Gallery

Contacts

411 University St, Seattle, USA

engitech@oceanthemes.net

+1 -800-456-478-23

Twitter Facebook-f Pinterest-p Instagram

AI Governance EU AI ACT Guide

// EU AI Act Hub
FULL EFFECT IN
Live
AUG 2, 2026·High-risk Annex III obligations take effect (Art. 113) AUG 2, 2027·Annex I safety-component deadline (Art. 113) MAR 18, 2026·Parliament IMCO/LIBE committee vote on omnibus amendments MAY 1, 2026·Council–Parliament trilogue on simplification package AUG 2, 2026·High-risk Annex III obligations take effect (Art. 113) AUG 2, 2027·Annex I safety-component deadline (Art. 113) MAR 18, 2026·Parliament IMCO/LIBE committee vote on omnibus amendments MAY 1, 2026·Council–Parliament trilogue on simplification package
§ I Regulation (EU) 2024/1689 In force Aug 1, 2024 · Staggered application per Art. 113
EU AI ACT · Compliance Hub

The EU AI Act reaches full enforcement in

Days
Hours
Minutes
Target · Aug 2, 2026 · 00:00 UTC · Article 113 main enforcement

The world's first binding AI law. Prohibited practices under Article 5 have been enforceable since February 2, 2025. GPAI obligations began August 2, 2025. On August 2, 2026, Annex III high-risk duties and Article 50 transparency rules go live for every provider and deployer whose output reaches the EU. Non-EU organizations are in scope too.

4 Risk Tiers Prohibited → Minimal
€35M Max Fine or 7% global turnover
27 Member States Single-market reach
Run Scope Check Latest updates →
§ 02 · Scope Assessment Art. 2~2 min
02 Territorial & personal scope

Does the Act apply to you?

Scope isn't geographical. It's functional. Article 2 reaches any organization whose AI system is placed on the EU market, put into service in the EU, or whose output is used in the EU, regardless of where the provider is established. Start by identifying your legal role. Obligations flow from role, not job title.

Art. 3(3) · Provider
You develop an AI system

Or have one developed with a view to placing it on the EU market or putting it into service under your name or trademark. Paid or free, the duty set is the same.

Heaviest duty set · Arts. 16, 9–15, 17, 43
Art. 3(4) · Deployer
You use an AI system in your work

Under your authority, other than for personal non-professional use. Most enterprises are deployers for most tools they adopt.

Operational duties · Arts. 26, 27
Art. 3(6) · Importer
You bring a non-EU AI system into the EU

You verify the provider completed conformity assessment, CE-marked the system, and appointed an EU representative before you place it on the market.

Gatekeeper duties · Art. 23
Art. 3(7) · Distributor
You make an AI system available in the EU

In the supply chain, other than as provider or importer. Before distributing, verify CE mark, documentation, and provider/importer identity.

Chain-of-custody duties · Art. 24
Extraterritorial reach Art. 2(1)(a–c)
The Act binds you even if your company isn't established in the EU. Article 2(1)(c) captures providers and deployers established in a third country where the output produced by the AI system is used in the Union. Think of a US-based HR SaaS scoring candidates for a Dutch employer: fully in scope. Non-EU providers must appoint an EU-established authorised representative before placing a high-risk system on the market (Art. 22).
Role can change Art. 25 reclassification
A distributor, importer, deployer, or other third party who puts their name or trademark on a high-risk AI system, substantially modifies it, or modifies its intended purpose in a way that turns a non-high-risk system into a high-risk one becomes the provider and assumes the full provider obligation set. White-labelling and significant fine-tuning are the most common triggers.
STEP 01 · YOUR ROLE
What's your relationship to the AI system?
STEP 02 · REACH
Does output or use touch the EU?
STEP 03 · ANNEX III
Any of these high-risk use cases?
§ 03 · Risk Classification Arts. 5, 6, 50, 954 tiers
03 Every system lands in one of four categories

Four tiers. One framework.

Every AI system in EU scope is sorted by the harm it could cause, not by the technology it uses. The tier decides whether the system is banned outright, must pass a formal conformity assessment, must disclose itself to users, or carries no new duties at all. Select a tier to see the concrete rules, examples, and enforcement exposure.

Two paths into high-risk Arts. 6(1) & 6(2)

Annex I: safety components of regulated products. AI that acts as a safety component of, or is itself, a product covered by EU harmonisation legislation already requiring third-party conformity assessment (medical devices, machinery, toys, vehicles, aviation, rail). Becomes enforceable Aug 2, 2027.

Annex III: eight standalone use-case categories. Systems placed on the EU market for the following purposes are high-risk regardless of the product they sit in: (1) biometrics, (2) critical infrastructure, (3) education and vocational training, (4) employment, worker management and access to self-employment, (5) access to essential private and public services and benefits, (6) law enforcement, (7) migration, asylum and border control, (8) administration of justice and democratic processes. Annex III high-risk duties apply from Aug 2, 2026.

03·a Article 5 in detail · what is banned

The eight prohibited practices.

Article 5(1) lists eight AI uses that are banned outright across the EU since February 2, 2025. Breaching any of them carries the highest penalty band: €35M or 7% of worldwide annual turnover, whichever is higher. Each is paraphrased below alongside its paragraph reference.

Art. 5(1)(a)
Subliminal or manipulative techniques

AI deployed with the objective, or effect, of materially distorting a person's behaviour by using techniques beyond their consciousness, in a way that causes or is likely to cause significant harm.

Example: dark-pattern nudging that coerces a vulnerable user into a loan.
Art. 5(1)(b)
Exploiting vulnerabilities

AI that exploits vulnerabilities due to age, disability, or a specific social or economic situation, with the objective or effect of materially distorting behaviour and causing significant harm.

Example: gamified apps targeting children with addictive reward loops.
Art. 5(1)(c)
Social scoring by authorities or on behalf of them

Classifying natural persons over time based on their social behaviour or personality traits, where the score leads to detrimental treatment in contexts unrelated to the data's origin, or that is unjustified or disproportionate.

Example: denying welfare eligibility based on unrelated social-media scoring.
Art. 5(1)(d)
Individual predictive policing by profiling

AI that assesses or predicts a natural person's risk of committing a criminal offence based solely on profiling or personality traits. Allowed only if supporting a human assessment already grounded in objective, verifiable facts.

Example: algorithmic pre-crime scores with no human-led investigative basis.
Art. 5(1)(e)
Untargeted scraping of facial images

Creating or expanding facial-recognition databases through untargeted scraping of images from the internet or CCTV footage.

Example: Clearview-style bulk ingestion of public photos into an identity database.
Art. 5(1)(f)
Emotion recognition in workplace and education

Inferring emotions of a natural person in the areas of workplace and education, except for medical or safety reasons.

Example: camera system scoring call-centre agent "engagement" in real time.
Art. 5(1)(g)
Biometric categorisation of sensitive attributes

Categorising persons individually based on biometric data to deduce race, political opinions, trade-union membership, religious beliefs, sex life or sexual orientation.

Example: face-analysis tool that infers political leaning for ad targeting.
Art. 5(1)(h)
Real-time remote biometric identification in public spaces, by law enforcement

Prohibited by default. Narrow exceptions exist for targeted search of missing persons, prevention of a genuine and imminent threat, or localisation of suspects of a closed list of serious crimes. Each requires prior judicial or independent authorisation (Art. 5(3)) plus a fundamental-rights impact assessment (Art. 27).

Even when permitted, two-person verification is required under Art. 14(5).
Who enforces? Art. 99(3)
National market-surveillance authorities in each Member State can impose administrative fines up to €35,000,000 or 7% of worldwide annual turnover, whichever is higher. These prohibitions entered into application on February 2, 2025, well before any of the high-risk obligations. They're live today, not a future concern.
Source: EU AI Act Arts. 5(1)(a–h), 5(2–4), 14(5), 27, 99(3); Recitals 28–44. Cross-checked against TJS Practitioner Guide § 2.1 and Advanced Guide §§ 1.3–1.4, § 7 (RBI exception architecture).
§ 04 · Obligations by Role Arts. 9–2710 roles
04 Article-to-role accountability map

Who owns what.

The Act defines four legal actors (provider, deployer, importer, distributor per Art. 3). Inside most organisations those obligations fan out across ten operational roles: engineering, product, ML, legal, risk/GRC, procurement, MLOps, data protection, the business owner who deploys the system, and internal audit. Pick your role to see which articles land on your desk.

04·a Fundamental Rights Impact Assessment

FRIA. The deployer-side duty most teams underestimate.

Article 27 is unusual. It applies to the deployer of a high-risk system, not the provider. Before first use, specific deployer categories must assess the impact on fundamental rights. When GDPR is also engaged, the FRIA supplements (not replaces) a Data Protection Impact Assessment.

Who must complete a FRIA? Art. 27(1)

The FRIA duty is not for every deployer of every high-risk system. It applies to three categories:

  • Bodies governed by public law: national, regional or local authorities.
  • Private operators providing public services: schools, hospitals, housing, social security, welfare and similar services.
  • Deployers of two Annex III categories regardless of status: creditworthiness and credit scoring (Annex III 5(b)) and risk assessment / pricing in life and health insurance (Annex III 5(c)).
Six required elements Art. 27(1)(a–f)
  • (a) a description of the deployer's processes where the system will be used;
  • (b) the period of time and frequency of intended use;
  • (c) the categories of natural persons and groups likely to be affected;
  • (d) the specific risks of harm likely to impact those categories, taking into account provider information;
  • (e) the measures for human oversight under the instructions for use;
  • (f) measures to be taken if those risks materialise, including arrangements for internal governance and complaint-handling.
Timing & notification Art. 27(2–4)
Complete the FRIA before first use. Update it whenever any element materially changes. Notify the national market-surveillance authority of the results using the template the AI Office will publish. Where a GDPR DPIA already covers the same processing, the FRIA complements that DPIA. It doesn't substitute it (Art. 27(4)).
04·b Individual rights under the Act

What people can demand from you.

Compliance isn't just paperwork between you and a regulator. The Act creates individual rights. Natural persons affected by a high-risk system can lodge complaints and obtain explanations, and workers who raise compliance concerns are protected.

Art. 85 · Right to complain
Lodge a complaint with a market-surveillance authority

Any natural or legal person with grounds to consider the Act has been infringed may file a complaint with the relevant national authority, which has a duty to investigate as part of its monitoring role.

Practical impact: treat inbound complaints like a GDPR DSR. Triage, investigate, respond.
Art. 86 · Right to explanation
Explanation of individual decision-making

Any affected person subject to a decision taken by the deployer on the basis of a high-risk Annex III system's output that produces legal effects, or similarly significantly affects them, has the right to obtain clear and meaningful explanations of the role of the AI system in the decision procedure and the main elements of the decision.

Practical impact: your deployer UX needs a plain-language "why this decision?" surface.
Directive (EU) 2019/1937 · Whistleblower
Protection when reporting breaches

Workers who report suspected AI Act infringements benefit from the protections of the Whistleblower Directive (retaliation-free reporting channels and remedies), as extended by Art. 87 of the AI Act.

Practical impact: your internal AI-ethics hotline must meet the Directive's standard.
Source: EU AI Act Arts. 3, 16, 22–27, 50, 85, 86, 87. Cross-checked against TJS Practitioner Guide §§ 3.1–3.3 (provider/deployer duties) and Advanced Guide § 2 (FRIA) and § 6.3 (individual rights).
04·c Framework crosswalk · NIST AI RMF & ISO/IEC 42001

Fit the Act into the frameworks you already run.

🔍 Explore EU AI Act Requirements Interactively

Navigate all 125 EU AI Act articles with cross-framework alignments to ISO 42001, NIST AI RMF, ISO 27001, OWASP, and MITRE ATLAS — with risk profiles and implementation guidance.

Launch Framework Explorer →
class="tj-euai-section-lead">If your programme already follows NIST's AI Risk Management Framework or an ISO/IEC 42001 AI management system, most of the Act's article duties map directly onto existing controls. The mappings don't replace compliance. An authority will still cite articles. But they let you reuse evidence and avoid rebuilding a parallel governance stack.

NIST AI RMF 1.0 (Jan 2023)
  • GOVERN: organisational policy, accountability, culture. Anchors Arts. 17 (quality management), 26 (deployer policies) and 4 (AI literacy).
  • MAP: context, purpose, impacts. Anchors Arts. 9(2) (risk identification), 6 & Annex III (use-case classification) and 27 (FRIA).
  • MEASURE: testing, evaluation, metrics. Anchors Arts. 9(5–7), 15 (accuracy, robustness, cybersecurity) and 55 (GPAI evaluations).
  • MANAGE: prioritisation, response, continuous improvement. Anchors Arts. 9(3) (risk treatment), 72 (post-market monitoring), 73 (serious-incident reporting) and 20 (corrective actions).
ISO/IEC 42001:2023 AI Management System
  • AIMS scope & Clause 5 leadership: directly operationalises Art. 17 (QMS) and Art. 26 deployer governance duties.
  • Clause 6.1 risk and opportunity: the structural home for the Art. 9 risk management system across the lifecycle.
  • Annex B objectives / Annex C controls: data quality, documentation, transparency and human-oversight controls that satisfy Arts. 10, 11, 13 and 14.
  • Clauses 9 & 10 performance and improvement: the continuous-monitoring engine that feeds Art. 72 post-market monitoring and Art. 73 incident reporting.
Gaps that still need Act-specific work Do not assume coverage
Even with mature NIST and ISO programmes, eight items rarely come "for free" and must be built explicitly against the Act:
  • Art. 5 prohibited-practice screening in your intake process;
  • Art. 6 + Annex III use-case classification gate;
  • Art. 22 authorised representative (for non-EU providers);
  • Art. 27 FRIA with the six required elements and authority notification;
  • Art. 43 conformity-assessment route selection (Annex VI internal-control vs. Annex VII notified-body);
  • Art. 47 EU declaration of conformity kept for ten years;
  • Art. 49 EU-database registration of high-risk systems;
  • Art. 86 right-to-explanation surface in the deployer UX.
Source: NIST AI RMF 1.0 (GOVERN/MAP/MEASURE/MANAGE); ISO/IEC 42001:2023 Clauses 4–10 and Annexes A–D; mapped to EU AI Act Arts. 4, 5, 6, 9, 10, 11, 13, 14, 15, 17, 20, 22, 26, 27, 43, 47, 49, 55, 72, 73, 86. See TJS Advanced Guide § 3.3 for the full crosswalk.
§ 05 · Fines & Enforcement Arts. 99–1013 tiers
05 Penalty scale, whichever is higher

What non-compliance costs.

Penalties scale by the class of breach, not by your size or sector. Fines are decided per incident by national authorities (by the AI Office for GPAI), using a published list of mitigating and aggravating factors. For SMEs the rule flips: the lower of the two amounts applies, not the higher.

Tier 1 Prohibited practices (Art. 5) Art. 99(3)
€35M or 7% worldwide annual turnover
Tier 2 Other requirements + GPAI violations Art. 99(4)
€15M or 3% worldwide annual turnover
Tier 3 Incorrect or misleading information Art. 99(5)
€7.5M or 1% worldwide annual turnover

Whichever amount is higher applies. SMEs: the lower applies (Art. 99(6)).

How fines are calibrated Art. 99(7)
National authorities must consider seven factors when setting the amount. A cooperative operator with a single, quickly-remedied breach is treated very differently from a repeat offender that concealed the problem:
  • (a) nature, gravity and duration of the infringement and of its consequences;
  • (b) whether other authorities have already imposed penalties for the same infringement;
  • (c) size, annual turnover and market share of the operator;
  • (d) any financial benefit gained, or loss avoided, through the infringement;
  • (e) degree of cooperation with the competent authority to remedy the infringement and mitigate effects;
  • (f) degree of responsibility taking into account technical and organisational measures;
  • (g) manner in which the authority became aware, in particular whether the operator self-notified.
SME & start-up rule Art. 99(6)
For SMEs and start-ups, the amounts in 99(3)–(5) are caps, not floors. The lower of either the fixed amount or the percentage of worldwide turnover applies. This reverses the default "whichever is higher" rule and is the Act's main concession to proportionality for smaller operators.
Worked scenario Tier 1 · Art. 5(1)(f)
A 200-employee EU company deploys a camera-based "focus and mood" tool that scores call-centre agents in real time. It isn't medical. It isn't a safety system. Inferring emotions of employees in a workplace falls squarely under Art. 5(1)(f). Prohibited. Exposure: up to €35,000,000 or 7% of worldwide annual turnover, whichever is higher (Art. 99(3)). If the operator qualifies as an SME, the lower of the two applies (Art. 99(6)). Because this is a Tier 1 breach, no conformity assessment cures it. The deployment must end.
Source: EU AI Act Arts. 5(1)(f), 99(3)–(7), 101. Cross-checked against TJS Practitioner Guide § 5 and Advanced Guide § 6.2.
§ 06 · General-Purpose AI Arts. 51–5610²⁵ FLOPs
06 Baseline plus systemic-risk overlay

General-purpose AI has its own chapter.

Chapter V (Arts. 51–56) governs GPAI models. These are systems trained on large amounts of data using self-supervision at scale and displaying significant generality. Every GPAI model carries a baseline of documentation and copyright duties. Models that cross the systemic-risk threshold pick up an evaluation, mitigation and incident-reporting overlay. They're also supervised centrally by the AI Office rather than by Member-State authorities.

ALL GPAI · Art. 53
4 baseline obligations

Applies to every GPAI model placed on the EU market, regardless of compute.

  • Technical documentation for the AI Office and downstream providers
  • Instructions for integration into downstream systems
  • Copyright policy compliant with Directive (EU) 2019/790
  • Public summary of training data content
Systemic Risk · Arts. 51, 55
+4 additional obligations

Triggered when cumulative training compute exceeds the threshold or the AI Office designates the model.

  • Model evaluations including adversarial testing
  • Systemic risk assessment and mitigation
  • Incident reporting to the AI Office
  • Adequate cybersecurity protection
1025 FLOPs
Systemic risk threshold. Cumulative training compute measured in floating-point operations, per Article 51(2). Currently captures the frontier models. The Commission can update the threshold.
Two documentation packets Annexes XI & XII

Annex XI: model technical documentation. Kept by the provider and made available to the AI Office on request. Covers the model's intended tasks and acceptable-use policy, architecture, number of parameters, input/output modalities, licence, training methodology and data, compute used, energy consumption, and known limitations.

Annex XII: downstream-provider documentation. Shared with providers who integrate the GPAI into their own AI systems. A tighter packet focused on capabilities, limitations, integration instructions, and the technical means for downstream conformity. Required even for models whose Annex XI is shielded from publication.

Designation as systemic-risk Art. 51(1)(b) · Annex XIII
Crossing 1025 FLOPs is one trigger. The Commission can also designate a model as systemic-risk by applying the Annex XIII criteria: number of parameters, dataset quality/size, input and output modalities, benchmarks for capabilities, business-user and end-user reach, its integration into critical systems, and registered users. Designation is effective without further procedure.
Compliance path Art. 56 codes of practice
Until a harmonised standard exists, adherence to an approved code of practice drawn up by the AI Office with providers and civil society provides the operational route to demonstrating compliance with Arts. 53 and 55. The first GPAI Code of Practice was finalised in 2025; non-signatories must demonstrate compliance by other means deemed adequate by the AI Office.
Enforcement seat Arts. 88, 101
GPAI supervision and enforcement sits with the AI Office inside the European Commission, not national market-surveillance authorities. Penalties are capped at €15M or 3% of worldwide annual turnover, whichever is higher (Art. 101), using the same seven calibrating factors as national fines. Downstream integrators who substantially modify a GPAI model may inherit provider status under Art. 25.
Source: EU AI Act Arts. 3(63), 25, 51–56, 88, 101; Annexes XI, XII, XIII. Cross-checked against TJS Practitioner Guide § 4 and Advanced Guide § 5 (GPAI operational specifics).
§ 07 · Enforcement Timeline Art. 113Auto-synced
07 Staggered entry into application

What's live. What's coming.

Article 113 staggers application over three years so different parts of the Act take effect at different times. "In force" (Aug 1, 2024) means the text is law. "In application" means the articles are enforceable. Two duties (the Art. 5 prohibitions and the Art. 4 AI-literacy obligation) have been enforceable since February 2, 2025.

Complete Current window Upcoming
AUG 1, 2024 Entered force
Regulation (EU) 2024/1689 enters into force

The Act is published in the Official Journal. Staggered application begins under Article 113.

FEB 2, 2025 Prohibited
Article 5 prohibitions apply

The eight banned practices, from subliminal manipulation to workplace emotion recognition, become enforceable across the EU. National authorities can impose up to €35M or 7% of worldwide annual turnover under Art. 99(3).

FEB 2, 2025 Literacy
Article 4 AI literacy duty applies

Providers and deployers must ensure their staff and anyone operating AI on their behalf have a sufficient level of AI literacy. Training is calibrated to technical knowledge, context of use and the persons affected. Applies to every risk tier.

MAY 2, 2025 Codes
GPAI Codes of Practice deadline

Article 56 set this as the target for codes of practice to be ready. Until harmonised standards exist, adherence to an approved code is the operational route to demonstrating compliance with Arts. 53 and 55 for GPAI providers.

AUG 2, 2025 GPAI
GPAI obligations + Arts. 64–68 governance apply

Articles 53–55 take effect for GPAI models placed on the market after this date. The AI Office, AI Board, Advisory Forum and Scientific Panel become operational under Arts. 64–68, along with penalty provisions.

MAR 18, 2026 Committee vote
IMCO/LIBE omnibus amendments vote

European Parliament committees vote on the simplification package. Outcome informs trilogue scope.

March 2026 digest →
MAY 1, 2026 Trilogue
Council–Parliament trilogue opens

Interinstitutional negotiations on omnibus simplification amendments begin.

AUG 2, 2026 Main enforcement
Annex III high-risk + Article 50 transparency + sandboxes apply

Full provider obligations (Arts. 9–15, 17, 43) and deployer obligations (Arts. 26, 27) for Annex III systems take effect. Article 50 transparency duties for chatbots, deepfakes and AI-generated media go live. Each Member State must have at least one operational regulatory sandbox (Art. 57).

AUG 2, 2027 Annex I
Annex I safety-component deadline

High-risk obligations extend to AI that is a safety component of, or is itself, a regulated product under existing EU harmonisation legislation (medical devices, machinery, toys, vehicles, rail, aviation). These producers already run third-party conformity assessment. The Act overlays on top.

DEC 2, 2027 Backstop
Legacy GPAI compliance backstop

GPAI models placed on the market before Aug 2, 2025 must reach full conformity by this date. The "grandfather" window for pre-existing frontier models closes.

Source: EU AI Act Art. 113 (entry into application); Arts. 4, 5, 50, 53–55, 57, 64–68, 99, 111. Cross-checked against TJS Practitioner Guide § 6 (critical deadlines).
§ 08 · Latest Intelligence AI News Hub pipelineMonthly digests
08 News & enforcement updates

Regulatory intelligence, live.

Monthly enforcement updates, commission guidance, and compliance news drawn from verified sources across the EU AI Office, European Parliament, and Council. Updated automatically as new developments publish.

Latest Digest March 2026

Council agrees AI Act amendments. Parliament approves CoE Framework Convention. New prohibited practices proposed in the omnibus package. Read the March digest →
Jan 2026 Prohibited practices enforcement begins. AI literacy obligations take effect. First GPAI Code of Practice draft published. Feb 2026 Commission misses Art. 6 guidelines deadline. Parliament publishes Digital Omnibus analysis. Ireland AI enforcement bill. GPAI Code signatory taskforce launches. Mar 2026 Council agrees AI Act amendment position. Parliament approves CoE AI Convention. New prohibited practices proposed. Content labeling Code second draft published.
DOCX
Beginner's Guide What the EU AI Act is, who it affects, and what to do first
DOCX
Practitioner Guide Risk management, conformity assessment, and implementation
DOCX
Advanced Guide Article-by-article analysis, incident reporting, and penalties
Browse all digests →
§ 09 · Next Steps ResourcesCarry the context
09 From briefing to execution

From scope check to compliance plan.

📊 Explore All 7 Frameworks Side by Side

Compare EU AI Act requirements with ISO 42001, NIST AI RMF, ISO 27001, and more — 517 clauses with risk profiles, implementation guidance, and cross-framework mappings.

Launch Framework Explorer →

The hub is a briefing, not a substitute for legal advice. Its job is to get you from "never read the Act" to "know which five articles we need help with" in an hour. Your scope and tier selections above already filtered the obligations, fines and timeline. These resources carry that context into execution.

I · Template Pack
Compliance Checklist

Article-by-article kit mapped to provider and deployer duties. Downloadable DOCX + PDF.

→ Download
II · Compliance Templates
EU AI Act Documentation

73+ article-referenced templates covering risk classification, technical documentation, and conformity assessment.

→ Get templates
III · Risk Register
AI Risk Management

Build and maintain your AI risk register with ISO 42001 and NIST AI RMF mappings. 5x5 scoring matrix included.

→ Get template
IV · Career Paths
AI Governance Roles

Chief AI Officer, AI Risk Manager, AI Auditor. Job families that own the obligations above.

→ View roles
V · AI News Hub
Regulation Intelligence

Daily briefs across regulation, industry, and research pillars. The upstream source for this hub's news feed.

→ Read briefs
VI · Digest Archive
Monthly EU AI Act Digests

Monthly roundups with downloadable Beginner, Practitioner, and Advanced compliance guides.

→ Browse archive
09·a Methodology & sources

How this hub is built and kept honest.

Every factual claim on this page is written against the four primary-source documents below and cross-checked to three internal reference guides. The hub is updated from those sources on a rolling basis. News cards and deadline rails refresh automatically as new developments are verified.

Methodology Editorial provenance

Primary text is Regulation (EU) 2024/1689 as published in the Official Journal of the European Union. Article numbering, penalty bands, and application dates all resolve to the consolidated EUR-Lex text. Interpretive points rely on official Commission / AI Office guidance, the artificialintelligenceact.eu tracker, and the TJS in-house Beginner, Practitioner and Advanced guides. No claims on this page were generated from model training data alone. Each section cites the article(s) and guide section(s) it's built from.

News cards and deadline tickers are published into marker regions by automated pipelines (sync-euai-news.py, sync-euai-timeline.py, gen-digest.py). Those regions are the only non-editorial surfaces on the page.

EUR-Lex · Regulation text
Official Regulation (EU) 2024/1689

Consolidated, authoritative text of the AI Act in 24 EU languages.

eur-lex.europa.eu
AI Office · Commission
European AI Office guidance

Central enforcer for GPAI; publishes codes of practice, templates, and FAQs.

digital-strategy.ec.europa.eu/en/policies/ai-office
Tracker · Future of Life
artificialintelligenceact.eu

Article-by-article explorer with recital cross-references and comparison tools.

artificialintelligenceact.eu
Commission · Service Desk
AI Act Service Desk

Commission-run implementation support for providers, deployers and SMEs.

digital-strategy.ec.europa.eu/en/policies/ai-act-service-desk
NIST · Framework
AI Risk Management Framework 1.0

Voluntary framework used in this hub's §04 crosswalk (GOVERN / MAP / MEASURE / MANAGE).

nist.gov/itl/ai-risk-management-framework
ISO/IEC · 42001:2023
AI Management System standard

Certifiable AIMS used as the ISO crosswalk basis. Buy through ISO or a national body.

iso.org/standard/81230.html
Regulation (EU) 2024/1689 · Hub Edition v2026.04 Primary sources: EUR-Lex · AI Office · artificialintelligenceact.eu · NIST · ISO Last verified: April 16, 2026 © Tech Jacks Solutions
How useful is this resource?

Buy Us a Coffee

We publish hundreds of free guides, templates, and intelligence briefs. If this resource saved you time or helped your career, consider buying us a coffee.

cup border Support Tech Jacks on Ko-fi

Every coffee helps us create more free resources for the community.

EU AI Act Compliance Updates

Regulation changes, compliance deadlines, and enforcement actions — as they happen.