As of Sunday in the European Union, the blocs regulators can ban the use of AI systems they deem to pose unacceptable risk or harm.February 2 is the first compliance deadline for the EUs AI Act, the comprehensive AI regulatory framework that the European Parliament finally approved last March after years of development. The act officially went into force August 1; whats now following is the first of the compliance deadlines.The specifics are set out in Article 5, but broadly, the Act is designed to cover a myriad of use cases where AI might appear and interact with individuals, from consumer applications through to physical environments.Under theblocs approach, there are four broad risk levels: (1) Minimal risk (e.g., email spam filters) will face no regulatory oversight; (2) limited risk, which includes customer service chatbots, will have a light-touch regulatory oversight; (3) high risk AI for healthcare recommendations is one example will face heavy regulatory oversight; and (4) unacceptable risk applications the focus of this months compliance requirements will be prohibited entirely. Some of the unacceptable activities include:AI used for social scoring (e.g., building risk profiles based on a persons behavior).AI that manipulates a persons decisions subliminally or deceptively.AI that exploits vulnerabilities like age, disability, or socioeconomic status.AI that attempts to predict people committing crimes based on their appearance.AI that uses biometrics to infer a persons characteristics, like their sexual orientation.AI that collects real time biometric data in public places for the purposes of law enforcement.AI that tries to infer peoples emotions at work or school.AI that creates or expands facial recognition databases by scraping images online or from security cameras.Companies that are found to be using any of the above AI applications in the EU will be subject to fines, regardless of where they are headquartered. They could be on the hook for up to 35 million (~$36 million), or 7% of their annual revenue from the prior fiscal year, whichever is greater.The fines wont kick in for some time, noted Rob Sumroy, head of technology at the British law firm Slaughter and May, in an interview with TechCrunch.Organizations are expected to be fully compliant by February 2, but the next big deadline that companies need to be aware of is in August, Sumroy said. By then, well know who the competent authorities are, and the fines and enforcement provisions will take effect.Preliminary pledgesThe February 2 deadline is in some ways a formality. Last September, over 100 companies signed the EU AI Pact, a voluntary pledgeto start applying the principles of theAI Actahead of its entry into application. As part of the Pact, signatories which included Amazon, Google, and OpenAI committed to identifying AI systems likely to be categorized as high risk under the AI Act.Some tech giants, notably Meta and Apple, skipped the Pact. French AI startup Mistral, one of the AI Acts harshest critics, also opted not to sign. That isnt to suggest that Apple, Meta, Mistral, or others who didnt agree to the Pact wont meet their obligations including the ban on unacceptably risky systems. Sumroy points out that, given the nature of the prohibited use cases laid out, most companies wont be engaging in those practices anyway.For organizations, a key concern around the EU AI Act is whether clear guidelines, standards, and codes of conduct will arrive in time and crucially, whether they will provide organizations with clarity on compliance, Sumroy said. However, the working groups are, so far, meeting their deadlines on the code of conduct for developers.Possible exemptionsThere are exceptions to several of the AI Acts prohibitions.For example, the Act permits law enforcement to use certain systems that collect biometrics in public places if those systems help perform a targeted search for, say, an abduction victim, or to help prevent a specific, substantial, and imminent threat to life. This exemption requires authorization from the appropriate governing body, and the Act stresses that law enforcement cant make a decision that produces an adverse legal effect on a person solely based on these systems outputs.The Act also carves out exceptions for systems that infer emotions in workplaces and schools where theres a medical or safety justification, like systems designed for therapeutic use.The European Commission, the executive branch of the EU, said that it would release additional guidelines in early 2025, following a consultation with stakeholders in November. However, those guidelines have yet to be published.Sumroy said its also unclear how other laws on the books might interact with the AI Acts prohibitions and related provisions. Clarity may not arrive until later in the year, as the enforcement window approaches.Its important for organizations to remember that AI regulation doesnt exist in isolation, Sumroy said. Other legal frameworks, such as GDPR, NIS2, and DORA, will interact with the AI Act, creating potential challenges particularly around overlapping incident notification requirements. Understanding how these laws fit together will be just as crucial as understanding the AI Act itself.