Question 1

What are the four risk tiers under the EU AI Act?

Accepted Answer

The EU AI Act classifies AI systems into four tiers. Unacceptable risk systems, such as social scoring or real-time biometric surveillance, are prohibited outright. High-risk systems in areas like employment, education, or critical infrastructure require conformity assessments and registration. Limited risk systems must meet transparency obligations. Minimal risk systems face no specific obligations.

Question 2

Does the EU AI Act apply to companies outside the EU?

Accepted Answer

Yes. Like GDPR, the EU AI Act has extraterritorial reach. It applies to any organisation placing AI systems on the EU market or whose AI outputs are used in the EU, regardless of where the developer or deployer is headquartered. Non-EU providers of high-risk AI systems must appoint an EU representative.

Question 3

What is a GPAI model and what obligations does it have?

Accepted Answer

General Purpose AI (GPAI) models are AI systems trained on large datasets capable of performing many different tasks, such as large language models. The EU AI Act imposes transparency obligations on all GPAI model providers, including model documentation and compliance with copyright law. Models with systemic risk (above defined compute thresholds) face additional requirements including adversarial testing.

Question 4

When do EU AI Act obligations become enforceable?

Accepted Answer

The EU AI Act entered into force in August 2024. Prohibited use prohibitions applied from February 2025. Obligations for GPAI models apply from August 2025. High-risk AI system obligations for most Annex III use cases apply from August 2026. KaitoSec tracks all deadlines and helps you prioritise work based on your compliance timeline.

Question 5

How does the EU AI Act interact with GDPR?

Accepted Answer

The EU AI Act and GDPR interact closely when AI systems process personal data. GDPR governs how that data is collected, processed, and stored, while the AI Act governs how AI systems using that data must be designed, tested, and governed. KaitoSec cross-maps obligations so shared requirements, such as data quality, transparency, and human oversight, are evidenced once across both frameworks.

EU AI Act as part of the AIMS, not a separate compliance silo

AI System Risk Classification

High-Risk Conformity Assessment

AI Governance and Accountability

AI Portfolio Register

Technical Documentation Builder

Transparency Obligation Tracker

FAQ

Product

Frameworks

Solutions

Services

Resources

Company

Legal