
The AI Act in Practice — What Every Enterprise Deploying AI Needs to Know

ESKOM.AI Team 2026-04-15 Reading time: 8 min

AI Act — the new regulatory reality

The European Union was the first in the world to adopt a comprehensive regulation of artificial intelligence. The AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and applies in stages: the first obligations apply from 2 February 2025, the main body of the regulation from 2 August 2026, and the remaining provisions from 2 August 2027. Every enterprise that places AI systems on the EU market or uses them in its operations in the EU must become familiar with these obligations, and because the regulation also reaches providers and deployers established outside the EU whose system output is used in the EU (Art. 2), "in the EU" is read broadly.

The AI Act does not ban artificial intelligence — it regulates it based on a risk-based approach. The higher the risk, the stricter the requirements. Most business use cases of AI fall into the low or limited risk categories, which means relatively light obligations. But there are areas where the requirements are very rigorous.

Entry-into-force timeline (Art. 113)

  • 1 August 2024 — entry into force of the regulation
  • 2 February 2025 — prohibitions of dangerous practices apply (Chapter II, Art. 5) and the AI literacy obligation (Art. 4)
  • 2 August 2025 — obligations for providers of general-purpose AI models (Chapter V) and provisions on supervisory authorities and penalties
  • 2 August 2026 — obligations for high-risk systems apply (Chapter III), transparency obligations for chatbots, deepfakes and generated content (Art. 50), and at least one national regulatory sandbox per Member State must be operational (Art. 57)
  • 2 August 2027 — full application, including obligations for high-risk systems embedded in products already covered by existing EU harmonisation legislation (Annex I)

Risk classification of AI systems

The AI Act divides AI systems into four risk categories:

  • Unacceptable risk (prohibited, Art. 5) — systems that manipulate human behaviour through subliminal or deceptive techniques or exploit vulnerabilities, social scoring that leads to detrimental or disproportionate treatment (not limited to public authorities), real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions), emotion recognition in the workplace and in educational institutions (except for medical or safety reasons), criminal risk prediction based solely on profiling, and untargeted scraping of facial images to build recognition databases.
  • High risk (Chapter III, Art. 6-49) — AI used as a safety component of products covered by Annex I legislation, or in the Annex III areas: biometrics, critical infrastructure, education, employment and recruitment, access to essential services (including credit scoring), law enforcement, migration, and administration of justice. The strictest requirements: risk management, technical documentation, testing, logging, transparency, human oversight, conformity assessment and registration in the EU database before placing on the market.
  • Limited risk (Art. 50, Chapter IV) — chatbots, deepfakes, content-generating systems. Transparency obligation: the user must know they are interacting with an AI system unless it is obvious from context, deepfakes must be disclosed, and synthetic audio, image, video or text must be marked in a machine-readable, detectable format. Note that "limited risk" is a label used by the European Commission rather than a term of the regulation, and these obligations apply in addition to the high-risk requirements where both are triggered.
  • Minimal risk — most business applications of AI: spam filters, product recommendations, automation of internal processes. No specific obligations beyond the general AI literacy duty (Art. 4), which applies to every provider and deployer regardless of risk class.

Who is a provider, and who is a deployer of an AI system?

The AI Act distinguishes two key roles. A provider is an entity that develops an AI system or general-purpose AI model (or has it developed) and places it on the market or puts it into service under its own name or trademark. A deployer is an entity that uses an AI system under its own authority in the course of a professional activity. Obligations differ for each role: providers carry the more rigorous requirements regarding technical documentation, conformity assessment and CE marking, while deployers are responsible for how the system is actually used.

A company that purchases a ready-made AI solution from a provider and uses it for its own processes is a deployer. Under Art. 25, a deployer becomes the provider of a high-risk system, with all the consequences that entails, if it puts its own name or trademark on the system, makes a substantial modification to it, or changes its intended purpose in a way that makes it high-risk. Fine-tuning or otherwise adapting a model for its own applications can therefore move a company into the provider role, so the role should be settled before the engineering work starts, not after.

Obligations of deployers of high-risk systems (Art. 26)

If your company uses a high-risk AI system (e.g. a scoring system in a credit process, a CV pre-screening tool, a medical diagnostic support system), Art. 26 requires you to:

  • Use the system in accordance with the provider's instructions for use
  • Assign human oversight to people who have the necessary competence, training and authority to intervene, override or stop the system
  • Ensure that the input data you control is relevant and sufficiently representative for the system's intended purpose
  • Monitor the system's operation, and if you have reason to believe its use presents a risk to health, safety or fundamental rights, suspend use and inform the provider and the market surveillance authority
  • Keep the logs the system generates automatically for at least 6 months (longer where other EU or national law requires), to the extent the logs are under your control
  • Inform workers' representatives and affected employees before putting a workplace system into service
  • Inform natural persons that a decision affecting them is made with the help of a high-risk AI system
  • Report serious incidents immediately, first to the provider and then to the importer or distributor and the relevant market surveillance authority
  • Carry out a fundamental rights impact assessment (FRIA, Art. 27) before first use if you are a public body, a private operator providing public services, or a deployer of credit-scoring or life and health insurance risk-assessment systems (Annex III, point 5(b) and (c)); for other deployers the FRIA is not mandatory

Regulatory sandboxes (Art. 57-63)

The AI Act provides for regulatory sandboxes, a mechanism that allows companies to develop, train, test and validate innovative AI systems under the guidance of a competent authority in a controlled environment, for a limited time and under an agreed plan. Each Member State must have at least one sandbox operational at national level by 2 August 2026, and Art. 60 additionally allows testing of high-risk systems in real-world conditions outside a sandbox under its own safeguards (approved test plan, informed consent, registration). For companies developing AI solutions in high-risk areas, this is a practical path to obtaining regulator feedback before the conformity assessment, and documented participation can be used as evidence of compliance.

Penalties (Art. 99)

Penalties for infringement of the AI Act are tiered depending on the type of violation:

  • up to 35 million EUR or 7% of global annual turnover (whichever is higher) for the use of prohibited practices (Art. 5)
  • up to 15 million EUR or 3% of global annual turnover for infringements of other obligations under the regulation
  • up to 7.5 million EUR or 1% of global annual turnover for providing false, incomplete or misleading information to supervisory authorities

For SMEs and start-ups, each fine is capped at the lower of the two amounts (the fixed sum or the percentage of turnover), to avoid a disproportionate burden. Providers of general-purpose AI models are subject to a separate regime enforced by the Commission (Art. 101), with fines of up to 15 million EUR or 3% of global annual turnover.

How ESKOM.AI supports AI Act compliance

ESKOM.AI helps organisations prepare for the AI Act requirements. We offer audits of existing AI systems in terms of risk classification, preparation of technical documentation, implementation of human oversight and logging mechanisms, as well as training for teams responsible for compliance. Every new AI deployment we carry out is designed with AI Act compliance in mind from day one.

Sources

Updates

22 April 2026

  • Corrected entry-into-force and application dates per Art. 113: 1 August 2024 (entry into force), 2 February 2025 (prohibitions + AI literacy), 2 August 2025 (GPAI), 2 August 2026 (high-risk systems), 2 August 2027 (full application).
  • Added the third penalty tier (Art. 99): EUR 7.5 million or 1% of global turnover for providing false information to authorities.
  • Added section “Entry-into-force timeline (Art. 113)” listing all four application dates.
  • Added section “Regulatory sandboxes (Art. 57-63)” for companies testing innovations under supervision.
  • Added “Sources” section with 4 official links (EUR-Lex, European Commission × 2, AI Act Explorer).
  • Fixed a broken link to the European Commission — the previous URL redirected to a 404 page.
#AI Act #EU regulation #compliance #risk classification #governance