Lesson 1 of 5 · The EU AI Act for Non-Lawyers
Lesson 1
Why the EU AI Act exists, and who it affects
Where the law came from. The risk-based approach that shapes everything inside it. And the extraterritorial scope that catches more organisations than most people realise.
By the end of this lesson, you will:
- Know why the EU passed the AI Act and the legislative timeline that produced it.
- Understand the risk-based architecture that the rest of the Act is built on.
- Be able to work out, for any AI system you encounter, whether the Act applies to it — and in what role.
A two-minute history
The European Commission proposed the AI Act in April 2021. The proposal followed three years of consultation, a 2018 AI strategy paper, and a 2020 White Paper. It was the first attempt anywhere in the world to write a horizontal, cross-sectoral law for artificial intelligence — meaning the Act applies to AI used in healthcare, recruitment, education, banking, transport, and law enforcement under one common framework.
The political negotiation was long. The European Parliament added rules for foundation models in 2023, after ChatGPT made the limits of the original draft visible. A trilogue agreement was reached in December 2023. The final text was adopted in March 2024, published in the Official Journal in July 2024, and entered into force on 1 August 2024. Different parts of the Act take effect on different dates over a two-to-three-year staggered timeline — we cover the dates properly in Lesson 5.
One thing to internalise from this history: the Act took a long time, and it changed substantially during that time. The internet is full of articles written about earlier drafts. Always check that what you are reading reflects the final adopted text, not an earlier version.
Why it exists
Three goals are written into the Act's preamble, and the rest of the law reads more sensibly if you keep these in mind.
To make AI systems used in the EU trustworthy. The Commission's framing throughout has been about "trustworthy AI" — a phrase that means, in practice, AI that respects fundamental rights, is safe, and does what it claims to do. Most of the Act's substantive obligations exist to operationalise this idea.
To create a single market for AI. Before the Act, several Member States were drafting their own AI laws. This would have created a patchwork of national rules that would have made it impossible to deploy an AI system EU-wide. The Act pre-empts that by setting harmonised rules that apply across all 27 Member States.
To position Europe in the global AI race. The Commission has been candid that part of the Act's intent is to set the global regulatory standard the way the GDPR did — what is now called the "Brussels effect". Whether that ambition will be realised is an open question; what is certain is that the Act now shapes how AI is built and sold to Europe.
The architecture — risk-based regulation
The single most important thing to understand about the Act is its risk-based architecture. The Act does not regulate "AI" in the abstract. It regulates AI uses, sorted into four tiers of risk:
Unacceptable risk. A small number of practices are simply prohibited. Social scoring by governments. Real-time biometric identification in public spaces (with narrow exceptions). Manipulative AI that exploits vulnerabilities. We cover them properly in Lesson 2.
High risk. AI systems used in domains where they can substantially affect people's rights, safety, or access to services. CV-screening tools for recruitment. AI used to grade students. Credit-scoring. AI components of medical devices. These are permitted, but they come with the bulk of the Act's substantive obligations — risk management, documentation, human oversight, conformity assessment, CE marking. Lessons 2 and 3 are about this tier.
Limited risk. AI systems where the main concern is transparency: people should know they are interacting with an AI, or that content is AI-generated. Chatbots. Deepfakes. Emotion recognition. The obligations here are lighter — usually a notification duty.
Minimal risk. Everything else. Spam filters. AI-enabled video games. Recommendation systems on most consumer sites. The Act mostly leaves this tier alone; voluntary codes of conduct are encouraged but not required.
On top of this four-tier risk pyramid sits a separate set of rules for general-purpose AI models (GPAI) — the foundation models that underpin many specific AI applications. These rules apply to model providers regardless of the eventual risk tier of the systems built on top of the model. We cover GPAI in Lesson 5.
Aside · Why the architecture matters in practice
An AI engineer's first instinct on reading the Act is to ask "is my system covered?" — which is the wrong question. The right question is "which uses of my system are covered, and in which risk tier does each of those uses sit?" The same machine-learning model can be minimal-risk in one use (recommending songs on a streaming service) and high-risk in another (recommending whom to interview for a job). The Act is regulating the use, not the technology.
Who the Act applies to
The Act distinguishes four kinds of actor. Each has a different set of duties. The single most common mistake non-lawyers make is to assume the Act treats all of them the same — it does not. We work out your role here; the consequences come in Lessons 3 and 4.
Provider. The entity that develops an AI system or has it developed, and places it on the EU market or puts it into service under its own name. If your company built the AI and is selling or supplying it, you are the provider. Providers carry the heaviest set of obligations under the Act.
Deployer. The entity that uses an AI system under its authority. If your company bought a CV-screening tool from another vendor and is using it to filter your job applications, you are the deployer. Deployers carry a lighter — but real — set of duties.
Importer. The entity that places on the EU market an AI system from a third country. The Act requires importers to verify that the foreign provider has done what the law requires before the system reaches Europe.
Distributor. The entity that makes an AI system available on the EU market without changing it. A reseller, in practice.
Two extra notes. First, the same organisation can be a provider for one system and a deployer for another. Second, a deployer who substantially modifies a high-risk AI system — fine-tuning, rewiring, repurposing for a new use — can become a provider under the Act, with all the heavier duties that follow. We come back to this in Lesson 4.
The extraterritorial scope
The Act applies if any of three conditions is met:
- The provider is established in the EU.
- The output of the AI system is used in the EU — even if the provider is outside the EU.
- The deployer is established in the EU.
Condition 2 catches a lot of non-EU companies. A US-based AI company that has no European office, no European staff, and no European customer can still be in the Act's scope if the output of its system is used in the EU. The European Court's approach to similar provisions in the GDPR suggests this will be interpreted broadly. If you build AI, the question to ask is not "am I European?" but "is my output used in Europe?"
What is not in scope
A short list of things the Act explicitly excludes. The Act does not apply to AI systems developed and used exclusively for military, defence, or national security purposes. It does not apply to AI for scientific research and development. It does not apply to "personal, non-professional" use of AI. It does not apply to AI systems released under free and open-source licences unless they are placed on the market or put into service as high-risk systems or fall under the GPAI provisions.
These carve-outs are narrower than they sound. The "research and development" exclusion does not cover commercial pilots. The "open source" carve-out does not protect a high-risk system just because the model under it is open. Read these exemptions in the actual text before relying on them.
Exercise — Place your AI system on the map (10 minutes)
- Pick a system or use case you care about. Either one you build, one you buy, or a hypothetical one we will keep using through the course. Write a one-sentence description.
- Answer four questions.
  - What is the use the system supports? (Not "the technology" — the actual use.)
  - Are you a provider, deployer, importer, or distributor — or several at once?
  - Is the output used in the EU?
  - Do any of the carve-outs apply to your specific case?
- Note your provisional risk tier. Just a guess for now — we tighten it in Lesson 2.
What we will cover next
Lesson 2 is about the four risk tiers in detail, with concrete examples. By the end of it you will be able to place your system in the correct tier with confidence — and know what that placement actually triggers.
Self-check
- Why did the EU pass the AI Act?
- What are the four risk tiers, and what determines which tier a given use of an AI system falls into?
- What is the difference between a provider and a deployer?
- Under what conditions does the Act apply to a company based outside the EU?