
EU AI Act: the first comprehensive AI regulation

This article frames the regulation factually and is not a substitute for legal advice in an individual case. Whether and how the EU AI Act covers a specific application depends on the specific circumstances and must be checked against the text of the Regulation and, where appropriate, with professional advice.

Regulation (EU) 2024/1689 (the "EU AI Act") is the first comprehensive legal framework for artificial intelligence. It takes a risk-based approach. The higher an AI system's risk to health, safety and fundamental rights, the stricter its obligations. It entered into force on 1 August 2024 and, through its extraterritorial scope, also applies to Swiss providers and deployers whose AI output is used in the EU.


Scope: who is covered

The AI Act does not address "companies" in the abstract; it defines roles along the AI value chain. Obligations attach to the role an actor takes with respect to a specific AI system:

  • Provider: develops an AI system or a GPAI model (or has one developed) and places it on the market or puts it into service under its own name. Carries the bulk of the obligations.
  • Deployer: uses an AI system under its own authority in a professional context (not purely personal use).
  • Importer and distributor: bring an AI system from a third country into the EU, or make it available on the market.

What counts is the actual function, not the corporate label. Anyone who substantially modifies a bought-in system or distributes it further under their own name can themselves become a provider (Art. 25).

Extraterritorial reach (Art. 2)

The AI Act is EU law, but its scope does not stop at the EU's external border. Under Art. 2(1) the Regulation covers, among others:

  • providers placing an AI system on the market or putting it into service in the EU, irrespective of whether they are established in the EU or in a third country;
  • providers and deployers established in a third country where the output produced by the AI system is used in the EU (the so-called output-in-the-EU trigger).

This is the decisive mechanism for readers outside the EU. What can bring a system within scope is not the provider's location but the place where its output takes effect.

Relevance to Switzerland (as of 2026)

For Swiss actors this produces a dual situation, stated here factually (not as advice):

  • EU law reaches in. If a Swiss provider or deployer uses AI such that the output is used in the EU (for example for customers in the EU), the conditions of Art. 2 may be met. Whether that is the case in a given instance depends on the specific circumstances. This page only states the conditions; it makes no finding about any particular company.
  • Switzerland has (as of 2026) no AI-Act equivalent in force. On 12 February 2025 the Federal Council decided to ratify the Council of Europe Framework Convention on AI (on AI and human rights, democracy and the rule of law) and to amend existing sectoral law rather than create a horizontal cross-sector regulation along EU lines. Switzerland signed the convention on 27 March 2025; a consultation draft is to be prepared by the end of 2026 (www.admin.ch/gov/en/start/documentation/media-releases.msg-id-104110.html).
  • Data protection applies in parallel. Where an AI system processes personal data, the revised Swiss Data Protection Act (nDSG/nFADP) applies independently of the AI Act. The two regimes overlap; they do not replace one another. Anyone who also passes data to US providers meets a second legal layer, described under the US Cloud Act.

A practical aside: third-country actors that fall within EU scope will recognise the concept of an EU representative from the GDPR (Art. 27 GDPR). For affected third-country providers, the AI Act provides a comparable duty in Art. 22 to appoint an authorised representative in the EU.


The four risk classes

The AI Act sorts AI systems into four tiers by risk. The tier determines the obligations:

  • Unacceptable risk, prohibited (Art. 5). Certain practices are banned in the EU, such as social scoring by authorities, manipulative exploitation of vulnerabilities, or untargeted scraping of facial images for facial-recognition databases. These systems may not be used.
  • High risk (Art. 6 + Annex III). AI in sensitive fields, for example employment and recruitment, creditworthiness assessment, access to education, critical infrastructure, biometric identification, law enforcement. Permitted, but bound to extensive obligations.
  • Limited risk, transparency (Art. 50). Systems that interact with people (chatbots) or generate or manipulate content (generative AI, deepfakes). Permitted, but with labelling and disclosure obligations. This is exactly where a RAG architecture with source attribution fits in, binding AI answers traceably to their sources.
  • Minimal risk. All remaining systems, for example spam filters or AI in video games. No specific obligations under the AI Act; voluntary codes of conduct are encouraged.

Which class applies to a given system can be determined along a decision sequence:

flowchart TD
    A["AI system in use<br/>or planned"] --> B{"Prohibited practice?<br/>(Art. 5)"}
    B -- "Yes" --> V["Unacceptable risk:<br/>prohibited"]
    B -- "No" --> C{"High-risk?<br/>(Art. 6, Annex III)"}
    C -- "Yes" --> H["High-risk:<br/>full obligations"]
    C -- "No" --> D{"Transparency duty?<br/>(Art. 50)"}
    D -- "Yes" --> L["Limited risk:<br/>labelling"]
    D -- "No" --> M["Minimal risk:<br/>no requirements"]

The decision tree mirrors the order of assessment: first the prohibition (Art. 5), then the high-risk classification (Art. 6 + Annex III), then the transparency cases (Art. 50); whatever remains carries no specific obligations. The order is a reading aid, not a substitute for checking against the text of the Regulation.


Obligations per class

  • Unacceptable (Art. 5)
    • Core obligation under the Regulation: Prohibition: the system may not be placed on the market or used.
  • High (Art. 8 et seq., Annex III)
    • Core obligation under the Regulation: Risk-management system, data governance, technical documentation, logging, transparency towards deployers, human oversight, accuracy/robustness/cybersecurity; conformity assessment and EU-database registration before placing on the market.
  • Limited (Art. 50)
    • Core obligation under the Regulation: Transparency obligations: disclose that one is interacting with an AI; machine-readable marking of AI-generated content; labelling of deepfakes.
  • Minimal
    • Core obligation under the Regulation: No specific obligations; voluntary codes of conduct (Art. 95).

To anchor these obligations as checkable rules in operations rather than as a one-off project, the method is described under Compliance as Code. The organisational framework for security and evidence-keeping is described by the ISO 27001 standard.

GPAI as a cross-cutting layer (Art. 51 et seq.)

Cutting across the four classes are general-purpose AI models (GPAI), large foundation models used for many purposes. Their providers carry their own obligations (Art. 53 et seq.):

  • technical documentation and information for downstream providers;
  • a publicly available summary of the training data, plus a policy to comply with EU copyright law.

This is tightened for GPAI models with systemic risk. Under Art. 51, systemic risk is presumed where the cumulative compute used for training exceeds 10^25 FLOP. Such models are additionally subject to model evaluation, risk mitigation, serious-incident reporting and cybersecurity (Art. 55). As an implementation aid, the EU AI Office published the voluntary GPAI Code of Practice (chapters on transparency, copyright, safety) on 10 July 2025; signing it establishes a presumption of compliance but does not replace the obligations.


Timeline / phase-in (Art. 113)

The Regulation does not apply all at once but in stages. The dates follow from Art. 113:

timeline
    title EU AI Act phase-in (Art. 113)
    2024-08: In force
    2025-02: Prohibitions + AI literacy
    2025-08: GPAI obligations
    2026-08: Main application + high-risk
    2027-08: High-risk (Annex I)

The timeline shows: prohibitions and the AI-literacy duty have applied since 2 February 2025, the GPAI obligations since 2 August 2025, the bulk of the Regulation (including the high-risk applications under Annex III) from 2 August 2026; the obligations for high-risk systems that are safety components of regulated products (Annex I) follow from 2 August 2027.


What a Swiss SME / agency concretely has to do

The following steps summarise what the Regulation factually requires of affected actors. They are descriptive, not advice for any individual case:

  1. Build an AI inventory. Capture all AI applications in use and planned, expressly including shadow IT (bought-in SaaS tools, embedded AI features).
  2. Determine role and risk class per application. For each system, clarify whether the organisation acts as a provider or a deployer and into which of the four classes it falls (see the decision tree).
  3. For high-risk: meet the obligations from Art. 8 et seq., that is, risk management, technical documentation, human oversight and conformity assessment. Explainability (XAI) is one means of meeting the transparency and oversight obligations.
  4. For generative AI / chatbots: implement the transparency and labelling obligations under Art. 50 (disclose the AI interaction, mark AI-generated content).
  5. Ensure AI literacy in the team. Since February 2025, Art. 4 requires a sufficient level of AI literacy among the people operating AI systems.

These steps align with the AI-governance practice described on the Compliance page; the provider obligations mainly concern those who build AI themselves.


Open points

  • Under a simplifying EU "AI Omnibus" initiative, adjustments to individual deadlines are (as of 2026) under discussion; verify against the current state of the Regulation before any binding use.
  • Switzerland's implementation of the Council of Europe convention is in progress (consultation announced for the end of 2026); the Switzerland section is dated to that state.
