EU AI Act

The EU AI Act, for people who ship LLMs

A short, opinionated read on what the AI Act actually requires from teams deploying LLMs in Europe, and how LLM Radar tracks vendor posture against it.

What the AI Act is

The EU AI Act (Regulation 2024/1689) is a horizontal, risk-tiered rulebook for AI systems placed on the EU market. It came into force in August 2024; obligations phase in through 2026, with general-purpose AI (GPAI) duties under Article 53 already applicable.

It applies to providers (who put a system on the market), deployers (who use it in a professional capacity), importers, distributors, and product manufacturers, regardless of where they are established, if the output is used in the EU.

Implementation timeline

Obligations phase in over three years. The dates below assume the Official Journal text of August 2024:

  1. Aug 2024: In force. The regulation enters into force across the EU.
  2. Feb 2025: Bans active. Bans on prohibited practices are enforceable; AI literacy duties apply.
  3. Aug 2025: Foundation-model duties. Article 53 obligations for GPAI providers, plus governance and penalties.
  4. Aug 2026: Main rules apply. Limited-risk transparency and the full high-risk regime apply to new deployments.
  5. Aug 2027: Legacy deadline. Existing high-risk systems already on the market must comply.

The four risk tiers

Minimal

Spam filters, AI in video games, basic recommenders. No specific obligations beyond existing EU law. Most LLM use cases land here.

Limited

Chatbots, AI-generated content, emotion recognition. Transparency obligations: users must know they are interacting with an AI; synthetic content must be marked as such in machine-readable form.

High-risk

AI in recruiting, credit scoring, education, critical infrastructure, law enforcement, medical devices. Heavy obligations: risk management, data governance, technical documentation, human oversight, conformity assessment, EU database registration.

Prohibited

Social scoring, untargeted facial-recognition scraping, manipulative or exploitative systems, real-time biometric ID in public spaces (with narrow exceptions). Banned outright since February 2025.

What counts as high-risk (Annex III)

If your system is used for any of these purposes, the full high-risk regime applies, regardless of which model is under the hood:

  • Biometric identification, categorisation, and emotion recognition outside Article 5's outright bans.
  • Critical infrastructure (road, rail, water, gas, electricity, digital infrastructure).
  • Education and vocational training (admissions, evaluation, proctoring).
  • Employment and worker management (CV screening, performance scoring, scheduling).
  • Access to essential services (credit scoring, insurance pricing, social benefits, emergency triage).
  • Law enforcement, migration and border control, and the administration of justice.

What it means if you're shipping an LLM

If you build or fine-tune a foundation model: you are a GPAI provider. Article 53 requires you to publish a sufficiently detailed summary of training data, document copyright-compliance measures, and maintain technical documentation for downstream deployers.

If you embed someone else's LLM into a product: you are a deployer. Your obligations follow your use case's risk tier; most chatbot and copilot scenarios land in Limited (transparency) or Minimal. High-risk use cases (HR screening, credit, medical) inherit the full Annex III regime regardless of which model you picked.

GPAI with systemic risk: models trained with more than 10²⁵ FLOPs (currently a small set of frontier models) carry additional duties: model evaluation, adversarial testing, incident reporting, cybersecurity protections.

Penalties

Fines scale with the severity of the breach and the size of the offender. National authorities pick the higher of a fixed cap or a percentage of worldwide annual turnover:

  • €35M or 7% for placing a prohibited system on the market or otherwise breaching Article 5.
  • €15M or 3% for breaching most other obligations, including the rules for providers and deployers of high-risk systems.
  • €7.5M or 1% for supplying incorrect, incomplete, or misleading information to notified bodies and authorities.

GPAI providers face a separate scheme under Article 101, capped at €15M or 3% of turnover. SMEs and startups are subject to the lower of the two figures rather than the higher.

How LLM Radar scores AI Act posture

Every provider in our register carries an AI Act badge. The rubric is identical to the one in our methodology; we just surface the dimension here for context:

See the full methodology →

Not legal advice

This page is editorial, not legal counsel. The AI Act is enforced by national authorities and the EU AI Office; consult your DPO and outside counsel before relying on a vendor's posture for a regulated deployment.