Gallery

Contacts

405 W. Greenlawn Ave Lansing, Michigan 48910

contact@techjacksolutions.com

+1-616-320-4064

Framework Explorer / EU AI Act

EU AI Act in the AI Governance Framework Explorer

131 entries 63 cross-framework mappings 48 risk profiles Regulation Legally binding in the EU

The EU AI Act is the first comprehensive, legally binding AI regulation. It classifies AI systems by risk — prohibited practices, high-risk systems, transparency-risk systems, and general-purpose AI models — and attaches obligations to providers, deployers, importers, and distributors.

Open the Interactive ExplorerJump to EU AI Act

Every EU AI Act entry, explained

Titles identify each requirement; the one-line summaries below are original Tech Jacks plain-English descriptions, not official standard text. Click any ID to open the full entry — implementation guidance, evidence checklists, risk analysis, and FAQs — in the interactive explorer.

Title I — General Provisions5 entries
Title IGeneral Provisions

Subject matter, scope, and definitions of the EU AI Act.

Article 3Definitions

Defines key terms including AI system, provider, deployer, high-risk AI system, and others.

Article 4AI literacy

Providers and deployers shall ensure sufficient AI literacy of their staff and relevant persons.

Article 2Scope

Defines who and what falls under the regulation — providers, deployers, importers, and distributors placing or using AI in the EU market.

Article 1Subject matter

Establishes harmonised rules for AI systems placed on the market, put into service, or used in the Union, promoting trustworthy AI while ensuring protection of fundamental rights.

Title II — Prohibited AI Practices2 entries
Title IIProhibited AI Practices

AI practices that are prohibited under the regulation.

Article 5Prohibited AI practices

Prohibits AI systems that use subliminal techniques, exploit vulnerabilities, social scoring, or real-time remote biometric identification.

Title III — High-Risk AI Systems50 entries
Title IIIHigh-Risk AI Systems

Requirements and obligations for high-risk AI systems.

Chapter 1Classification of AI Systems as High-Risk

Articles 6-7 establishing the rules for determining whether an AI system qualifies as high-risk based on Annex I product legislation and Annex III use-case areas.

Chapter 2Requirements for High-Risk AI Systems

Articles 8-15 defining mandatory technical and organizational requirements for high-risk AI: risk management, data governance, documentation, logging, transparency, human oversight, accuracy, robustness, and cybersecurity.

Chapter 3Obligations of Providers and Deployers of High-Risk AI Systems and Other Parties

Section 3 (Articles 16-27): Legal obligations for each actor in the high-risk AI value chain: providers, authorized representatives, importers, distributors, and deployers.

Chapter 4Notifying Authorities and Notified Bodies

Articles 28-39 establishing the institutional framework for third-party conformity assessment of high-risk AI systems.

Chapter 5Standards, Conformity Assessment, Certificates, Registration

Section 5 (Articles 40-49): Harmonized standards, common specifications, conformity assessment, certificates, EU declaration of conformity, CE marking, and registration. This is the final section of Chapter III — there is no Section 6.

Article 6Classification rules for high-risk AI

AI system is high-risk if used as a safety component or in areas listed in Annex III.

Article 8Compliance with requirements

High-risk AI systems shall comply with the requirements laid down in this Chapter.

Article 9Risk management system

A risk management system shall be established, implemented, documented and maintained for high-risk AI.

Article 10Data and data governance

High-risk AI training, validation and testing data sets shall be subject to data governance practices.

Article 11Technical documentation

Technical documentation shall be drawn up before a high-risk AI system is placed on the market.

Article 12Record-keeping

High-risk AI systems shall allow for automatic recording of events (logs) relevant to conformity.

Article 13Transparency and provision of information to deployers

High-risk AI systems shall be designed to ensure their operation is sufficiently transparent.

Article 14Human oversight

High-risk AI systems shall be designed to allow effective human oversight during use.

Article 15Accuracy, robustness and cybersecurity

High-risk AI shall achieve appropriate levels of accuracy, robustness and cybersecurity.

Article 16Obligations of providers of high-risk AI systems

Providers of high-risk AI shall ensure compliance, establish quality management, and maintain documentation.

Article 17Quality management system

Providers shall put a quality management system in place that ensures compliance with this Regulation.

Article 7Amendments to Annex III

Empowers the Commission to update the high-risk AI system list in Annex III via delegated acts.

Article 25Responsibilities along the AI value chain

Establishes obligations for distributors, importers, deployers, and authorized representatives within the AI supply chain.

Article 26Obligations of deployers of high-risk AI

Deployers must use AI in accordance with instructions, ensure human oversight, monitor operation, and conduct fundamental rights impact assessments.

Article 27Fundamental rights impact assessment for high-risk AI

Deployers of certain high-risk AI must assess impacts on fundamental rights before putting the system into use.

Article 40Harmonised standards and standardisation deliverables

High-risk AI systems conforming to harmonised standards or parts thereof shall be presumed to be in conformity with the requirements of Section 2.

Article 43Conformity assessment

Providers of high-risk AI systems shall follow the conformity assessment procedure before placing on the market.

Article 47EU declaration of conformity

Provider must draw up a written EU declaration of conformity for each high-risk AI system and keep it for 10 years.

Article 49Registration

Before placing a high-risk AI system on the market, providers shall register themselves and their system in the EU database. Deployers who are public authorities shall also register.

Article 18Documentation keeping

Providers of high-risk AI systems shall keep documentation including technical documentation, EU declaration of conformity, and relevant records, making them available to national competent authorities upon request.

Article 19Automatically generated logs

Providers of high-risk AI systems must keep logs automatically generated by the system for a period appropriate to the intended purpose, at least 6 months.

Article 20Corrective actions and duty of information

Providers who consider a high-risk AI system is not in conformity must immediately take corrective actions and inform distributors, deployers, and authorized representatives.

Article 21Cooperation with competent authorities

Providers of high-risk AI systems shall, upon a reasoned request by a national competent authority, provide that authority with all the information and documentation necessary to demonstrate conformity.

Article 22Authorised representatives of providers of high-risk AI systems

Non-EU providers must appoint an authorised representative established in the Union before making high-risk AI systems available on the Union market.

Article 23Obligations of importers

Importers must ensure high-risk AI systems bear CE marking, have conformity documentation, and that the provider has appointed an authorised representative.

Article 24Obligations of distributors

Distributors must verify that high-risk AI systems bear CE marking, that required documentation exists, and that storage and transport do not jeopardise conformity.

Article 28Notifying authorities

Member States must designate or establish a notifying authority responsible for setting up procedures for the assessment and notification of conformity assessment bodies.

Article 29Application of a conformity assessment body for notification

Conformity assessment bodies shall submit an application for notification to the notifying authority of the Member State in which they are established.

Article 30Notification procedure

Notifying authorities shall only notify conformity assessment bodies which have satisfied the requirements set out in the regulation.

Article 31Requirements relating to notified bodies

Notified bodies must be established under national law, have legal personality, and demonstrate competence, independence, and impartiality.

Article 32Presumption of conformity with requirements relating to notified bodies

Conformity assessment bodies demonstrating conformity with harmonised standards or parts thereof shall be presumed to comply with notified body requirements.

Article 33Subsidiaries of notified bodies and subcontracting

Notified bodies may subcontract specific tasks with client consent, but must maintain responsibility and verify subcontractor competence.

Article 34Operational obligations of notified bodies

Notified bodies must verify AI system conformity following the conformity assessment procedures, acting proportionately to avoid unnecessary burden on operators.

Article 35Identification numbers and lists of notified bodies

The Commission assigns identification numbers to notified bodies and makes the list publicly available including activity scope.

Article 36Changes to notifications

Notifying authorities shall notify the Commission and other Member States of any relevant changes to the notification of a conformity assessment body.

Article 37Challenge to the competence of notified bodies

The Commission may investigate the competence of a notified body or its continued fulfillment of requirements at any time, including following concerns from Member States.

Article 38Coordination of notified bodies

The Commission shall ensure appropriate coordination and cooperation between notified bodies active under the regulation through a sectoral group.

Article 39Conformity assessment bodies of third countries

Conformity assessment bodies established under the law of a third country may be accepted through mutual recognition agreements.

Article 41Common specifications

Where harmonised standards do not exist or are insufficient, the Commission may adopt common specifications for high-risk AI system requirements.

Article 42Presumption of conformity with certain requirements

High-risk AI systems trained and tested on data reflecting the specific geographic, behavioural and functional setting shall be presumed to comply with data quality requirements.

Article 44Certificates

Certificates issued by notified bodies shall be valid for a maximum period of 5 years and may be extended upon reassessment.

Article 45Information obligations of notified bodies

Notified bodies shall inform the notifying authority of any refusal, restriction, suspension, or withdrawal of certificates.

Article 46Derogation from conformity assessment procedure

Any market surveillance authority may authorise placing a specific high-risk AI system on the market without conformity assessment in exceptional circumstances.

Article 48CE marking

The CE marking shall be affixed visibly, legibly, and indelibly for high-risk AI systems. For digitally provided systems, a digital CE marking shall be used.

Title IV — Transparency Obligations for Providers and Deployers of Certain AI Systems2 entries
Title IVTransparency Obligations for Providers and Deployers of Certain AI Systems

Transparency obligations for providers and deployers of certain AI systems.

Article 50Transparency obligations for providers and deployers of certain AI systems

Providers shall ensure AI systems intended to interact with persons are designed so persons are informed they are interacting with AI. Deployers of emotion recognition and biometric categorisation systems shall inform the persons exposed.

Title V — General-Purpose AI Models7 entries
Title VGeneral-Purpose AI Models

Classification rules and obligations for providers of general-purpose AI models, including those with systemic risk.

Article 51Classification of GPAI models as GPAI models with systemic risk

A GPAI model shall be classified as having systemic risk if it has high impact capabilities evaluated by technical tools, or by Commission designation based on criteria in Annex XIII.

Article 53Obligations for providers of GPAI models

All GPAI providers must maintain technical documentation, provide information to downstream providers, comply with copyright, and publish training content summaries.

Article 55Obligations for providers of GPAI with systemic risk

Providers of systemic-risk GPAI must perform model evaluations, assess and mitigate systemic risks, ensure cybersecurity, and report serious incidents.

Article 52Procedure

Procedure for the Commission to designate a GPAI model as having systemic risk, including notification, provider representations, and update of the list of GPAI models with systemic risk.

Article 54Authorised representatives of providers of GPAI models

Non-EU GPAI model providers must appoint an authorised representative in the Union before making the model available on the Union market.

Article 56Codes of practice

The AI Office shall encourage and facilitate drawing up of codes of practice covering obligations of GPAI model providers, including systemic risk evaluation.

Title VIII — EU Database for High-Risk AI Systems2 entries
Title VIIIEU Database for High-Risk AI Systems

Establishment and maintenance of an EU database for registration of high-risk AI systems listed in Annex III.

Article 71EU database for high-risk AI systems listed in Annex III

The Commission shall establish and maintain an EU database for registration of high-risk AI systems referred to in Annex III. Providers and deployers who are public authorities shall register before placing on market or putting into service.

Title XII — Penalties4 entries
Title XIIPenalties

Rules on penalties for infringements, administrative fines on EU institutions, and fines for providers of GPAI models.

Article 99Penalties

Member States shall lay down rules on penalties applicable to infringements. Fines up to 35M EUR or 7% of turnover for prohibited practices; 15M EUR or 3% for other violations; 7.5M EUR or 1% for incorrect information.

Article 100Administrative fines on Union institutions, bodies, offices and agencies

The European Data Protection Supervisor may impose administrative fines on Union institutions, bodies, offices and agencies for infringements of this Regulation.

Article 101Fines for providers of general-purpose AI models

The Commission may impose fines on providers of GPAI models for intentional or negligent infringement of obligations under Chapter V, up to 3% of annual worldwide turnover or 15M EUR.

Title VI — Measures in Support of Innovation8 entries
Title VIMeasures in Support of Innovation

AI regulatory sandboxes, real-world testing provisions, and measures supporting SMEs and startups with AI Act compliance.

Article 57AI regulatory sandboxes

Member States shall ensure that their competent authorities establish at least one AI regulatory sandbox at national level to facilitate the development and testing of innovative AI systems under regulatory oversight before placement on the market.

Article 58Detailed arrangements for, and functioning of, AI regulatory sandboxes

Sets out detailed rules for sandbox operation including eligibility criteria, application process, terms and conditions, exit procedures, and rights of participants.

Article 59Further processing of personal data for developing certain AI systems in the public interest in the AI regulatory sandbox

Personal data lawfully collected for other purposes may be processed in AI regulatory sandboxes for developing AI systems in the public interest, subject to specific safeguards.

Article 60Testing of high-risk AI systems in real world conditions outside AI regulatory sandboxes

Testing of high-risk AI systems in real-world conditions outside sandboxes is permitted subject to a real-world testing plan, registration in the EU database, and informed consent of subjects.

Article 61Informed consent to participate in testing in real world conditions outside AI regulatory sandboxes

Subjects of real-world testing must give freely given informed consent, may withdraw at any time without detriment, and must be informed of all relevant aspects of the testing.

Article 62Measures for providers and deployers, in particular SMEs, including start-ups

Member States shall undertake measures to provide SMEs and startups with priority access to sandboxes, dedicated awareness channels, and guidance on AI Act implementation.

Article 63Derogations for specific operators

Micro enterprises and certain operators are granted specific derogations from quality management system requirements, with simplified approaches proportionate to their size.

Title VII — Governance8 entries
Title VIIGovernance

EU-level governance framework including the AI Office, European Artificial Intelligence Board, advisory forum, scientific panel, and national competent authorities.

Article 64AI Office

The Commission establishes the AI Office to develop Union expertise and capabilities in AI, and to contribute to implementation, monitoring and supervision of AI systems and GPAI models.

Article 65Establishment and structure of the European Artificial Intelligence Board

The European Artificial Intelligence Board is established to advise and assist the Commission, facilitate consistent application of the Regulation across Member States.

Article 66Tasks of the Board

The Board shall advise and assist the Commission and Member States on implementation, contribute to guidance and opinions, and share expertise and best practices among Member States.

Article 67Advisory forum

An advisory forum is established to provide technical expertise and advise the Board and Commission, with balanced representation from industry, SMEs, startups, civil society, and academia.

Article 68Scientific panel of independent experts

A scientific panel of independent experts supports enforcement activities, provides qualified alerts on GPAI systemic risks, and advises on classification of GPAI models with systemic risk.

Article 69Access to the pool of experts by the Member States

Member States may call upon the pool of experts established under Article 68 to support their enforcement activities under the Regulation.

Article 70Designation of national competent authorities and single points of contact

Each Member State shall establish or designate at least one notifying authority and at least one market surveillance authority as national competent authorities, and designate a single point of contact.

Title IX — Post-Market Monitoring, Information Sharing and Market Surveillance24 entries
Title IXPost-Market Monitoring, Information Sharing and Market Surveillance

Post-market monitoring by providers, serious incident reporting, market surveillance enforcement, remedies, and supervision of GPAI model providers.

Article 72Post-market monitoring by providers and post-market monitoring plan for high-risk AI systems

Providers of high-risk AI shall establish and document a post-market monitoring system proportionate to the nature of the AI technology and the risks, including a post-market monitoring plan as part of the technical documentation.

Article 73Reporting of serious incidents

Providers of high-risk AI systems placed on the Union market shall report any serious incident to the market surveillance authorities of the Member States where that incident occurred.

Article 74Market surveillance and control of AI systems in the Union market

Market surveillance authorities shall carry out market surveillance and enforcement activities in accordance with Regulation (EU) 2019/1020, adapted for AI systems under this Regulation.

Article 75Mutual assistance, market surveillance and control of general-purpose AI systems

Where an AI system is based on a GPAI model, the relevant market surveillance authority may request cooperation from the AI Office for enforcement of GPAI-related obligations.

Article 76Supervision of testing in real world conditions by market surveillance authorities

Market surveillance authorities may require providers to provide information on real-world testing and may carry out unannounced inspections of such testing.

Article 77Powers of authorities protecting fundamental rights

National public authorities supervising fundamental rights obligations may request and access documentation under the Regulation to assess AI system compliance with fundamental rights.

Article 78Confidentiality

Authorities shall respect confidentiality of information and data obtained in the course of their tasks, particularly trade secrets and sensitive business information.

Article 79Procedure at national level for dealing with AI systems presenting a risk

Where an AI system presents a risk, the market surveillance authority shall carry out an evaluation, and if non-compliant, require the operator to take corrective action.

Article 80Procedure for dealing with AI systems classified by the provider as non-high-risk in application of Annex III

Where a market surveillance authority considers that an AI system classified as non-high-risk by the provider does pose significant risk, it may challenge the classification and require corrective measures.

Article 81Union safeguard procedure

Where a Member State objects to a measure taken by another Member State, the Commission shall evaluate and decide whether the national measure is justified.

Article 82Compliant AI systems which present a risk

Even a compliant AI system may be found to present a risk — in such cases, the authority may require the provider to take measures to eliminate the risk.

Article 83Formal non-compliance

Market surveillance authorities shall address formal non-compliance such as missing CE marking, missing documentation, or missing declaration of conformity.

Article 84Union AI testing support structures

The Commission shall designate Union AI testing support structures to provide independent testing capabilities, tools and scientific support to national competent authorities and notified bodies.

Article 85Right to lodge a complaint with a market surveillance authority

Natural or legal persons having grounds to consider that there has been an infringement of this Regulation may lodge a complaint with the relevant market surveillance authority.

Article 86Right to explanation of individual decision-making

Affected persons subject to decisions by deployers on the basis of high-risk AI system output that produces legal effects shall have the right to obtain clear and meaningful explanations of the role of the AI system.

Article 87Reporting of infringements and protection of reporting persons

Persons reporting infringements of this Regulation shall be protected under Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law.

Article 88Enforcement of the obligations of providers of general-purpose AI models

The AI Office is responsible for enforcement of obligations of GPAI model providers under Chapter V, with investigation, evaluation, and measure request powers.

Article 89Monitoring actions

The AI Office may undertake actions to monitor compliance of GPAI model providers, including requesting documentation and information.

Article 90Alerts of systemic risks by the scientific panel

The scientific panel may issue a qualified alert to the AI Office when it has reason to suspect that a GPAI model may pose a concrete identifiable risk at Union level.

Article 91Power to request documentation and information

The AI Office may request GPAI model providers to provide the documentation drawn up pursuant to Articles 53 and 55, and any additional information necessary for enforcement.

Article 92Power to conduct evaluations

The AI Office may conduct evaluations of GPAI models to assess compliance with obligations under Chapter V, including the right to request the provider to take measures.

Article 93Power to request measures

Where necessary, the AI Office may request providers of GPAI models to take appropriate measures to comply with obligations or to address identified risks.

Article 94Procedural rights of economic operators of the general-purpose AI model

Providers of GPAI models shall enjoy procedural rights including the right to be heard before the AI Office takes enforcement decisions, and rights of defense.

Title X — Codes of Conduct and Guidelines3 entries
Title XCodes of Conduct and Guidelines

Voluntary codes of conduct for non-high-risk AI systems and Commission guidelines on implementation of the regulation.

Article 95Codes of conduct for voluntary application of specific requirements

The AI Office and Member States shall encourage and facilitate the drawing up of codes of conduct for voluntary application of requirements to AI systems other than high-risk AI systems.

Article 96Guidelines from the Commission on the implementation of this Regulation

The Commission shall develop guidelines on the practical implementation of the Regulation, including on the application of high-risk requirements, prohibited practices, and transparency obligations.

Title XI — Delegation of Power and Committee Procedure3 entries
Title XIDelegation of Power and Committee Procedure

Exercise of delegated powers conferred on the Commission and committee procedure for implementing acts.

Article 97Exercise of the delegation

The power to adopt delegated acts is conferred on the Commission subject to conditions including revocation by the European Parliament or Council and an objection period.

Article 98Committee procedure

The Commission is assisted by a committee within the meaning of Regulation (EU) No 182/2011 for the purposes of this Regulation.

Title XIII — Final Provisions13 entries
Title XIIIFinal Provisions

Amendments to existing Union legislation, transitional provisions for systems already on the market, GPAI model compliance timelines, evaluation and review, and entry into force with phased application dates.

Article 102Amendment to Regulation (EC) No 300/2008

Amends Regulation (EC) No 300/2008 on common rules in the field of civil aviation security to reference AI system requirements.

Article 103Amendment to Regulation (EU) No 167/2013

Amends Regulation (EU) No 167/2013 on the approval and market surveillance of agricultural and forestry vehicles to include AI system requirements.

Article 104Amendment to Regulation (EU) No 168/2013

Amends Regulation (EU) No 168/2013 on the approval and market surveillance of two- or three-wheel vehicles and quadricycles to include AI system requirements.

Article 105Amendment to Directive 2014/90/EU

Amends Directive 2014/90/EU on marine equipment to include AI system conformity assessment requirements.

Article 106Amendment to Directive (EU) 2016/797

Amends Directive (EU) 2016/797 on the interoperability of the rail system to include AI system requirements.

Article 107Amendment to Regulation (EU) 2018/858

Amends Regulation (EU) 2018/858 on the approval and market surveillance of motor vehicles to include AI system requirements.

Article 108Amendments to Regulation (EU) 2018/1139

Amends Regulation (EU) 2018/1139 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency to include AI system requirements.

Article 109Amendment to Regulation (EU) 2019/2144

Amends Regulation (EU) 2019/2144 on type-approval requirements for motor vehicles regarding general safety to include AI system requirements.

Article 110Amendment to Directive (EU) 2020/1828

Amends Directive (EU) 2020/1828 on representative actions for the protection of the collective interests of consumers to include this Regulation.

Article 111AI systems already placed on the market or put into service and general-purpose AI models already placed on the market

Transitional provisions: systems placed on market before enforcement dates may continue if not significantly modified. GPAI models placed on market before August 2025 must comply with Article 53 by August 2027.

Article 112Evaluation and review

The Commission shall assess the need for amendment of the list in Annex III once a year and evaluate and review this Regulation by 2 August 2029, with reports to the European Parliament and the Council.

Article 113Entry into force and application

This Regulation enters into force on the twentieth day following publication. Phased application: prohibited practices from 2 February 2025, GPAI obligations from 2 August 2025, high-risk (Annex III) from 2 August 2026, high-risk (Annex I) from 2 August 2027.

How EU AI Act maps to other frameworks

ISO/IEC 4200128 audited mappingsview framework →
NIST AI RMF8 audited mappingsview framework →
ISO/IEC 2700110 audited mappingsview framework →
OWASP LLM Top 104 audited mappingsview framework →
OWASP Agentic AI Top 105 audited mappingsview framework →
MITRE ATLAS8 audited mappingsview framework →

Sample audited mappings

High6.1.2Article 9Both require systematic, documented risk management for AI systems throughout the lifecycle
High6.1.4Article 9Impact assessment of AI systems on individuals and society feeds directly into risk management
High8.4Article 9Operational impact assessment requirements align with continuous risk management
HighA.5.2Article 9Impact assessment process requirements serve AI risk management system needs
MediumA.5.4Article 14Individual impact assessment informs but does not directly address human oversight design requirements
HighA.7.2Article 10Data governance and management practices for AI training, validation, and testing data

All 63 mappings are browsable in the interactive explorer and its knowledge graph.

Implementation templates for EU AI Act

Related guides

Frequently asked questions

How many EU AI Act entries does the Framework Explorer cover?

131 entries, each with a plain-English explanation, implementation guidance at three organization sizes, evidence checklists, and risk context. 48 entries carry source-grounded risk profiles.

How does EU AI Act relate to the other AI governance frameworks?

The Framework Explorer documents 63 audited cross-framework mappings touching EU AI Act, connecting it to ISO/IEC 42001, NIST AI RMF, ISO/IEC 27001, OWASP LLM Top 10, OWASP Agentic AI Top 10, MITRE ATLAS. Every mapping was verified against the source documents.

Is this content the official EU AI Act text?

No. Entry titles identify each requirement, and all explanations are original plain-English summaries written by Tech Jacks Solutions. For official text, consult the publishing body directly.

Explore the other frameworks