IT governance, cybersecurity and digital transformation in Belgium · contact@itselect.be
Data & AI · AI Act · Updated May 18, 2026 · Read 5 min

EU AI Act: a practical summary of the 13 chapters

The AI Act progressively regulates the development, placing on the market and use of artificial intelligence systems in the European Union. For organisations, the goal is not to stop using AI, but to know where it is used, which level of risk it creates, which obligations apply and how evidence is kept.

Key takeaway. The AI Act does not block AI: it requires organisations to control it, document use cases and prove that risks are handled.

Key points

  • The Regulation is structured into 13 chapters.
  • The approach is risk-based.
  • Providers and deployers may both be affected.
  • SMEs should mainly map, frame and document AI use cases.

Executive summary

The EU AI Act, formally Regulation (EU) 2024/1689, creates a common framework to support safe, transparent and trustworthy AI. It does not treat every use case in the same way: the higher the potential impact on people, safety or fundamental rights, the stronger the requirements.

Inside an organisation, the first topics are very practical: inventory AI tools, classify use cases, check suppliers, protect data, ensure human validation and train users.

Blog version: a non-legal summary focused on IT governance, compliance, security and leadership decisions.

The 13 chapters of the AI Act in summary

General provisions

This chapter defines the purpose of the Regulation, its scope, key definitions and the AI literacy obligation. It creates the common vocabulary: AI system, provider, deployer, importer, distributor, data, risks and responsibilities.

IT action: Build an inventory of AI use cases and a shared vocabulary across IT, business teams, leadership, DPO and procurement.

Prohibited AI practices

The Regulation bans uses considered to create unacceptable risk, such as certain harmful manipulation, exploitation of vulnerabilities, social scoring and some abusive uses linked to biometrics and surveillance.

IT action: Add exclusion rules to the internal AI policy, especially for HR, surveillance, scoring, biometrics and manipulation use cases.

High-risk AI systems

This is the most operational chapter. It explains how high-risk systems are classified and introduces strong requirements: risk management, data governance, technical documentation, registration, logs, transparency, human oversight, accuracy, robustness and cybersecurity.

IT action: Identify AI tools used in employment, education, essential services, safety, critical infrastructure or decisions that may significantly affect people.

Transparency obligations

Certain systems must clearly disclose that they use AI. Users should be able to know when they interact with AI or when content has been artificially generated or manipulated, in the situations covered by the Regulation.

IT action: Prepare visible notices for chatbots, assistants, content generators, deepfakes, synthetic voices and user-facing automations.

General-purpose AI models

This chapter covers models that can serve many purposes, such as large language models and generative models. It introduces obligations for providers, with stronger requirements for models presenting systemic risk.

IT action: Ask suppliers for compliance information: documentation, training-data summary, copyright approach, security, limitations and terms of use.

Measures in support of innovation

The Regulation introduces regulatory sandboxes, real-world testing and support measures for SMEs and start-ups. The goal is to allow innovation while keeping a control framework.

IT action: Run AI pilots in a limited framework: objectives, authorised data, human validation, logging and stop criteria.

Governance

This chapter organises European and national governance: the AI Office, the European Artificial Intelligence Board, advisory forum, scientific panel and national competent authorities.

IT action: Appoint an internal AI owner to monitor governance, centralise evidence and answer client, auditor or authority requests.

EU database for high-risk AI systems

High-risk AI systems listed in Annex III may need to be registered in an EU database. This reinforces traceability and transparency for the systems concerned.

IT action: Check with suppliers whether a tool is subject to registration and keep the evidence in the supplier file.

Post-market monitoring, information sharing and market surveillance

The Regulation covers monitoring after placing systems on the market, reporting serious incidents, surveillance powers, remedies and the right to explanation for certain individual decisions.

IT action: Connect AI governance to existing processes: incident management, security, complaints, audit, supplier control and continual improvement.

Codes of conduct and guidelines

The Commission may publish guidelines and encourage codes of conduct, including for uses that are not strictly high-risk. These documents will help interpret and apply the Regulation.

IT action: Track official guidance and translate it into simple rules: allowed use cases, validation, confidentiality, quality control and escalation.

Delegation of power and committee procedure

This chapter allows some parts of the Regulation to evolve over time. The AI Act is therefore not a frozen framework: delegated acts, adjustments and clarifications may follow.

IT action: Plan regulatory monitoring and review the AI policy at least annually or when a major tool changes.

Penalties

The Regulation includes penalties and administrative fines, with different levels depending on the seriousness of the infringement. Penalties cover prohibited practices, high-risk obligations and general-purpose AI model obligations.

IT action: Go beyond a policy statement: keep evidence of classification, validation, training, contracts, controls and decisions.

Final provisions

The final chapter covers amendments to other EU texts, systems already placed on the market, evaluation, review and the progressive entry into force/application of the Regulation.

IT action: Maintain a roadmap with applicable deadlines, action owners and dependencies with GDPR, cybersecurity, procurement and compliance.

Dates to watch

1 August 2024 — the Regulation entered into force.

2 February 2025 — prohibited practices and AI literacy obligations started to apply.

2 August 2025 — governance rules and obligations for general-purpose AI models started to apply.

2 August 2026 — general application of the Regulation, with exceptions and transition provisions.

2 December 2027 and 2 August 2028 — announced timeline for certain high-risk AI rules under the Omnibus VII simplification political agreement; check the final applicable texts before relying on it.

What an IT team or SME should do now

  • Inventory: List AI tools used officially and unofficially.
  • Classify: Identify prohibited, sensitive, high-risk or low-risk use cases.
  • Frame: Define a usage policy: authorised data, validation and responsibilities.
  • Train: Explain limits, risks, obligations and good reflexes to users.
  • Contract: Ask suppliers for compliance evidence and security commitments.
  • Document: Keep decisions, logs, analyses, validations and exceptions.

Conclusion

The AI Act should not be read only as a regulatory constraint. It is also a useful framework to regain control over AI use cases, reduce shadow AI, secure data and clarify responsibilities. The right first step is to turn the Regulation into a simple map of use cases, risks, suppliers and priority actions.

This content is a practical summary for IT governance. It does not replace legal advice tailored to your context.