%3Aquality(100)&w=3840&q=75)
EU AI Act
What Is the EU AI Act?
The EU AI Act (European Union Artificial Intelligence Act) is a comprehensive regulatory framework that governs the development, placement on the market, deployment, and use of artificial intelligence systems within the EU. It applies regardless of where the provider is established, meaning organizations outside the EU may also fall within scope if their AI systems are placed on the EU market, or their outputs are used there.
At its core, the regulation introduces a risk-based governance model, meaning obligations depend on the level of risk an AI system poses to health, safety, and fundamental rights. It covers the full AI ecosystem, including providers, deployers, importers, distributors, and manufacturers integrating AI into products.
The EU AI Act also introduces rules for general-purpose AI (GPAI) models, including foundation models, with additional obligations for GPAI models designated as posing systemic risk.
Alignment with the EU Regulatory Framework
The EU AI Act works alongside other major EU digital regulations, including:
GDPR (data protection and privacy)
EU Digital Services Act (platform accountability)
EU Digital Markets Act (competition and fairness)
EU NIS2 Directive (cybersecurity resilience)
EU Data Act (data access and sharing)
Together, these regulations create a cohesive digital governance framework focused on trust, transparency, cybersecurity, and responsible innovation.
Phased Implementation Timeline
The EU AI Act is a newly adopted regulatory framework that is being phased over time, with requirements applying gradually.
Entry into force (August 2024): The regulation officially becomes law, initiating the phased implementation period.
Six months (February 2025): Prohibited AI practices apply, alongside AI literacy obligations for organizations developing or deploying AI systems.
Twelve months (August 2025): Obligations for general-purpose AI models take effect, including governance and transparency requirements.
Twenty-four months (August 2026): Most remaining provisions become applicable across regulated AI systems.
Thirty-six months (August 2027): Certain high-risk AI system requirements fully apply, completing the rollout of obligations.
Importance of the EU AI Act
Impact on Critical Sectors and Public Services
The EU AI Act is particularly important for sectors where AI directly influences safety, fundamental rights, and essential services. These sectors include healthcare, transportation, energy, financial services, public administration, and critical infrastructure.
Within these environments, the regulation strengthens accountability by requiring structured risk management, comprehensive documentation, human oversight, and ongoing monitoring. These measures help ensure AI-driven decisions remain transparent, traceable, and reliable in mission-critical environments.
Alignment with Governance and Security Practices
The EU AI Act aligns closely with established enterprise security and governance practices. Organizations that already follow secure-by-design development, structured documentation, and continuous monitoring will find many of its requirements familiar.
The regulation reinforces the importance of demonstrable compliance by requiring evidence that AI systems are developed, tested, deployed, and monitored according to regulatory expectations. This supports stronger legal, operational, and reputational risk management.
Operational Clarity through Risk Classification
One of the defining features of the EU AI Act is its structured risk classification framework. AI systems are categorized as unacceptable, high, limited, or minimal risk, with obligations corresponding to each level.
This classification framework supports informed procurement, governance, development, and deployment decisions while reducing the likelihood of compliance gaps or enforcement actions.
Key Elements of the EU AI Act
Unacceptable-Risk AI Systems
Unacceptable-risk AI systems are prohibited under the EU AI Act because they are considered incompatible with EU fundamental rights and present unacceptable levels of risk.
Examples include:
Social scoring systems that result in unjustified or discriminatory treatment of individuals
Certain forms of real-time remote biometric identification in publicly accessible spaces, subject to limited narrowly defined exceptions under law enforcement conditions
AI systems that manipulate behavior in a manner that causes or is likely to cause significant harm, or exploit vulnerabilities of individuals or specific groups
Untargeted scraping of facial images from the internet or CCTV sources to build or expand facial recognition databases
High-Risk AI Systems
High-risk AI systems remain permitted but are subject to extensive regulatory requirements under the EU AI Act.
Examples include AI used in:
Critical infrastructure
Employment and workforce management
Education and student evaluation
Healthcare and medical devices
Credit assessment and access to essential services
Law enforcement
Border management
Administration of justice
These systems are subject to strict obligations, including risk management systems, data governance requirements, technical documentation, logging and record-keeping, transparency and provision of information to users, human oversight, accuracy, robustness, and cybersecurity requirements.
Limited-Risk AI Systems
Limited-risk AI systems are primarily subject to transparency obligations under the EU AI Act.
Examples include:
Chatbots interacting directly with individuals
AI systems generating or manipulating content requiring disclosure
Systems designed to simulate human interaction
Requirements include:
Informing individuals when they are interacting with AI systems
Disclosing AI-generated or manipulated content where required
Ensuring outputs are clearly identifiable as AI-generated where applicable
Minimal or No-Risk AI Systems
Minimal or no-risk AI systems are not subject to mandatory obligations under the EU AI Act.
These systems are considered to present minimal or no risk to health, safety, or fundamental rights and therefore fall outside the act’s specific compliance requirements.
Examples include:
Spam filters and email sorting tools
AI-enabled video games and entertainment features
Basic inventory or logistics optimization tools
Simple recommendation or personalization systems
While not regulated under the EU AI Act, organizations may still apply voluntary governance measures, including transparency practices, internal testing, and cybersecurity controls. Depending on the context of use, other regulatory frameworks such as the GDPR may still apply.
EU AI Act Use Cases
Implementing EU AI Act Compliance
Compliance with the EU AI Act typically begins with a comprehensive inventory of AI systems, including internally developed solutions, embedded AI capabilities, and third-party tools. Each system is classified according to its intended purpose, user impact, and regulatory risk category.
Cross-functional governance involving legal, cybersecurity, engineering, privacy, procurement, and executive leadership helps establish clear accountability across the entire AI lifecycle.
Many organizations align governance activities with recognized standards such as ISO/IEC 42001 for AI management systems, ISO/IEC 27001 for information security, and ISO/IEC 23894 for AI risk management.
Testing, Validation, and Documentation
Testing under the EU AI Act is expected to be rigorous and repeatable. Validation activities may include performance testing, robustness assessments, fairness evaluations where appropriate, and resilience testing against adversarial attacks.
Comprehensive documentation supports conformity assessments and regulatory oversight. Typical records include technical documentation, system descriptions, model information, data governance documentation, testing evidence, and ongoing monitoring activities.
Supplier due diligence also supports compliance by improving transparency around model capabilities, limitations, and governance practices.
Procurement, Operations, and Security
Procurement represents a key governance function under the EU AI Act. Vendor evaluations commonly consider model capabilities, intended use, documentation quality, logging, explainability, auditability, and security controls.
Operational oversight includes continuous monitoring for performance drift, operational anomalies, and cybersecurity risks. Supporting controls typically include encryption, access management, secure deployment practices, incident response processes, and ongoing compliance monitoring.
AI Literacy
The EU AI Act requires organizations to take measures that promote an appropriate level of AI literacy among personnel involved in the development, deployment, or oversight of AI systems. Training should reflect operational responsibilities, governance requirements, and the level of risk associated with each AI system.
Maintaining EU AI Act Compliance
The EU AI Act should be viewed as an evolving governance framework rather than a one-time implementation exercise. Maintaining compliance requires continuous monitoring of regulatory developments, emerging standards, and guidance issued by European authorities.
A mature compliance strategy integrates governance, cybersecurity, procurement, documentation, and operational oversight into a continuous lifecycle. This approach supports regulatory compliance while enabling responsible innovation, operational resilience, and trusted AI adoption across government, critical infrastructure, and other highly regulated sectors.
%3Aquality(100)&w=3840&q=75)
BlackBerry for Secure Communications
For Environments Where Failure Isn’t an Option
BlackBerry Secure Communications is the leading solution that delivers unmatched expertise to protect the world’s most critical communications.
Explore BlackBerry Secure Communications solutions