EU AI Act (Regulation 2024/1689)
A landmark regulation, creating the world’s first comprehensive legal framework for artificial intelligence, classifying AI systems by risk level, and imposing binding obligations on providers and deployers across the EU market, including certain non-EU entities with local EU impact.
What Is the EU AI Act?
Regulation (EU) 2024/1689, simply known as the EU AI Act, is a landmark regulation that establishes the first-ever comprehensive legal framework for governing the development, deployment, and use of artificial intelligence (AI) systems within the EU market. The Act follows a risk-based classification approach, organizing AI systems into four tiers based on level of risk:
Key EU AI Act Provisions

| Provision | Description |
|---|---|
| Prohibited AI Practices | Article 5 of the Act outright bans AI systems posing unacceptable risks, including social scoring, real-time biometric ID in public spaces, subliminal manipulation, and emotion inference in the workplace. In force since 2 February 2025. |
| High-Risk AI Systems | Annex III outlines binding obligations for AI in areas such as recruitment, credit scoring, border control, and law enforcement. Full compliance was previously expected from 2 August 2026, but may now be deferred to 2 December 2027. |
| General-Purpose AI | Articles 51 to 56 detail transparency, documentation, and safety obligations for foundation model providers. GPAI models posing systemic risk face additional requirements. In force since 2 August 2025. |
| Transparency Obligations | Article 50 prescribes disclosure requirements for limited-risk AI, including chatbots, deepfakes, and AI-generated content. Applicable from 2 August 2025. |
The Act broadly applies to providers, deployers, importers, and distributors of AI systems, including non-EU organizations whose systems or outputs affect individuals in the EU or are placed on the EU market. The law protects natural persons who interact with or are affected by AI systems, emphasizing fundamental rights, health, safety, and non-discrimination.
A significant development occurred on 7 May 2026, when the European Parliament and the Council of the EU reached a provisional political agreement on the Digital Omnibus on AI. The Digital Omnibus is a simplification package proposed by the European Commission that also expands Article 5 to introduce two new prohibited practices:
- AI systems that generate or manipulate non-consensual intimate imagery
- AI systems that generate or manipulate child sexual abuse material
Once formally adopted and published, the agreement will defer the compliance deadline for high-risk AI systems under Annex III to 2 December 2027. Notably, Article 50, which covers transparency obligations regarding chatbots, deepfakes, and AI-generated content, was not deferred and remains applicable as of 2 August 2026.
Who Is Responsible for the EU AI Act?
The primary enforcement body for general-purpose AI models and systemic-risk models is the European AI Office, established within the European Commission. Enforcement for all other AI systems sits with the national competent authorities of each EU member state, which were required to be designated by 2 August 2025.
The AI Board, composed of member state representatives, coordinates the consistent application of the Act across the EU. Where an AI system also processes personal data, Data Protection Authorities may exercise parallel jurisdiction under the GDPR.
Where the legal system of a member state so requires, fines may be imposed by national courts rather than administrative authorities. In all cases, enforcement powers under Article 99 are subject to effective judicial remedies and due process in accordance with Union and national law.
What Are the Possible Penalties Under the EU AI Act?
The Act establishes a three-tier administrative fine structure under Article 99. Each fine is calculated as a fixed euro amount or a percentage of global annual turnover, whichever is higher, so the penalty scales with an organization’s economic size. For SMEs and startups, fines are capped at the lower of the fixed euro amount or the percentage amount.
Violations of prohibited practices under Article 5 carry fines of up to 35 million euros or 7% of global annual turnover. Non-compliance with high-risk AI and GPAI obligations carries fines of up to 15 million euros or 3% of global annual turnover. Providing incorrect, incomplete, or misleading information carries fines of up to 7.5 million euros or 1% of global annual turnover.
What Does the EU AI Act Require?
An organization’s compliance obligations under the Act depend on its role in the AI value chain and the risk classification of its AI systems. For high-risk AI systems under Annex III, requirements include:
Core Requirements for High-Risk AI

| Requirement | Description |
|---|---|
| Risk Management System | Carry out continuous identification, analysis, and mitigation of risks throughout the AI system's lifecycle. |
| Technical Documentation | Maintain documentation demonstrating conformity with the Act for 10 years after the product is placed on the market or deployed. |
| Data Governance | Ensure training, validation, and testing data are relevant, representative, and free from material errors. |
| Human Oversight | Design measures allowing natural persons to monitor, interrupt, or override the system. |
| Transparency to Deployers | Disclose instructions for use, limitations, and intended purpose to deployers. |
| Post-Market Monitoring | Actively monitor system performance, with serious incidents reported to competent authorities. |
For general-purpose AI models, providers must maintain technical documentation and publish summaries of the training data used. GPAI providers whose models meet the systemic-risk threshold (>10^25 floating-point operations) must conduct adversarial testing, assess and mitigate systemic risks, implement incident reporting, and apply cybersecurity protections.
Deployers of high-risk AI in employment contexts, including automated CV screening, performance monitoring, and task allocation, face specific transparency obligations toward affected individuals. They must conduct fundamental rights impact assessments, making the Act directly relevant to HR and compliance teams in medium-to-large organizations using third-party AI tools.
Why Is the EU AI Act Important?
The EU AI Act sets the baseline for compliance for any organization using or building AI at scale in Europe. Its extraterritorial scope, modeled on the GDPR, means organizations headquartered outside the EU cannot avoid its obligations if their AI systems affect individuals within the EU.
With fines for the most serious violations exceeding the GDPR’s maximum, the financial stakes of non-compliance are substantial, and the enforcement framework, including the AI Office’s pre-investigation powers, is operational. Beyond legal risk, the Act reflects a shift in how regulators and boards view AI governance.
Executives are increasingly expected to account for AI risk in the same way they account for financial or cybersecurity risk. Organizations that establish AI governance programs now, covering system inventories, role classification, and conformity documentation, are better positioned for future regulatory iterations.
How Does FaceUp Help Comply with the EU AI Act?
The EU AI Act does not directly require organizations to operate a whistleblowing system. However, the Act does create significant compliance complexity, and internal reporting channels are valuable in this context.
Employees interacting with or building AI systems need a secure, anonymous channel to raise concerns about prohibited practices without fear of retaliation. At the same time, organizations deploying high-risk AI systems must demonstrate accountability structures for regulators, and an auditable internal reporting system contributes to that evidence base.
FaceUp helps organizations subject to both the EU AI Act and the EU Whistleblower Directive by offering fully anonymous, multi-channel reporting across web surveys, iOS/Android mobile apps, and 24/7 hotlines in 113 languages. Additionally, its centralized case management system with full audit trails helps ensure ongoing compliance documentation is available on demand.
Quick Facts
Applies to
Providers, deployers, importers, and distributors of AI systems in or affecting the EU market.
Penalties
- Up to 35 million euros or 7% of global annual turnover for prohibited AI practices
- Up to 15 million euros or 3% of global annual turnover for high-risk and GPAI violations
- Up to 7.5 million euros or 1% of global annual turnover for disclosure violations
The FaceUp Solution
FaceUp is an anonymous reporting and compliance platform designed to help businesses meet whistleblowing regulations worldwide, including those in the US, EU, UK, and UAE.

Fully Anonymous Reporting
Give staff multiple secure channels to report their concerns, complete with an anonymous two-way chat.
- Mobile-first accessibility
- No IP storage, no device IDs, encrypted submissions
- Customizable forms, categories, routing rules, and more

Customizable Case Management
Create an easily verifiable audit trail through a customizable case management system with automatic routing.
- Supports multiple locations, subsidiaries, or units
- Entity-specific routing and access permissions
- Optional notifications via email, Teams, or Slack

Real-Time Data Analytics
Identify trends, repeated issues, and escalation risks early with customizable visual real-time dashboards.
- Filter by category, region, channel, and more
- Share without revealing sensitive information
- ISO 27001 and SOC 2-certified local servers