The European Union's Artificial Intelligence Act entered into full application in 2025, making it the world's first comprehensive binding legal framework for AI. For organizations operating in the EU — or selling products and services to EU customers — it creates significant compliance obligations. For organizations outside the EU, including those in Morocco and across the MENA region, it is shaping international standards and will increasingly influence commercial and regulatory requirements in non-EU markets.

This article explains what the EU AI Act actually requires, how its risk-based framework works, the key timelines, and what organizations should be doing now to prepare.

Who does the EU AI Act apply to?

The EU AI Act applies to providers and deployers of AI systems. Providers are organizations that develop AI systems and place them on the market — AI software companies, technology vendors, and organizations that build AI tools for internal or external use. Deployers are organizations that use AI systems provided by others in their business operations.

Critically, the Act applies based on where the AI system is used and who is affected by it — not where the organization is headquartered. A Moroccan company using an EU-based AI recruitment tool to screen candidates for a European role is within scope. A Moroccan software company selling an AI-powered compliance tool to European customers is a provider within scope. Organizations with European operations, European customers, or European employees are likely to have obligations under the Act regardless of where they are based.

The four-tier risk framework

The EU AI Act uses a risk-based approach: the higher the potential harm of an AI system, the more stringent the requirements. There are four tiers:

Unacceptable risk — prohibited: AI applications that pose fundamental threats to rights and safety are banned entirely. These include AI systems that use subliminal techniques to manipulate behavior, exploit vulnerabilities of specific groups, enable mass social scoring by public authorities, or (with narrow exceptions) perform real-time biometric identification in public spaces. These bans came into force in February 2025.

High risk: AI systems used in critical infrastructure, education, employment, access to essential services, law enforcement, migration, and the administration of justice. High-risk AI is not prohibited, but it is subject to extensive requirements: conformity assessments, registration in an EU database, technical documentation, data governance standards, human oversight, transparency disclosures, and ongoing monitoring. Key examples include AI used in hiring and firing decisions, AI that influences access to credit, AI used in medical diagnosis, and AI in biometric categorization.

Limited risk: AI systems with specific transparency obligations — primarily chatbots and AI-generated content. Users must be informed they are interacting with AI. AI-generated content (images, audio, video, text) that could be mistaken for real must be labeled as AI-generated.

Minimal risk: AI systems that pose little to no risk — spam filters, AI in video games, basic recommendation systems. These have no mandatory requirements under the Act, though the European Commission has published voluntary codes of conduct.

Key timelines

  • February 2025: Prohibited AI practices banned
  • August 2025: General-purpose AI model obligations apply
  • August 2026: High-risk AI obligations fully in force
  • August 2027: All remaining provisions apply, including for legacy systems

What high-risk AI compliance actually requires

For organizations deploying high-risk AI, the compliance obligations are substantial. The most important requirements include:

Risk management system: A continuous, iterative process that identifies and manages risks associated with the AI system throughout its lifecycle — not a one-time assessment.

Data governance: Training, validation, and testing datasets must meet quality standards — free from biases that could lead to discriminatory outputs, representative of the contexts in which the system will be used, and properly documented.

Technical documentation: Comprehensive documentation of the AI system, its design logic, capabilities, limitations, performance metrics, and the data used to develop it.

Human oversight: High-risk AI systems must be designed so that humans can understand their outputs, monitor their operation, and — critically — override or stop them when necessary. Fully automated high-stakes decisions that humans cannot override are not compliant.

Transparency to users: Deployers must inform individuals that they are subject to a decision made or significantly influenced by a high-risk AI system, and in certain cases must explain the logic involved.

Logging and traceability: AI systems must automatically log their operations at an appropriate level of detail to enable post-hoc review of decisions and identification of errors.

General-purpose AI models (GPAIs)

A significant addition in the final text of the Act is specific obligations for providers of general-purpose AI models — foundation models and large language models (like the AI assistants embedded in many commercial tools). From August 2025, GPAI providers must maintain technical documentation, implement copyright compliance policies, publish summaries of training data, and ensure downstream deployers can meet their own obligations. High-capability models face additional requirements including adversarial testing and cybersecurity measures.

For organizations licensing and deploying commercial AI tools built on GPAIs, this means verifying that the AI providers they use are compliant — and that the contracts governing their use include the representations and obligations the Act requires.

Why this matters for organizations outside the EU

The EU AI Act is, in practical terms, becoming a global baseline. The same dynamic that made GDPR a de facto global data protection standard — the cost of building separate compliance infrastructure for different markets — is likely to produce the same effect with AI regulation. Organizations that build their AI governance around EU AI Act principles are building for the most demanding standard that currently exists, which means they are unlikely to need major restructuring as other jurisdictions develop their own requirements.

Morocco's own digital governance and AI policy frameworks are evolving in alignment with international standards. Organizations in Morocco with European operations, European customers, or European supply chain relationships have both a compliance obligation and a competitive incentive to be ahead of this curve.

Prepare for EU AI Act compliance with Claribrix

Claribrix helps organizations map their AI systems to risk tiers, identify compliance gaps, and build the governance structures the Act requires. The EXIN AI Compliance Professional certification provides the professional knowledge base to lead this work.

What to do right now

For most organizations, the immediate priorities are:

  1. Inventory your AI systems. Identify every AI tool your organization uses or deploys — internal tools, vendor products, AI features within existing software platforms. Many organizations are surprised by how long this list is.
  2. Classify by risk tier. Map each system against the EU AI Act's risk categories. Focus first on any AI that influences decisions about individuals — in HR, credit, customer service, or access to services.
  3. Identify compliance gaps for high-risk systems. For any system that falls in the high-risk category, assess current documentation, human oversight provisions, logging capability, and transparency practices against the Act's requirements.
  4. Review vendor contracts. Ensure that contracts with AI vendors include the representations and warranties required under the Act, particularly for GPAI-based tools.
  5. Build internal governance capacity. The Act requires ongoing governance — not a one-time compliance exercise. This means assigning responsibility, training the people who will carry it out, and integrating AI governance into existing operational processes.

Organizations that start this process now — rather than waiting for the final deadlines — have the advantage of time to remediate gaps, train staff, and embed governance before external scrutiny begins.

