Skip to main content

The EU AI Act Decoded: What You Need to Know

The EU AI Act is now the world’s most comprehensive AI regulation. Here’s the clear, practical breakdown of what matters ; risk categories, obligations, timelines, and what organisations must actually do to comply.

Christophe MazzolaChristophe MazzolaĀ· Practicing CISO Ā· Founder of Cyber Academy5 min read
The EU AI Act Decoded: What You Need to Know

Everyone is talking about the EU AI Act. Almost no one understands what it actually requires.

Some think it bans AI. Others think it’s GDPR 2.0. Many assume it only affects ā€œbig tech.ā€

The truth is much simpler ; and much more serious:If your organisation uses, builds, or buys AI, the AI Act affects you. Here’s the decoded, field-tested explanation.

The AI Act is not a technical manual or a philosophical document. It is a governance and accountability framework designed to ensure AI systems are safe, explainable, documented, and ethically deployed.

The Act doesn’t ask you to stop using AI. It asks you to control it ; the same way we control cybersecurity, financial systems, and critical infrastructure.

Let’s break it down without jargon.

1. The Entire Law Revolves Around Four Risk Levels

The AI Act sorts AI systems into four buckets, each with different obligations.

1. Unacceptable Risk → Banned outright

Examples:

  • social scoring
  • manipulative/psychological exploitation
  • biometric categorisation revealing sensitive traits
  • untargeted facial scraping
  • emotion recognition in workplaces/schools

If your system falls here, you cannot use it. Period.

2. High-Risk → The core of the Act (strict governance)

High-risk AI includes systems that affect:

  • people’s rights
  • safety
  • financial stability
  • critical services
  • law enforcement
  • employment
  • healthcare
  • essential infrastructure

This is where 80% of obligations apply.

3. Limited Risk → Transparency required

Examples:

  • chatbots
  • deepfakes
  • generative content
  • AI systems interacting with humans

Users must be informed they are interacting with AI and when content is AI-generated.

4. Minimal Risk → Free use

Examples:

  • spelling/grammar tools
  • AI in videogames
  • recommendation engines No special requirements.

The key: Most organisations operate in categories 2 and 3 ; not 1.

2. High-Risk AI Comes With Significant Obligations

If your AI system is high-risk, you must implement a full AI governance system.

You must prove:

  • risk assessments
  • dataset quality & governance
  • model documentation (architecture, training, testing)
  • bias detection & mitigation
  • robustness and cybersecurity
  • human oversight and decision boundaries
  • performance monitoring
  • incident logging
  • lifecycle traceability
  • transparency for regulators

This is not optional.It is legally mandated.

Anecdote: Several European banks already treat high-risk AI systems as ā€œmini-regulated products,ā€ with lifecycles mirroring financial models.

3. General-Purpose AI (GPAI) and Foundation Models Have Their Own Rules

This is where most companies misunderstand the Act. Even if you don’t build AI, you still need to understand obligations for models you use.

GPAI providers (e.g., large language models) must:

  • publish documentation
  • disclose training data sources
  • provide risk mitigation guidance
  • ensure cybersecurity
  • share technical evaluations
  • test for systemic risks (for powerful models)

Users (you) must:

  • understand intended use
  • apply risk controls
  • avoid reuse in high-risk contexts without oversight
  • ensure outputs are traceable and governed

You inherit obligations when you use a GPAI model.

4. Human Oversight Is Not a Checkbox ; It’s a Core Mechanism

Every high-risk AI system must include:

  • clear human override
  • documented review checkpoints
  • training for human reviewers
  • explanation mechanisms

The Act is explicit: Human oversight must be effective, not symbolic.

This means your staff cannot blindly trust AI outputs ; you need a formal process.

5. The AI Act Requires an ā€œAI Governance Systemā€ ; Not Just Policies

This is the part most organisations underestimate.

The AI Act expects something similar to an ISMS, but for AI:

Your governance system must include:

  • documented roles and responsibilities
  • lifecycle processes
  • risk frameworks
  • model documentation
  • monitoring procedures
  • incident response
  • internal audit
  • continuous improvement
  • organisational AI training
  • procurement controls
  • technical + ethical checks
  • Board-level oversight

This is exactly why ISO released ISO/IEC 42001 ; it mirrors the Act almost perfectly.

The EU never uses the word ā€œmanagement system,ā€ but everything about the AI Act implies one.

6. The AI Act Includes Mandatory AI Incident Reporting

If an AI system leads to:

  • malfunction
  • bias
  • harm
  • misclassification
  • rights violation
  • significant model drift
  • security breach affecting AI

…you must notify authorities.

There is no ā€œsweep it under the rugā€ option.

7. Documentation Requirements Are Heavy (But Logical)

For high-risk AI, expect to maintain:

  • training data documentation
  • model architecture
  • testing protocols
  • robustness checks
  • cybersecurity measures
  • mitigations
  • bias analysis
  • performance metrics
  • human oversight rules
  • logs
  • versioned model history
  • deployment records

This is not bureaucracy ; it is what responsible AI teams should already be doing.

8. Enforcement Timeline Matters ; Here’s How It Breaks Down

The AI Act is phased:

2025–2026

  • Banned practices become illegal
  • GPAI transparency applies
  • National supervisory authorities begin operations
  • AI Office coordinates oversight

2026–2027

  • High-risk AI obligations start
  • Companies must register high-risk systems
  • Governance systems need to be operational

2027–2028

  • Full compliance required
  • Audits and enforcement actions begin
  • Fines become real

If you deploy or buy AI systems in 2025, you must prepare them now.

9. Penalties Are GDPR-Level Serious

Non-compliance fines:

  • up to €35M or 7% global turnover (highest tier)
  • €15M or 3% for high-risk system failures
  • €7.5M or 1.5% for misleading documentation

These numbers are intentional:They make AI Act compliance a Board-level priority.

10. What You Actually Need to Do Now

Here is your real-world, zero-fluff starter list:

  1. Identify and classify your AI systems (risk-based)
  2. Map your vendors and GPAI dependencies
  3. Create your AI governance framework
  4. Start documenting model decisions
  5. Implement human oversight
  6. Develop AI risk assessment procedures
  7. Prepare for incident reporting
  8. Train teams on AI obligations
  9. Align with ISO/IEC 42001
  10. Set up evidence workflows (AI Act ≠ ā€œpromiseā€; it’s ā€œproveā€)

This is the minimum to avoid regulatory pain.

Final Thought

The EU AI Act isn’t anti-innovation. It’s pro-accountability. It says one thing clearly:

If AI affects people’s lives, it must be explainable, controlled, and governed.

This is the future of digital operations ; and businesses who embrace it early will have a competitive advantage, not a compliance burden.

If you want to understand how to implement the EU AI Act in practice ; governance, oversight, documentation and ISO 42001 alignment ; that’s exactly what we teach in the Cyber Academy ISO42001 Lead Implementer and AI Risk Manager programs. Join the next session and prepare your organisation for Europe’s new AI era.

Want the next field note in your inbox?

The GRC Brief newsletter. Five links and one short take, every Monday at 8am CET. Three-minute read.

The EU AI Act Decoded: What You Need to Know Ā· Cyber Academy