Skip to main content
Hero background

EU AI Act

What Is the EU AI Act?

The EU AI Act (European Union Artificial Intelligence Act) is a comprehensive regulatory framework that governs the development, placement on the market, deployment, and use of artificial intelligence systems within the EU. It applies regardless of where the provider is established, meaning organizations outside the EU may also fall within scope if their AI systems are placed on the EU market, or their outputs are used there. 

At its core, the regulation introduces a risk-based governance model, meaning obligations depend on the level of risk an AI system poses to health, safety, and fundamental rights. It covers the full AI ecosystem, including providers, deployers, importers, distributors, and manufacturers integrating AI into products. 

The EU AI Act also introduces rules for general-purpose AI (GPAI) models, including foundation models, with additional obligations for GPAI models designated as posing systemic risk. 

Alignment with the EU Regulatory Framework 

The EU AI Act works alongside other major EU digital regulations, including: 

Together, these regulations create a cohesive digital governance framework focused on trust, transparency, cybersecurity, and responsible innovation. 

Phased Implementation Timeline 

The EU AI Act is a newly adopted regulatory framework that is being phased over time, with requirements applying gradually. 

Entry into force (August 2024): The regulation officially becomes law, initiating the phased implementation period.  

Six months (February 2025): Prohibited AI practices apply, alongside AI literacy obligations for organizations developing or deploying AI systems.  

Twelve months (August 2025): Obligations for general-purpose AI models take effect, including governance and transparency requirements.  

Twenty-four months (August 2026): Most remaining provisions become applicable across regulated AI systems.  

Thirty-six months (August 2027): Certain high-risk AI system requirements fully apply, completing the rollout of obligations. 

Importance of the EU AI Act

Impact on Critical Sectors and Public Services 

The EU AI Act is particularly important for sectors where AI directly influences safety, fundamental rights, and essential services. These sectors include healthcare, transportation, energy, financial services, public administration, and critical infrastructure. 

Within these environments, the regulation strengthens accountability by requiring structured risk management, comprehensive documentation, human oversight, and ongoing monitoring. These measures help ensure AI-driven decisions remain transparent, traceable, and reliable in mission-critical environments. 

Alignment with Governance and Security Practices 

The EU AI Act aligns closely with established enterprise security and governance practices. Organizations that already follow secure-by-design development, structured documentation, and continuous monitoring will find many of its requirements familiar. 

The regulation reinforces the importance of demonstrable compliance by requiring evidence that AI systems are developed, tested, deployed, and monitored according to regulatory expectations. This supports stronger legal, operational, and reputational risk management. 

Operational Clarity through Risk Classification 

One of the defining features of the EU AI Act is its structured risk classification framework. AI systems are categorized as unacceptable, high, limited, or minimal risk, with obligations corresponding to each level. 

This classification framework supports informed procurement, governance, development, and deployment decisions while reducing the likelihood of compliance gaps or enforcement actions. 

Key Elements of the EU AI Act

Unacceptable-Risk AI Systems 

Unacceptable-risk AI systems are prohibited under the EU AI Act because they are considered incompatible with EU fundamental rights and present unacceptable levels of risk. 

Examples include: 

  • Social scoring systems that result in unjustified or discriminatory treatment of individuals  

  • Certain forms of real-time remote biometric identification in publicly accessible spaces, subject to limited narrowly defined exceptions under law enforcement conditions  

  • AI systems that manipulate behavior in a manner that causes or is likely to cause significant harm, or exploit vulnerabilities of individuals or specific groups  

  • Untargeted scraping of facial images from the internet or CCTV sources to build or expand facial recognition databases 

High-Risk AI Systems 

High-risk AI systems remain permitted but are subject to extensive regulatory requirements under the EU AI Act. 

Examples include AI used in: 

  • Critical infrastructure  

  • Employment and workforce management  

  • Education and student evaluation  

  • Healthcare and medical devices  

  • Credit assessment and access to essential services  

  • Law enforcement  

  • Border management  

  • Administration of justice  

These systems are subject to strict obligations, including risk management systems, data governance requirements, technical documentation, logging and record-keeping, transparency and provision of information to users, human oversight, accuracy, robustness, and cybersecurity requirements. 

Limited-Risk AI Systems 

Limited-risk AI systems are primarily subject to transparency obligations under the EU AI Act. 

Examples include: 

  • Chatbots interacting directly with individuals  

  • AI systems generating or manipulating content requiring disclosure  

  • Systems designed to simulate human interaction  

Requirements include: 

  • Informing individuals when they are interacting with AI systems  

  • Disclosing AI-generated or manipulated content where required  

  • Ensuring outputs are clearly identifiable as AI-generated where applicable 

Minimal or No-Risk AI Systems 

Minimal or no-risk AI systems are not subject to mandatory obligations under the EU AI Act. 

These systems are considered to present minimal or no risk to health, safety, or fundamental rights and therefore fall outside the act’s specific compliance requirements. 

Examples include: 

  • Spam filters and email sorting tools  

  • AI-enabled video games and entertainment features  

  • Basic inventory or logistics optimization tools  

  • Simple recommendation or personalization systems  

While not regulated under the EU AI Act, organizations may still apply voluntary governance measures, including transparency practices, internal testing, and cybersecurity controls. Depending on the context of use, other regulatory frameworks such as the GDPR may still apply. 

EU AI Act Use Cases

Implementing EU AI Act Compliance 

Compliance with the EU AI Act typically begins with a comprehensive inventory of AI systems, including internally developed solutions, embedded AI capabilities, and third-party tools. Each system is classified according to its intended purpose, user impact, and regulatory risk category. 

Cross-functional governance involving legal, cybersecurity, engineering, privacy, procurement, and executive leadership helps establish clear accountability across the entire AI lifecycle. 

Many organizations align governance activities with recognized standards such as ISO/IEC 42001 for AI management systems, ISO/IEC 27001 for information security, and ISO/IEC 23894 for AI risk management. 

Testing, Validation, and Documentation 

Testing under the EU AI Act is expected to be rigorous and repeatable. Validation activities may include performance testing, robustness assessments, fairness evaluations where appropriate, and resilience testing against adversarial attacks. 

Comprehensive documentation supports conformity assessments and regulatory oversight. Typical records include technical documentation, system descriptions, model information, data governance documentation, testing evidence, and ongoing monitoring activities. 

Supplier due diligence also supports compliance by improving transparency around model capabilities, limitations, and governance practices. 

Procurement, Operations, and Security 

Procurement represents a key governance function under the EU AI Act. Vendor evaluations commonly consider model capabilities, intended use, documentation quality, logging, explainability, auditability, and security controls. 

Operational oversight includes continuous monitoring for performance drift, operational anomalies, and cybersecurity risks. Supporting controls typically include encryption, access management, secure deployment practices, incident response processes, and ongoing compliance monitoring. 

AI Literacy 

The EU AI Act requires organizations to take measures that promote an appropriate level of AI literacy among personnel involved in the development, deployment, or oversight of AI systems. Training should reflect operational responsibilities, governance requirements, and the level of risk associated with each AI system. 

Maintaining EU AI Act Compliance

The EU AI Act should be viewed as an evolving governance framework rather than a one-time implementation exercise. Maintaining compliance requires continuous monitoring of regulatory developments, emerging standards, and guidance issued by European authorities. 

A mature compliance strategy integrates governance, cybersecurity, procurement, documentation, and operational oversight into a continuous lifecycle. This approach supports regulatory compliance while enabling responsible innovation, operational resilience, and trusted AI adoption across government, critical infrastructure, and other highly regulated sectors. 

BlackBerry for Secure Communications

For Environments Where Failure Isn’t an Option

BlackBerry Secure Communications is the leading solution that delivers unmatched expertise to protect the world’s most critical communications.

Explore BlackBerry Secure Communications solutions