EU AI Act Explained: What It Means for Your Business
The EU Artificial Intelligence Act is the world's first comprehensive AI law — and like the GDPR before it, its reach extends well beyond Europe. If your organisation builds, sells or uses AI systems that touch the EU market, the AI Act likely applies to you, even if you are based in India, the UK, the US, the Gulf or anywhere else. This guide explains what the Act does, who it affects, the timeline, and how to prepare.
What is the EU AI Act?
The EU AI Act is a risk-based regulation that sets obligations for AI systems based on how much risk they pose to health, safety and fundamental rights. It entered into force on 1 August 2024 and applies in phases. Rather than regulating the technology itself, it regulates how AI is used — the higher the risk of a use case, the stricter the requirements.
Does it Apply to Non-EU Companies?
Yes — the AI Act is extraterritorial. It applies to providers that place AI systems on the EU market regardless of where they are established, and to providers and deployers outside the EU whose AI system output is used in the EU. In practice, if EU users or EU-based customers rely on your AI, you should assume the Act is in scope and assess accordingly.
The Four Risk Tiers
1. Unacceptable Risk (Prohibited)
Certain AI practices are banned outright — for example, social scoring by public authorities, manipulative or exploitative systems, and most real-time remote biometric identification in public spaces. These prohibitions began applying in early 2025.
2. High Risk
AI used in sensitive areas — such as critical infrastructure, employment and HR, education, essential services, law enforcement and certain medical or safety components — is classed as high risk. These systems face the strictest obligations: risk management, data governance, technical documentation, logging, human oversight, accuracy, robustness and cybersecurity.
3. Limited Risk (Transparency)
Systems like chatbots and generative AI must meet transparency obligations — users should be told they are interacting with AI, and AI-generated content (including deepfakes) should be labelled.
4. Minimal Risk
The majority of AI systems — spam filters, recommendation engines, AI in games — fall here and face no new mandatory obligations, though voluntary codes of conduct are encouraged.
General-Purpose AI (GPAI) Models
The Act also sets obligations for general-purpose AI models (the foundation models behind many products), including technical documentation, transparency about training data, and copyright compliance — with additional requirements for the most capable models that pose systemic risk. If you build on top of GPAI models, your obligations depend on how you use and modify them.
Key Obligations for High-Risk AI
- Establish a risk management system across the AI lifecycle.
- Apply data governance — quality, relevance and bias controls for training data.
- Maintain technical documentation and automatic logging/traceability.
- Ensure meaningful human oversight of the system.
- Achieve appropriate accuracy, robustness and cybersecurity.
- Register the system and complete conformity assessment where required.
Timeline at a Glance
| When | What applies |
|---|---|
| Aug 2024 | AI Act enters into force |
| Feb 2025 | Prohibited (unacceptable-risk) practices banned; AI literacy duties begin |
| Aug 2025 | Obligations for general-purpose AI (GPAI) models apply |
| Aug 2026 | Most high-risk and transparency obligations apply |
| Aug 2027 | Remaining high-risk obligations (AI in regulated products) apply |
Penalties
Non-compliance carries GDPR-scale fines: up to €35 million or 7% of global annual turnover for prohibited practices, and up to €15 million or 3% for other violations. The combination of large fines and extraterritorial reach makes the AI Act a board-level issue.
How to Prepare
- Inventory your AI systems and classify each by EU AI Act risk tier.
- For high-risk systems, perform a gap assessment against the Act's obligations.
- Stand up AI governance using ISO/IEC 42001 and the NIST AI RMF — they map closely to the Act's requirements.
- Implement risk management, data governance, logging and human-oversight controls.
- Security-test and red-team AI systems (robustness and cybersecurity are explicit obligations).
- Document everything — technical files, model cards and conformity evidence.
How CyberSigma Helps
Meeting the AI Act is part governance, part security. CyberSigma classifies your AI systems by risk tier, runs gap assessments against the Act, implements ISO/IEC 42001 and NIST AI RMF governance, and red-teams your AI to satisfy the robustness and cybersecurity obligations — giving you defensible, audit-ready evidence whether you are in the EU or serving EU users from elsewhere.
Conclusion
The EU AI Act makes responsible, secure AI a legal requirement — with real penalties and global reach. The organisations that act now to inventory, classify, govern and security-test their AI will adopt AI with confidence; those that wait risk fines and lost market access. Start with an AI inventory and a risk classification, and build governance and security from there.