TL;DR
- The AI Act is Regulation (EU) 2024/1689, adopted in 2024 and phased in across 2025-2027 with general-purpose AI (GPAI) obligations starting in 2025.
- It applies a risk-based tiering — prohibited / high-risk / limited-risk / minimal-risk — with most obligations falling on high-risk systems and GPAI providers.
- It is extraterritorial: providers based outside the EU are caught if their AI systems are placed on the EU market or their output is used in the EU.
- Fines reach up to USD 39 million or 7% of global turnover for prohibited-practice violations.
The Risk-Based Structure#
The Act is the EU's attempt to create a single horizontal regulation for AI rather than relying on sectoral law. It works by sorting AI systems into four risk tiers and applying very different obligations to each:
| Tier | Examples | Obligation |
|---|---|---|
| Prohibited | Social scoring by governments, untargeted scraping of facial images, manipulative subliminal techniques. | Outright ban. |
| High-risk | AI in critical infrastructure, education access, employment, credit scoring, law enforcement, biometric identification. | Conformity assessment, registration, post-market monitoring, human oversight, technical documentation. |
| Limited-risk | Chatbots, emotion-recognition systems, deepfake generators. | Transparency — users must know they are interacting with AI / seeing generated content. |
| Minimal-risk | AI in spam filters, video games, recommender systems for low-stakes use. | No mandatory obligations; voluntary codes of conduct. |
General-Purpose AI Models#
The Act creates a parallel set of obligations specifically for general-purpose AI (GPAI) models — foundation models, large language models, multimodal models — regardless of how downstream applications are tiered.
Baseline GPAI providers must publish a summary of training data, comply with EU copyright law, and maintain technical documentation. GPAI models with 'systemic risk' (a threshold set on training compute, currently 10^25 FLOPS as of 2026 amendments) carry heavier obligations including model-evaluation reports, incident reporting, and cybersecurity-protection measures for model weights.
The GPAI obligations apply to the model provider, not only the downstream deployer. If you fine-tune a covered model and re-distribute the result, you may be classified as a new GPAI provider in your own right. Take legal advice early if you are training or substantially modifying a model that crosses the systemic-risk threshold.
Timeline#
The Act entered into force in August 2024. Application is phased so that organisations have time to adapt:
- February 2025 — prohibited practices in force.
- August 2025 — GPAI obligations in force.
- August 2026 — most high-risk system obligations in force.
- August 2027 — full application to high-risk systems embedded in regulated products (medical devices, vehicles).
High-Risk Obligations in Practice#
If you operate a high-risk AI system, the headline obligations are:
- Conformity assessment — internal or third-party, depending on the use case.
- Risk-management system covering the AI lifecycle.
- Data governance — training, validation, and test data must meet quality and bias requirements.
- Technical documentation that allows authorities to assess compliance.
- Logging that allows post-market monitoring and incident investigation.
- Human oversight built into the system design — not bolted on.
- Accuracy, robustness and cybersecurity appropriate to the use case.
- Registration in the EU AI database before market placement.
Extraterritorial Scope#
The Act applies to providers and deployers established in the EU, but also to providers established outside the EU whose AI systems are placed on the EU market, and to providers/deployers whose AI output is used in the EU. UK providers therefore face the same exposure as EU ones if they sell into the bloc — broadly comparable to how GDPR works.
Fines#
Fines tier with the obligation tier:
- Up to USD 39 m or 7% of global annual turnover — prohibited-practice violations.
- Up to USD 17 m or 3% of global annual turnover — most other violations.
- Up to USD 8 m or 1% of global annual turnover — providing incorrect information to authorities.
Where Yobitel Sits#
Yobibyte and the Yobitel marketplace are positioned as deployment infrastructure — we are not the model provider for third-party models on the marketplace. For models we train ourselves, we maintain GPAI documentation under the Act. Customers building high-risk systems on our infrastructure receive the technical artefacts (logging, model lineage, training-data provenance) needed to satisfy their own conformity assessment.
References
- Regulation (EU) 2024/1689 — AI Act · EUR-Lex
- EU AI Act — official portal · European Commission
- GPAI Code of Practice · European Commission DG CONNECT