The EU AI Act, formally Regulation (EU) 2024/1689, is the European Union’s comprehensive legal framework for artificial intelligence and the first law of its kind anywhere in the world. It sets out harmonised rules for the development, placing on the market, and use of AI systems across the Union, with the declared aim of fostering trustworthy AI while protecting health, safety, and fundamental rights. For any organisation that builds, sells, or merely uses AI in or toward the European market, the AI Act is now the defining regulatory reference.
The risk-based approach
The central idea of the AI Act is that not all AI carries the same risk, so not all AI should face the same rules. The regulation therefore sorts AI into tiers. A small set of practices is considered an unacceptable risk and is prohibited outright. A larger set of uses is classified as high-risk and subject to extensive obligations before and after they reach the market. Certain systems carry specific transparency obligations — users must be told, for instance, that they are interacting with a machine or viewing AI-generated content. Everything else is treated as minimal risk and faces no new obligations. This graduated structure is what makes the AI Act proportionate rather than a blanket restriction on the technology.
What counts as an AI system
A threshold question is what the law actually governs. The AI Act defines an AI system as a machine-based system designed to operate with varying levels of autonomy that, for explicit or implicit objectives, infers from the input it receives how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. The emphasis on inference is deliberate: it distinguishes genuine AI from ordinary deterministic software. Getting this classification right is the first step in any compliance assessment, because a system that does not meet the definition falls outside the regulation entirely.
Prohibited practices
At the top of the risk pyramid sit the prohibited practices — uses of AI considered so harmful that they are banned regardless of any safeguards. These include systems that deploy subliminal or manipulative techniques to materially distort behaviour, that exploit the vulnerabilities of specific groups, that enable social scoring by public authorities, and certain uses of real-time remote biometric identification in public spaces. The prohibitions were among the first provisions of the Act to take effect, and any organisation operating AI in Europe should confirm early that none of its uses fall into this category, because no amount of documentation can rescue a banned practice.
High-risk systems
The heart of the regulation is the high-risk category. These are AI systems used in sensitive domains — listed in the Act’s annexes — such as critical infrastructure, education, employment, access to essential services, law enforcement, migration, and the administration of justice, as well as AI used as a safety component of regulated products. High-risk systems are not banned, but they must satisfy a demanding set of requirements covering risk management, data governance, technical documentation, record-keeping, transparency, human oversight, and accuracy and robustness. They must also pass a conformity assessment before being placed on the market and be monitored afterwards.
Who the AI Act applies to
The AI Act assigns obligations chiefly to two roles. A provider is the party that develops an AI system, or has one developed, and places it on the market under its own name. A deployer is any party that uses an AI system in a professional capacity. Providers bear the heaviest burden, but deployers of high-risk systems have real duties too — ensuring human oversight, monitoring operation, and keeping logs. Crucially, the Act has extraterritorial reach: it applies not only to providers and deployers established in the EU but also to those outside it whenever the output of the AI system is used within the Union. A Swiss or US company serving European users is therefore squarely in scope.
The enforcement timeline
The AI Act entered into force in 2024 and applies in stages rather than all at once. The prohibitions on unacceptable-risk practices and the obligations around AI literacy applied first. The rules for general-purpose AI models followed. The bulk of the high-risk obligations apply later, with the headline date for many high-risk systems falling in 2026, and certain provisions tied to existing product-safety legislation extending into 2027. This staggered timeline gives organisations a window to prepare — but the preparation for high-risk obligations is substantial, so the sensible posture is to start the gap analysis well before the relevant deadline rather than after it.
General-purpose AI
The rapid rise of large, broadly capable models prompted the Act to add a dedicated regime for general-purpose AI — models that can perform a wide range of tasks and be integrated into many downstream systems. Providers of these models face their own obligations around technical documentation, transparency to downstream developers, and respect for copyright, with stricter duties for the most capable models deemed to pose systemic risk. Any organisation that integrates such a model into its own product needs to understand both its duties as a downstream provider and the information it can expect from the model provider.
What DACH companies should do now
For companies in Switzerland, Germany, and Austria, the practical first step is an inventory: identify every AI system in use or in development, and classify each against the Act’s risk tiers. That classification determines everything that follows — whether a use is banned, whether it triggers the full high-risk regime, or whether only light transparency duties apply. From there, high-risk systems need a structured compliance programme, and even lower-risk uses benefit from documentation and the AI-literacy measures the Act requires. Innopulse supports exactly this assessment with its own tool, AI Risk Check, which guides organisations through a structured self-evaluation and shows where and to what extent the AI Act’s obligations apply.
Conclusion
The EU AI Act is the world’s first comprehensive AI law, and through its extraterritorial reach it sets a standard that affects organisations far beyond Europe. Its risk-based structure means the burden is proportionate — most systems face little or nothing, while high-risk uses face a demanding regime and a narrow set of practices is banned. The staggered timeline through 2026 and 2027 offers room to prepare, but high-risk compliance is involved enough that early action is the prudent course. Understanding which tier each AI system falls into is the foundation on which all further compliance work rests.