EU AI Act Guide for Canadian Business — Free Course
What is the EU AI Act?
What is the EU AI Act?
The EU AI Act — officially Regulation (EU) 2024/1689 — is the world's first comprehensive, horizontal law governing artificial intelligence. "Horizontal" means it applies across every sector rather than to one industry: the same rulebook covers a hiring tool, a medical device, a credit model, and a customer-service chatbot.
It was published in the *Official Journal of the European Union* on 12 July 2024 and entered into force on 1 August 2024. Its obligations do not all switch on at once — they phase in over roughly three years (covered in Module 7).
Official source: European Commission — AI Act · Full legal text: EUR-Lex — Regulation (EU) 2024/1689
Why the EU built it
The EU spent years watching AI move from research labs into decisions that affect people's rights — who gets hired, who gets a loan, who gets flagged at a border. Existing law (GDPR, product-safety directives, consumer law) touched pieces of the problem but left gaps. The AI Act was designed to:
- Set one predictable set of rules for AI across the single market, so companies don't face 27 divergent national regimes
- Protect health, safety, and fundamental rights without banning AI outright
- Concentrate the heaviest obligations on the highest-risk uses, and leave low-risk uses essentially free
- Give the EU a first-mover standard it hopes the rest of the world will converge toward — the so-called "Brussels effect" already seen with GDPR
A risk-based law, not a technology ban
The Act's defining idea is proportionality by risk. It does not regulate "AI" as a monolith. It sorts AI systems into tiers and scales the obligations to the danger:
| Risk tier | Treatment |
|---|---|
| Unacceptable risk | Prohibited outright |
| High risk | Permitted, but subject to strict obligations before and after market entry |
| Limited risk | Permitted, subject to transparency duties (tell people they're dealing with AI) |
| Minimal risk | Permitted freely — the vast majority of AI systems |
Layered on top is a separate regime for general-purpose AI (GPAI) — the foundation models (large language models and similar) that can be built into countless downstream applications. GPAI has its own obligations regardless of the tier of the app that eventually uses it (Module 6).
How "AI system" is defined
The Act uses a definition deliberately aligned with the OECD: broadly, a machine-based system that operates with some autonomy, may adapt after deployment, and — from the inputs it receives — infers how to generate outputs such as predictions, content, recommendations, or decisions that influence physical or virtual environments.
The practical takeaway: a plain deterministic script or a basic spreadsheet formula is not an "AI system." A model that learns patterns and produces inferences is. If you're unsure, that uncertainty itself is a signal to document your reasoning — regulators will expect you to show your classification work.
Why a Canadian business should keep reading
The instinct of a Canadian founder is "this is European law — not my problem." That instinct is wrong, and the reason is the single most important concept in this course: the AI Act applies based on where an AI system's outputs are used, not where the company sits. If your software touches the EU market or produces outputs consumed in the EU, you can be squarely in scope from an office in Toronto or Halifax. Module 2 is entirely devoted to this.
If you want the broader governance context around this law, see the sibling guide AI Governance guide; for the certifiable management-system standard that pairs well with AI Act compliance, see the ISO 42001 guide.
Module Quiz
1. What is the official legal identifier of the EU AI Act?
2. When did the EU AI Act enter into force?
3. The core organizing principle of the EU AI Act is:
4. A basic deterministic spreadsheet formula that performs a fixed calculation is:
All Modules
Written and maintained by Vivek Chakravarthy, founder of Canuckt.
Related articles
Go deeper with these reads from the Canuckt blog.
The EU AI Act for Canadian SMBs: When It Actually Applies to You
Most Canadian SMBs treat the EU AI Act as a European problem. Here is exactly when it reaches across the Atlantic to a business run out of Halifax or Calgary — and what to do about it.
ReadDoes the EU AI Act Apply to My Canadian Business? A 2026 Decision Guide
You don't need an office in Europe for the EU AI Act to reach you. If your AI touches people in the EU, or your output lands there, you may be in scope. Here's a decision guide built for Canadian businesses.
ReadWhat the OPC's ChatGPT Ruling Means for Your Canadian Business
Canada's federal and provincial privacy regulators found that OpenAI collected personal information without valid consent and gave people no real way to correct or delete it. Here's what the ChatGPT finding actually changes for a business using AI.
ReadWhy Open-Source PII Tools Like Presidio Are Not Enough for Canadian Compliance
Presidio is a well-engineered open-source tool. It's also US-centric, requires significant configuration for Canadian identifiers, and puts the compliance burden entirely on your engineering team.
Read