EU AI Act — What It Requires from Your Organization

Four Risk Tiers — The Core of the Act

The Act classifies every AI system into one of four risk tiers. Each tier carries an entirely different set of obligations:

1. Unacceptable Risk — Prohibited

Systems designed to exploit psychological vulnerabilities, government social scoring, real-time remote biometric identification in publicly accessible spaces (with narrow exceptions), and emotion recognition in workplaces or educational institutions. These systems may not be operated. In force from February 2025.

2. High Risk — Annex III

The majority of compliance work centers on high-risk systems. Annex III includes, among others:

• CV screening and recruitment decision-support
• Credit decisions and consumer credit scoring
• Educational systems that influence admission to institutions
• Law enforcement decisions and access to public services
• Critical infrastructure operation (transport, electricity, water)

3. Limited Risk — Transparency Only

Chatbots, generative AI content systems, and deepfakes carry transparency obligations only. Users must be informed they are interacting with an AI rather than a human, and AI-generated content must be labelled as such.

GPAI — General Purpose AI

Large foundation models (GPT-4, Claude, Gemini, Llama) face a separate set of obligations that came into force in August 2025. A GPAI provider must document model architecture, training data scope, and energy consumption. Models with “systemic risk” (trained on more than 10²⁵ FLOPs as of 2025) face enhanced obligations including adversarial testing and incident reporting.

What does this mean for an organization that uses GPAI but does not develop it? You need to know which model is in use, which provider maintains it, and verify that the provider meets its own GPAI obligations — a point that should appear explicitly in updated data processing agreements.

Classifying an Existing System

1. Identify the purpose: What is the system used for? Recruitment, credit, or education use cases point to high risk. Internal content drafting or summarization typically falls under limited risk at most.
2. Assess human impact: Does the system make or materially influence a decision that affects a person? If so, it is almost certainly high risk.
3. Determine your role: Are you using a GPAI foundation model? Both the model provider and your organization carry obligations. Using a dedicated third-party SaaS? The vendor absorbs some provider obligations, but you remain a deployer with your own duties.
4. Check for exemptions: Annex III includes narrow exemptions where a system functions purely as an aid and does not drive the decision — but the definition is tight and requires thorough documentation to substantiate.

Enforcement Timeline

The Act takes effect in phases. These are the key dates every organization serving the EU market should have on its compliance roadmap:

Organizational Checklist

• Map every AI system in use across the organization, including shadow AI adopted independently by staff
• Classify each system against the four risk tiers using the criteria above
• Identify which systems place the organization in a provider role and which in a deployer role
• Update data processing agreements with AI vendors: Act obligations, GPAI compliance commitments, notification on model changes
• Establish human oversight processes for every high-risk system
• Define an AI incident reporting procedure (erroneous output, bias detection, data exposure)
• Open an operational log for high-risk systems — mandatory under Article 12

The Alice GRC portal questionnaire covers each of these points and produces a prioritized action list specific to your organization. Organizations implementing ISO/IEC 42001 gain substantial coverage of Act requirements from the governance foundation the standard establishes.