Tallinn - For years, artificial intelligence developed in a regulatory vacuum. Companies built systems capable of recognising a face in a crowd, assessing the creditworthiness of a loan applicant, or producing in seconds an image indistinguishable from reality. They did so without any law setting out what was allowed and what was not. The European Union decided to fill that gap with the AI Act, Regulation (EU) 2024/1689: the world’s first comprehensive piece of legislation on artificial intelligence.
Artificial intelligence is no longer a matter for engineers alone. It influences who is hired and who is not, which news stories appear on a screen, and whether a mortgage application is approved or rejected. When a system gets something wrong, or is used to manipulate people, the consequences are borne by real individuals. The AI Act is intended to establish who is accountable for those mistakes and where the line must be drawn.
A pyramid of risks
The law rests on a simple principle: the greater the potential harm caused by a system, the stricter the rules it must meet. Brussels has set out four levels.
At the top is unacceptable risk. This includes applications that are banned outright across the Union: social scoring, whereby citizens are assigned a rating according to their behaviour, along lines already tested elsewhere in the world; systems that manipulate people through subliminal techniques; and emotion-recognition systems used in the workplace or in schools. There is no legitimate way to use them: the law prohibits them.
The next tier is high risk. These are systems that affect rights and safety: software used to screen CVs, algorithms deployed in healthcare, justice, lending and the management of infrastructure. They remain lawful, but only under strict conditions: technical documentation, human oversight, quality controls and traceability. Their developers must demonstrate that the systems work properly and that their decisions can be challenged.
Below that is limited risk, where the main obligation is transparency. This includes much of what people use every day. Anyone speaking to a chatbot must know that they are interacting with a machine. Where an image, audio recording or video has been artificially generated, it must be identified as such. The rule is designed to address deepfakes and is particularly relevant to journalism and the wider information sector. The credible part of it, at least.
At the bottom is minimal risk: spam filters, shopping recommendations and video games. No specific obligations apply, because the danger to individuals is negligible.
Large models and the timetable
A separate category applies to “general-purpose” models, the family to which systems capable of generating text or images on request belong. The law requires their developers to be transparent about training data, provide technical documentation and address systemic risks: those capable of spreading on a very large scale.
None of this takes effect all at once. The AI Act formally entered into force on 1 August 2024, but its provisions apply in stages. The ban on unacceptable-risk systems has applied since 2 February 2025. Obligations for large models and the European governance framework have applied since 2 August 2025. The bulk of the rules, including transparency requirements for artificially generated content, will apply from 2 August 2026, only a few weeks from now. The final provisions, covering high-risk systems embedded in products already subject to regulation, such as medical devices and machinery, will follow on 2 August 2027.
The system is backed by substantial penalties. For the most serious breaches, including the use of a prohibited system, fines can reach €35 million or 7 per cent of a company’s total worldwide annual turnover. The figures are intended to be felt even by the largest technology companies.
Estonia, Europe’s most digital country, still without a referee
The Regulation applies directly in every Member State, without the need for national implementing legislation. Governments have another task: appointing the authorities responsible for enforcement and setting penalties. The deadline was 2 August 2025, and a number of countries failed to meet it. Estonia is still completing the process.
Estonia remains one of Europe’s leading digital states: e-residency, digital signatures, public services that are almost entirely online, and Bürokratt, a state AI assistant that communicates with citizens. Tallinn took part in drafting the AI Act within the group of the EU’s nine digital countries, backing rules that took account of the needs of small businesses. The formal designation of national authorities is still under way.
According to the information available, responsibility for market surveillance is expected to be given to the Consumer Protection and Technical Regulatory Authority, or TTJA, working alongside the Ministry of Economic Affairs and Communications. Personal-data protection remains the responsibility of the Data Protection Inspectorate, or AKI, while the Information System Authority, RIA, has commissioned an assessment of the risks associated with adopting artificial intelligence. At a strategic level, Estonia is proceeding with its artificial intelligence and data action plan, known as “Kratt”, after the creature in Estonian folklore that carries out its master’s orders. The plan has been allocated €85 million for the 2024-2026 period.
The Digital Omnibus package
The timetable is also affected by a proposed revision. On 19 November 2025, the European Commission presented the Digital Omnibus package, a set of changes intended to reduce the administrative burden on businesses. Among the proposals is a postponement of the stricter rules for high-risk systems, with their entry into force tied to the availability of technical standards. The proposal must still pass through negotiations between Parliament and the Council. Unless it is approved, the 2 August 2026 deadline remains in force.
The debate is particularly relevant to Estonia, which during negotiations supported an approach mindful of the needs of small businesses and start-ups. Any relaxation would affect, above all, provisions concerning high-risk systems: those governing the use of algorithms in areas such as healthcare, employment and credit. It remains to be seen what balance the country will strike between promoting innovation and protecting citizens.
What changes in practice
For citizens, the AI Act provides a number of additional safeguards: the right to know when they are interacting with a machine; the ability to identify false content produced by an algorithm; the certainty that certain practices, from social scoring to emotional surveillance, are prohibited; and, when a high-risk system makes a decision affecting them, the right to demand an explanation.
For Estonian companies, many of which depend on advanced technologies, it means adapting quickly. They must map their systems, classify them according to risk, and put documentation and controls in place. Those who reach the August deadline unprepared face significant risks. Uncertainty over which authorities will supervise compliance does not suspend the obligations; it merely makes them harder to interpret.
Europe has chosen to move first, accepting the risk of writing rules for a technology that changes every month. For Estonia, accustomed to staying one step ahead, the challenge is an unusual one: not to lead innovation, but to show that it can govern it too. Whether those rules will hold, or be softened before they have had the chance to work, will become clear in the coming weeks.