Partial application · Applicable from 2025-02-02

EU AI Act

Regulation (EU) 2024/1689 on Artificial Intelligence

First horizontal global AI regulation. High-risk AI obligations applicable on 2 August 2026.

01 · What is it?

The EU AI Act (Regulation (EU) 2024/1689) is the world's first horizontal AI-regulation framework. Adopted in June 2024, it applies in stages between 2025 and 2027, depending on the category of AI system.

The regulation classifies AI systems into four risk levels: unacceptable risk (banned), high risk (strict obligations), limited risk (transparency obligations) and minimal risk (no obligations). The pivot for most vendors is the "high risk" category, governed by articles 8 to 15 of the regulation.

02 · Who is concerned?

Every actor in the AI chain is concerned, with differentiated obligations:

  • Providers: develop and place an AI system on the market. Bear most obligations.
  • Deployers: use an AI system as part of their professional activity. Obligations on proper use and human oversight.
  • Importers and distributors: obligations to verify compliance before market placement.
  • GPAI (General-Purpose AI) foundation models: specific regime, already applicable since August 2025.

An AI system is high-risk because of its use case, not its underlying technology (LLM, vision, classical ML). High-risk uses are listed in Annex III: biometrics, critical infrastructure, education, employment (recruitment, evaluation), access to essential services (credit, insurance, social benefits), law enforcement, migration and justice.

03 · Application timeline

Bans on prohibited AI practices have been in force since February 2025, and GPAI foundation-model obligations since August 2025. High-risk AI obligations become applicable on 2 August 2026.

  • 2 February 2025: bans on prohibited AI (social scoring, cognitive manipulation, real-time biometric identification without supervision).
  • 2 August 2025: obligations for GPAI model providers.
  • 2 August 2026: obligations for high-risk AI systems (articles 8-15).
  • 2 August 2027: CE marking of high-risk AI systems, harmonized CEN/CENELEC standards.

04 · Sanctions

  • Prohibited AI practices: fine up to €35m or 7% of global annual revenue.
  • Breach of high-risk AI obligations: fine up to €15m or 3% of global annual revenue.
  • Providing incorrect information to authorities: fine up to €7.5m or 1% of global annual revenue.

05 · How to comply

The seven key obligations of articles 8-15:

  • Continuous risk-management system (art. 9): risk identification, analysis and mitigation.
  • Data governance (art. 10): representative datasets, with biases identified and mitigated.
  • Technical documentation (art. 11): an Annex IV file for each high-risk AI system.
  • Log retention (art. 12): at least 6 months of operation logs.
  • Transparency and user information (art. 13): instructions for use addressed to deployers.
  • Human oversight (art. 14): humans able to understand the system, detect problems and intervene.
  • Accuracy, robustness and cybersecurity (art. 15): an appropriate and documented level, including resistance to adversarial attacks.

06 · Frequently asked questions

My credit-scoring SaaS uses an LLM. Am I high-risk?
Yes. Credit scoring is explicitly listed in Annex III under access to essential services. The technology (LLM, classical ML) is irrelevant; it is the use case that triggers the high-risk classification.

Are open-source LLMs like Llama concerned?
Yes. As GPAI (General-Purpose AI) models, they have had their own obligations since August 2025. Providers (Meta in Llama's case) have transparency obligations and, for "systemic-risk" models (very high capabilities), reinforced obligations.

How do I avoid tipping into high-risk?
Avoid the Annex III use cases. For a B2B SaaS, this often means: no automated scoring for high-impact decisions (HR, credit), keeping the final decision with a human, or positioning the AI as assistance (the "decision" stays human). The exact perimeter is documented in the compliance file.

What is the shadow-AI risk?
Many vendors have experimental AI features deployed without formal governance. If a client uses such a feature in a high-risk case, the vendor can find itself non-compliant without knowing it. Mapping AI usage and keeping an internal AI register are the first measures to put in place.

Official sources

Related regulations

  • NIS2: Network and Information Security 2, Directive (EU) 2022/2555 (in force)

    European cybersecurity directive applicable since October 2024. Extends the scope to SaaS, data centres, carriers and the food sector.

    Sectors: B2B SaaS, Banking, Clinic & Health, +3

Analysis articles

  • NIS2 for SaaS vendors: six months to pass the audit (SaaS)

    Applicable since October 2024, the NIS2 directive starts to bite in 2026. SaaS vendors classified as "important entities" face new technical requirements.

  • Machinery Directive 2023/1230: the cobot framework moves into execution mode (Robotics)

    Applicable from 20 January 2027, the new machinery directive replaces 2006/42/EC and integrates the EU AI Act. For robotics integrators, CE marking becomes an AI topic.

An EU AI Act software project?

When the EU AI Act calls for custom software, we deliver it in a few weeks, 3× cheaper than an incumbent vendor.