What Is the EU AI Act?
The EU AI Act, passed by the European Union (EU) in 2024, is the world's first comprehensive AI law, regulating artificial intelligence according to its level of risk. At its core, the law takes a risk-based approach: it sorts AI systems into four tiers and imposes stricter obligations the greater the risk. It applies to any operator that places AI on the market or uses it within the EU, and even companies based outside the EU are regulated if they offer AI products or services to the EU market. As of 2026, the EU AI Act's obligations are taking effect in phases by tier, making it a pressing compliance challenge for global companies, including those in Korea.
Key Provisions of the EU AI Act
The heart of the EU AI Act is a risk-based approach that classifies AI by level of risk and regulates each tier differently. Passed in 2024, the law does not ban AI itself; instead, it imposes obligations in proportion to the risk that an AI system poses to people's safety and fundamental rights. Systems posing the greatest risk are banned outright, high-risk systems carry strict pre- and post-market obligations, and low-risk systems are subject to only minimal transparency requirements.
The law's main pillars are as follows.
- A four-tier risk classification: unacceptable, high, limited, and minimal
- Strict obligations for high-risk AI, covering risk management, data quality, documentation, and human oversight
- Transparency obligations for limited-risk AI (such as chatbots) — namely, informing users that they are interacting with AI
- Broad extraterritorial scope that also applies to non-EU companies placing products on the EU market
AI Risk Classification Tiers
The EU AI Act classifies AI systems into four tiers according to their level of risk. The criterion for classification is the magnitude of potential harm an AI poses to people's safety and rights, and the higher the tier, the stronger the regulation. A defining feature of this classification scheme, finalized in 2024, is that the same technology can fall into a different tier depending on where and how it is used.
| Risk Tier | Meaning | Regulatory Intensity |
|---|---|---|
| Unacceptable | Uses that seriously infringe fundamental rights | Banned in principle |
| High | AI used in critical domains such as hiring, education, and healthcare | Strict pre- and post-market obligations |
| Limited | Direct interaction with users, such as chatbots | Transparency disclosure obligations |
| Minimal | Most AI, such as spam filters and games | Few or no specific obligations |
As the table shows, the regulatory burden is concentrated at the high-risk tier and above, while the majority of AI on the market today falls under minimal risk.
What Companies Need to Prepare
The first thing companies need to do is determine which risk tier their AI falls into. As of 2026, with the EU AI Act's obligations taking effect in phases, any company with a connection to the EU market should begin with tier assessment and documentation. The recommended preparation sequence is as follows.
- Inventory your AI systems and classify the risk tier of each.
- If a system is high-risk, build out a risk-management framework, data governance, and technical documentation.
- For limited-risk AI such as chatbots, apply transparency disclosures that inform users they are interacting with AI.
- Establish human-oversight procedures and processes for responding to incidents and errors.
- Designate internal compliance owners and review cycles aligned with the enforcement timeline.
EU AI Act Enforcement Timeline
The EU AI Act does not take full effect all at once; it is enforced in phases, obligation by obligation. After the law entered into force in 2024, the rules on banned AI applied first, with the remaining provisions — such as obligations for high-risk systems — taking effect in sequence. Even as of 2026, some obligations are already in force while others are still set to take effect in later phases, so companies must individually verify the effective dates of the provisions that apply to them.
The general flow of phased enforcement is as follows.
- Immediately after entry into force: rules on the unacceptable (banned) tier apply first
- Intermediate phase: transparency and documentation obligations apply to general-purpose AI models and the like
- Later phase: strict obligations for high-risk systems come into full effect
Impact on Korean Companies
Korean companies are also subject to the EU AI Act if they offer AI products or services to the EU market. The Act applies based on whether the AI is used in the EU market, not on where the operator is located, so even a company headquartered in Korea falls under its obligations if it serves EU customers. As of 2026, Korean IT, manufacturing, and platform companies that have entered or plan to enter the EU would be wise to assess their AI's risk tier and the resulting obligations in advance.
In particular, the following impacts are expected.
- Increased burden of tier classification and technical documentation for AI products exported to the EU
- Additional compliance costs, such as certification and documentation, if a system is classified as high-risk
- The spread of EU AI regulation as a global standard, following the precedent of GDPR, which will also influence the shaping of domestic regulation