The Artificial Intelligence Act — commonly called the EU AI Act — is the European Union’s landmark regulation governing artificial intelligence. It entered into force on 1 August 2024 and is the world’s first comprehensive, legally binding AI law. Rather than targeting specific applications, it takes a risk-based approach: the stricter the potential harm an AI system could cause, the heavier the compliance burden. Any business — wherever it is based — that puts AI systems on the EU market or whose AI affects people in the EU must comply.
The four risk tiers
The Act divides AI systems into four categories based on the level of risk they pose:
Prohibited (unacceptable risk). A short list of AI practices is banned outright from the EU — including social scoring systems used by public authorities, AI that manipulates people through subliminal techniques, and (with narrow exceptions) real-time biometric identification of individuals in public spaces by law enforcement. These bans became enforceable on 2 February 2025.
High risk. AI systems that could significantly affect people’s safety or fundamental rights — for example, recruitment tools, student assessment systems, medical diagnostics, credit scoring, or components in critical infrastructure — face the strictest requirements. Providers must conduct conformity assessments, keep technical documentation, implement human oversight, and register their systems in an EU database before placing them on the market. Most high-risk rules apply from 2 August 2026.
Limited risk. Systems like chatbots and AI-generated content tools carry lighter obligations: they must simply be transparent — users must know they are interacting with AI. Deepfakes must be labeled as such.
Minimal risk. The vast majority of AI tools — spam filters, recommendation engines, AI-enabled video games — fall here and face no mandatory requirements under the Act.
When the rules kick in
The Act is being phased in over several years:
- 2 February 2025 — Prohibited AI practices banned; AI literacy requirements for staff begin.
- 2 August 2025 — Rules for general-purpose AI models (like the large language models powering most AI assistants) take effect; EU governance bodies must be established.
- 2 August 2026 — Most high-risk AI system rules apply; transparency obligations for limited-risk systems begin.
- 2 August 2028 — High-risk rules for AI embedded in regulated products (medical devices, vehicles) take full effect.
Who must comply — including non-EU companies
The EU AI Act has extraterritorial reach. If your AI system is sold in the EU, used by EU-based customers, or its outputs affect people in the EU, you must comply — regardless of whether your company is based in Tbilisi, San Francisco, or Tokyo. This mirrors how the GDPR operates for personal data, and the compliance logic is similar: serve EU users, follow EU rules.
Penalties
Non-compliance can be costly. The Act sets fines on a three-tier scale:
- Up to €35 million or 7% of global annual turnover for violations involving prohibited AI practices.
- Up to €15 million or 3% for failures in high-risk AI compliance obligations.
- Up to €7.5 million or 1% for other infractions such as supplying incorrect information to regulators.
Enforcement is carried out by each EU member state through a designated national authority.
Why it matters for Georgia
Georgia has held EU candidate status since December 2023, which means Georgian law is expected to gradually align with EU legislation — including the AI Act. That creates two practical realities for Georgian organizations:
- Georgian companies that sell AI products or services to EU customers, or whose AI systems process data about EU residents, must comply with the AI Act now — candidate-country status does not exempt them.
- Georgia will likely incorporate the AI Act’s framework into national law as part of the EU accession process, meaning the rules will eventually apply domestically too.
Georgian tech companies that get ahead of compliance — documenting their AI systems, classifying them by risk tier, and establishing oversight mechanisms — will be better positioned both for the EU market and for the regulatory environment Georgia itself is moving toward.
In the news
California recently deployed Claude statewide in a landmark deal with Anthropic — a high-profile example of the kind of large-scale AI deployment that the EU AI Act’s rules on government and high-risk AI use are designed to govern.
FAQ
Does the EU AI Act apply to free tools and apps?
Yes, if those tools are offered to EU users. The Act applies based on where the AI’s effects are felt, not on whether a product is paid or free.
When do I need to comply if I run a high-risk AI system?
Most high-risk AI system obligations take effect on 2 August 2026. However, banned AI practices were enforceable from 2 February 2025, and general-purpose AI model rules apply from 2 August 2025.
What counts as a “general-purpose AI model”?
Large language models and other foundation models trained on broad data and capable of many tasks — like GPT-4, Claude, or Gemini — are the primary examples. Their providers face transparency and risk-assessment obligations from August 2025.
Where can I find official compliance guidance?
The European Commission maintains an AI Act resource hub with guidance documents. National AI authorities in each member state are also being established to assist businesses, including those from third countries.