EU AI Act
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive horizontal legal framework for the regulation of artificial intelligence. Formally adopted in March 2024 and published in July 2024, it applies to providers, deployers and importers of AI systems in the European Union, with a phased implementation schedule that began in 2025.
The Act uses a risk-based classification system dividing AI applications into four categories: unacceptable risk (prohibited), high-risk (subject to strict requirements including conformity assessment, technical documentation, transparency, human oversight and registration), limited risk (transparency obligations) and minimal risk (unregulated, representing the vast majority of AI applications). General-purpose AI models—including large language models—have a distinct set of obligations covering transparency, copyright compliance and, for the most powerful models, safety evaluations and adversarial testing.
Penalties for non-compliance reach up to €35 million or 7% of global annual turnover for the most serious violations. The Act also establishes a European AI Office responsible for overseeing general-purpose AI models and supporting consistent implementation across member states.
Our take on this
The EU AI Act is the GDPR of AI—and if you remember the 2018 compliance scramble, you understand the urgency. Organisations that waited until the last minute to achieve GDPR compliance faced expensive retrofitting, rushed projects and reputational risk. The AI Act follows the same pattern: complex requirements, significant penalties, extraterritorial reach and a phased implementation already underway. The 'this doesn't affect us' position is rarely accurate once you look carefully.
The extraterritorial application is the key insight for Australian organisations. The Act applies whenever an AI system's output is used in the EU—not only when you're headquartered or operating there. If your AI products or services are used by European customers, if you're a component in a supply chain serving the EU market, or if you use AI tools provided by vendors subject to the Act, you're within scope in some way.
Why this matters for Australian organisations
Australia is among the EU's significant trading partners, and Australian technology companies increasingly serve European customers. Many of the AI tools Australian businesses use every day—from Microsoft Copilot to Google Vertex to Salesforce Einstein—are being modified to comply with the Act, which changes how those tools work and what you can do with them. Your vendor is subject to the Act whether you are or not, and their compliance posture affects your risk profile.
Beyond direct reach, the AI Act is setting global standards through the 'Brussels Effect'—the EU's demonstrated ability to effectively set global regulatory standards through market power. The Act's requirements for transparency, human oversight, technical documentation and conformity assessment are becoming de facto global expectations, embedded in how major AI vendors build and sell their products. Australian organisations implementing good AI governance now will find the Act's requirements familiar, not foreign.
For organisations in financial services, healthcare, employment, critical infrastructure and education—sectors where the Act's high-risk category directly applies—the requirements are especially relevant. If you're providing services to EU clients using AI in these categories, you need to understand those obligations specifically.
Practical steps for adoption
- Conduct a scoping assessment: map your AI systems against the Act's prohibited and high-risk categories to determine your direct exposure.
- Audit your AI vendor contracts for Act-related obligations—major vendors are updating terms to reflect their compliance posture; understand what obligations they're passing through to you.
- For high-risk AI systems, begin building the technical documentation and conformity assessment infrastructure the Act requires—this takes time and should not be left until a client or regulator asks.
- Track the European AI Office's guidance on general-purpose AI models, particularly if you're deploying frontier AI systems in any European-connected context.
- Even if you determine you're not directly in scope, review the Act's documentation requirements—they represent good governance practice and will ease future compliance if your market position changes.
Ready to transform your AI strategy?
Partner with Australia's AI strategy and governance specialists. From adoption roadmaps to ISO 42001 audit readiness.