EU AI Act Guide: Obligations, Fines & Compliance Checklist 2026
- Home
- EU AI Act Guide: Obligations, Fines & Compliance Checklist 2026
EU AI Act
Resource Center
The definitive compliance reference for the world's first comprehensive AI regulation. Navigate 113 articles, assess your readiness, map obligations to your systems, and follow a structured path to full compliance before the August 2026 deadline.
Check your EU AI Act obligations in minutes
Four grounded, interactive checkers. Each gives you a personal answer with the exact article behind it, no signup required.
Overview
Why the EU AI Act Changes Everything
The EU AI Act (Regulation (EU) 2024/1689) is the world's first binding, comprehensive AI law. It applies not just to EU-based organisations: any provider or deployer whose AI systems reach EU persons is in scope. Enforcement is already underway for the most prohibited uses, and full high-risk obligations arrive August 2, 2026.
Binding on providers, deployers, importers, and distributors of AI used in the EU, regardless of where your organisation is headquartered. Article 2 has extraterritorial reach equivalent to GDPR.
max fine for prohibited AI
Like GDPR, the EU AI Act is rapidly becoming the de facto global standard. Compliance prepares you for regulatory waves across the UK, Canada, US, and APAC, one framework, broad coverage.
AI regulation 2025–2026
Compliant high-risk AI systems carry CE conformity marking, a visible trust signal for enterprise buyers and a prerequisite for EU public procurement. Early compliance separates credible providers from the field.
EU public procurement
Key Application Dates
High-Risk Deadline Countdown
NOW IN EFFECT
Full high-risk obligations (risk management systems, technical documentation, transparency requirements, and human oversight) must be in place before this date.
Prohibited AI (Art. 5) and GPAI (Ch. V) are already active.
Start Here, Choose Your Role
Select your primary role for a curated panel sequence. Each path takes you through the most critical tools for your situation in the right order.
Where Do You Want to Go?
Article Navigator
All 12 Chapters · 113 Articles
Select a chapter to explore its key articles, obligations, and practical implications. Numbered as they appear in Regulation (EU) 2024/1689.
Obligations Reference
Providers of high-risk AI systems must satisfy all seven obligations in Articles 9–15 before placing their system on the EU market or putting it into service. These are cumulative, not optional or risk-proportionate at this stage.
View all 15 Annex IV required content areas ▾
- General description of the AI system and its intended purpose
- Description of elements and development process (design specifications)
- Design and development procedures and techniques
- Training methodology, training datasets, and data governance measures (Art. 10)
- Algorithm design, architecture, and key design choices
- Validation and testing procedures, including metrics and results by subgroup
- Standards applied and solutions adopted where standards not applied
- Conformity assessment procedure used (Annex VI or VII)
- Performance metrics including accuracy, robustness, and cybersecurity (Art. 15)
- Instructions for use provided to deployers (Art. 13)
- Human oversight interface and measures taken (Art. 14)
- Hardware and software requirements for intended use
- Description of foreseeable misuse scenarios and risk management measures
- Logging specification, what events are recorded and retention period
- Post-market monitoring plan reference (Art. 72)
Risk Tier Navigator
The EU AI Act classifies every AI system into one of four risk tiers. Tier determines which obligations apply, and failing to classify correctly exposes providers to market withdrawal and significant fines.
• Annex III standalone systems → Aug 2, 2026 (Art. 6(2))
• Annex I safety components → Aug 2, 2027 (Art. 6(1), Art. 113(c)). A proposed Digital Omnibus extension (PROPOSED, not yet law) could defer high-risk obligations to Aug 2, 2028.
Scope Checker
Work through these questions in order. A "Yes" answer that stops here means the Act applies to your activity. Follow the questions to your result, no legal advice, but a reliable first-pass scope assessment.
Check whether you are in a prohibited category (Art. 5), then assess your risk tier (Annex III / Art. 6).
If an exemption applies or you fall outside the definition, document your reasoning, regulators may challenge scope determinations.
Prohibited AI
These prohibitions have been enforceable since February 2, 2025, the first chapter of the EU AI Act to take effect. No transition period, no exemptions for existing systems. Violations carry the maximum penalty under the regulation.
Readiness Assessment
Answer 12 questions across six compliance domains. Your responses generate a readiness score and highlight priority gaps. No data is collected or transmitted. This runs entirely in your browser.
Compliance Roadmap
A structured five-phase approach to EU AI Act compliance, aligned with the regulation's enforcement timeline. Phases 1–2 should be complete before August 2, 2026, when the main provisions take effect.
Key Dates
The regulation entered into force on August 1, 2024. Its obligations take effect in stages, with prohibited practices already active, GPAI obligations already in force, and the main compliance deadline arriving August 2, 2026.
- Art. 9–15 high-risk AI technical requirements, providers must have completed conformity assessments, CE marking, and EU database registration (Art. 49(1))
- Art. 50 transparency obligations, AI systems interacting with natural persons must disclose they are AI
- Art. 27 FRIA, public-sector bodies and qualifying private deployers must conduct and document a Fundamental Rights Impact Assessment before deployment
- Art. 57, Member States must have at least one national AI regulatory sandbox operational
PROPOSED, not yet law. The European Commission's Digital Omnibus (COM(2025) 836, November 2025) is in trilogue. The Council of the EU adopted a negotiating position on 13 March 2026 (per the Council of the EU), a negotiating position, not final law. If it were adopted through trilogue, the proposal could make the following changes:
- PROPOSED, high-risk obligations may extend to 2 August 2028: under the Council negotiating position of 13 March 2026. The original high-risk application date, 2 August 2026, has not changed and remains binding.
- Annex III standalone high-risk AI: Deadline unchanged. 2 August 2026 remains the binding legal deadline.
- PROPOSED, Art. 50 synthetic-content marking shift: a Commission proposal of 2 February 2027 is under discussion, with competing dates (2 November 2026, 2 December 2026) still under negotiation. The core Art. 50 date remains 2 August 2026.
- GPAI (Chapter V): NOT affected. GPAI obligations remain binding from 2 August 2025. (The Omnibus separately proposes to ADD a prohibition on non-consensual intimate-image / nudifier tools to Art. 5, expanding it, not weakening it.)
- Prohibited AI (Art. 5): NOT affected. Prohibitions remain fully active from 2 February 2025.
The 2 August 2026 deadline remains legally binding until the Omnibus is formally adopted and published in the Official Journal. Trilogue negotiations collapsed once (April 2026); outcomes may change. Verify current status before adjusting compliance timelines.
GPAI Guide
Chapter V obligations apply to all providers of general-purpose AI (GPAI) models placed on the EU market, including open-source models, with narrow exceptions. GPAI obligations have been enforceable since August 2, 2025. Models above 10²⁵ FLOPs of training compute face additional systemic-risk requirements.
Models with training compute above 10²⁵ floating-point operations (FLOPs) are designated systemic-risk models. The Commission may also designate models based on other criteria (reach, capability, societal impact). These models must comply with all Art. 53 requirements plus enhanced obligations under Art. 55.
CONFIRMED: GPAI obligations are NOT affected by the proposed Digital Omnibus. The Digital Omnibus (Commission COM(2025) 836, November 2025) is in trilogue and is not yet law; the Council of the EU adopted a negotiating position on 13 March 2026 (a negotiating position, not final law). Under that proposal:
- PROPOSED: high-risk obligations may extend to 2 August 2028; the original 2 August 2026 date has not changed.
- Annex III standalone high-risk AI: Deadline unchanged. 2 August 2026 remains the binding deadline.
- GPAI (Chapter V): NOT affected, binding from 2 August 2025. The Omnibus proposes to ADD a prohibition on non-consensual intimate-image / nudifier tools to Art. 5, expanding it, not weakening it.
- Prohibited AI (Art. 5): NOT affected, active from 2 February 2025.
The 2 August 2026 deadline remains legally binding until the Omnibus is formally adopted and published in the Official Journal. Trilogue negotiations collapsed once (April 2026); outcomes may change.
Providers of open-source GPAI models are partially exempt from the full Art. 53 requirements: they must only comply with Art. 53(1)(c) (copyright policy) and Art. 53(1)(d) (training content summary), unless they are also providers of systemic-risk models, in which case all Art. 55 obligations apply regardless of open-source status.
The AI Office is facilitating development of codes of practice for GPAI providers. Adherence to an adopted code creates a presumption of conformity with Chapter V obligations. GPAI providers may demonstrate compliance either through codes of practice or directly against the applicable provisions.
Framework Crosswalk
Organisations that have already implemented ISO 42001, NIST AI RMF, or GDPR controls have a significant compliance head-start. This crosswalk shows where existing controls provide direct coverage, and where EU AI Act compliance requires additional work.
ISO/IEC 42001:2023 (AI Management System) aligns closely with EU AI Act governance, risk management, and documentation requirements. ISO 42001 certification provides strong evidence of conformity with Art. 9, 10, 17 obligations. Key gaps: ISO 42001 does not mandate CE marking, conformity assessment procedures, or the EU database registration required by the Act.
| EU AI Act Obligation | EU AI Act Article | ISO 42001 Reference | Coverage |
|---|---|---|---|
| Risk Management System | Art. 9 | Cl. 6.1.2, 8.3, 8.4 | Strong, AI risk assessment is core to ISO 42001 scope |
| Data Governance | Art. 10 | A.7.2–A.7.6 | Moderate, data quality covered, bias assessment is additional work |
| Technical Documentation | Art. 11 | Cl. 7.5, 8.2 | Moderate, documented information requirements align; Annex IV specifics are additional |
| Transparency / Instructions | Art. 13 | A.8.2, A.8.5 | Moderate, use-case documentation covers intent; Art. 13 specifics require additional detail |
| Human Oversight | Art. 14 | Cl. 6.1.4, 8.4 | Moderate, human review processes in scope; technical override mechanisms are additional |
| AI Governance / Roles | Art. 17 | Cl. 5.1, 5.3, 6.1 | Strong, leadership accountability and roles are central ISO 42001 requirements |
| Conformity Assessment | Art. 43 | N/A | Gap, ISO 42001 certification ≠ EU AI Act conformity assessment; CE marking required separately |
| Post-Market Monitoring | Art. 72 | Cl. 9.1, 9.3, 10.1 | Strong, continual improvement and performance evaluation directly map |
The NIST AI RMF (January 2023) maps well to EU AI Act risk and governance requirements. Organisations that have implemented GOVERN, MAP, MEASURE, and MANAGE functions have strong foundational coverage. The RMF is voluntary and US-focused, it does not cover conformity assessment, CE marking, or the regulatory penalties structure of the Act.
| EU AI Act Obligation | EU AI Act Article | NIST AI RMF | Coverage |
|---|---|---|---|
| Risk Management System | Art. 9 | MAP 1–5, MEASURE 2 | Strong, context, risk identification, and measurement functions directly map |
| Data Governance | Art. 10 | MAP 2.2, MEASURE 2.5 | Moderate, data quality and bias addressed in RMF; EU specificity requires additional documentation |
| Human Oversight | Art. 14 | GOVERN 6.1, MANAGE 4.1 | Moderate, human review in scope; Art. 14 technical specifications are more prescriptive |
| Post-Market Monitoring | Art. 72 | MANAGE 4.1–4.3, MEASURE 4 | Strong, MANAGE function covers ongoing monitoring and incident response |
| Governance / Accountability | Art. 17 | GOVERN 1–6 | Strong, organisational accountability and policy structures fully mapped |
The EU AI Act does not replace GDPR. It applies in addition to it. Many AI use cases are subject to both. GDPR controls on data minimisation, purpose limitation, and data subject rights all remain mandatory and provide partial coverage of Art. 10 (data governance) obligations.
ISO 27001 is a regulatory expectation for EU financial services firms under EBA ICT Risk Guidelines. Its controls map directly to EU AI Act cybersecurity and incident management requirements. Key gap: ISO 27001 does not cover conformity assessment (Art. 43), CE marking (Art. 48), or Annex IV technical documentation.
| EU AI Act Obligation | EU AI Act Article | ISO 27001:2022 | Coverage |
|---|---|---|---|
| Accuracy, Robustness, Cybersecurity | Art. 15 | ISO 27001 A.8.7, A.8.8, A.8.16 | Strong, technology controls (malware protection, vulnerability management, monitoring) map directly to cybersecurity requirements |
| Security in Quality Management | Art. 17(1)(g) | ISO 27001 A.5.37 (Organisational Controls) | Moderate, documented operating procedures provide partial QMS security alignment |
| Post-Market Monitoring / Incidents | Art. 72–73 | ISO 27001 A.5.24–A.5.28 | Strong, information security incident management clauses map to monitoring and reporting obligations |
| Conformity Assessment | Art. 43 | N/A | Gap, ISO 27001 certification does not satisfy EU AI Act conformity assessment; CE marking required separately |
| Annex IV Technical Documentation | Art. 11 | N/A | Gap, no ISO 27001 equivalent; must be produced independently per Annex IV requirements |
For a detailed crosswalk of 131 EU AI Act articles mapped to ISO 42001, NIST AI RMF, GDPR, and four additional frameworks, visit the EU AI Act Framework Explorer, an interactive tool with clause-level mapping, risk data, and template recommendations.
Enforcement & Fines
Administrative fines are tiered by violation severity. The penalty is whichever is higher, the fixed amount or the percentage of worldwide annual turnover. For SMEs and startups, the fine is the lower of the fixed amount or the percentage (Art. 99(6)). All fines must be effective, proportionate, and dissuasive.
Art. 99(7) requires national competent authorities to consider these factors when setting the fine amount. Fines must be effective, proportionate, and dissuasive, these factors determine where within the tier the penalty lands.
Enter your organisation's worldwide annual turnover to see indicative maximum exposure per tier. Actual fines depend on proportionality factors under Art. 99(7). SME cap applies automatically where it produces a lower figure.
INDICATIVE ONLY, not legal advice. Actual fines reflect Art. 99(7) proportionality factors.
Resources
Free, professionally crafted templates covering every major EU AI Act obligation. Each template cites the specific articles it addresses. Download links go directly to our compliance template library, no signup required.
High-risk AI providers must establish, implement, document, and maintain a Quality Management System under Art. 17. The QMS must address all seven components below and be proportionate to the size of the provider.
01Strategy for Regulatory Compliance
02Design, Development and Quality Verification Techniques
03Design & Development Procedures
04Validation, Testing & Verification
05Technical Standards & Harmonised Norms
06Data Management Procedures
07Post-Market Monitoring & Authority Communication
Three-tier guide series covering the EU AI Act from introductory overview to advanced legal and technical implementation. Each guide is free to download, no account required.
FAQ
Common questions about scope, classification, deadlines, GPAI, and compliance obligations, answered with article references so you can verify the source.
- Provider name, registration number, and contact details
- AI system name, version number, and intended purpose
- Annex III category (e.g., Annex III(4)(a), employment/worker management)
- Conformity assessment procedure used (Annex VI self-assessment or Annex VII third-party)
- EU Declaration of Conformity reference (Art. 47)
- CE marking details
- Summary of technical documentation accessible to the public
- Member States where the system has been or is intended to be placed on the market
- (a) The deployer's processes in which the high-risk AI system will be used, in line with its intended purpose
- (b) The period of time within which, and the frequency with which, the system is intended to be used
- (c) The categories of natural persons and groups likely to be affected in the specific context
- (d) The specific risks of harm likely to affect those persons, taking into account the information provided by the provider under Art. 13
- (e) The human-oversight measures to be implemented, according to the instructions for use
- (f) The measures to take if those risks materialise, including internal governance arrangements and complaint mechanisms
- Assess and mitigate: Immediately assess the impact and implement any available mitigation within your control.
- Notify your provider (Art. 26(5)): Report the incident to your AI system provider without undue delay. For a serious incident, Art. 26(5) requires you to inform first the provider, then the importer or distributor and the relevant market surveillance authorities. If you cannot reach the provider, Art. 73 applies to you directly. The provider's own reporting duty to the authority is under Art. 73(1).
- Provider reports to the authority: Your provider has at most 15 days from becoming aware to report a serious incident to the relevant market surveillance authority (Art. 73(2)). Where a person has died, the cap is 10 days (Art. 73(4)); for widespread infringements or serious disruption to critical infrastructure, 2 days (Art. 73(3)).
- Preserve logs: Maintain all relevant system logs for a minimum of 6 months to support investigation (Art. 26(6)).
- Cooperate: Support your provider's investigation and any subsequent market surveillance inquiry under Art. 74.
Definitions Art. 3 · Regulation (EU) 2024/1689
Every term below is drawn verbatim or paraphrased from Art. 3 of Regulation (EU) 2024/1689. Use these definitions to verify scope decisions, draft internal policies, and align documentation with the statutory language regulators will reference.
No definitions match your search.
Annex III Sector Guides Art. 6(2) · 8 High-Risk Sectors
Annex III lists eight sectors where AI systems are presumed high-risk under Art. 6(2). If your AI system's intended purpose falls in any sector below, you must complete conformity assessment, draw up Annex IV technical documentation, and apply for CE marking by August 2, 2026, unless Art. 6(3) applies. Click each sector to see which specific use cases are in-scope.
Healthcare AI (diagnostic support, triage, imaging analysis, clinical decision support) is classified high-risk via Art. 6(1) + Annex I, as a safety component in a medical device regulated under MDR (EU) 2017/745 or IVDR (EU) 2017/746. This pathway does not require Annex III classification and is separate from the 8 Annex III sectors listed above.
Notified Bodies Art. 33–39 · Conformity Assessment
Third-party assessment by an accredited notified body is required in two scenarios: (1) High-risk AI systems listed in Annex III(1), remote biometric identification systems in publicly accessible spaces (not limited to law enforcement contexts). (2) AI systems that are safety components of Annex I regulated products (medical devices under MDR/IVDR, machinery, vehicles, etc.) where the governing Union harmonisation legislation mandates third-party conformity assessment for that product category, see Art. 43(2) and Art. 6(1). All other Annex III systems use the internal conformity assessment procedure (Annex VI). A notified body cannot substitute for the provider's own quality management obligations.
Under Annex VI, providers of Annex III high-risk AI conduct internal conformity assessment. For Annex III point 1 systems (a, b and c) this internal-control route is available where harmonised standards are applied; otherwise a notified-body assessment under Annex VII is required (Art. 43(1)). The internal control procedure is:
As of June 2026, notified bodies for the EU AI Act are in the accreditation process across Member States. The Commission maintains the authoritative list in NANDO. The link below directs to the official EU database, verify any prospective body's notification number and scope against NANDO before signing an engagement letter.
ISO 42001 Gap Bridge What ISO 42001 Covers, and What It Misses
ISO 42001 certification gives you a strong governance foundation but does not cover conformity assessment, CE marking, EU database registration, or specific Annex IV technical documentation. Use this tool to identify exactly which EU AI Act obligations your ISO 42001 implementation already addresses, and where the gaps require additional work before August 2026.
Board Summary
One-page executive briefing · Regulation (EU) 2024/1689 · June 2026
Calculate your organisation's actual maximum exposure →
Even where a vendor provides the AI system, deployers face direct fines of up to 3% of global turnover or €15M for failures of their own Art. 26 obligations, human oversight, logging, instructions compliance, and FRIA.
Vendor compliance does not substitute for deployer compliance. Substantially modifying a high-risk AI system reclassifies the deployer as provider under Art. 25, assuming all provider obligations.
- PROPOSED: high-risk obligations may extend to Aug 2, 2028 (Council negotiating position, 13 Mar 2026); original Aug 2, 2026 date not yet changed
- Annex III standalone high-risk AI: Deadline unchanged, August 2, 2026
- GPAI, Prohibited AI: NOT affected
The 2 August 2026 deadline remains legally binding until the Omnibus is formally adopted and published in the Official Journal. Trilogue negotiations collapsed once (April 2026); outcomes may change.
Regulatory Updates Live Tracker, June 2026
The EU AI Act entered into force August 1, 2024 but implementation guidance, delegated acts, and soft-law instruments have continued to emerge. This tracker covers material developments that affect compliance obligations, prioritised by operational impact.
Each digest aggregates the month's regulatory briefs, enforcement developments, and implementation guidance, synthesised from primary sources and published automatically by our AI News Hub pipeline.
This resource is published by Tech Jacks Solutions for educational and informational purposes only. It does not constitute legal advice and should not be relied upon as such. While we endeavour to keep this content accurate and up to date with Regulation (EU) 2024/1689 and related guidance, we make no representations or warranties of any kind, express or implied, as to its completeness, accuracy, or fitness for a particular purpose. Consult a qualified legal professional before making compliance decisions. Tech Jacks Solutions accepts no liability for any loss or damage arising from reliance on this content.
EU AI Act Compliance Updates
Regulation changes, compliance deadlines, and enforcement actions — as they happen.