EU AI Act

What is the EU AI Act?

Regulation (EU) 2024/1689 is the EU’s first horizontal law on artificial intelligence. Parliament and Council adopted it in 2024. It appeared in the Official Journal on July 12, 2024 and entered into force on August 1. Most obligations phase in across the three years that follow.

Risk classification anchors the Act. Unacceptable-risk practices are banned outright. High-risk systems face conformity assessment, registration, post-market monitoring, and human-oversight duties. Limited-risk systems face transparency duties such as deepfake disclosure. Minimal-risk systems carry no specific obligations. General-purpose AI models sit on a parallel track of transparency, copyright, and systemic-risk obligations.

Direct application to US law firms is narrow. It reaches the firm only when the firm itself develops, deploys, or distributes an AI system whose output is used in the EU. Indirect application is wider. Any firm with EU clients, EU-exposed clients, or US subsidiaries of EU parents will face client questions about what the Act requires of those clients.

Who must comply?

Two roles drive most operational compliance: providers and deployers.

• Providers: anyone who develops an AI system and places it on the EU market or puts it into service in the EU under their own name or trademark, with or without charge.
• Deployers: anyone using an AI system under their authority, except for personal non-professional use.
• Importers and distributors carry narrower roles. They primarily verify that the provider met its conformity-assessment duties before placing the system on the market.

Extraterritorial reach is broad. Providers and deployers established outside the EU are in scope whenever the AI system’s output is used in the EU. A US law firm running an AI tool to produce work product for an EU client may pull that tool inside the Act by virtue of where the output lands.

When does it apply?

Application phases in over three years from the August 1, 2024 entry into force:

• February 2, 2025 (six months): prohibitions on unacceptable-risk practices and AI literacy duties on providers and deployers.
• August 2, 2025 (twelve months): general-purpose AI provisions, governance structures (the AI Office and AI Board), and non-compliance penalties.
• August 2, 2026 (twenty-four months): the bulk of substantive obligations on high-risk systems, transparency duties, and conformity assessment.
• August 2, 2027 (thirty-six months): high-risk obligations for AI systems acting as safety components of products in Annex I (toys, machinery, medical devices, vehicles).

For most US firms, August 2, 2026 is the operative milestone. By then, in-scope providers and deployers must have finished conformity assessment, registered high-risk systems in the EU database, and put post-market monitoring in place.

What does compliance documentation look like?

A US firm or client deploying a high-risk AI system in the EU should expect to produce:

• A risk management system covering the system’s lifecycle, from design and training through deployment and post-market monitoring.
• Technical documentation per Annex IV: system architecture, training-data provenance, validation and testing methodology, accuracy and robustness metrics.
• Records of conformity assessment, either internal control or notified-body assessment, depending on system category.
• A registration entry in the EU AI Act database for high-risk systems before market placement.
• Human-oversight protocols specifying how a human reviewer can interpret, override, or stop the system.
• An incident-reporting workflow that meets the Act’s national-authority reporting timeframes.

For firms advising EU-exposed clients on Act readiness, that list is the diligence agenda.

How does the Act interact with US frameworks?

The Act runs parallel to, but independent of, the Colorado AI Act and the NIST AI RMF. Colorado borrows the risk-tier idea but covers a narrower commercial scope and skips conformity assessment. AI RMF is a voluntary US framework, not law, and gets no mention in the Act. Formal compliance under the Act runs through EU harmonized standards published by CEN/CENELEC and through Commission common specifications. Practical overlap is real: AI RMF documentation already covers much of the lifecycle territory the Act’s risk-management rules address. The evidentiary track the Act recognizes, though, is the harmonized-standard or common-specification one.

Firms that already document AI governance against AI RMF or ISO/IEC 42001 face a relabeling and extension exercise, not a separate program. Firms starting from scratch face the most prescriptive of the three frameworks.

Primary sources

• Regulation (EU) 2024/1689 of the European Parliament and of the Council (Artificial Intelligence Act), Official Journal of the European Union, July 12, 2024: eur-lex.europa.eu.
• AI Act explorer (text and implementation timeline): artificialintelligenceact.eu/the-act.