or fundamental rights, the stricter the obligations placed on it. The Act applies to providers and deployers of AI systems used in the EU --- including organizations based outside the EU whose AI outputs are used within it --- making it, like the GDPR before it, a de facto global standard.

The AI Act matters because it converts the broad idea of "responsible AI" into binding legal requirements with real penalties. It establishes what AI may never be used for, what high-stakes AI must prove before it reaches the market, and what every AI system must disclose to the people interacting with it. For any organization building or deploying AI, it turns governance from a voluntary good practice into a compliance obligation --- and the foundation of that compliance is being able to document and govern the data behind every model.

TL;DR

The EU AI Act is the first comprehensive AI law, applying a risk-based framework across four tiers: unacceptable risk (banned), high risk (strict obligations --- risk management, data governance, documentation, human oversight, conformity assessment), limited risk (transparency duties, e.g. labeling chatbots and deepfakes), and minimal risk (no obligations). General-purpose AI (GPAI) models carry their own rules. The timeline phases in from 2025 through 2027, with penalties up to €35 million or 7% of global turnover. Article 10's data-governance requirements make documented, high-quality, well-governed training data a legal prerequisite, which makes AI Act compliance, at its core, a data governance problem.

EU AI Act Defined

The AI Act is a regulation --- directly applicable across all EU member states without needing national transposition. It defines an "AI system" broadly (aligned with the OECD definition) and assigns obligations based on the role an organization plays: provider (develops or places an AI system on the market), deployer (uses an AI system under its authority), and to a lesser degree importers and distributors. Most of the heavy obligations fall on providers of high-risk systems.

The defining characteristics of the Act:

  • Risk-based, not technology-based --- The same algorithm can be unregulated in one use and high-risk in another. What matters is the context and potential for harm, not the technique.
  • Extraterritorial reach --- It applies to non-EU organizations whose AI systems or outputs are used in the EU.
  • Horizontal scope --- It cuts across every sector rather than regulating, say, only healthcare or finance AI.
  • Enforced with GDPR-scale penalties --- Fines reach the higher of a fixed sum or a percentage of worldwide annual turnover.

The Four Risk Tiers

The Act sorts AI systems into four levels of risk, each with a different regulatory burden.

Figure: The EU AI Act Risk Pyramid (risk-based tiers). Unacceptable risk: prohibited (social scoring, manipulative AI, untargeted face scraping). High risk: strict pre-market obligations (risk management, data governance, documentation, human oversight) for hiring, credit, education, medical, and law enforcement uses. Limited risk: transparency duties (label chatbots and deepfakes as AI). Minimal risk: no obligations; the vast majority of AI (spam filters, recommendation, game AI). General-purpose AI (GPAI), governed separately: transparency, technical documentation, copyright and training-data summary, with extra obligations for models with "systemic risk" (very large training compute).

1. Unacceptable risk --- prohibited

A small set of practices is banned outright because they are judged incompatible with EU values: government social scoring, AI that manipulates behavior to cause harm, untargeted scraping of facial images to build recognition databases, emotion recognition in workplaces and schools, and most real-time remote biometric identification in public spaces. These prohibitions were the first provisions to apply.

2. High risk --- strict obligations

AI used in consequential domains --- employment and hiring, access to credit and essential services, education, medical devices, critical infrastructure, law enforcement, migration, and the administration of justice --- is "high risk." It is not banned, but it must meet a substantial set of obligations before and after it reaches the market. This is where most of the Act's compliance work lives.

3. Limited risk --- transparency duties

Systems that interact with people or generate content carry transparency obligations: users must be told they are dealing with a chatbot, and AI-generated or manipulated content (deepfakes) must be labeled as such. The aim is informed interaction, not pre-market approval.

4. Minimal risk --- no obligations

The vast majority of AI --- spam filters, recommendation engines, game AI --- falls here and faces no new legal requirements under the Act, though voluntary codes of conduct are encouraged.

High-Risk Obligations

For high-risk systems, providers must build and maintain a compliance program that spans the entire AI lifecycle. The core obligations are:

  • Risk management system --- A continuous process to identify, evaluate, and mitigate risks across the system's lifecycle.
  • Data and data governance (Article 10) --- Training, validation, and testing datasets must be relevant, sufficiently representative, and as free of errors as possible, and examined for bias. This is an explicit data quality and governance mandate.
  • Technical documentation --- Detailed documentation demonstrating compliance, kept up to date.
  • Record-keeping (logging) --- Automatic logging of events for traceability throughout the system's operation.
  • Transparency & information to deployers --- Clear instructions so deployers can use the system correctly.
  • Human oversight --- The system must be designed so people can effectively oversee it.
  • Accuracy, robustness & cybersecurity --- Appropriate levels maintained throughout the lifecycle.
  • Conformity assessment & registration --- High-risk systems undergo a conformity assessment and are registered in an EU database before going to market.

GPAI & the Timeline

General-purpose AI (GPAI) models --- foundation models and large language models that can be adapted to many tasks --- are governed under their own regime. All GPAI providers face transparency and documentation obligations, including a summary of training-data content and a copyright policy. Models deemed to pose "systemic risk" (identified largely by very high training compute) carry additional obligations around evaluation, risk mitigation, and incident reporting.

The Act applies in phases rather than all at once:

  • 1 August 2024 --- Entry into force.
  • 2 February 2025 --- Prohibitions on unacceptable-risk AI and AI-literacy obligations begin to apply.
  • 2 August 2025 --- GPAI model rules and governance/penalty provisions apply.
  • 2 August 2026 --- The bulk of the Act, including most high-risk obligations, becomes applicable.
  • 2 August 2027 --- High-risk obligations for AI that is a safety component of regulated products apply.

This original timeline has since been revised. Under the Digital Omnibus, a provisional Parliament---Council agreement of 7 May 2026 postpones the high-risk obligations --- standalone systems (Annex III) to 2 December 2027 and product-embedded systems (Annex I) to 2 August 2028 --- largely because the harmonised standards needed to comply are not yet ready. Formal adoption is expected by mid-2026, so treat the dates above as the law's original schedule and the Omnibus dates as the operative ones once adopted. For the full picture of the changes, see our blog: The AI Omnibus --- What Changed in the EU AI Act.

Data Governance Under the AI Act

Strip the AI Act down to its operational core and much of it is a data governance mandate. Article 10's requirement that high-risk training data be relevant, representative, error-checked, and examined for bias cannot be met without knowing what data trained a model, where it came from, and whether it is fit for purpose. The documentation, logging, and traceability obligations are, in practice, requirements to produce governance evidence on demand.

This is where governance tooling becomes compliance infrastructure:

  • A data catalog and metadata management provide the inventory of what data exists and how it is used --- the starting point for any AI documentation.
  • Data lineage, especially column-level lineage, answers "what data trained this model, and what would change if a source changed?" --- the backbone of traceability and impact analysis.
  • Data classification and quality controls demonstrate that datasets were examined for representativeness, bias, and errors as Article 10 demands.

Dawiso's broader role in this is the subject of its AI governance solution and the related concept of AI governance: turning the catalog, glossary, and lineage your organization already maintains into the documented, auditable evidence the AI Act requires. Compliance is not a separate project bolted onto AI --- it is governed data, made provable.

Conclusion

The EU AI Act is the moment AI governance stopped being optional. By tying obligations to risk and backing them with GDPR-scale penalties, it forces organizations to treat the data behind their AI as a regulated asset --- documented, traceable, quality-checked, and governed. The technical requirements are demanding but tractable; the organizations that struggle will be those that cannot answer basic questions about their own data. The ones that already govern their data well will find that AI Act compliance is, to a surprising degree, governance they have already done.
