Prohibited Practices
In force since February 2, 2025
AI uses the EU has banned outright, like social scoring or real-time public face recognition. Already enforceable, with the largest penalty in the Act.
Up to 35M euros or 7% of global turnover.
Answer ten plain questions about what your business does and see which of the Act's four risk levels you hit, with the real deadlines for each. About five minutes. Informational only, not legal advice.
Ten plain-language questions about what your business does. No regulatory vocabulary, no technical detail needed. About five minutes. You see which of the four risk levels you hit for free, and you can trade an email for the full tailored report.
This tool is informational only and is not legal advice. It gives a directional read, not a compliance determination.
The Act sorts AI uses into four levels. Obligations and deadlines differ sharply by level, and most businesses hit more of them than they expect.
In force since February 2, 2025
AI uses the EU has banned outright, like social scoring or real-time public face recognition. Already enforceable, with the largest penalty in the Act.
Up to 35M euros or 7% of global turnover.
December 2, 2027
AI that helps make consequential decisions about people: hiring, credit, essential services, education. Carries the heaviest ongoing obligations: risk management, documentation, human oversight, and a conformity assessment before go-live.
Up to 15M euros or 3% of global turnover.
August 2, 2026
If AI talks to your customers or generates content you publish, people must be told. Near-term: this deadline did not move when high-risk did. Content watermarking for systems already on the market gets until December 2, 2026.
Up to 15M euros or 3% of global turnover.
Baseline expectations, ongoing
Using AI at all carries baseline transparency and good-governance expectations, and the rest of the Act reaches further into your operations than most teams assume.
Governance expectations rather than a dedicated fine tier.
Compliance is an operational discipline, not a legal filing. The path is sequential, and most companies have not started.
Step 1 · ATOM: Assess
Find every AI system: built in-house, bought from a vendor, or buried inside a tool you already pay for. You cannot govern what you have not mapped.
Step 2 · ATOM: Tailor
Sort each system into its risk tier and confirm whether you are the provider or the deployer for it. This step decides every obligation that follows.
Step 3 · ATOM: Orchestrate
Stand up the governance the classification demands: documentation, human oversight, and monitoring. The controls that make compliance real instead of a slide.
Step 4 · ATOM: Modernize
Keep it current. New systems ship, vendors change, and the rules keep moving. Compliance is a running state, not a one-time filing.
Very likely, yes. The Act reaches any company whose AI touches people in the EU, wherever that company is headquartered. A US, UK, or Asia-based firm with EU customers, EU users, or EU-facing AI is in scope. Where you are incorporated is not the test. Where your AI lands is the test.
Prohibited practices have been banned and enforceable since February 2, 2025. Transparency obligations apply from August 2, 2026, and that date did not move when the high-risk deadline was delayed. Machine-readable marking of AI-generated content applies from August 2, 2026 for new systems, with systems already on the market getting until December 2, 2026. High-risk obligations were delayed to December 2, 2027.
Broadly, AI that helps make consequential decisions about people: hiring and employee management, credit and insurance decisions, access to essential services, education decisions, and biometric identification. High-risk systems require risk management, documentation, human oversight, and a conformity assessment before going live.
Up to 35 million euros or 7% of global annual turnover for prohibited practices, up to 15 million euros or 3% for high-risk and transparency failures, and up to 7.5 million euros or 1% for giving regulators incorrect information. Smaller companies pay the lower of the two figures rather than the higher. For comparison, GDPR caps at 20 million euros or 4%.
A provider builds an AI system or substantially modifies one and puts it into use; providers carry the heavy obligations like technical documentation, conformity assessment, and registration. A deployer uses AI that others built; deployers must use the system as intended, keep a human in the loop, and monitor it. Heavy customization or fine-tuning can quietly move a business from deployer to provider.
No. The Risk Check gives a directional, informational read based on your answers. It is not a compliance determination and not legal advice. For the legal call, talk to qualified counsel. AtomDigit is the engineering and operational partner that makes compliance real in the systems.