EU AI Act Guidance Clarifies Rules for High-Risk Tools

Penalties for non-compliance with the EU AI Act are severe, surpassing even those of GDPR. Violating the ban on certain prohibited AI practices can result in fines up to €35 million or 7% of a company's global annual turnover, whichever is higher, while infringements related to high-risk systems can draw penalties of up to €15 million or 3% of turnover. An AI system is classified as "high-risk" if it's a safety component in a product or if it falls into specific use-cases listed in Annex III of the Act. These areas include AI used in critical infrastructure, education, employment, and systems intended to influence the outcome of an election or referendum. Providers of high-risk systems face strict obligations, including comprehensive risk assessments, high-quality data governance, detailed technical documentation, and ensuring appropriate human oversight. These specific rules for high-risk AI will become fully applicable on August 2, 2026, with an extended deadline of August 2, 2027, for AI embedded into already regulated products. The AI-generated content labeling mandate also takes effect on August 2, 2026. This requires clear, machine-readable disclosures for synthetic content and visible labels for deepfakes or AI-generated text on matters of public interest, unless it has undergone human editorial review. The "AI Omnibus" package, proposed in late 2025, aims to simplify implementation and reduce administrative burdens. It centralizes oversight of general-purpose AI models under the new EU AI Office and clarifies that processing personal data to detect and correct bias can be considered a legitimate interest under GDPR. The European Parliament specifically added AI systems used to influence voters to its list of high-risk applications. This measure directly targets the rise of AI-generated propaganda, deepfakes, and emotionally-charged synthetic media, which have become standard material in recent European political campaigns.