EU AI Act
The first comprehensive AI law — risk-tiered, extraterritorial, and the reason your compliance question probably has a European answer.
When not to use it
- As a general AI ethics framework. It's a market-access law with defined tiers, not a statement of values.
- As a reason to avoid the EU. Most products are minimal-risk and the obligation is a disclosure line.
- As settled detail. Standards, guidance and the compute threshold are all still moving — check the current text rather than a summary, including this one.
Reach for something else instead
- Sector regulation — medical devices, financial services — often binds harder and came first.
- The NIST AI Risk Management Framework is voluntary and useful where you want practice rather than compliance.
- Your own evals are what actually determine whether the system is safe; the Act determines whether you may sell it.
Sources & further reading
- Regulation (EU) 2024/1689 — the Artificial Intelligence Act; risk tiers, GPAI chapter, the 10²⁵ FLOP systemic-risk presumption, penalties.
- Anderljung et al. (2023), Frontier AI Regulation: Managing Emerging Risks to Public Safety — the compute-threshold proposal the Act's GPAI chapter reflects.
- Bradford (2012), The Brussels Effect — why an EU regulation becomes a global product decision.
Primary sources, listed so you can check the claims on this page rather than take them on trust.
Where people go wrong
- Assuming it doesn't apply outside the EU. It reaches providers placing systems on the EU market and systems whose output is used there, wherever you sit.
- Classifying by model instead of by use. The same model is minimal-risk in one product and high-risk in another; the tier follows the application.
- Treating the compute threshold as a capability measure. It's the frontier-model proxy written into law, and test-time compute and distillation both walk around it.