TL;DR

  • The EU AI Act entered into force on 1 August 2024 [1] — prohibited AI practices have been banned since February 2025, high-risk system rules land August 2026.
  • If you serve EU customers from Australia, the Act applies to you — the same extraterritorial logic as GDPR [2].
  • Risk classifications range from outright banned to minimal. AI used for hiring decisions or creditworthiness assessment sits in the high-risk tier under Annex III; customer-service chatbots usually fall under the lighter Article 50 transparency obligations instead [3].
  • lilMONSTER offers ISO 42001 compliance reviews [4] and GetReady-Comply automation to get Australian businesses audit-ready before enforcement tightens.

The EU AI Act (Regulation 2024/1689) officially entered into force on 1 August 2024 [1]. The first real enforcement deadlines have already passed, and more are rolling through 2025 and 2026. If your business touches European customers, even from a Sydney or Melbourne office, this law applies to you.

Let's break down what's actually happening, what you need to do, and why waiting is the wrong call.


What Is the EU AI Act and When Does It Apply?

The EU Artificial Intelligence Act (Regulation 2024/1689) is the world's first comprehensive legal framework for AI systems [1]. According to the European Parliament, the Act aims to ensure AI in the EU is "safe, transparent, traceable, non-discriminatory, and environmentally friendly" [5]. It passed in May 2024 and entered into force on 1 August 2024.

The Act applies to providers who place AI systems on the EU market or put them into service there (wherever the provider is established), to deployers established within the EU, and, critically, to providers and deployers located outside the EU where the output produced by their AI systems is used inside the EU [2]. This extraterritorial scope is the explicit design of the regulation, not a technicality.

The Organisation for Economic Co-operation and Development (OECD) AI Policy Observatory, which tracks AI legislation globally, identifies the EU AI Act as the most comprehensive binding AI regulation in force as of 2025 [6].


The EU AI Act Timeline: What's Already Enforced, What's Coming

The Act rolls out in four phases. Knowing where each deadline sits is the starting point for any compliance plan [1], [9].

February 2025 — Prohibited AI Practices Banned The six-month grace period ended on 2 February 2025, when the Article 5 prohibitions began to apply. From that date, AI that manipulates people through subliminal or deceptive techniques, exploits the vulnerabilities of specific groups, performs social scoring (by public or private actors), or carries out real-time remote biometric identification in publicly accessible spaces for law enforcement (outside narrow exceptions) is illegal throughout the EU. Article 5 also bans untargeted scraping of facial images to build recognition databases, emotion recognition in workplaces and schools, and biometric categorisation that infers sensitive attributes such as race or political opinions [3].

August 2025 — General-Purpose AI Model Rules (GPAI) Rules for general-purpose AI model providers came into force on 2 August 2025 [1]. This covers providers of large foundation models integrated into downstream products. GPAI providers must maintain technical documentation, give downstream providers the information they need to integrate the model, put in place a policy to comply with EU copyright law, and publish a summary of the content used for training. Models designated as posing systemic risk face additional obligations under Article 55, including model evaluation with adversarial testing, systemic-risk assessment, serious-incident reporting, and an adequate level of cybersecurity protection for the model and its infrastructure [3].

August 2026 — High-Risk AI System Requirements The core compliance wave: from 2 August 2026 the bulk of the Act applies, including the Annex III high-risk obligations and the Article 50 transparency rules. Providers of high-risk systems in employment, credit, education, critical infrastructure, essential services (including access to healthcare) and law-enforcement-adjacent uses must have conformity assessments, technical documentation, automatic logging, human-oversight design and EU database registration in place. Deployers, meaning the businesses actually using such a tool, have their own duties under Article 26: use the system according to the provider's instructions, assign human oversight to competent people, monitor its operation, retain the logs it generates, and inform affected workers before putting it into use [3].

August 2027 — Product-Embedded High-Risk Systems High-risk systems that are safety components of products covered by existing EU product legislation listed in Annex I (medical devices, machinery, toys, vehicles and similar) get a further year, to 2 August 2027 [1]. There is no blanket grace year for legacy systems: a high-risk system already on the market before 2 August 2026 is caught only if its design is significantly changed after that date (Article 111(2)), so "we deployed it early" is not a plan.

Related: Why Your Business Needs an AI Governance Framework Before It's Too Late


Does the EU AI Act Apply to Australian Businesses?

Yes — if your AI system is used by people in the EU, the Act applies regardless of where your business is registered.

Article 2 of Regulation 2024/1689 applies the Act to providers placing AI systems on the EU market "irrespective of whether those providers are established or located within the Union or in a third country", and to providers and deployers "that have their place of establishment or are located in a third country, where the output produced by the AI system is used in the Union" [2]. An Australian SaaS company with European customers, an Australian business using AI-powered HR tools on EU-based employees, or an Australian platform accessed by EU users is in scope.

This mirrors the territorial logic of GDPR (Regulation 2016/679), whose Article 3(2) makes Australian businesses that offer goods or services to, or monitor the behaviour of, people in the EU subject to European data protection law regardless of where they are registered [7]. The EU AI Act follows the same architecture.

Gartner has predicted that by 2025 around 75% of the world's population will have personal data covered under modern privacy regulations [8]. The EU AI Act extends the same extraterritorial pattern from personal data to AI systems.


EU AI Act Risk Classifications Explained

What Is Unacceptable Risk Under the EU AI Act?

Unacceptable risk AI systems are prohibited outright under Article 5 of Regulation 2024/1689 [3]. These include AI that uses subliminal or deceptive techniques to distort behaviour, systems that exploit the vulnerabilities of specific groups (age, disability, social or economic situation), social scoring systems that rate people on their social behaviour or personal traits (whether run by governments or private companies), real-time remote biometric identification in publicly accessible spaces for law enforcement (outside narrow exceptions), untargeted scraping of facial images from the internet or CCTV, emotion recognition in workplaces and education, and biometric categorisation that infers sensitive attributes. These have been banned since 2 February 2025.

What Is a High-Risk AI System?

High-risk AI systems are listed in Annex III of Regulation 2024/1689 [3]. They cover: biometrics (remote identification, biometric categorisation, emotion recognition), management of critical infrastructure, education and vocational training, employment and HR management (including CV screening, hiring decisions, task allocation and performance monitoring), access to essential private and public services (credit scoring, life and health insurance pricing, public benefits), law enforcement, migration and border management, and administration of justice and democratic processes. Separately, AI that is a safety component of a product regulated under the Annex I EU product legislation (medical devices, machinery, vehicles) is high-risk under Article 6(1).

Providers of high-risk AI systems must implement a risk management system (Article 9), apply data governance to training, validation and test data (Article 10), maintain comprehensive technical documentation (Article 11), build in automatic event logging for traceability (Article 12), design for effective human oversight (Article 14), achieve appropriate accuracy, robustness and cybersecurity (Article 15), and register the system in the EU database before placing it on the market (Article 49) [3]. Article 15 is the part a security team should read first: it explicitly requires measures to prevent, detect and respond to data poisoning, model poisoning, adversarial examples and model evasion, and confidentiality attacks, so an adversarial-ML test plan becomes compliance evidence rather than just good practice. Deployers have a lighter set of duties under Article 26, covering use per the provider's instructions, competent human oversight, monitoring and log retention.

What Is Limited Risk Under the EU AI Act?

Limited risk covers AI systems whose main hazard is that people don't know they are dealing with AI: chatbots, emotion recognition and biometric categorisation systems, and AI-generated or manipulated content. The core obligation under Article 50 is transparency: users must be told they are interacting with an AI system unless that is obvious, deepfakes must be disclosed as artificially generated or manipulated, and providers of generative systems must mark their output as AI-generated in a machine-readable form [3]. These obligations apply from 2 August 2026. The requirement is relatively light-touch but non-negotiable.

What Counts as Minimal Risk?

Spam filters, AI-powered recommendation engines, and AI in video games sit at minimal risk. No specific obligations beyond existing consumer protection and product safety law apply [3].

Related: On-Device AI — Why the Future of Business AI Doesn't Need the Cloud


How ISO 42001 Maps to EU AI Act Compliance

ISO/IEC 42001:2023 is the international standard for AI management systems, published by the International Organization for Standardization [4]. According to the ISO, 42001 specifies requirements for "establishing, implementing, maintaining, and continually improving an AI management system within an organisation," covering governance, risk management, impact assessments, and the responsibilities of AI providers and operators.

The overlap with EU AI Act requirements is substantial. Both frameworks require documented risk assessments, data governance processes, defined roles and responsibilities for AI oversight, mechanisms for human control, and ongoing monitoring of AI system performance. ISO 42001 is designed to be compatible with ISO 27001 (information security) and ISO 9001 (quality management), allowing integration into existing management structures [4].

The OECD AI Principles, first adopted by 42 countries in 2019 and joined by further adherents since, provide the normative foundation that both ISO 42001 and the EU AI Act draw from [6]. The practical caveat: an ISO 42001 certificate is not a conformity assessment. Under Article 40 of the Act, presumption of conformity attaches to harmonised European standards published in the Official Journal, not to ISO certification. Treat 42001 as the governance scaffolding that makes the Act's evidence easy to produce, not as a substitute for the Act's own requirements.


Penalties for Non-Compliance With the EU AI Act

The EU AI Act penalty structure is tiered by violation severity under Article 99 [3]. Breaching the Article 5 prohibitions carries fines up to €35 million or 7% of total worldwide annual turnover, whichever is higher. Breaching most other obligations (for providers, deployers, importers, distributors and notified bodies) carries fines up to €15 million or 3%. Supplying incorrect, incomplete or misleading information to authorities carries fines up to €7.5 million or 1%. For SMEs, including start-ups, the cap is whichever of the two figures is lower (Article 99(6)). Fines for general-purpose AI model providers are set separately in Article 101, at up to €15 million or 3%.


How lilMONSTER Helps Australian Businesses With EU AI Act Compliance

ISO 42001 Compliance Reviews — We assess your current AI usage against the ISO 42001 standard [4]: identifying governance gaps, missing documentation, and absent risk management processes. The output is a prioritised compliance roadmap covering both ISO 42001 certification and EU AI Act readiness.

GetReady-Comply — Our GRC automation tool consolidates compliance workflows. Track AI systems in use, document risk assessments, manage evidence, assign oversight responsibilities, and stay audit-ready without spreadsheet sprawl. Built for businesses that need compliance infrastructure without an in-house legal and governance team.


FAQ: EU AI Act for Australian Businesses

Does the EU AI Act apply to my Australian business if I don't have a European office? Yes. Article 2 of Regulation 2024/1689 applies the Act to any business whose AI system outputs are used by people in the EU [2]. If EU-based customers, employees, or users interact with your AI system, you are in scope regardless of where your company is registered.

When do high-risk AI system requirements come into force? Annex III high-risk requirements take effect from 2 August 2026; high-risk systems embedded in products regulated under Annex I follow on 2 August 2027 [1]. A system already on the market before 2 August 2026 is only pulled into scope if its design is significantly changed after that date (Article 111(2)).

What counts as a high-risk AI system under the EU AI Act? Annex III of Regulation 2024/1689 lists the high-risk categories: biometrics, critical infrastructure, education, employment, access to essential services (credit scoring, insurance, public benefits including healthcare), law enforcement, migration, and administration of justice and democratic processes [3]. Safety components of products regulated under Annex I are high-risk as well.

What's the difference between ISO 42001 and EU AI Act compliance? ISO/IEC 42001:2023 is a voluntary international standard for AI management systems [4]. EU AI Act compliance is a legal obligation for businesses whose AI systems are used in the EU. The two overlap significantly: ISO 42001 provides most of the governance infrastructure the Act requires, but certification does not by itself demonstrate conformity. Providers of high-risk systems still need the Article 43 conformity assessment and the technical documentation behind it.

What are the fines for violating the EU AI Act? Fines range from up to €7.5 million or 1% of global turnover for supplying incorrect information to authorities, through up to €15 million or 3% for most other breaches, to up to €35 million or 7% for prohibited AI practices, in each case whichever is higher (or lower, for SMEs), per Article 99 [3].


References

[1] European Union, "Regulation (EU) 2024/1689 of the European Parliament and of the Council — Artificial Intelligence Act," Official Journal of the European Union, vol. OJ L, Jul. 2024. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689

[2] European Union, "Regulation (EU) 2024/1689, Article 2 — Scope," Official Journal of the European Union, Jul. 2024. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689#d1e1487-1-1

[3] European Union, "Regulation (EU) 2024/1689, Articles 5, 50, 99 and Annex III — Prohibited Practices, Transparency, Penalties and High-Risk Categories," Official Journal of the European Union, Jul. 2024. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689

[4] International Organization for Standardization, "ISO/IEC 42001:2023 — Information Technology — Artificial Intelligence — Management System," ISO, Geneva, Switzerland, 2023. [Online]. Available: https://www.iso.org/standard/81230.html

[5] European Parliament, "EU AI Act: First Regulation on Artificial Intelligence," European Parliament News, Jun. 2023. [Online]. Available: https://www.europarl.europa.eu/topics/en/article/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence

[6] Organisation for Economic Co-operation and Development, "OECD AI Principles," OECD.AI Policy Observatory, 2019, updated 2024. [Online]. Available: https://oecd.ai/en/ai-principles

[7] European Union, "Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR), Article 3 — Territorial Scope," Official Journal of the European Union, Apr. 2016. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

[8] Gartner, "Gartner Predicts 75 Percent of the World's Population Will Have Its Personal Data Covered Under Modern Privacy Regulations by 2025," Gartner Press Release, Jun. 2020. [Online]. Available: https://www.gartner.com/en/newsroom/press-releases/2020-09-14-gartner-says-by-2023--65--of-the-world-s-population-w

[9] Future of Life Institute, "EU AI Act Implementation Timeline," AI Act Explorer, 2024. [Online]. Available: https://artificialintelligenceact.eu/implementation-timeline/




New Rules for AI — And Why Your Business Has to Follow Them Even If You're Not in Europe

TL;DR

  • Europe made rules about how businesses can use AI — the EU AI Act has been in force since August 2024 [1].
  • The rules apply to you even if you're in Australia, as long as you have customers or users in Europe [2].
  • Some AI is completely banned. Some needs strict oversight. Some just needs a "hey, you're talking to a robot" label [3].
  • Fines for non-compliance reach €35 million or 7% of global turnover [3]. lilMONSTER helps you get it right.

Imagine your school made a rule: "No copying someone else's homework." A student from another suburb thinks the rule doesn't apply to them — until they come to sit an exam at your school. The moment they're in your school doing school things, the rule applies.

That's exactly what's happening with AI and Europe right now.


Europe Made Rules for AI

The European Union — 27 countries all sharing one set of laws — passed the EU AI Act (Regulation 2024/1689), which entered into force on 1 August 2024 [1]. It's the world's first comprehensive legal rulebook for artificial intelligence.

AI programs are everywhere. They help businesses screen job applications, answer customer questions, and decide who gets a loan. Europe decided that some of these programs are powerful enough to hurt people if used badly — so they made rules [5].


What Kind of Rules Are There?

The rules sort AI into four groups based on how risky they are [3]:

Completely Banned (from February 2025) Some AI is not allowed at all: AI that secretly messes with your emotions or decisions, AI that rates people as "good" or "bad" citizens based on how they behave, AI that reads emotions at work or in school, and real-time facial recognition of people in public places by police (except in a few narrow cases). These are banned under Article 5 [3].

High-Risk (Strict Rules from August 2026) AI used in big life decisions — hiring, loans, school admissions, healthcare — must follow strict rules. Businesses must keep detailed records, prove the AI works properly, and have a real human checking critical decisions [3].

Has to Be Honest (from August 2026) Chatbots and AI assistants must clearly tell users they're talking to AI, and AI-generated images, audio and video have to be labelled as such. This is mandatory under Article 50 [3].

Low-Risk (No Special Rules) Spam filters and AI in video games. Basically fine [3].


But We're in Australia — Do These Rules Apply to Us?

Yes, if you have customers or users in Europe.

Article 2 of the EU AI Act applies the rules to providers and deployers "that have their place of establishment or are located in a third country, where the output produced by the AI system is used in the Union" [2]. If you sell software to European businesses or EU people use your app, Europe's rules apply. This is the same principle as GDPR [4], which Australian businesses already had to comply with.

According to the OECD AI Policy Observatory, the EU AI Act is now the most comprehensive binding AI regulation globally — and its extraterritorial reach is intentional [6].


What If You Ignore It?

Article 99 of the EU AI Act sets fines up to €35 million or 7% of global annual turnover for the worst violations [3]. For a small business, that would be devastating.


What Should You Actually Do?

  1. Check if Europe applies to you — any EU customers, users, or employees?
  2. Figure out what kind of AI you use — chatbots, hiring tools, credit decisions each carry different rules [3].
  3. Get records sorted — high-risk AI needs documentation on how it works and who checks it.
  4. Talk to someone who knows this — lilMONSTER runs ISO 42001 compliance reviews [7] mapping your AI against the rules. GetReady-Comply automates the ongoing evidence collection.

FAQ

Do Australian businesses really have to follow European AI rules? Yes. Article 2 of Regulation 2024/1689 applies the Act to any business whose AI system outputs are used in the EU [2].

What's actually banned under the EU AI Act? Article 5 prohibits subliminal or deceptive manipulation, exploiting vulnerable groups, social scoring, emotion recognition at work and in school, untargeted scraping of faces to build recognition databases, and real-time facial recognition in public places by police outside narrow exceptions. All banned since February 2025 [3].

When do the big rules kick in? High-risk AI system requirements come fully into force in August 2026 [1].

What is ISO 42001 and how does it help? ISO/IEC 42001:2023 is the international standard for AI management systems [7]. Implementing it creates the governance infrastructure that EU AI Act compliance requires.

How can lilMONSTER help my business? lilMONSTER runs ISO 42001 compliance reviews to find governance gaps and build a fix roadmap. GetReady-Comply keeps compliance records automated and audit-ready.


References

[1] European Union, "Regulation (EU) 2024/1689 — Artificial Intelligence Act," Official Journal of the European Union, Jul. 2024. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689

[2] European Union, "Regulation (EU) 2024/1689, Article 2 — Scope," Official Journal of the European Union, Jul. 2024. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689

[3] European Union, "Regulation (EU) 2024/1689, Articles 5, 50, 99 and Annex III," Official Journal of the European Union, Jul. 2024. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689

[4] European Union, "Regulation (EU) 2016/679 — GDPR, Article 3 — Territorial Scope," Official Journal of the European Union, Apr. 2016. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

[5] European Parliament, "EU AI Act: First Regulation on Artificial Intelligence," European Parliament News, Jun. 2023. [Online]. Available: https://www.europarl.europa.eu/topics/en/article/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence

[6] Organisation for Economic Co-operation and Development, "OECD AI Principles and Policy Observatory," OECD.AI, 2024. [Online]. Available: https://oecd.ai/en/ai-principles

[7] International Organization for Standardization, "ISO/IEC 42001:2023 — AI Management System," ISO, Geneva, 2023. [Online]. Available: https://www.iso.org/standard/81230.html

[8] Future of Life Institute, "EU AI Act Implementation Timeline," AI Act Explorer, 2024. [Online]. Available: https://artificialintelligenceact.eu/implementation-timeline/


Want to know exactly where your business stands? Book a free AI governance review with lilMONSTER.
