The EU AI Act reaches Australian businesses. The deadline is August 2026.

Regulation 2024/1689 has explicit extraterritorial reach. If your AI affects people in the EU, you are in scope regardless of where you are headquartered. Penalties reach EUR 35 million or 7% of global turnover. The Brussels Effect that caught Australian organisations off-guard with GDPR is repeating.


Built for

SaaS providers with EU customers · AI-powered product companies · Recruitment & HR tech · Financial services · GPAI model providers
Aligned to: EU AI Act (2024/1689) / ISO/IEC 42001 / NIST AI RMF / APRA CPS 230 / Privacy Act 1988

When the EU AI Act applies to you.

EU customers

Your AI's outputs are used by or affect people in the EU. SaaS, AI-powered products, or automated decision-making in scope.

EU operations

An office, subsidiary, or establishment in the EU brings the organisation under full provider or deployer obligations.

EU market access

Selling AI or AI-powered products into the EU requires conformity assessment and CE marking before market entry.

Importer obligations

Reselling or integrating AI components from in-scope providers triggers importer obligations under the regulation.

Four risk categories. Different obligations.

The EU AI Act sets four risk tiers. Most AI falls into minimal risk with no special rules. Obligations rise sharply for high-risk systems, and certain practices are banned outright.

  1. Prohibited

     Unacceptable risk. Banned since February 2025.

     These practices cannot be used at all where they affect people in the EU. Australian businesses must audit their AI portfolio for any prohibited practices immediately.

     • Manipulative AI using subliminal techniques
     • AI exploiting age, disability, socio-economic vulnerabilities
     • Social scoring of individuals
     • Untargeted scraping of facial images
     • Emotion recognition in workplaces and schools
     • Predictive policing based on profiling alone

  2. High-risk (Aug 2026)

     High-risk AI. Heavily regulated.

     Conformity assessment, technical documentation, risk management, human oversight, EU database registration. This is where most Australian businesses with EU exposure need to focus.

     • Employment. Recruitment, CV screening, performance, dismissal.
     • Financial. Credit scoring, insurance pricing, fraud, risk.
     • Education. Admissions, outcome evaluation, proctoring.
     • Biometrics. Remote ID, categorisation, emotion recognition.

  3. Transparency

     Limited risk. Disclosure obligations.

     Users must be told they are interacting with AI. This is the most common compliance trigger for Australian organisations with customer-facing systems: chatbots, virtual assistants, deepfake generators, AI-generated content, emotion recognition outside the workplace, and synthetic media.

  4. No special rules

     Minimal risk. Voluntary codes only.

     The vast majority of AI lands here: spam filters, recommendation systems, video game AI, inventory management. No special compliance is needed, though voluntary codes of conduct are encouraged.

General-Purpose AI model obligations.

Specific provisions apply to GPAI models including foundation models and large language models. Australian businesses that develop or deploy GPAI models with EU exposure must meet these requirements.

Track A

All GPAI providers

  • Technical documentation of design and training
  • Instructions for downstream integrators
  • EU Copyright Directive compliance
  • Detailed training data summary

Track B

GPAI with systemic risk

Models exceeding 10^25 FLOPs in training compute. Additional obligations:

  • Model evaluations and adversarial testing
  • Systemic-risk assessment and mitigation
  • Serious-incident reporting to AI Office
  • Cybersecurity protections for model and infra

Penalties for non-compliance.

Three-tier penalty system. The higher of the fixed amount or percentage of global annual turnover applies. For Australian businesses, penalties are calculated against worldwide revenue, not just EU earnings.

Tier 1

EUR 35M

or 7% of global turnover

For using prohibited AI practices in the EU market.

Tier 2

EUR 15M

or 3% of global turnover

For high-risk AI non-compliance, missing conformity assessment, or missing documentation.

Tier 3

EUR 7.5M

or 1% of global turnover

For incorrect, incomplete, or misleading information to authorities.

Beyond financial penalties

  • Market withdrawal orders forcing removal of AI from EU
  • Product recalls of AI-powered goods and services
  • Prohibition on future EU market placement
  • Public notification of violations causing reputational damage
  • Loss of EU market access and supply chain disruption
  • Competitive disadvantage against compliant businesses

The nine high-risk system requirements.

If you deploy high-risk AI with EU exposure, these are the core compliance requirements you must meet by August 2026.

  1. Risk management system

     A continuous risk management process across the AI lifecycle. Identify, assess, evaluate, and mitigate risks. Updated as the system evolves.

  2. Data governance

     Training, validation, and testing data must be relevant, representative, and as error-free as possible. Document lineage, provenance, and bias mitigation.

  3. Technical documentation

     Detailed records per Annex IV covering architecture, algorithms, training data, testing results, intended purpose, and limitations. Retain for at least 10 years.

  4. Record keeping and logging

     Automatic logging of events during system operation to enable traceability. Records retained for at least 10 years and available for regulatory review.

  5. Transparency requirements

     Clear instructions for deployers covering capabilities, limitations, known risks, and intended use. Users informed when interacting with AI.

  6. Human oversight

     Mechanisms enabling human intervention, control, and the ability to override AI decisions. Trained overseers can interpret outputs and stop operations.

  7. Accuracy, robustness, cybersecurity

     Consistent performance under expected conditions. Resilience against errors, faults, and adversarial attacks. Cybersecurity protections proportionate to risk.

  8. Conformity assessment and CE marking

     Complete conformity assessments before EU market entry. Some categories require Notified Body assessment. Results in Declaration of Conformity and CE marking.

  9. Fundamental rights impact assessment

     Deployers of high-risk AI must conduct fundamental rights impact assessments before deployment, evaluating effects on fundamental rights of EU individuals.

Australia vs EU. Where Australian businesses stand.

Australia has no dedicated AI legislation. The government considered mandatory guardrails in 2024 but paused that work, instead releasing voluntary guidance. Australian organisations rely on the Privacy Act, consumer law, anti-discrimination law, and voluntary frameworks like the Voluntary AI Safety Standard.

For businesses operating in both markets, the EU AI Act becomes the de facto standard. Companies that design AI governance to EU requirements will be compliant everywhere, while gaining a competitive advantage through demonstrable responsible AI practices.

Aligning your governance to ISO 42001 provides a strong foundation for both EU AI Act compliance and Australian regulatory expectations.

Area                     EU                                              Australia
Legal status             Mandatory with penalties                        Voluntary guidelines
Risk classification      Four defined categories                         General high-risk concept only
Conformity assessment    Required for high-risk AI, CE marking           Not required
Registration             Database registration mandatory                 No registration system
Penalties                Up to EUR 35M or 7% global turnover             Existing-law penalties only
Prohibited practices     Explicit list of banned AI uses                 No explicit prohibitions
GPAI provisions          Specific transparency and risk obligations      Not specifically addressed

August 2026 is closer than it looks.

Initial assessment takes 4 to 8 weeks. Full compliance implementation for high-risk systems typically runs 6 to 12 months including technical documentation, risk management, and conformity assessment prep. Earlier starts mean fewer business disruptions.
