EU AI Act Compliance

You're in Australia. The EU AI Act Still Applies to You.

If you have European customers, operations, or use AI that affects people in the EU, you're in scope. The same thing happened with GDPR. August 2026 is the deadline for high-risk AI systems. Penalties reach 7% of global revenue.

Does This Apply to My Company?

The EU AI Act has extraterritorial reach. If any of these apply, you need to pay attention.

EU Customers

Your AI systems' outputs are used by or affect people in the EU

EU Operations

You have an office, subsidiary, or establishment in the EU

EU Market Access

You sell AI systems or AI-powered products into the EU market

EU AI Suppliers

You resell or integrate AI components from providers who must comply

Common scenarios for Australian companies:

Yes: SaaS company with EU customers using AI features
Yes: Recruitment firm using AI to screen candidates for EU roles
Yes: Bank using AI for credit decisions affecting EU residents
Yes: Company with AI chatbot accessible to EU website visitors
No: AI used purely internally with no EU data or users
No: AI spam filters or internal inventory management

The EU AI Act Uses Risk Categories

Different AI systems have different requirements. Most AI falls into "minimal risk" with no special rules. The trouble starts with high-risk.

Prohibited AI

Banned entirely. Already in force since February 2025.

These AI systems cannot be used at all in the EU:

  • Manipulative AI that distorts behaviour to cause harm
  • AI exploiting vulnerabilities (age, disability, economic status)
  • Social scoring systems
  • Scraping facial images from internet/CCTV for databases
  • Emotion recognition in workplaces (with limited exceptions)
  • Predictive policing based on profiling

High-Risk AI

Allowed but heavily regulated. August 2026 deadline.

These AI systems need conformity assessments, documentation, and ongoing monitoring:

Employment

Recruitment, CV screening, performance evaluation, promotion decisions

Financial Services

Credit scoring, insurance pricing, fraud detection affecting individuals

Education

Admission decisions, learning outcome evaluation, student monitoring

Biometrics

Remote biometric identification, biometric categorization

Limited Risk AI

Transparency obligations only

Users must be informed they're interacting with AI:

  • Chatbots
  • Virtual assistants
  • Deepfake generators
  • AI-generated content
  • Emotion recognition (non-workplace)

Minimal/No Risk AI

No specific requirements

Most AI falls here: spam filters, recommendation systems, video game AI, inventory management. No special compliance needed.

Timeline

The EU AI Act entered into force in August 2024. Requirements phase in over three years.

February 2, 2025 (already in force)

Prohibited AI practices banned. AI literacy requirements now apply. If you're using any prohibited AI in the EU, you're already non-compliant.

August 2, 2025 (already in force)

GPAI (general-purpose AI) transparency requirements. Penalty regime now in effect. Fines can be imposed.

August 2, 2026 (coming)

Full high-risk AI requirements. Conformity assessments, EU database registration, complete technical documentation, risk management systems, human oversight mechanisms all required.

August 2, 2027 (extended deadline)

AI embedded in regulated products (medical devices, machinery, automotive, aviation) must comply.

Penalties

Three tiers. The higher of the fixed amount or percentage of global turnover applies.

  • €35M or 7% of global revenue: for using prohibited AI
  • €15M or 3% of global revenue: for high-risk non-compliance
  • €7.5M or 1% of global revenue: for providing incorrect information

Beyond fines:

  • Market withdrawal orders
  • Product recalls
  • Prohibition on EU market placement
  • Public notification of violations

High-Risk AI Requirements

If you have high-risk AI systems, here's what you need by August 2026.

1. Risk Management System

Continuous process throughout AI lifecycle. Identify, assess, mitigate risks. Keep it updated.

2. Data Governance

Training data must be relevant, representative, and error-free. Document data lineage.

3. Technical Documentation

Detailed records of architecture, algorithms, testing, purpose. Per Annex IV requirements.

4. Record Keeping

Automatic logging of events during system operation. Keep records for 10 years.

5. Transparency

Clear instructions for deployers. Information about capabilities and limitations.

6. Human Oversight

Mechanisms enabling human intervention and control. People must be able to override.

7. Accuracy & Robustness

Consistent performance. Resilience against errors and attacks. Cybersecurity protections.

8. Conformity Assessment

Complete before market entry. May need third-party assessment. CE marking required.

9. EU Database Registration

Register high-risk systems in the EU database. Mandatory before deployment.

Australia vs EU: Where We Stand

Australia doesn't have dedicated AI legislation. The government considered mandatory guardrails in 2024 but paused that work. For now, we rely on existing laws (Privacy Act, consumer law, anti-discrimination) plus voluntary guidelines.

This means if you're doing business in both markets: design for EU requirements. They're stricter, and you'll be compliant everywhere.

Key differences

  • Legal status. EU: Mandatory regulation. AU: Voluntary guidelines.
  • Conformity assessment. EU: Required for high-risk. AU: Not required.
  • Registration. EU: Database required. AU: No system exists.
  • Penalties. EU: Up to 7% global revenue. AU: Existing law penalties.
  • Prohibited practices. EU: Explicit list banned. AU: No explicit prohibitions.

How We Help

EU AI Act compliance for Australian companies.

Applicability Assessment

Figure out if and how the EU AI Act applies to your business. Map your EU touchpoints, classify your AI systems by risk category, identify any prohibited practices.

Gap Analysis

Compare your current AI governance against EU AI Act requirements. Get a specific list of what's missing and what needs to change, with priorities.

Implementation Support

Build what you need: technical documentation, risk management systems, human oversight mechanisms, conformity assessment preparation.

August 2026 Is Closer Than You Think

Find out where you stand. We'll tell you if you're affected, what risk categories your AI falls into, and what you need to do before the deadline.
