Regulation · in force · European Union

The EU AI Act, seen from Quebec.

The first comprehensive AI regulation classifies systems by risk level. If you sell in Europe, it already applies to you.

The essentials

The European regulation on artificial intelligence, Regulation (EU) 2024/1689, entered into force on 1 August 2024. Its application unfolds in phases: prohibited practices first, then obligations for general-purpose AI models, then the bulk of requirements for high-risk systems.

Its reach is extraterritorial: a Quebec business whose AI system is placed on the European market, or whose outputs are used within the Union, falls within its scope. Distance is not protection.

Its logic is simple: the higher the risk of a system, the heavier the obligations. Most ordinary business uses sit in the lower levels, with reasonable transparency obligations.

Since

In force since August 2024, application rolling out in phases through 2026 and beyond.

Penalties

Up to 35 M euro or 7% of worldwide revenue for prohibited practices.

For whom

Providers and deployers of AI systems affecting the European market, wherever they are established.

Four risk levels, four regimes

LevelExamplesRegime
UnacceptableSocial scoring, manipulation exploiting vulnerabilityProhibited in the Union.
High riskResume screening, credit access, medical devicesHeavy requirements: risk management, data governance, human oversight, documentation, registration.
Limited riskChatbots, generated or manipulated contentTransparency: the person must know they are interacting with AI or viewing generated content.
Minimal riskSpam filters, AI in games, most internal usesNo new obligations; best practices are still recommended.

General-purpose AI (GPAI) models have their own transparency and documentation regime. In the AI id framework, the AI Act weighs most heavily on the Supervised, Secure, and Accountable properties.

How identifiable gets you ready

identifiable assesses your uses and policies against the AI Act: training, classification of your systems by risk level, and attestation of your trajectory.

TrainingEU AI Act literacy for your teams and your leadership
AdvisoryConsulting support to close the gaps, practice by practice
AttestationEvaluation against the AI id framework and a trajectory toward the standard
See corporate training The AI id framework

Three questions that keep coming up

I do not sell in Europe. Am I safe?

For now, legally, yes. But the AI Act is becoming the de-facto global reference, just as the GDPR was before it, and your exporting clients will inherit its requirements and pass them on to you.

Is my chatbot high risk?

Rarely. A customer service assistant generally falls under limited risk: the main thing is that the person knows they are talking to an AI. High risk targets specific domains like employment, credit, or health.

What to do first, from Quebec?

Classify your systems by risk level and document your uses. That is the same inventory that Law 25 and the NIST AI RMF ask for: one piece of work, three frameworks served.

Could you classify your AI systems by risk level?

The diagnostic locates your practices against the four frameworks, including the AI Act. Twelve questions for a first map.

Get your AI Index Talk to identifiable