Week 11 of 12 · Part C — Governance

The EU AI Act's Risk Tiers

The world's first comprehensive AI law, organized by one simple idea: regulate by risk, not by technology

Day 51 of 60 · ~60 minutes · Concept

One idea organizes the whole law

The EU AI Act is long and technical, but its architecture rests on a single move: it regulates AI systems by the risk of their use, not by the technology inside them. The same model can be unregulated in one context and tightly controlled in another, depending on what it's used for and who it affects. That risk-based design is the thing to understand; the clauses are downstream of it.

The thesis

The Act sorts AI uses into four tiers of increasing obligation. As risk to people's safety and rights rises, so does the burden of proof on whoever deploys the system. Your job as a practitioner isn't to recite the statute — it's to look at a deployment and say, credibly, which tier this is likely to fall into and what that implies.

Be careful with specifics

Describe the shape of the law confidently, but treat any specific date, transition deadline, or penalty figure as something to verify — not assert. These have moved through the legislative process and are still phasing in. Always check a precise number against the official European Commission or EUR-Lex text before you quote it in writing or an interview.

The four risk tiers (Core Theory)

1 · Unacceptable risk — prohibited

A small set of uses considered a clear threat to people's safety, livelihoods, and rights are banned outright. Think of practices the law treats as incompatible with EU fundamental rights. The obligation here is simple: don't do it.

2 · High-risk — permitted, but heavily regulated

Uses in sensitive domains (for example, areas touching safety, access to essential services, employment, or justice). These are allowed but carry the heaviest compliance load: a risk-management system, data governance, technical documentation, human oversight, accuracy, robustness and cybersecurity requirements, and post-market monitoring. This tier is where most real governance work lives.

3 · Limited / transparency risk

Uses where the main concern is that people should know they're interacting with or seeing AI — disclosure obligations (e.g., that content is AI-generated or that you're talking to a system). Lighter than high-risk, but not nothing: the duty is honesty about the AI's presence.

4 · Minimal risk — largely unregulated

The vast majority of AI uses fall here and face no new obligations under the Act. Voluntary codes of conduct are encouraged, but the law doesn't impose specific requirements.

Notice the gradient: the law spends almost all of its weight on the high-risk tier, because that's where capable systems meet consequential decisions about real people. The other tiers exist mostly to define what is not high-risk.

Why a practitioner cares about tiers

The tier a system lands in determines what evidence its operators must be able to produce. "Is this allowed?" becomes "which tier, and can we show the controls that tier demands?" That reframing — from permission to demonstrable compliance — is the bridge from the technical safety work you've done throughout this course to the governance world you're entering now.

What this means for you

You don't need every clause memorized. You need to look at a deployment and reason: is this a prohibited use? Does it touch a high-risk domain? If so, the obligations on Day 53 are exactly what someone will ask you to evidence. Tiering is triage — the same instinct you built in Week 1, now applied to law.

Your work today

Browse the Tiers at the Source

~60-minute foundation

  1. Browse the official EU AI Act — Regulatory Framework (European Commission). Read how it describes each of the four tiers and the obligations attached to high-risk systems.
  2. Pick a real system you know (a hiring tool, a chatbot, a recommendation engine) and write down which tier you think it falls into — and what would change if you altered its use case.
  3. For one specific claim you're tempted to make (a date, a deadline, a fine), note that it must be verified against the official Commission/EUR-Lex text before you'd ever state it as settled.

The full curated, verified resource list for this week is at the bottom of the page — start with the one marked Start here.

The expert move

An enthusiast says "the EU is regulating AI." An expert immediately asks: which risk tier does this specific use fall into, and what obligations does that trigger? The altitude jump is from treating regulation as a vibe to treating it as a classification problem with concrete consequences — and being scrupulous about not asserting a date or penalty you haven't verified at the source.

Say this in an interview: "The EU AI Act is risk-based — it sorts uses into prohibited, high-risk, transparency, and minimal tiers, and the obligations scale with risk. I reason about which tier a deployment lands in and what evidence that demands. And I'm careful: for any specific date or penalty I go to the official Commission or EUR-Lex text rather than trusting a number from memory."

Today's Takeaways