Cryptliance
โ† Key Regulations

๐Ÿ‡ช๐Ÿ‡บ EU ยท Key Regulation

EU AI Act

The Artificial Intelligence Act, Regulation (EU) 2024/1689, is the European Union's comprehensive regulatory framework for artificial intelligence. It applies a risk-based approach to the development, placing on the market and use of AI systems in the EU.

In this briefing

  • What it is
  • What does the EU AI Act do?
  • Key things to know

Rather than regulating every AI system in the same way, the Act distinguishes between prohibited practices, high-risk systems, AI subject to transparency requirements, general-purpose AI models and lower-risk uses. The obligations depend on the role of the organisation, the type of system, its intended purpose and the risks it creates.

The AI Act affects both AI developers and businesses using third-party AI. It can apply to providers, deployers, importers, distributors, product manufacturers and providers of general-purpose AI models, including organisations established outside the EU where their systems or outputs are used in the Union.

What does the EU AI Act do?

Creates a Risk-Based Framework

Classifies AI according to the level and type of risk it presents. The framework ranges from prohibited AI practices to high-risk systems, transparency-regulated applications and lower-risk AI that may be used without extensive sector-specific obligations.

Prohibits Certain AI Practices

Bans defined uses considered incompatible with EU values and fundamental rights, including certain forms of manipulation, exploitation, social scoring and biometric categorisation or identification. The precise scope depends on the statutory conditions and available exceptions.

Regulates High-Risk AI Systems

Introduces detailed requirements for high-risk systems, including risk management, data governance, technical documentation, record keeping, human oversight, accuracy, robustness, cybersecurity and post-market monitoring.

Regulates General-Purpose AI Models

Sets transparency, documentation and copyright-related obligations for providers of general-purpose AI models. Providers of models presenting systemic risk face additional requirements around model evaluation, risk mitigation, incident reporting and cybersecurity.

Introduces Transparency Requirements

Requires people to be informed in certain circumstances when they interact with AI or encounter synthetic content. Relevant providers and deployers may need to label or mark AI-generated or manipulated content and disclose the use of specified AI systems.

Allocates Responsibilities Across the AI Value Chain

Creates different obligations for providers, deployers, importers, distributors and product manufacturers. Responsibility can also shift where a system is substantially modified, rebranded or used for a purpose that changes its regulatory classification.

Key things to know

โœ“

The first step is identifying your role

The same system can create different obligations for different organisations. A business may be a deployer when using a third-party tool, but become a provider if it develops, substantially modifies or places the system on the market under its own name.

โœ“

Not every AI system is high-risk

High-risk classification depends on the system's intended purpose and whether it falls within the areas identified by the Act. Firms should document the classification analysis rather than assume that any use of AI in a regulated sector is automatically high-risk. The Commission published draft classification guidance in May 2026 to support this assessment.

โœ“

Using a vendor does not transfer responsibility

Deployers remain responsible for using systems in accordance with instructions, assigning human oversight, monitoring operation and acting where risks or serious incidents arise. Vendor due diligence should therefore cover the system's intended purpose, limitations, data, documentation and monitoring arrangements.

โœ“

AI literacy already applies

Organisations using or providing AI must take measures to ensure an appropriate level of AI literacy among relevant staff. This should reflect employees' roles, the systems being used and the risks involved, rather than relying on generic awareness training.

โœ“

The AI Act does not operate in isolation

AI use may also trigger GDPR, consumer protection, employment, equality, financial services, product safety, cybersecurity, intellectual property and sector-specific rules. Compliance requires considering how these regimes interact with the AI Act.

โœ“

The implementation framework is still developing

The Level 1 Regulation is being supplemented by guidelines, codes of practice, harmonised standards, templates and implementing measures. Firms should continue monitoring materials on high-risk classification, transparency, serious incident reporting, fundamental-rights impact assessments and responsibilities across the AI value chain.

For general information only. Not legal, regulatory or compliance advice.

Working With This Regulation?

Cryptliance helps firms understand what applies, what it means for the business and what to do next โ€” across strategy, controls, product and market execution.