EU regulation classifying AI systems by risk level and imposing obligations accordingly. In force since August 2024, with obligations phasing in through 2026 and 2027. Stacks on top of GDPR rather than replacing it.
The EU AI Act takes a risk-based approach: systems are classified as prohibited, high-risk, limited-risk, or minimal-risk, with obligations scaling accordingly. Most UX research uses AI in limited-risk or minimal-risk modes, but research that feeds into high-risk decisions (hiring, credit, biometrics, education access) can pull a project into the high-risk category.
Three things matter for tool evaluation. First, transparency: AI-generated content that could be mistaken for human-produced needs to be labelled. Second, documentation: high-risk uses require logging of model versions, inputs, and outputs. Third, deployer obligations: the organisation using the AI bears responsibility, not just the vendor.
The Act does not replace GDPR. They stack. A research workflow can be GDPR-compliant and AI Act non-compliant, or the reverse. Vendors that talk about one but not the other have done half the homework.