Module 6 – The AI Act: Risk-Based Regulation in Practice

1. Why the AI Act Matters (and How It Fits Your Existing Knowledge)

In this module, you connect what you already know about EU product and digital regulation to a concrete, cutting‑edge case: the EU Artificial Intelligence Act.

Where we are coming from:

• Module 4 (NLF): You learned how the New Legislative Framework (NLF) provides a horizontal toolbox (conformity assessment, CE marking, notified bodies, market surveillance) reused across many product laws.
• Module 5 (Digital Rulebook): You saw how the Digital Services Act (DSA) and Digital Markets Act (DMA) regulate online platforms and gatekeepers as part of the EU digital strategy.

Where we are now:

• The AI Act – formally Regulation (EU) 2024/1689 – is the EU’s flagship law on artificial intelligence.
• It is a horizontal, risk‑based regulation that cuts across sectors (health, transport, education, law enforcement, etc.).
• It entered into force in August 2024 and is being applied in phases up to 2026–2027.

By the end of this 15‑minute module, you should be able to:

• Describe the AI Act’s risk‑based structure and the four main risk categories.
• Explain how the AI Act uses phased implementation and how this compares to other complex EU laws.

Keep in mind: the AI Act is not just about ChatGPT‑like systems. It covers a wide variety of AI uses, from medical diagnostics to CV‑screening tools, and it interacts with both the NLF toolbox and the digital rulebook (DSA/DMA).

2. Scope and Objectives of the AI Act

The AI Act is Regulation (EU) 2024/1689, adopted in 2024 and in force since August 2024. As of today (late 2025), its application is partially in effect and still being phased in.

2.1 What does the AI Act try to achieve?

The AI Act has three core objectives:

1. Ensure safety and fundamental rights are protected when AI is used in the EU.
2. Foster trustworthy AI innovation and uptake in the EU single market.
3. Create a common EU rulebook for AI, avoiding 27 different national regimes.

2.2 Who and what is covered? (Scope)

The AI Act applies to:

• Providers of AI systems (developers who place AI systems on the EU market or put them into service).
• Deployers (users) of AI systems in the EU, especially organizations (e.g., banks, hospitals, public authorities).
• Importers and distributors of AI systems.
• Some rules also touch general‑purpose AI models (GPAI), especially systemic risk models.

It covers AI systems used:

• In the EU market, regardless of where the provider is established.
• Outside the EU, if the AI system’s output is used in the EU (similar extraterritorial logic as the GDPR and DSA).

> Historical note: Before the AI Act, AI issues were handled via sector‑specific laws (e.g., medical devices, product safety) and general rules like GDPR. The AI Act does not replace those, but layers a horizontal set of AI‑specific rules on top, often aligned with the NLF toolbox you saw in Module 4.

3. The Core Idea: A Risk‑Based Approach to AI

The AI Act is built around a risk‑based regulatory model – the higher the risk, the stricter the rules.

It distinguishes four main categories of AI systems:

1. Unacceptable risk – prohibited uses.
2. High‑risk – allowed but under strict requirements.
3. Limited risk – lighter rules, mainly transparency obligations.
4. Minimal (or low) risk – largely unregulated by the AI Act (but still subject to other laws like GDPR, consumer law, etc.).

You can visualize it as a pyramid:

• Top (smallest): Unacceptable risk – banned.
• Below: High‑risk – heavily regulated.
• Next: Limited risk – some transparency.
• Base (largest): Minimal risk – no specific AI Act duties.

This is similar in spirit to risk‑based product safety under the NLF, but with a stronger focus on fundamental rights and context of use (e.g., AI in law enforcement vs AI in a game).

4. Unacceptable vs High‑Risk AI: Concrete Examples

To make the abstract categories more tangible, let’s look at concrete examples.

4.1 Unacceptable Risk AI (Prohibited)

These are AI practices considered incompatible with EU values and fundamental rights. They are generally banned.

Examples (simplified):

• Social scoring by public authorities:
• An AI system that aggregates data from multiple sources to rate citizens (e.g., financial behaviour, social media activity) and then uses that score to decide access to services or benefits.
• Manipulative AI exploiting vulnerabilities:
• AI toys using voice assistants that covertly encourage children to take dangerous actions.
• Real‑time remote biometric identification in public spaces for law enforcement, with only very narrow exceptions (e.g., searching for victims of specific crimes, preventing an imminent terrorist threat) under strict conditions.

These systems are not allowed to be placed on the EU market or used, except under the limited exceptions defined in the Act.

4.2 High‑Risk AI (Heavily Regulated but Allowed)

High‑risk AI systems are permitted, but only if they comply with strict requirements. These are usually AI systems that:

• Are used in products covered by EU product safety laws (e.g., machinery, medical devices), or
• Are used in specific sensitive areas listed in the Act (Annex III), such as:
• Biometric identification and categorisation (non‑prohibited uses).
• Education and vocational training (e.g., AI that grades exams or allocates spots).
• Employment and workers’ management (e.g., CV‑screening tools, AI scheduling systems).
• Access to essential services (e.g., credit scoring systems, welfare eligibility).
• Law enforcement, migration, border control, administration of justice.

High‑risk example scenario:

• A bank uses an AI system to decide whether to grant consumer loans.
• This affects access to an essential service (credit).
• The AI system would likely be classified as high‑risk.
• The provider must meet requirements on risk management, data quality, documentation, human oversight, and more.

When you see a use case, ask: Does this significantly affect people’s rights, access to key services, or safety? If yes, it probably falls into high‑risk or unacceptable categories.

5. Limited‑Risk and Minimal‑Risk AI (Transparency vs No Specific Rules)

Not all AI is scary or high‑stakes. The AI Act explicitly leaves a large space for low‑risk innovation.

5.1 Limited‑Risk AI: Transparency Duties

These systems are not high‑risk, but users should know they are interacting with AI or that AI is used in a certain way.

Typical transparency obligations include:

• Informing people when they interact with an AI chatbot rather than a human.
• Labeling deepfakes (synthetic audio, image, or video content) as artificially generated or manipulated, except in certain legitimate contexts (e.g., law enforcement operations, satire with clear context).
• Disclosing that emotion recognition or biometric categorisation is being used in certain contexts.

Example:

• A customer support chatbot on an e‑commerce site:
• Must clearly inform users that they are interacting with an AI system, not a human.

5.2 Minimal‑Risk AI: No AI‑Act‑Specific Obligations

These are the vast majority of AI applications, such as:

• AI‑powered video game NPCs.
• AI used for spam filters.
• Photo enhancement filters in consumer apps.

For these, the AI Act does not impose specific obligations. But:

• Other laws still apply (e.g., GDPR, consumer protection, copyright).
• Providers are encouraged to follow voluntary codes of conduct or good practices.

This layered approach is intended to avoid over‑regulation of everyday or experimental AI, while focusing legal effort where risks are highest.

6. Classify the Risk: Short Thought Exercise

Try to classify each scenario into one of the four categories: Unacceptable, High‑Risk, Limited‑Risk, Minimal‑Risk.

Write down your answers before checking the suggested classification at the end.

Scenario A

A city government uses AI‑based facial recognition in real time on CCTV feeds in public spaces to identify everyone in a crowd and track their movements for general crime prevention.

Your classification: `...`

---

Scenario B

A university uses an AI tool to automatically grade entrance exams and rank applicants, with minimal human review.

Your classification: `...`

---

Scenario C

An e‑commerce website uses a recommender system to suggest products based on browsing history.

Your classification: `...`

---

Scenario D

A mobile game uses AI to control non‑player characters (NPCs) that adapt to the player’s style.

Your classification: `...`

---

Suggested classifications (compare with yours):

• Scenario A: Unacceptable or very strictly limited – real‑time remote biometric identification in public spaces for law enforcement is generally prohibited, with only narrow exceptions.
• Scenario B: High‑Risk – AI in education and vocational training that affects access to education is typically high‑risk.
• Scenario C: Usually Minimal‑Risk under the AI Act (though other laws like consumer protection and GDPR still apply). It might be Limited‑Risk if it involves certain profiling scenarios requiring transparency.
• Scenario D: Minimal‑Risk – typical entertainment use with limited impact on rights or safety.

7. Timeline: Entry into Force and Phased Application

Complex EU regulations like the AI Act rarely apply fully from day one. Instead, they use staggered timelines so that:

• Institutions can set up governance structures.
• Industry can adapt and build compliance processes.

7.1 Key Milestones (relative to today)

• August 2024 – AI Act entered into force (20 days after publication in the Official Journal). From this date, institutions and companies knew the final text and could start preparing.
• End of 2024–2025 – Early application of prohibited practices (unacceptable risk) and some governance provisions begins (Member States and EU bodies start setting up structures).
• 2025–2026 – Progressive application of rules for:
• General‑purpose AI models (GPAI), especially those posing systemic risks.
• Transparency obligations (e.g., chatbots, deepfake labeling).
• 2026–2027 – Core high‑risk AI obligations become fully applicable (risk management, data governance, human oversight, CE marking, etc.), similar in style to other NLF‑aligned product rules.

> Exact dates for specific provisions are detailed in the final Articles and transitional provisions of the AI Act. Different obligations kick in at different times, but as of late 2025, stakeholders are already under pressure to prepare for the high‑risk AI compliance wave.

7.2 Why the Phased Approach Matters

• It mirrors what you saw in other large EU acts (e.g., DSA, GDPR): entry into force first, application later.
• It gives:
• Regulators time to set up notified bodies, market surveillance authorities, and the new EU AI Office.
• Providers and deployers time to perform risk classification, gap analysis, and system redesign.

Understanding this pattern helps you read future EU tech regulations: don’t just ask what the rules are; always ask when each rule applies.

8. Quick Check: Entry into Force vs Application

Test your understanding of the AI Act’s timeline and how it mirrors other EU regulations.

9. Applying the Risk‑Based Approach: A Mini Case Study

Imagine you are working for a health‑tech startup that develops an AI system to support radiologists in detecting tumours in medical images.

Step 1 – Identify the AI system

• Your product uses machine learning to analyse MRI scans and highlight suspicious areas.

Step 2 – Determine the risk category

• It is used in healthcare and affects patient diagnosis and safety.
• It is likely integrated into a medical device.
• Under the AI Act, this typically falls under high‑risk AI (AI used as a safety component of medical devices).

Step 3 – Understand key obligations (high‑risk)

As a provider of a high‑risk AI system, you must ensure, among other things:

• A risk management system across the lifecycle.
• High‑quality, relevant and representative training data.
• Technical documentation and record‑keeping.
• Transparency and information to deployers (hospitals, clinics).
• Human oversight measures (radiologists remain in the loop).
• Accuracy, robustness, and cybersecurity.
• Conformity assessment (often involving a notified body) and, where relevant, CE marking.

Step 4 – Check interaction with other laws

• The AI Act layers on top of existing frameworks like the Medical Devices Regulation (MDR).
• Your compliance strategy must integrate both:
• MDR requirements (clinical evaluation, post‑market surveillance, etc.).
• AI Act high‑risk requirements (data governance, human oversight, etc.).

This is exactly where your knowledge from Module 4 (NLF) becomes practical: the AI Act reuses the conformity assessment and CE‑marking logic of the NLF, but tailors it to AI‑specific risks.

10. Flashcard Review: Key AI Act Concepts

Flip through these flashcards to reinforce the main concepts from this module.

11. Connect the Dots: AI Act, NLF, and the Digital Rulebook

To consolidate your understanding, take a moment to map connections between this module and the previous ones.

Task

On a blank sheet (or a notes app), draw three circles labeled:

• NLF (Module 4)
• Digital Rulebook: DSA/DMA (Module 5)
• AI Act (Module 6)

For each connection, jot down at least one sentence:

1. NLF ↔ AI Act

• How does the AI Act reuse or align with NLF concepts (e.g., conformity assessment, CE marking, notified bodies)?

1. Digital Rulebook ↔ AI Act

• How might the AI Act interact with the DSA/DMA in practice (e.g., AI recommender systems on very large online platforms, content moderation tools)?

1. NLF ↔ Digital Rulebook

• How do product‑safety‑style rules (NLF) differ from platform‑oriented rules (DSA/DMA), and where does the AI Act sit between them?

Reflection prompts

• In your view, why did the EU choose a risk‑based structure for AI instead of a one‑size‑fits‑all set of obligations?
• Which risk category do you think will be most challenging for regulators and companies to manage in practice, and why?

Use this as a mini‑summary exercise. If you can explain these links in your own words, you have a solid grasp of how the AI Act fits into the broader EU regulatory ecosystem.