What is the EU AI Act (Regulation 2024/1689)?

The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024 and is phased in until 2027. It is a risk-based regulatory framework. Four risk categories: (1) Unacceptable risk — banned from 2 Feb 2025. Government social scoring, biometric surveillance in public spaces (except serious crime), emotion recognition at work + school, manipulative AI targeting vulnerable groups. (2) High risk — strictly regulated from 2 Aug 2026. Annex III: critical infrastructure, education (admission, exams), HR (recruitment, performance review), essential services (credit scoring, insurance), law enforcement, migration, justice. Requirements: risk management system, transparency, human oversight, cybersecurity, conformity assessment, register in EU AI database. (3) Limited risk — disclosure duty. Chatbots must identify as AI, deepfakes must be labelled as such, AI-generated content must be machine-readable marked. (4) Minimal risk — voluntary codes of conduct. General-purpose AI (GPAI): separate rules for "foundation models" (GPT-4, Claude, Gemini) — from 2 Aug 2025. Transparency, technical documentation, copyright respect, energy-use reporting. Systems "with systemic risk" (10^25 FLOPs+) get extra strict requirements. Enforcement: national AI regulators (NL: ATR + AP together) + new AI Office in Brussels. Fines: up to €35 million or 7% global turnover for prohibited AI practices. GDPR overlap: AI Act supplements GDPR, doesn't replace it. For AI with personal data ALL GDPR obligations apply plus AI Act.