EU AI Act for Belgian Businesses: Obligations & 2026 Deadlines

8 June 2026 · 10 min read · Caner Korkut

The EU AI Act (Regulation (EU) 2024/1689) is the world’s first comprehensive law on artificial intelligence. It entered into force on 1 August 2024 and applies in phases through August 2027. Because it is a regulation, it applies directly in Belgium — there is no national transposition to wait for, and it binds any organisation that develops, sells, imports or simply uses AI systems on the EU market, regardless of where the provider is established.

TL;DR — the EU AI Act in 6 points

  • A risk-based law: obligations scale with the risk tier of the AI system.
  • Four tiers: unacceptable (banned), high-risk, limited (transparency), minimal.
  • It applies to providers and deployers — using a third-party AI tool still creates obligations.
  • Key dates: 2 Feb 2025 (bans + AI literacy), 2 Aug 2025 (general-purpose AI), 2 Aug 2026 (high-risk).
  • Fines reach €35M or 7% of global annual turnover — higher than the GDPR.
  • Belgium designates national authorities; the obligation to ensure AI literacy already applies.

What the AI Act regulates — and who it binds

The AI Act does not regulate “AI” in the abstract. It regulates AI systems and general-purpose AI models placed on the EU market or whose output is used in the EU. The obligations attach to roles, not just technologies. The two roles that matter most for a typical Belgian business are:

  • Provider — you develop an AI system (or have one developed) and place it on the market under your own name or brand.
  • Deployer — you use an AI system under your authority in a professional context. Most Belgian SMEs are deployers (for example, using an AI hiring tool, a credit-scoring model or a customer-service assistant).

Importers and distributors carry obligations too, but provider and deployer are the roles that decide whether you face the heavy high-risk regime or the lighter transparency duties.

The four risk tiers

Everything in the AI Act flows from classification. Before you write a single compliance document, you need to know which tier your system falls into. Our companion guide, AI Act risk classification, walks through the decision step by step; here is the overview.

| Tier | What it covers | Core duty |
| --- | --- | --- |
| Unacceptable | Practices banned under Art. 5 (e.g. social scoring, manipulative or exploitative systems, most real-time remote biometric identification in public spaces). | Prohibited — do not deploy. |
| High-risk | Systems in Annex III areas (employment, education, essential services, law enforcement, critical infrastructure…) and safety components of regulated products. | Full conformity regime: risk management, data governance, logging, human oversight, registration. |
| Limited | Systems that interact with people or generate content (chatbots, deepfakes, AI-generated media). | Transparency: tell people they are dealing with AI; label AI-generated content. |
| Minimal | Everything else (spam filters, recommendation engines, most productivity tools). | No mandatory obligations; voluntary codes encouraged. |

The compliance timeline

The AI Act is not a single deadline but a staircase. Mark these dates — they determine what you must have ready and when.

| Date | What becomes applicable |
| --- | --- |
| 2 Feb 2025 | Prohibited practices (Art. 5) and the AI literacy obligation (Art. 4) — staff using AI must have adequate understanding of it. |
| 2 Aug 2025 | Obligations for general-purpose AI (GPAI) models, governance bodies, and the penalties framework. |
| 2 Aug 2026 | The bulk of the high-risk obligations (Annex III systems) become enforceable. |
| 2 Aug 2027 | High-risk obligations for AI as a safety component of regulated products, and full compliance for GPAI models already on the market before Aug 2025. |

What high-risk providers and deployers must actually do

If your system is high-risk, the obligations are substantial. Providers must establish a risk-management system across the lifecycle, apply data-governance practices to training and testing data, maintain technical documentation and automatic logging, design for human oversight, hit accuracy/robustness/cybersecurity targets, run a conformity assessment, affix CE marking and register the system in the EU database. Deployers have a lighter but real set of duties: use the system per instructions, ensure human oversight, monitor operation, keep logs, and — for many public-interest uses — run a fundamental rights impact assessment. Where personal data is involved, this dovetails with your GDPR duties; see GDPR & AI in Belgium.

General-purpose AI (GPAI)

If you build on a foundation model — or provide one — the GPAI rules (applicable since 2 August 2025) require technical documentation, a public summary of training content using the Commission’s template, and measures to respect EU copyright law. Models posing “systemic risk” carry additional obligations. Most Belgian businesses consume GPAI rather than provide it, but if you fine-tune or rebrand a model you may inherit provider duties — check before assuming you are only a deployer.

Penalties

Enforcement has teeth. Breaching the prohibited-practices rules can cost up to €35 million or 7% of total worldwide annual turnover, whichever is higher. Other breaches of obligations and the supply of incorrect information to authorities carry lower (but still significant) caps. The headline ceiling already exceeds the GDPR’s €20M / 4%.

How to prepare — a pragmatic first 90 days

  1. Inventory your AI. List every AI system you provide or deploy, including embedded vendor features. You cannot classify what you have not mapped.
  2. Classify each one by risk tier — this drives everything that follows.
  3. Close the AI-literacy gap. It already applies: give staff role-appropriate training and record it.
  4. Check for banned uses and stop them now — the prohibitions are already in force.
  5. Build a governance baseline: ownership, documentation, human-oversight design, and a link to your existing GDPR and information-security programmes.

The AI Act rewards organisations that already run a disciplined compliance function. If you have an ISO 27001 or NIS2 programme, much of the governance scaffolding — risk management, documentation, oversight — can be extended to AI rather than rebuilt. The capstone of this series, deploying AI in the EU, shows how the AI Act, GDPR, NIS2 and DORA fit together across the AI lifecycle.

This article is general information, not legal advice. For decisions with real exposure — classifying a system, scoping high-risk obligations — validate with a qualified adviser. ICTLAB helps Belgian organisations operationalise AI governance alongside their security programme; talk to our team.
