Key takeaways:
- The law imposes strict rules based on the system's risk level (unacceptable, high, limited, or minimal).
- Any company using a third-party tool with AI is considered a "deployer" and must ensure its compliance.
- The application is progressive, with a major deadline in August 2026 for the compliance of business tools.
- Fines can reach up to 7% of global turnover in the event of a serious violation of prohibitions.
The IA Act is the new European legislation governing the use of artificial intelligence by companies. Published in August 2024 by the European Commission, this regulation constitutes the first global regulatory framework dedicated to artificial intelligence and is part of the major regulatory updates under way in Europe.
It affects any organization that develops or uses an artificial intelligence system in Europe, with a progressive application until 2027. Its objective is clear: establish a reliable framework to secure use cases, without slowing down innovation.
IA Act: definition and context — why Europe legislated first
The IA Act is the European regulation governing the development and use of artificial intelligence systems within the European Union. Officially called Regulation (EU) 2024/1689, it is also referred to as the RIA (règlement sur l’intelligence artificielle).
Why did Europe legislate first? The trigger is direct: the massive arrival of tools like ChatGPT at the end of 2022 accelerated the adoption of artificial intelligence in companies, without a structuring framework. Faced with this rapid adoption, European governments chose to act quickly, notably to regulate the integration of these technologies into digital tools and online services accessible on a website.
The objective is twofold: guarantee trustworthy artificial intelligence that respects fundamental rights and privacy, while leaving room for innovation. The European Union is thus gaining a strategic lead over the United States and China by establishing the first global regulatory framework dedicated to AI.
Find out more about our IA Act expertise.
The official definition of an AI system according to the regulation
According to the regulation, an artificial intelligence system is an automated system capable of operating with a certain level of autonomy, which generates predictions, recommendations, decisions, or content, with an impact on a real or digital environment.
This definition is intentionally broad. It is not limited to a model like GPT, but includes the entire system: interface, data processing, business logic, and integration into a tool used by the company. This is a point that is often misunderstood.
Concretely, a SaaS software integrating an AI functionality enters the scope of the regulation as soon as it influences a decision or automates a process.
RIA, IA Act, European AI regulation: three names for a single text
The terms IA Act, AI Act, RIA, and Regulation (EU) 2024/1689 refer to one and the same text. This plurality of names creates frequent confusion, both in Google searches and in exchanges between executives, lawyers, and compliance officers.
In practice, IA Act remains the most widely used term. In France, the CNIL and French administrations tend to use RIA, which corresponds to the official acronym of the regulation in French.
Key takeaways
- IA Act = AI Act = RIA = Regulation (EU) 2024/1689
- One single text, several names
- RIA is the official acronym used in France
The risk-based approach: the 4 classification levels of the IA Act
Level 1 - IA systems with unacceptable risk: prohibited since February 2025
Artificial intelligence systems with unacceptable risk are strictly prohibited since February 2, 2025. They are considered incompatible with fundamental rights and personal safety.
This notably includes:
- Subliminal manipulation systems, capable of influencing behavior without the user being aware of it (e.g., an interface discreetly steering a purchasing decision)
- Social scoring, which consists of assigning a behavioral score to individuals
- Real-time biometric recognition in public spaces, except for very strictly regulated exceptions related to public safety (terrorism, serious crime)
- Systems exploiting the vulnerability of specific populations
Concretely, a company deploying this type of system is immediately exposed to sanctions. The prohibition is already in force, with no transition phase.
Level 2 - High-risk IA systems: reinforced obligations from August 2026
High-risk artificial intelligence systems are those that have a direct impact on sensitive decisions regarding individuals. This is the most critical level for SMEs and mid-caps, as it involves use cases already present across many business functions.
The regulation notably identifies eight high-risk areas (Annex III):
- Recruitment and HR management (automated CV screening, candidate evaluation)
- Credit and insurance (automated financial scoring)
- Healthcare (medical diagnostic assistance)
- Justice (judicial decision-making assistance)
- Critical infrastructure (energy, transport)
- Education (automated evaluation of students)
- Law enforcement
- Migration and border control
Starting from August 2026, these systems must comply with strict obligations: comprehensive technical documentation, compliance assessment, registration in a European database, effective human supervision, and the completion of a fundamental rights impact assessment (FRIA).
For a company, the challenge is immediate: identify these systems and initiate regulatory alignment right now.
Key takeaways
- High-risk systems involve critical business use cases
- 8 clearly defined areas in Annex III
- Heavy obligations from August 2026 (documentation, compliance, human control)
- Anticipating now avoids a delay that will be difficult to catch up on
Level 3 - IA systems with limited risk: transparency obligations
Artificial intelligence systems with limited risk mainly concern chatbots, content generation tools (text, image, voice), or deepfakes. They are widely used in customer service, marketing, or content production.
The main obligation is based on transparency: the user must be informed that they are interacting with an AI. Concretely, a customer service chatbot must clearly introduce itself as such right from the beginning of the interaction.
The objective is simple: avoid any confusion between human interaction and automated interaction.
Level 4 - IA systems with minimal risk: no specific obligation
Artificial intelligence systems with minimal risk encompass the majority of current business use cases. This includes spam filters, content recommendation tools, or certain AI used in video games.
These systems are not subject to any specific regulatory obligations. They present a low risk level for users.
For companies, this is a reassuring point: most tools used daily remain outside the constraints of the regulation, provided that their use does not evolve into more sensitive cases.
General-purpose AI (GPAI) models: a specific category that entered into application in August 2025
General-purpose artificial intelligence (GPAI) models refer to versatile systems capable of performing a wide variety of tasks, without being designed for a single use case. This is the case for models like GPT, Claude, Gemini, or LLaMA.
Unlike other systems, they are not classified based on their business purpose. The IA Act therefore applies a specific regime to them, which entered into force on August 2, 2025.
Two levels of obligations are provided for:
- All GPAIs must comply with requirements regarding technical documentation and copyright respect, particularly concerning the data used for training.
- GPAIs presenting a systemic risk (beyond a computing power threshold of 10^25 FLOPs, reserved for the most advanced models on the market) are subject to reinforced obligations: adversarial evaluations, incident reporting, and strict cybersecurity requirements.
Concretely, a company using tools based on these models directly depends on the compliance level of its providers. This point often remains underestimated in compliance strategies.
Expert view: “General-purpose AI models are already integrated into many tools used in business, without their regulatory status always being identified. This is an angle often underestimated in compliance processes.”
“The compliance level of a GPAI provider becomes a direct challenge for the user company. A poorly evaluated dependency can create an indirect regulatory risk.”
Nicolas
The IA Act does not solely concern companies that develop artificial intelligence systems. It defines four distinct roles, each with its own obligations, depending on the use case and the position in the value chain.
| Role | Definition | Obligations |
|---|---|---|
| Provider | Develops an AI system and places it on the market | Conformity assessment, CE marking, registration in the European database |
| Deployer | Uses an AI system in a professional context | Human oversight, impact assessment (FRIA), team training |
| Importer | Introduces an AI system from outside the EU onto the European market | Verification of the provider's compliance and of the technical documentation |
| Distributor | Markets an AI system without modification | Verification of the CE marking and of the instructions for use |
Key point for executives:
Even if your company does not develop AI, it is considered a deployer as soon as it uses a tool integrating an artificial intelligence system, whether in HR, customer service, or financial analysis.
Concretely, using a CV screening tool, scoring software, or a chatbot is enough to fall within the scope of the regulation. This reality is still widely underestimated, even though it already triggers obligations regarding supervision, team training, and risk analysis.
In this context, understanding the importance of due diligence becomes essential for evaluating the tools used, securing providers, and limiting regulatory risks.
In other words, the question is no longer “am I affected?”, but “to what extent am I affected and what actions must I undertake?”.
AI Act timeline 2024-2027: the deadlines your company needs to know
The AI Act timeline spans several years, with a progressive roll-out of obligations. For companies, understanding these deadlines allows them to anticipate the actions required and avoid a delay that will be difficult to catch up on.
Here are the key dates to remember:
- August 1, 2024: entry into force of regulation (EU) 2024/1689
- February 2, 2025: prohibition of unacceptable risk systems (already in force)
- August 2, 2025: obligations applicable to general-purpose AI (GPAI) models
- August 2, 2026: full obligations for high-risk systems (Annex III) and governance rules
- August 2, 2027: extension to high-risk systems covered by Annex I (medical devices, aviation, etc.)
Alert
The August 2026 deadline is the most critical one. It imposes full obligations for high-risk systems, with high compliance requirements.
Setting up an AI compliance program takes an average of 4 to 6 months. Companies starting in 2026 expose themselves to a structural delay that will be difficult to make up for.
Anticipating right now allows you to secure your use cases and avoid rushing into compliance.
Need support to structure your AI compliance?
Discover our expertise in AI compliance with Eterra Partners or explore our approach as a compliance consulting firm.
AI Act sanctions: what companies actually risk
The regulation provides for high financial penalties in the event of non-compliance with obligations. The level of the fine depends on the severity of the violation.
| Violation | Maximum fine |
|---|---|
| Use of an unacceptable-risk system (e.g., social scoring, subliminal manipulation) | €35M or 7% of global turnover |
| Non-compliance with obligations (e.g., missing documentation, lack of human oversight) | €15M or 3% of global turnover |
| Inaccurate information provided to authorities (e.g., erroneous declaration) | €7.5M or 1% of global turnover |
In France, the enforcement of the regulation is handled by the Directorate General for Enterprise (DGE). At the European level, the European AI Office supervises general-purpose models (GPAI) in particular.
For SMEs, sanctions are adapted: they are capped at a lower level, which can be up to 1.5 times less than the maximum amounts provided.
Beyond the monetary amount, the risk is also operational and reputational. Non-compliance can lead to a suspension of use or a loss of trust from partners.
AI Act and GDPR: how to coordinate them in your organization
The AI Act does not replace the GDPR; it complements it. Both regulations apply simultaneously as soon as an artificial intelligence system processes personal data.
| Criterion | GDPR | AI Act |
|---|---|---|
| Subject of the regulation | Governs personal data (collection, processing, retention) | Governs how the AI system operates (logic, decisions, risks) |
| Main purpose | Protect individuals in the use of their data | Frame the impact of AI systems on people and society |
| Approach | Centred on the data | Centred on the system's risk level |
Concretely, a single tool can be subject to both frameworks. Automated recruitment software, for example, must both respect data protection rules and meet the requirements of the risk level defined by the AI Act.
Synergies exist. An AI impact assessment (FRIA) can be coordinated with a DPIA, allowing for a pooling of efforts. Similarly, the technical documentation required by the AI Act can build upon the data processing registry already in place.
The challenge for companies is to avoid siloed management and to build a coherent approach to compliance.
FAQ — AI Act: your questions about the European regulation on AI
Before contacting us, you may have these questions. Here are direct answers from our senior consultants.
Does the AI Act apply to my company if it is not an AI developer?
Yes. As soon as a company uses an artificial intelligence system in a professional context, it is considered a deployer and falls within the scope of the regulation.
This implies several obligations: effective human supervision, team training, and incident management. These requirements are explicitly provided for by the text, particularly for high-risk systems.
In practice, using a recruitment tool, a chatbot, or analysis software is enough to be affected.
What is the difference between the AI Act and the GDPR?
The GDPR regulates personal data, while the AI Act regulates the artificial intelligence systems themselves.
Concretely, the GDPR regulates data collection, processing, and protection, whereas the AI Act imposes requirements on the operation, risks, and uses of AI systems. Both frameworks often apply simultaneously, notably when AI systems process personal data.
Synergies exist: an AI impact assessment (FRIA) can be linked with a DPIA, allowing for a coherent approach and avoiding duplication.
Is my chatbot or my AI recruitment tool a high-risk system?
This depends on the system’s use case. A customer service chatbot is generally classified as a limited risk: it must simply inform the user that they are interacting with an artificial intelligence.
Conversely, an automated recruitment tool that screens or evaluates candidates is considered a high-risk system, as it directly influences a decision in a sensitive area (Annex III).
The key criterion is as follows: does the system merely assist a decision or does it play a determining role in a process impacting individuals? The stronger its influence, the higher the risk level.
What are the first obligations to put in place to comply with the AI Act?
AI Act compliance is based on three priority steps.
- Mapping your artificial intelligence systems: identify all the tools used in your company (HR, customer service, finance, marketing).
- Classifying each system according to its risk level: determine whether it falls under minimal, limited, high, or unacceptable risk.
- Prioritizing actions on high-risk systems: these are the ones that concentrate the heaviest obligations, with a key deadline in August 2026.
Support from a specialized firm helps structure this approach and avoid interpretation errors.
European law on the AI Act
What are the criteria for an AI system to be classified as high-risk under the AI Act?
An AI system is classified as high-risk if it has a direct impact on sensitive decisions concerning individuals and critical activities, notably in eight areas defined by Annex III of the regulation: recruitment and HR management, credit and insurance, healthcare, justice, critical infrastructures, education, law enforcement, and border control. The classification does not depend on the technology itself but on its use case and its potential impact on fundamental rights.
What are the roles specified by the AI Act and what obligations does each imply?
The regulation distinguishes four roles: the provider (developer of the AI system), the importer, the distributor, and the deployer (professional user). The provider must ensure compliance, obtain the CE marking, and register the system. The importer and the distributor must verify respectively the compliance of the provider and the presence of the marking. The deployer must ensure human supervision, conduct a fundamental rights impact assessment, and train its teams.
How does the AI Act coordinate with the GDPR in companies using artificial intelligence systems?
The GDPR regulates the collection and protection of personal data, while the AI Act governs the operation of the AI systems themselves, focusing on risks and use cases. When an AI system processes personal data, both regulations apply simultaneously. Companies can pool their efforts by coordinating the AI impact assessment (FRIA) with the data protection impact assessment (DPIA), and by integrating the AI technical documentation into the GDPR data processing registry, in order to avoid siloed compliance.
What are the sanctions provided by the AI Act in case of non-compliance with obligations, and how do they vary for SMEs?
Sanctions can reach up to 35 million euros or 7% of global turnover for using unacceptable risk systems, 15 million euros or 3% of turnover for failure to meet obligations (absence of documentation, supervision…), and 7.5 million euros or 1% of turnover for providing false information to authorities. For SMEs, the amounts are adjusted downwards, with a cap that can be 1.5 times lower than the maximums, taking into account their size and financial capacity, but the reputational and operational risk remains significant.