Gallery

Contacts

405 W. Greenlawn Ave Lansing, Michigan 48910

contact@techjacksolutions.com

+1-616-320-4064

 EU AI Act Compliance Hub | Tech Jacks Solutions Skip to main content
Tech Jacks / Resources / Overview
Regulation (EU) 2024/1689  ·  In Force

EU AI Act
Resource Center

The definitive compliance reference for the world's first comprehensive AI regulation. Navigate 113 articles, assess your readiness, map obligations to your systems, and follow a structured path to full compliance before the August 2026 deadline.

113Articles
4Risk Tiers
12Chapters
€35MMax Fine
Aug 22026 Deadline

Overview

The Urgency

Why the EU AI Act Changes Everything

The EU AI Act (Regulation (EU) 2024/1689) is the world's first binding, comprehensive AI law. It applies not just to EU-based organisations: any provider or deployer whose AI systems reach EU persons is in scope. Enforcement is already underway for the most prohibited uses, and full high-risk obligations arrive August 2, 2026.

🌐
Global Benchmark

Like GDPR, the EU AI Act is rapidly becoming the de facto global standard. Compliance prepares you for regulatory waves across the UK, Canada, US, and APAC, one framework, broad coverage.

40+jurisdictions developing
AI regulation 2025–2026
🏆
Competitive Advantage

Compliant high-risk AI systems carry CE conformity marking, a visible trust signal for enterprise buyers and a prerequisite for EU public procurement. Early compliance separates credible providers from the field.

CEconformity marking unlocks
EU public procurement
Enforcement Timeline

Key Application Dates

Aug 1, 2024
Act entered into force
Complete
Feb 2, 2025
Prohibited AI practices apply (Art. 5)
Active
Aug 2, 2025
GPAI obligations apply (Ch. V)
Active
Aug 2, 2026
High-risk AI obligations fully apply
Upcoming
Aug 2, 2027
Annex I safety components + legacy GPAI comply (Art. 111(3), 113(c))
Future
Time Remaining

High-Risk Deadline Countdown

Until Aug 2, 2026, High-Risk AI Deadline
--Days
--Hours
--Mins
--Secs

Full high-risk obligations (risk management systems, technical documentation, transparency requirements, and human oversight) must be in place before this date.

Prohibited AI (Art. 5) and GPAI (Ch. V) are already active.

Persona-Based Quick Start

Start Here, Choose Your Role

Select your primary role for a curated panel sequence. Each path takes you through the most critical tools for your situation in the right order.

🏗️
AI Provider / Developer
You build or place AI on the market
Scope → Prohibited → Risk Tier → Obligations → Roadmap
🏢
AI Deployer / Procurer
You use or procure AI built by others
Scope → Sectors → Obligations (Deployer) → Assessment
📊
Executive / Board
Exposure overview and board briefing
Board Summary → Enforcement → Dates → Updates → Roadmap
⚖️
Legal / Compliance Professional
Deep citation reference and gap analysis
Articles → Definitions → Gap Bridge → Crosswalk
Navigate the Hub

Where Do You Want to Go?

📋
Article Navigator
12 chapters · 113 articles
🔺
Risk Tier Navigator
4 tiers · which applies to you?
📌
Obligations Reference
Art. 9–15 high-risk requirements
Readiness Assessment
Where do you stand today?
🔍
Scope Checker
Are you in scope?
🚫
Prohibited AI
Art. 5 · already in force
🔗
Framework Crosswalk
ISO 42001 · NIST AI RMF · GDPR
🗺️
Compliance Roadmap
5 phases to full compliance

Article Navigator

The Regulation

All 12 Chapters · 113 Articles

Select a chapter to explore its key articles, obligations, and practical implications. Numbered as they appear in Regulation (EU) 2024/1689.

12 Chapters  ·  113 Articles
Ch. I · Art. 1–4General Provisions
Ch. II · Art. 5Prohibited AI Practices
Ch. III · Art. 6–49High-Risk AI Systems
Ch. V · Art. 51–56General Purpose AI Models
Ch. III §5 · Art. 40–49Conformity Assessment
Ch. IV · Art. 50Transparency Obligations
Ch. VI · Art. 57–63AI Regulatory Sandboxes
Ch. X · Art. 81–82Codes of Conduct & Guidelines
Ch. IX · Art. 74–80Market Surveillance
Ch. VII · Art. 64–70Governance & AI Office
Art. 99–101Penalties & Enforcement
Art. 111–113Final Provisions

Obligations Reference

High-Risk AI Systems · Chapter III
Seven Requirements Before Market Placement

Providers of high-risk AI systems must satisfy all seven obligations in Articles 9–15 before placing their system on the EU market or putting it into service. These are cumulative, not optional or risk-proportionate at this stage.

Art. 9 Provider
Risk Management System
A continuously operating, documented risk management process, not a one-time document. Providers must identify, analyse, and mitigate foreseeable risks throughout the entire AI lifecycle. Residual risks must be acceptable to proceed.
Art. 10 Provider
Data and Data Governance
Training, validation, and test datasets must satisfy quality criteria appropriate to the intended purpose. Providers must examine datasets for biases, errors, and gaps, and take measures to address them. Relevant statistical properties must be documented.
Using an open-source foundation model (Llama, Mistral, Phi)? See the GPAI Guide, the open-source exemption applies to the model provider, not to you. Your Art. 9–15 obligations are unchanged.
Art. 11 Provider
Technical Documentation
Providers must draw up technical documentation before market placement, following Annex IV. Documentation must demonstrate compliance with all applicable requirements and include information sufficient for competent authorities to assess conformity. Must be kept up to date.
View all 15 Annex IV required content areas ▾
  1. General description of the AI system and its intended purpose
  2. Description of elements and development process (design specifications)
  3. Design and development procedures and techniques
  4. Training methodology, training datasets, and data governance measures (Art. 10)
  5. Algorithm design, architecture, and key design choices
  6. Validation and testing procedures, including metrics and results by subgroup
  7. Standards applied and solutions adopted where standards not applied
  8. Conformity assessment procedure used (Annex VI or VII)
  9. Performance metrics including accuracy, robustness, and cybersecurity (Art. 15)
  10. Instructions for use provided to deployers (Art. 13)
  11. Human oversight interface and measures taken (Art. 14)
  12. Hardware and software requirements for intended use
  13. Description of foreseeable misuse scenarios and risk management measures
  14. Logging specification, what events are recorded and retention period
  15. Post-market monitoring plan reference (Art. 72)
Art. 12 Provider & Deployer
Record-Keeping (Logging)
High-risk AI systems must technically allow for the automatic recording of events (logs) over the lifetime of the system, enabling monitoring for conformity with requirements and facilitating post-market surveillance. Art. 12 governs the logging capability itself and sets no retention period. Retention is set separately: at least six months for providers (Art. 19(1)) and for deployers (Art. 26(6)), unless other Union or national law provides otherwise.
Art. 13 Provider
Transparency and Instructions for Use
Systems must be designed and developed to enable deployers to interpret outputs and use them appropriately. Providers must supply instructions covering intended purpose, performance levels, known or foreseeable limitations, and accuracy across population subgroups.
Art. 14 Provider & Deployer
Human Oversight
High-risk AI must be designed to allow natural persons to effectively oversee, understand, and, where necessary, override or stop AI outputs. Systems must include functionality enabling oversight measures specified in the instructions for use. Deployers must assign qualified oversight personnel.
In practice (deployers): Designate a named professional with the domain expertise and authority to review and override the AI output before it influences any consequential decision. Document who reviewed each decision, their qualification, the decision made, and any override. If the vendor's system lacks a visible override mechanism, require rectification via your contract, this is the provider's obligation under Art. 14.
Art. 15 Provider
Accuracy, Robustness, and Cybersecurity
High-risk AI must achieve appropriate accuracy levels for its intended purpose and perform consistently throughout the lifecycle. Systems must be resilient against errors, faults, inconsistencies, and adversarial inputs, including model evasion attacks and data poisoning. Technical redundancy solutions required.
Deployer Obligations
What You Must Do If You Deploy High-Risk AI
Art. 26(1)
Use high-risk AI systems in accordance with the provider's instructions for use. Operating a system outside intended purpose can trigger deployer-becomes-provider reclassification.
Art. 26(2)
Assign human oversight to individuals with the necessary competence, training, and authority. The oversight persons must be capable of understanding outputs and acting on anomalies.
Art. 26(3)
The oversight and instruction-use duties above are without prejudice to your other obligations under Union or national law, and to your freedom to organise your own resources and activities in implementing the human-oversight measures indicated by the provider.
Art. 26(4)
To the extent you exercise control over the input data, ensure that input data is relevant and sufficiently representative in view of the intended purpose of the high-risk AI system.
Art. 26(5)
Monitor the operation of the high-risk AI system on the basis of the instructions for use. Where you have reason to consider that use in accordance with the instructions may present a risk under Art. 79(1), inform the provider or distributor and the relevant market surveillance authority without undue delay and suspend use. Where you identify a serious incident, inform first the provider, then the importer or distributor and the relevant market surveillance authorities. Preserve all relevant evidence.
Art. 27
FRIA required: Public-sector deployers and certain private deployers must conduct a Fundamental Rights Impact Assessment before deployment. Art. 27 sets out the detailed FRIA requirements, the assessment must identify and mitigate risks to rights including non-discrimination, privacy, access to public services, and effective remedy.
Note: FRIA is mandatory for bodies governed by public law, private entities providing public services, and deployers of Annex III points 5(b) and (c) systems such as credit scoring and life or health insurance risk pricing (Art. 27(1)). Verify your classification before conducting a FRIA.
Art. 26(6)
Maintain logs of use of high-risk AI systems during the period of your responsibility. Logs must be available to supervisory authorities for at least 6 months.
Art. 26(7)
If you are an employer, before putting a high-risk AI system into service at the workplace, inform workers' representatives and the affected workers that they will be subject to its use, in accordance with applicable rules on informing workers.
Art. 26(11)
Where an Annex III high-risk AI system makes or assists decisions about natural persons, inform those persons that they are subject to its use. This is separate from the reactive right to an explanation of an individual decision, which affected persons may exercise under Art. 86.
Art. 49(3)
EU Database Registration: Public authorities and bodies governed by public law deploying Annex III high-risk AI must register their use in the EU AI Act database before deployment (Art. 26(8), Art. 49(3)). The FRIA results are notified to the market surveillance authority under Art. 27(3), and a summary reaches the EU database through this Art. 49(3) registration profile (Annex VIII Section C). Private-sector deployers not providing services with a public character are not required to register under Art. 49(3).
Art. 25(1)
Deployer becomes provider when substantially modifying a high-risk AI system, at which point all provider obligations (Art. 9–15, CE marking, EU database registration) apply to the modifier.
VENDOR CONTRACT REQUIREMENTS
Before procuring high-risk AI from a third-party provider, require the following in your vendor contract or due diligence: (1) Confirmation that the system complies with Art. 9–15 and has completed conformity assessment; (2) Access to Annex IV technical documentation on request; (3) Instructions for use covering capabilities, limitations, and performance data by subgroup (Art. 13); (4) Commitment to notify you of post-market monitoring findings and serious incidents under Art. 72–73; (5) Clear ownership of any substantial modification obligation. Deployers cannot outsource their regulatory obligation by contract, but you can hold providers contractually liable for non-compliance.

Risk Tier Navigator

Classification Framework
Four Risk Tiers, Four Regulatory Regimes

The EU AI Act classifies every AI system into one of four risk tiers. Tier determines which obligations apply, and failing to classify correctly exposes providers to market withdrawal and significant fines.

Tier 1, Unacceptable Risk
Prohibited AI Practices
Eight practices are absolutely prohibited under Art. 5, no exemptions, no transition. Violations carry the maximum penalty: €35M or 7% of global turnover. These have been unlawful since February 2, 2025.
Active Feb 2025 Art. 5 €35M max fine
Tier 2, High Risk
Full Regulatory Compliance Required
High-risk AI must satisfy all seven obligations in Art. 9–15 before market placement. Classification is determined by Annex III (8 sectors, standalone AI systems) or Annex I (safety components in regulated products: machinery, medical devices, vehicles, etc.). Art. 6 sets out the classification rules.
Annex III high-risk sectors: Biometrics · Critical infrastructure · Education · Employment · Essential private and public services and benefits · Law enforcement · Migration/asylum/border control · Administration of justice and democratic processes
Deadline split, Annex III vs Annex I:
Annex III standalone systems → Aug 2, 2026 (Art. 6(2))
Annex I safety components → Aug 2, 2027 (Art. 6(1), Art. 113(c)). A proposed Digital Omnibus extension (PROPOSED, not yet law) could defer high-risk obligations to Aug 2, 2028.
Annex III: Aug 2026 Annex I: Aug 2027 Art. 6 + Annex III/I CE Marking Required
Tier 3, Limited Risk
Transparency Obligations Only
AI systems interacting with humans (chatbots, emotion recognition systems, and AI-generated content tools) must disclose their AI nature. Mandatory disclosure under Art. 50 applies from August 2, 2026.
Covered systems: Conversational AI (chatbots) · Emotion recognition · Biometric categorisation · Synthetic media (deepfakes) · AI-generated text on public interest matters
Active Aug 2026 Art. 50 Disclosure Only
Tier 4, Minimal / No Risk
No Mandatory Obligations
AI systems with minimal or no risk (spam filters, inventory management, video games) face no mandatory obligations under the Act. Providers may voluntarily commit to codes of conduct under Art. 95.
Examples: AI-powered spam filters · Product recommendation engines · Manufacturing optimisation tools · Grammar checkers · AI in video games
No Mandatory Obligations Art. 95, Voluntary Codes
Classification Tips
Key Classification Rules
Art. 6(1)
AI systems that are safety components in Annex I regulated products (machinery, medical devices, aviation, automotive) are classified as high-risk if the product itself requires third-party conformity assessment.
Art. 6(2)
AI systems listed in Annex III are classified as high-risk unless they pose no significant risk of harm (Art. 6(3) exception). Providers must document the exception reasoning.
Art. 6(3)
An Annex III AI system is not high-risk if it does not pose a significant risk of harm to the health, safety, or fundamental rights of natural persons, including by not materially influencing decision-making outcomes.
Art. 7
The Commission may update Annex III via delegated act where new AI systems present risks comparable to those already listed. Operators should monitor Commission updates.

Scope Checker

Article 2, Scope of Application
Does the EU AI Act Apply to You?

Work through these questions in order. A "Yes" answer that stops here means the Act applies to your activity. Follow the questions to your result, no legal advice, but a reliable first-pass scope assessment.

Question 1 of 6
Does your system meet the EU AI Act definition of an "AI system"?
Art. 3(1) defines an AI system as a machine-based system designed to operate with varying levels of autonomy, inferring from inputs how to generate outputs such as predictions, content, recommendations, or decisions that influence real or virtual environments. Traditional software with deterministic logic is generally excluded.
Yes, it learns or infers No, it's deterministic rules
Question 2 of 6
Are you a provider, developing or placing an AI system on the market or putting it into service?
Art. 3(3) defines "provider" as a natural or legal person that develops an AI system or has it developed with the intention of placing it on the market or putting it into service, under the provider's own name or trademark. A provider is in scope regardless of whether they are established in the EU.
Yes, I develop/supply AI No, I only use AI others built
Question 3 of 6
Are you a deployer, using an AI system under your responsibility in a professional context?
Art. 3(4) defines a "deployer" as any natural or legal person using an AI system under their responsibility, except for personal, non-professional use. Deployers face separate but significant obligations, particularly for high-risk AI systems under Art. 26.
Yes, I deploy AI professionally No, personal use only
Question 4 of 6
Is the AI placed on the EU market, put into service in the EU, or are its outputs used by persons in the EU?
Art. 2(1) establishes extraterritorial reach. Non-EU providers and deployers are in scope if their AI system is placed on the EU market (offered to EU customers), put into service in the EU, or if the AI's outputs are used by persons in the EU, even if the provider never enters the EU market directly.
Yes, EU connection exists No, fully outside the EU
Question 5 of 6
Does an exemption apply to your AI system?
Art. 2(3) exempts AI used exclusively for military, national security, or defence purposes. Art. 2(6) exempts AI developed and put into service for the sole purpose of scientific research and development. Art. 2(8) separately excludes any research, testing, or development activity prior to a system being placed on the market or put into service (testing in real-world conditions is not covered). GPAI models used exclusively for personal, non-professional purposes are excluded from GPAI obligations.
Yes, exemption applies No, no exemption
Question 6 of 6
What risk tier does your AI system fall into?
Your obligations depend on the risk tier. Navigate to the Risk Tier Navigator to determine whether your system is prohibited (Art. 5), high-risk (Art. 6 + Annex III), limited-risk (Art. 50, transparency obligations only), or minimal risk (no mandatory obligations). Tier determines everything. Healthcare / medical device AI: if your system is used in healthcare or embedded in a medical device, it may be classified high-risk via Art. 6(1) + Annex I (MDR/IVDR pathway), not via Annex III.
Art. 2, Who Is Covered
Providers
Any entity placing AI on the EU market or into EU service, regardless of where the provider is established. Art. 2(1)(a).
Deployers
Any entity using high-risk AI under their own responsibility in the EU, in a professional context. Art. 2(1)(b).
Importers
Any EU-established entity placing high-risk AI from a third country on the EU market. Art. 2(1)(c) + Art. 23.
Distributors
Any entity in the supply chain making high-risk AI available in the EU without altering it. Art. 2(1)(d) + Art. 24.
3rd-Country
Non-EU providers and deployers where outputs are used by persons in the EU. Art. 2(1)(e)–(f).
Next Steps Based on Your Scope Result
Where to Go from Here
IF YOU ARE IN SCOPE

Check whether you are in a prohibited category (Art. 5), then assess your risk tier (Annex III / Art. 6).

IF YOU MAY BE OUT OF SCOPE

If an exemption applies or you fall outside the definition, document your reasoning, regulators may challenge scope determinations.

Prohibited AI

Article 5 · Active Since 2 February 2025
Eight Practices That Are Already Unlawful

These prohibitions have been enforceable since February 2, 2025, the first chapter of the EU AI Act to take effect. No transition period, no exemptions for existing systems. Violations carry the maximum penalty under the regulation.

Maximum Penalty
€35,000,000
or 7% of total worldwide annual turnover, whichever is higher · Art. 99(3)
Art. 5(1)(a)
Subliminal Manipulation
AI systems deploying subliminal techniques beyond a person's consciousness (or other manipulative or deceptive techniques) that materially distort the behaviour of a person or group of persons so as to cause or likely cause that person or another person significant harm.
Art. 5(1)(b)
Exploitation of Vulnerabilities
AI systems exploiting vulnerabilities of specific groups (based on age, disability, or socio-economic situation) in a manner that distorts the behaviour of persons belonging to those groups, causing or likely causing those persons or others significant harm.
Art. 5(1)(c)
Social Scoring
AI systems that evaluate or classify natural persons or groups over a period of time, based on their social behaviour or inferred personal or personality characteristics, with the social score leading to detrimental or unfavourable treatment in unrelated contexts, or treatment that is unjustified or disproportionate. This applies to public and private actors alike (Recital 31).
Art. 5(1)(d)
Individual Criminal Risk Prediction
AI systems used to make risk assessments of natural persons to assess or predict the risk of a natural person committing a criminal offence based solely on profiling or personality traits, without objective verifiable facts directly linked to a criminal activity.
Art. 5(1)(e)
Untargeted Facial Scraping
AI systems creating or expanding facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage. Creating biometric databases from indiscriminate mass collection is prohibited.
Art. 5(1)(f)
Emotion Recognition (Workplace / Education)
AI systems used to infer emotions of natural persons in workplaces or educational institutions, except where used for medical or safety reasons. Inferring emotional states of employees or students from facial expressions, body language, or voice is prohibited.
Art. 5(1)(g)
Biometric Categorisation by Protected Characteristics
AI systems categorising natural persons based on their biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation. This prohibition does not cover the labelling or filtering of lawfully acquired biometric datasets, or the categorisation of biometric data in the area of law enforcement.
Art. 5(1)(h)
Real-Time Remote Biometric ID in Public Spaces (Law Enforcement)
The use of real-time remote biometric identification systems in publicly accessible spaces for law enforcement purposes is prohibited, except under three narrowly defined exceptions requiring prior judicial or independent administrative authorisation. Any permitted use must be logged and reported to supervisory authorities.
Important
Recital 44
The prohibitions are intended to be exhaustive. The list in Art. 5 is not illustrative, if a practice is not on the list, it is not automatically prohibited under Art. 5, though it may still be regulated under other provisions.
Art. 5(5)
Member States may maintain or adopt more restrictive national measures in relation to remote biometric identification, provided these are compatible with Union law.
Art. 99(3)
Non-compliance with Art. 5 attracts the highest fine tier: up to €35,000,000 or 7% of worldwide annual turnover, whichever is higher. For SMEs, the lower of those amounts applies.

Readiness Assessment

6-Domain Self-Assessment
Where Does Your Organisation Stand?

Answer 12 questions across six compliance domains. Your responses generate a readiness score and highlight priority gaps. No data is collected or transmitted. This runs entirely in your browser.

Your Role
Domain 1 · Governance
Has your organisation designated a responsible person or team accountable for AI Act compliance and AI literacy (Art. 4)?
Yes, formally designated
In progress
Not yet
Domain 1 · Governance
Do you maintain an inventory of AI systems in use or development across your organisation?
Yes, documented and current
Partially documented
No inventory exists
Domain 2 · Risk Classification
Have you completed a classification assessment for each AI system to determine its risk tier under Art. 5, Art. 6, and Annex III?
Yes, all systems classified
Some systems classified
No classification done
Domain 2 · Risk Classification
For any high-risk AI systems, have you verified that no prohibited practices under Art. 5 are present in your AI portfolio?
Yes, confirmed no Art. 5 systems
Review in progress
Not reviewed
Domain 3 · Technical Compliance
For high-risk AI systems you provide: have you established a risk management system (Art. 9) and technical documentation (Art. 11)?
Yes, both in place
Started, not complete
Not applicable / not started
Domain 3 · Technical Compliance
Do your high-risk AI systems provide meaningful human oversight capability as required by Art. 14?
Yes, override mechanisms in place
Partial controls exist
Not yet addressed
Domain 4 · Data Governance
For high-risk AI systems you provide: do you have documented data governance practices addressing dataset quality, bias examination, and training data provenance (Art. 10)?
Yes, documented policies in place
Informal practices only
Not addressed
Domain 4 · Data Governance
If using or providing GPAI models: do you have evidence of EU copyright law compliance and a training content summary (Art. 53(1)(d))?
Yes, documentation available
Working on it
Not applicable / not started
Domain 5 · Transparency
For chatbots or AI systems interacting directly with persons: do you disclose the AI nature to users as required by Art. 50(1)?
Yes, clear disclosure in place
Partial disclosure
Not yet / not applicable
Domain 5 · Transparency
As a provider: do you supply instructions for use to deployers of your high-risk AI, covering capabilities, limitations, and accuracy characteristics (Art. 13)?
Yes, complete documentation
Partial documentation
Not yet / not applicable
Domain 6 · Incidents & Monitoring
Do you have a post-market monitoring plan (Art. 72) and serious incident reporting process (Art. 73, all high-risk AI; deployers must notify their provider under Art. 26(5)) in place?
Yes, process documented and tested
Process being developed
Not yet addressed
Domain 6 · Incidents & Monitoring
Do you have a process to report serious incidents involving high-risk AI without undue delay (Art. 73)? (Deployers: notify your provider first under Art. 26(5), the provider reports to the NCA within 15 days under Art. 73(2). Do not report directly to the NCA as a first step.)
Yes, defined process in place
Process outlined, not formalised
No process
Art. 73 reporting windows: General serious incident: immediately once a causal link is established, and no later than 15 days after awareness (Art. 73(2)). Death of a person: no later than 10 days (Art. 73(4)). Widespread infringement or serious and irreversible disruption to critical infrastructure: no later than 2 days (Art. 73(3)). These are statutory maximums, not internal targets. Deployers must notify their provider without undue delay (Art. 26(5)); the provider then reports to the NCA. Do not report directly to the NCA as a first step.
0/ 24 points
Complete all questions above to see your readiness score and recommended next steps.
Download AI Roles & Responsibilities Policy Template →
0 of 12 questions answered

Compliance Roadmap

5-Phase Programme
From Inventory to Full Conformity

A structured five-phase approach to EU AI Act compliance, aligned with the regulation's enforcement timeline. Phases 1–2 should be complete before August 2, 2026, when the main provisions take effect.

Phase 1 · Recommended: Completed
Inventory and Classification
Map all AI systems in use, development, or procurement. Classify each by risk tier under Art. 5, Art. 6, and Annex III. Identify any prohibited practices immediately, these require action by February 2025.
Create an AI systems register with intended purpose, deployment context, and risk tier
Screen all systems for Art. 5 prohibited practices, remediate immediately if found
Classify remaining systems: high-risk (Annex III), limited-risk (Art. 50), or minimal-risk
Identify role: provider, deployer, importer, or distributor, each has different obligations
Phase 2 · Recommended: Q1–Q2 2026
Governance and Policy Framework
Establish the governance structures and internal policies required to operate AI compliantly. Designate accountable roles, develop AI policy suite, and deliver AI literacy training to relevant staff as required by Art. 4.
Designate an AI compliance lead and define roles and responsibilities (Art. 4 + Art. 17)
Develop AI governance charter, acceptable use policy, and AI risk management framework
Deliver AI literacy training to staff whose roles involve AI systems (Art. 4)
Establish a process for reviewing new AI procurements before deployment
Phase 3 · Priority: Now, Deadline Aug 2026
Technical Compliance for High-Risk AI
For each high-risk AI system: implement the seven Art. 9–15 requirements. This phase is the most technically demanding and requires the most lead time, start now to have conformity assessment ready by August 2026.
Implement and document a risk management system (Art. 9), continuous, not one-time
Audit training/validation datasets for quality and bias (Art. 10)
Prepare Annex IV technical documentation (Art. 11) and configure logging (Art. 12)
Design human oversight mechanisms meeting Art. 14 standards
Prepare instructions for use for deployers (Art. 13)
Establish and document accuracy metrics by population subgroup; conduct robustness and adversarial-input testing; complete cybersecurity risk assessment (Art. 15)
⚠️ Phase 4 · URGENT, Complete by August 2, 2026
Conformity Assessment and Registration
Complete the conformity assessment, draw up the EU Declaration of Conformity, apply CE marking, and register qualifying systems in the EU AI database. All of these steps must be complete before placing the system on the market, the August 2, 2026 deadline is a hard legal cut-off. For most high-risk AI, internal control (Annex VI) applies, notified body assessment (Annex VII) is mandatory only for certain biometric and Annex I systems.
Determine applicable conformity assessment procedure, Annex VI (internal) or Annex VII (notified body)
Complete internal control documentation and sign EU Declaration of Conformity (Art. 47)
Apply CE marking to qualifying high-risk AI systems (Art. 48)
Register high-risk AI systems in the EU AI database (Art. 49(1)), required before market placement
Phase 5 · Ongoing from Aug 2026
Post-Market Monitoring and Continuous Compliance
Compliance is not a one-time event. Maintain ongoing conformity through post-market monitoring, incident reporting, and regular review. Substantial modifications to high-risk AI require re-assessment. Commission delegated acts may expand Annex III scope, monitor for updates.
Implement post-market monitoring plan (Art. 72) and serious incident reporting process (Art. 73)
Review AI systems after substantial modifications, re-assessment may be required
Monitor AI Office guidance, harmonised standards, and Annex III updates
Conduct annual AI literacy refresher training and governance review
Art. 73 reporting windows: General serious incident: immediately once a causal link is established, and no later than 15 days after awareness (Art. 73(2)). Death of a person: no later than 10 days (Art. 73(4)). Widespread infringement or serious and irreversible disruption to critical infrastructure: no later than 2 days (Art. 73(3)). These are statutory maximums, not internal targets. Deployers must notify their provider without undue delay (Art. 26(5)), the provider then reports to the national competent authority.

Key Dates

Full Enforcement Timeline
Every EU AI Act Deadline

The regulation entered into force on August 1, 2024. Its obligations take effect in stages, with prohibited practices already active, GPAI obligations already in force, and the main compliance deadline arriving August 2, 2026.

12 Jul 2024
Regulation PublishedPublished in the Official Journal of the EU, OJ L 2024/1689. The 20-day countdown to entry into force begins.
1 Aug 2024
Entry into ForceThe EU AI Act formally entered into force twenty days after publication. The 24-month application window opened.
2 Feb 2025
Chapters I & II Active, Prohibited AIChapters I and II applied from this date (Art. 113(a)). All eight Art. 5 prohibited practices became enforceable, and the Chapter I general provisions, including the Art. 4 AI-literacy obligation, took effect.
2 Aug 2025
GPAI and Governance ActiveChapter V (GPAI obligations, Art. 51–56), Chapter III Section 4 (notifying authorities and notified bodies), Chapter VII (governance and the AI Office), Chapter XII (penalties), and Art. 78 (confidentiality) became enforceable, with the exception of Art. 101 (GPAI fines). GPAI providers must now meet transparency, copyright, and systemic-risk obligations (Art. 113(b)).
2 Aug 2026
Main Provisions Active, HIGH-RISK AI DEADLINEChapters III (high-risk AI obligations Art. 6–49), IV (transparency Art. 50), VI (innovation measures), and VIII (EU database) take full effect. All of the following obligations become enforceable:
  • Art. 9–15 high-risk AI technical requirements, providers must have completed conformity assessments, CE marking, and EU database registration (Art. 49(1))
  • Art. 50 transparency obligations, AI systems interacting with natural persons must disclose they are AI
  • Art. 27 FRIA, public-sector bodies and qualifying private deployers must conduct and document a Fundamental Rights Impact Assessment before deployment
  • Art. 57, Member States must have at least one national AI regulatory sandbox operational
Aug 2026
AI Regulatory Sandboxes Must Be EstablishedArt. 57 requires at least one national AI sandbox per Member State to be operational, providing controlled testing environments for pre-market AI development.
2 Aug 2027
Annex I Safety-Component AI AppliesArt. 6(1) and its corresponding obligations apply from this date (Art. 113(c)). High-risk AI that is a safety component of an Annex I product (machinery, medical devices, vehicles, etc.) must meet the applicable high-risk requirements.
2 Aug 2027
Legacy GPAI Models Must ComplyGeneral-purpose AI models placed on the market before 2 August 2025 must be brought into compliance with their Chapter V obligations by this date (Art. 111(3)). This is the only transitional deadline that falls on 2 August 2027.
2 Aug 2029
Commission ReviewArt. 112(3) requires the European Commission to submit a report to the European Parliament and Council on the evaluation and review of the regulation by this date, and every four years thereafter. Earlier reports on Annex III and Art. 50 transparency are due by 2 August 2028 (Art. 112(2)).
2 Aug 2030
Legacy High-Risk AI, Public AuthoritiesHigh-risk AI systems (other than the Annex X large-scale IT systems) placed on the market before 2 August 2026 are caught only if they undergo significant changes in design after that date (Art. 111(2)). Providers and deployers of high-risk AI intended to be used by public authorities must comply by this date regardless.
31 Dec 2030
Annex X Large-Scale IT SystemsAI systems that are components of the large-scale EU IT systems listed in Annex X, placed on the market before 2 August 2027, must be brought into compliance by 31 December 2030 (Art. 111(1)).
DIGITAL OMNIBUS, PROPOSED, NOT YET LAW

PROPOSED, not yet law. The European Commission's Digital Omnibus (COM(2025) 836, November 2025) is in trilogue. The Council of the EU adopted a negotiating position on 13 March 2026 (per the Council of the EU), a negotiating position, not final law. If it were adopted through trilogue, the proposal could make the following changes:

  • PROPOSED, high-risk obligations may extend to 2 August 2028: under the Council negotiating position of 13 March 2026. The original high-risk application date, 2 August 2026, has not changed and remains binding.
  • Annex III standalone high-risk AI: Deadline unchanged. 2 August 2026 remains the binding legal deadline.
  • PROPOSED, Art. 50 synthetic-content marking shift: a Commission proposal of 2 February 2027 is under discussion, with competing dates (2 November 2026, 2 December 2026) still under negotiation. The core Art. 50 date remains 2 August 2026.
  • GPAI (Chapter V): NOT affected. GPAI obligations remain binding from 2 August 2025. (The Omnibus separately proposes to ADD a prohibition on non-consensual intimate-image / nudifier tools to Art. 5, expanding it, not weakening it.)
  • Prohibited AI (Art. 5): NOT affected. Prohibitions remain fully active from 2 February 2025.

The 2 August 2026 deadline remains legally binding until the Omnibus is formally adopted and published in the Official Journal. Trilogue negotiations collapsed once (April 2026); outcomes may change. Verify current status before adjusting compliance timelines.

What Applies Now
Active Now
Art. 5 (8 prohibited practices) · Art. 4 (AI literacy) · Art. 51–56 (GPAI obligations) · Art. 64–70 (governance / AI Office)
Aug 2026
Art. 6–49 (high-risk AI) · Art. 50 (transparency / chatbot disclosure) · Art. 27 (FRIA) · Art. 57 (sandboxes)
Transitional
Existing high-risk AI placed on the market before 2 Aug 2026 is caught only if significantly changed after that date; public-authority legacy systems must comply by 2 Aug 2030 (Art. 111(2)). Legacy GPAI models placed before 2 Aug 2025 must comply by 2 Aug 2027 (Art. 111(3)).

GPAI Guide

Chapter V · Art. 51–56 · Active August 2025
General-Purpose AI Models: What You Must Do

Chapter V obligations apply to all providers of general-purpose AI (GPAI) models placed on the EU market, including open-source models, with narrow exceptions. GPAI obligations have been enforceable since August 2, 2025. Models above 10²⁵ FLOPs of training compute face additional systemic-risk requirements.

Active Aug 2025 All GPAI Providers Systemic-Risk Threshold: 10²⁵ FLOPs
All GPAI Providers
Baseline Obligations, Art. 53
Art. 53(1)(a)
Technical Documentation: Draw up and maintain technical documentation per Annex XI before placing on the market. Includes model architecture, training methodology, compute resources used, data description, performance evaluations, and known limitations.
Art. 53(1)(b)
Downstream Information: Provide information and documentation to downstream providers integrating the GPAI model into their AI systems, enabling them to understand the model's capabilities and comply with their own obligations.
Art. 53(1)(c)
Copyright Compliance: Implement a policy to respect EU copyright law, including the text and data mining exceptions in Directive 2019/790. Compliance must be documented.
Art. 53(1)(d)
Training Content Summary: Publish and keep up to date a sufficiently detailed summary of content used for training, with enough detail to enable copyright assessment by rights holders. Format follows AI Office template.
Systemic-Risk GPAI Models Only
Enhanced Obligations, Art. 55

Models with training compute above 10²⁵ floating-point operations (FLOPs) are designated systemic-risk models. The Commission may also designate models based on other criteria (reach, capability, societal impact). These models must comply with all Art. 53 requirements plus enhanced obligations under Art. 55.

Art. 55(1)(a)
Model Evaluation and Adversarial Testing: Perform model evaluation using standardised protocols reflecting the state of the art, including conducting and documenting adversarial testing (red-teaming) to identify and mitigate systemic risks.
Art. 55(1)(b)
Assess and Mitigate Systemic Risks: Assess and mitigate possible systemic risks at Union level, including their sources, that may stem from the development, placing on the market, or use of the model.
Art. 55(1)(c)
Serious Incident Reporting: Keep track of, document, and report serious incidents and possible corrective measures to the AI Office and, as appropriate, national competent authorities, without undue delay.
Art. 55(1)(d)
Cybersecurity: Ensure an adequate level of cybersecurity protection for the model and its physical infrastructure, proportionate to the systemic risks posed.
DIGITAL OMNIBUS, PROPOSED, NOT YET LAW

CONFIRMED: GPAI obligations are NOT affected by the proposed Digital Omnibus. The Digital Omnibus (Commission COM(2025) 836, November 2025) is in trilogue and is not yet law; the Council of the EU adopted a negotiating position on 13 March 2026 (a negotiating position, not final law). Under that proposal:

  • PROPOSED: high-risk obligations may extend to 2 August 2028; the original 2 August 2026 date has not changed.
  • Annex III standalone high-risk AI: Deadline unchanged. 2 August 2026 remains the binding deadline.
  • GPAI (Chapter V): NOT affected, binding from 2 August 2025. The Omnibus proposes to ADD a prohibition on non-consensual intimate-image / nudifier tools to Art. 5, expanding it, not weakening it.
  • Prohibited AI (Art. 5): NOT affected, active from 2 February 2025.

The 2 August 2026 deadline remains legally binding until the Omnibus is formally adopted and published in the Official Journal. Trilogue negotiations collapsed once (April 2026); outcomes may change.

Open-Source GPAI Models
Modified Obligations, Art. 53(2)

Providers of open-source GPAI models are partially exempt from the full Art. 53 requirements: they must only comply with Art. 53(1)(c) (copyright policy) and Art. 53(1)(d) (training content summary), unless they are also providers of systemic-risk models, in which case all Art. 55 obligations apply regardless of open-source status.

Building a high-risk AI system using an open-source model? The open-source exemption applies to the GPAI model provider, not to you. If you use Llama, Mistral, Phi, or any other open-source GPAI model as a component in a high-risk AI system, your full Art. 9–15 obligations as a high-risk AI system provider remain unchanged. Open-source status of the underlying model does not reduce your compliance requirements. See Obligations panel →
Codes of Practice
Presumption of Conformity, Art. 56

The AI Office is facilitating development of codes of practice for GPAI providers. Adherence to an adopted code creates a presumption of conformity with Chapter V obligations. GPAI providers may demonstrate compliance either through codes of practice or directly against the applicable provisions.

Art. 56(1)
The AI Office encourages GPAI providers to draw up codes of practice or to adhere to codes covering one or more obligations. Codes may be developed at EU level or by individual providers.
Art. 101(1)
The European Commission may impose pecuniary sanctions and periodic penalty payments directly on GPAI providers for non-compliance with Chapter V. Fines up to €15M or 3% of worldwide annual turnover.

Framework Crosswalk

Multi-Framework Alignment
How the EU AI Act Maps to Leading Frameworks

Organisations that have already implemented ISO 42001, NIST AI RMF, or GDPR controls have a significant compliance head-start. This crosswalk shows where existing controls provide direct coverage, and where EU AI Act compliance requires additional work.

EU AI Act ↔ ISO 42001
ISO 42001 Alignment

ISO/IEC 42001:2023 (AI Management System) aligns closely with EU AI Act governance, risk management, and documentation requirements. ISO 42001 certification provides strong evidence of conformity with Art. 9, 10, 17 obligations. Key gaps: ISO 42001 does not mandate CE marking, conformity assessment procedures, or the EU database registration required by the Act.

EU AI Act ObligationEU AI Act ArticleISO 42001 ReferenceCoverage
Risk Management SystemArt. 9Cl. 6.1.2, 8.3, 8.4Strong, AI risk assessment is core to ISO 42001 scope
Data GovernanceArt. 10A.7.2–A.7.6Moderate, data quality covered, bias assessment is additional work
Technical DocumentationArt. 11Cl. 7.5, 8.2Moderate, documented information requirements align; Annex IV specifics are additional
Transparency / InstructionsArt. 13A.8.2, A.8.5Moderate, use-case documentation covers intent; Art. 13 specifics require additional detail
Human OversightArt. 14Cl. 6.1.4, 8.4Moderate, human review processes in scope; technical override mechanisms are additional
AI Governance / RolesArt. 17Cl. 5.1, 5.3, 6.1Strong, leadership accountability and roles are central ISO 42001 requirements
Conformity AssessmentArt. 43N/AGap, ISO 42001 certification ≠ EU AI Act conformity assessment; CE marking required separately
Post-Market MonitoringArt. 72Cl. 9.1, 9.3, 10.1Strong, continual improvement and performance evaluation directly map
EU AI Act ↔ NIST AI RMF
NIST AI Risk Management Framework Alignment

The NIST AI RMF (January 2023) maps well to EU AI Act risk and governance requirements. Organisations that have implemented GOVERN, MAP, MEASURE, and MANAGE functions have strong foundational coverage. The RMF is voluntary and US-focused, it does not cover conformity assessment, CE marking, or the regulatory penalties structure of the Act.

EU AI Act ObligationEU AI Act ArticleNIST AI RMFCoverage
Risk Management SystemArt. 9MAP 1–5, MEASURE 2Strong, context, risk identification, and measurement functions directly map
Data GovernanceArt. 10MAP 2.2, MEASURE 2.5Moderate, data quality and bias addressed in RMF; EU specificity requires additional documentation
Human OversightArt. 14GOVERN 6.1, MANAGE 4.1Moderate, human review in scope; Art. 14 technical specifications are more prescriptive
Post-Market MonitoringArt. 72MANAGE 4.1–4.3, MEASURE 4Strong, MANAGE function covers ongoing monitoring and incident response
Governance / AccountabilityArt. 17GOVERN 1–6Strong, organisational accountability and policy structures fully mapped
EU AI Act ↔ GDPR
GDPR Interaction and Overlap

The EU AI Act does not replace GDPR. It applies in addition to it. Many AI use cases are subject to both. GDPR controls on data minimisation, purpose limitation, and data subject rights all remain mandatory and provide partial coverage of Art. 10 (data governance) obligations.

Art. 10 ↔ GDPR
GDPR Art. 5 data quality principles (accuracy, data minimisation) and Art. 35 DPIA requirements provide partial Art. 10 coverage for AI systems processing personal data.
Art. 13 ↔ GDPR
GDPR Art. 13–14 information obligations (transparency notices) align with Art. 13 instructions for use requirements, particularly for AI systems making decisions about individuals.
Art. 27 ↔ GDPR
EU AI Act Art. 27 FRIA partially overlaps with GDPR Art. 35 DPIA for AI systems involving personal data. A single assessment may satisfy both, but each has distinct elements that must be addressed.
Enforcement
Both GDPR and EU AI Act supervisory authorities may investigate the same AI system. Supervisory arrangements are still being developed between data protection authorities and the AI Office.
EU AI Act ↔ ISO 27001:2022
ISO 27001 Information Security Alignment

ISO 27001 is a regulatory expectation for EU financial services firms under EBA ICT Risk Guidelines. Its controls map directly to EU AI Act cybersecurity and incident management requirements. Key gap: ISO 27001 does not cover conformity assessment (Art. 43), CE marking (Art. 48), or Annex IV technical documentation.

EU AI Act ObligationEU AI Act ArticleISO 27001:2022Coverage
Accuracy, Robustness, CybersecurityArt. 15ISO 27001 A.8.7, A.8.8, A.8.16Strong, technology controls (malware protection, vulnerability management, monitoring) map directly to cybersecurity requirements
Security in Quality ManagementArt. 17(1)(g)ISO 27001 A.5.37 (Organisational Controls)Moderate, documented operating procedures provide partial QMS security alignment
Post-Market Monitoring / IncidentsArt. 72–73ISO 27001 A.5.24–A.5.28Strong, information security incident management clauses map to monitoring and reporting obligations
Conformity AssessmentArt. 43N/AGap, ISO 27001 certification does not satisfy EU AI Act conformity assessment; CE marking required separately
Annex IV Technical DocumentationArt. 11N/AGap, no ISO 27001 equivalent; must be produced independently per Annex IV requirements
SOC 2 Type II and Art. 26(1) deployer verification: A provider's SOC 2 Type II report serves as a vendor due-diligence artifact for deployers verifying security, availability, and confidentiality controls. However, SOC 2 does not satisfy Art. 9–15 technical compliance obligations for high-risk AI systems, a deployer cannot rely on SOC 2 as evidence that the provider has met EU AI Act conformity requirements.
Full Framework Explorer

For a detailed crosswalk of 131 EU AI Act articles mapped to ISO 42001, NIST AI RMF, GDPR, and four additional frameworks, visit the EU AI Act Framework Explorer, an interactive tool with clause-level mapping, risk data, and template recommendations.

Enforcement & Fines

Chapter X · Art. 99–101
Tiered Penalty Structure

Administrative fines are tiered by violation severity. The penalty is whichever is higher, the fixed amount or the percentage of worldwide annual turnover. For SMEs and startups, the fine is the lower of the fixed amount or the percentage (Art. 99(6)). All fines must be effective, proportionate, and dissuasive.

€35,000,000
or
7% global turnover
Tier 1, Prohibited AI Violations · Art. 99(3)
Applies to any violation of Art. 5 prohibited practices. The highest fine tier, reflecting the fundamental rights and societal harm potential of these practices. Active since February 2, 2025. No transition period applies.
€15,000,000
or
3% global turnover
Tier 2, High-Risk AI Non-Compliance · Art. 99(4)
Applies to non-compliance by operators or notified bodies with obligations other than the Art. 5 prohibitions: provider obligations (Art. 16), deployer obligations under Art. 26, notified-body requirements, and transparency under Art. 50. GPAI-model fines are separate (Art. 101). The most broadly applicable fine tier from August 2026.
€7,500,000
or
1% global turnover
Tier 3, Supply of Incorrect Information · Art. 99(5)
Applies to supplying incorrect, incomplete, or misleading information to notified bodies, competent authorities, or market surveillance authorities. Also applies to misleading CE marking, false declarations of conformity, and unauthorised use of CE marking.
SME & Startup Cap · Art. 99(6)
Proportionate Caps for SMEs and Startups
Art. 99(6)
SME and startup rule: For small and medium-sized enterprises (including startups), the applicable fine is the lower of the fixed amount or the percentage of worldwide annual turnover, whichever produces the smaller figure. This prevents disproportionate deterrence for companies with modest revenues. The SME definition follows EU Recommendation 2003/361/EC (fewer than 250 employees, turnover <€50M or balance sheet <€43M).
Art. 100
EU institutions, bodies, offices, agencies: Separate fine caps apply, €1,500,000 for non-compliance with the Art. 5 prohibitions, and €750,000 for non-compliance with any other obligation under the Act. The European Data Protection Supervisor is the competent authority for EU institutions.
Proportionality Factors · Art. 99(7)
How Regulators Calculate the Actual Fine

Art. 99(7) requires national competent authorities to consider these factors when setting the fine amount. Fines must be effective, proportionate, and dissuasive, these factors determine where within the tier the penalty lands.

AGGRAVATINGNature, gravity, and duration of infringement
AGGRAVATINGNumber of persons affected and level of harm
AGGRAVATINGIntentional or negligent character of infringement
MITIGATINGCooperative actions taken to remedy the infringement
MITIGATINGFinancial capacity of the responsible operator
MITIGATINGDegree of cooperation and self-disclosure to authorities
Fine Estimator, Indicative Only
Maximum Exposure Calculator

Enter your organisation's worldwide annual turnover to see indicative maximum exposure per tier. Actual fines depend on proportionality factors under Art. 99(7). SME cap applies automatically where it produces a lower figure.

INDICATIVE ONLY, not legal advice. Actual fines reflect Art. 99(7) proportionality factors.

AI Office Enforcement · GPAI
Direct GPAI Enforcement by the AI Office
Art. 88(1)
The Commission holds exclusive powers to supervise and enforce the Chapter V obligations of GPAI providers, and entrusts implementation of these tasks to the AI Office. National competent authorities handle high-risk AI enforcement at the Member State level.
Art. 101(1)
The European Commission may impose pecuniary sanctions on GPAI providers for Chapter V non-compliance, up to €15,000,000 or 3% of total worldwide annual turnover, whichever is higher.
Art. 101
The European Commission may also impose periodic penalty payments on GPAI providers to compel them to cease or remedy an infringement. The Regulation does not set a fixed percentage or daily-turnover cap for these payments.
Market Surveillance · Chapter IX
How Enforcement Works in Practice
Art. 74
National market surveillance: Member States designate at least one competent authority per sector to monitor high-risk AI systems. Authorities may request documentation, conduct testing, require corrective action, and issue market restrictions.
Art. 75
Access to AI systems: Competent authorities may require access to training datasets, model documentation, and, with appropriate safeguards, source code of high-risk AI systems. Providers must cooperate.
Art. 79
Serious risk response: Where a high-risk AI system presents serious risk to health, safety, or fundamental rights, market surveillance authorities may require immediate corrective measures, including withdrawal or recall from the market.
Art. 82
AI Office GPAI powers: The AI Office may monitor GPAI models, request evaluations from qualified independent experts, and require adversarial testing of systemic-risk models. Actions are taken at EU level across all Member States simultaneously.
Art. 62 / 99
SME provisions: SMEs and startups benefit from priority access to sandboxes and reduced conformity assessment fees (Art. 62). Separately, penalties must take into account the interests and economic viability of SMEs and start-ups (Art. 99(1)), and for SMEs each fine is capped at the lower of the fixed amount or the turnover percentage (Art. 99(6)).

Resources

11 Free Templates · Verified Downloads
EU AI Act Compliance Template Library

Free, professionally crafted templates covering every major EU AI Act obligation. Each template cites the specific articles it addresses. Download links go directly to our compliance template library, no signup required.

Art. 17 Reference Tool
Quality Management System, 7 Required Components

High-risk AI providers must establish, implement, document, and maintain a Quality Management System under Art. 17. The QMS must address all seven components below and be proportionate to the size of the provider.

01Strategy for Regulatory Compliance
A documented strategy for regulatory compliance, including compliance with conformity assessment procedures and management of changes to the high-risk AI system. Must cover the full lifecycle from design to post-market monitoring. Art. 17(1)(a)
02Design, Development and Quality Verification Techniques
Defined techniques, processes, and systematic actions for the design, development, and quality verification of the AI system, including roles, reporting lines, and accountability for each phase of development. Art. 17(1)(b)
03Design & Development Procedures
Design specifications and development processes, including the identification and selection of training data, data management procedures, model training methodologies, and techniques for performance benchmarking and testing. Art. 17(1)(c)
04Validation, Testing & Verification
Systematic testing procedures, including pre-deployment validation, post-deployment performance monitoring, and procedures for managing risks identified during development or post-market monitoring. Validation must cover intended purpose, foreseeable misuse, and margin of error. Art. 17(1)(d), 9(5)
05Technical Standards & Harmonised Norms
Identification of applicable technical specifications, harmonised standards, and common specifications. Where harmonised standards are partially applied, the QMS must document which sections are used and justify any deviations. Compliance creates a presumption of conformity. Art. 17(1)(e), 40
06Data Management Procedures
Data governance and management practices for training, validation, and test datasets, including data collection, examination, possible biases, data gaps, and statistical properties. QMS must document how Art. 10 data requirements are met throughout the system lifecycle. Art. 17(1)(f), 10
07Post-Market Monitoring & Authority Communication
Post-market monitoring system design and procedures for reporting serious incidents and near-misses to market surveillance authorities (Art. 73). Must include communication channels with notified bodies (where applicable), competent authorities, and downstream deployers. Art. 17(1)(g), 72, 73

FAQ

20 Questions
Frequently Asked Questions

Common questions about scope, classification, deadlines, GPAI, and compliance obligations, answered with article references so you can verify the source.

Yes, if your AI system is placed on the EU market, put into service in the EU, or if its outputs are used by persons in the EU, you are in scope regardless of where your company is established. Art. 2(1) applies extraterritorial reach similar to GDPR. Non-EU providers of high-risk AI must appoint an authorised representative established in the EU before making the system available on the Union market. Art. 22(1) applies to all third-country high-risk providers, not only certain categories.
Art. 3(1) defines an AI system as a machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers from inputs how to generate outputs such as predictions, content, recommendations, or decisions that influence real or virtual environments. Traditional rule-based software with purely deterministic logic is generally not an AI system under this definition.
A provider (Art. 3(3)) is any person that develops an AI system or has it developed and places it on the market or puts it into service under their own name. A deployer (Art. 3(4)) uses an AI system under their responsibility in a professional context. Providers face the most obligations (Art. 9–15, conformity assessment, CE marking). Deployers face separate but significant obligations under Art. 26, particularly for high-risk AI in public or rights-impacting contexts.
Yes, Chapter II (Art. 5 prohibited practices) has been enforceable since February 2, 2025. There was no transition period for these provisions. Any AI system that falls into one of the eight prohibited categories must have been remediated by that date. Violations can now attract fines of up to €35M or 7% of global annual turnover under Art. 99(3).
Under Art. 6(2), an AI system listed in Annex III is high-risk unless Art. 6(3) applies. Check whether your system's intended purpose falls within any of Annex III's eight sectors: biometrics, critical infrastructure, education/vocational training, employment, essential private services, law enforcement, migration/asylum/border control, or administration of justice and democratic processes. If it does, and the Art. 6(3) exception does not apply, you must comply with Art. 9–15 and complete conformity assessment.
Art. 6(3) creates an exception where an Annex III-listed AI system does not pose a significant risk of harm, specifically if it does not materially influence decision-making outcomes affecting persons, is used for narrow procedural tasks, improves a human action, or detects patterns for an output that will be reviewed by a human before any action. The provider must document and register the reasoning in the EU database. The Commission may challenge this determination.
August 2, 2026 is when Chapters III (high-risk AI, Art. 6–49), IV (transparency, Art. 50), VI (innovation), and VIII (EU database) take full effect. By that date, providers of high-risk AI must have completed their conformity assessment, drawn up the EU Declaration of Conformity, applied CE marking, and registered in the EU AI database. GPAI obligations (Chapter V) have already been active since August 2, 2025.
No, ISO 42001 certification is not equivalent to EU AI Act conformity. It does, however, provide strong coverage of Art. 9 (risk management), Art. 10 (data governance), Art. 17 (quality management), and Art. 72 (post-market monitoring) obligations. Key gaps: ISO 42001 does not address CE marking, conformity assessment procedures (Art. 43), EU database registration (Art. 49), or the specific Annex IV technical documentation requirements.
A general-purpose AI model (Art. 3(63)) is an AI model trained on large amounts of data using self-supervision at scale and capable of serving a wide range of tasks, including when integrated into downstream AI systems. All GPAI providers must comply with Art. 53 (transparency documentation, copyright compliance, training content summary). Models above 10²⁵ FLOPs of training compute are systemic-risk models and must additionally comply with Art. 55 (adversarial testing, incident reporting, cybersecurity, energy reporting).
Yes, with modified obligations. Open-source GPAI model providers (where weights are publicly available under open licence) are partially exempt from Art. 53, only Art. 53(1)(c) (copyright policy) and Art. 53(1)(d) (training content summary) apply. However, if an open-source model meets the systemic-risk threshold (>10²⁵ FLOPs), all Art. 55 systemic-risk obligations apply regardless of open-source status. Art. 53(2).
Conformity assessment (Art. 43) is the process by which providers verify that their high-risk AI system complies with all applicable requirements before market placement. Most providers use internal control (Annex VI), a self-assessment against Art. 9–15 requirements documented by the provider. Third-party assessment by a notified body (Annex VII) is mandatory only for certain biometric identification systems and certain Annex I products. The assessment results in an EU Declaration of Conformity and authorises CE marking.
Yes, providers of high-risk AI systems listed in Annex III must register before placing their system on the market or putting it into service (Art. 49(1)). The EU AI Act database is operated by the Commission and serves as a public registry of high-risk AI systems. Providers must also update their registration when substantial modifications occur. Deployers of certain public-sector high-risk AI must also register their use (Art. 49(2)).
Annex VIII mandatory registration fields:
  • Provider name, registration number, and contact details
  • AI system name, version number, and intended purpose
  • Annex III category (e.g., Annex III(4)(a), employment/worker management)
  • Conformity assessment procedure used (Annex VI self-assessment or Annex VII third-party)
  • EU Declaration of Conformity reference (Art. 47)
  • CE marking details
  • Summary of technical documentation accessible to the public
  • Member States where the system has been or is intended to be placed on the market
Art. 27 requires deployers who are bodies governed by public law, private entities providing public services, and deployers of Annex III points 5(b) and (c) systems (such as credit scoring and life or health insurance risk pricing), to conduct a Fundamental Rights Impact Assessment before deploying a high-risk AI system. It assesses the potential impact on fundamental rights listed in the EU Charter, including privacy, non-discrimination, and dignity. The deployer notifies the market surveillance authority of the results under Art. 27(3); a summary reaches the EU database through the deployer's Art. 49(3) registration profile (Annex VIII Section C). Private-sector deployers that neither provide public services nor deploy Annex III points 5(b) and (c) systems are not required to conduct a FRIA.
A FRIA under Art. 27(1) must assess:
  1. (a) The deployer's processes in which the high-risk AI system will be used, in line with its intended purpose
  2. (b) The period of time within which, and the frequency with which, the system is intended to be used
  3. (c) The categories of natural persons and groups likely to be affected in the specific context
  4. (d) The specific risks of harm likely to affect those persons, taking into account the information provided by the provider under Art. 13
  5. (e) The human-oversight measures to be implemented, according to the instructions for use
  6. (f) The measures to take if those risks materialise, including internal governance arrangements and complaint mechanisms
Conduct before first deployment. Update on any material change to the system or its use. Public-sector bodies must notify the market surveillance authority of the FRIA results under Art. 27(3).
The non-EU provider remains in scope and responsible for Art. 9–15 technical obligations and conformity assessment. However, the EU-based deployer cannot place the system on the market or into service unless the provider has met its obligations. If the provider is non-EU and without an EU representative, the deployer may be treated as the provider for the purposes of the Act under Art. 25, taking on the provider's obligations.
Yes, Art. 50(1) requires that persons interacting with an AI system intended to interact directly with natural persons must be informed they are interacting with an AI system, unless this is obvious from context. This applies from August 2, 2026. The disclosure must be provided at the beginning of the interaction. An exception applies where the AI system is authorised by law to detect, prevent, investigate, or prosecute criminal offences, subject to appropriate safeguards, unless the system is available for the public to report a criminal offence.
Art. 2(6) exempts AI systems used exclusively for the purpose of scientific research and development that have not yet been placed on the market or put into service. Once the system exits the R&D phase and is made commercially available, even in a pilot or beta, the exemption ceases to apply. AI regulatory sandboxes (Art. 57–63) provide an alternative controlled testing environment with reduced regulatory burden for pre-commercial AI development.
Art. 4 requires providers and deployers to ensure their staff, and other persons dealing with AI on their behalf, have sufficient AI literacy, taking into account their technical knowledge, experience, education, and training. The obligation applies on an ongoing basis and must be proportionate to the AI system's risk profile and the person's role. AI literacy requirements became active February 2, 2025. No specific curriculum is mandated, the standard is functional competency appropriate to the role.
Yes, the regulation applies to deployers using AI in a professional context, including for internal operations, when the AI system falls into a regulated category. An HR AI system used to screen internal job applications is an Annex III system (employment sector) subject to high-risk obligations, even if the AI is used entirely internally. The obligations are determined by the AI's intended purpose, not by whether it is customer-facing.
Art. 111(2) governs high-risk AI systems (other than the Annex X large-scale IT systems) that were already on the market or in service before August 2, 2026. Such legacy systems are brought into scope only if they undergo significant changes in their design after that date. However, providers and deployers of high-risk AI intended to be used by public authorities must comply by August 2, 2030 regardless. Two separate transitional deadlines exist: legacy GPAI models placed before August 2, 2025 must comply by August 2, 2027 (Art. 111(3)), and Annex X large-scale IT systems have until December 31, 2030 (Art. 111(1)).
Art. 3(23) defines a substantial modification as a change to a high-risk AI system after its placing on the market or putting into service that affects the system's compliance with applicable requirements or results in a change to the intended purpose for which it was assessed. Minor bug fixes, security patches, and performance improvements that do not change the system's behaviour in its intended purpose are generally not substantial modifications. The provider must assess each modification and document their determination.
  1. Assess and mitigate: Immediately assess the impact and implement any available mitigation within your control.
  2. Notify your provider (Art. 26(5)): Report the incident to your AI system provider without undue delay. For a serious incident, Art. 26(5) requires you to inform first the provider, then the importer or distributor and the relevant market surveillance authorities. If you cannot reach the provider, Art. 73 applies to you directly. The provider's own reporting duty to the authority is under Art. 73(1).
  3. Provider reports to the authority: Your provider has at most 15 days from becoming aware to report a serious incident to the relevant market surveillance authority (Art. 73(2)). Where a person has died, the cap is 10 days (Art. 73(4)); for widespread infringements or serious disruption to critical infrastructure, 2 days (Art. 73(3)).
  4. Preserve logs: Maintain all relevant system logs for a minimum of 6 months to support investigation (Art. 26(6)).
  5. Cooperate: Support your provider's investigation and any subsequent market surveillance inquiry under Art. 74.
Art. 73 statutory reporting windows (for providers): General serious incident: immediately once a causal link is established, and no later than 15 days after awareness (Art. 73(2)). Death of a person: no later than 10 days (Art. 73(4)). Widespread infringement or serious and irreversible disruption to critical infrastructure: no later than 2 days (Art. 73(3)). These are maximums, not internal targets.

Definitions Art. 3 · Regulation (EU) 2024/1689

65 Defined Terms
Official Statutory Definitions

Every term below is drawn verbatim or paraphrased from Art. 3 of Regulation (EU) 2024/1689. Use these definitions to verify scope decisions, draft internal policies, and align documentation with the statutory language regulators will reference.

AI system Art. 3(1)
A machine-based system designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment. For explicit or implicit objectives, it infers, from inputs, how to generate outputs such as predictions, content, recommendations, or decisions that can influence real or virtual environments.
Key boundary: purely deterministic, rule-based software does not meet this definition. The inference-from-input requirement is what separates AI systems from traditional software.
AI Office Art. 3(47)
The body within the Commission responsible for ensuring consistent application of the Act across Member States, overseeing GPAI model obligations, and administering the Code of Practice process. Established under Commission Decision 2024/903.
Authorised representative Art. 3(5)
A natural or legal person established or located in the Union who has received and accepted a written mandate from a provider of an AI system to perform the obligations and procedures established by the Act on the provider's behalf.
Required for non-EU providers placing high-risk AI on the EU market. Must be established in an EU Member State.
Biometric categorisation system Art. 3(40)
An AI system for the purpose of assigning natural persons to specific categories on the basis of their biometric data unless it is ancillary to another commercial service and strictly necessary for objective technical reasons.
Biometric data Art. 3(34)
Personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that person, such as facial images or dactyloscopic data.
CE marking Art. 3(24)
A marking by which a provider indicates that a high-risk AI system is in conformity with the applicable requirements set out in Chapter III, Section 2 and any other applicable Union harmonisation legislation providing for its affixing.
CE marking on high-risk AI is a legal declaration of conformity, not just a market access label. Providers are criminally liable for incorrect affixing.
Conformity assessment Art. 3(20)
The process of verifying whether the requirements set out in Chapter III, Section 2 relating to a high-risk AI system have been fulfilled. Most high-risk AI uses internal self-assessment (Annex VI); systems listed in Annex III(1) (remote biometric identification) require third-party conformity assessment by a notified body.
Deep fake Art. 3(60)
AI-generated or manipulated image, audio, or video content that resembles existing persons, objects, places, or other entities or events and would falsely appear to a person to be authentic or truthful. Providers of systems generating deep fakes must ensure machine-readable disclosure (Art. 50(4)).
Deployer Art. 3(4)
A natural or legal person, public authority, agency, or other body that uses an AI system under its authority except where the AI system is used in the course of a personal non-professional activity.
Most organisations procuring and operating AI from a third-party vendor are deployers. Key obligations under Art. 26. If you substantially modify a high-risk AI system, you become a provider.
Distributor Art. 3(7)
A natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union market without modifying its intended purpose or the AI system itself.
General-purpose AI model Art. 3(63)
An AI model, including where trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market, and which can be integrated into a variety of downstream systems or applications.
All GPAI model providers must comply with Art. 53. Models above 10²⁵ FLOPs training compute are "systemic risk" models with additional obligations under Art. 55.
General-purpose AI system Art. 3(66)
An AI system based on a general-purpose AI model that has the capability to serve a variety of purposes, both for direct use as well as for integration in other AI systems.
High-risk AI system Art. 3 + Art. 6
An AI system listed in Annex III or used as a safety component in a product covered by Union harmonisation legislation listed in Annex I, unless the Art. 6(3) exception applies (no significant risk of harm to health, safety, or fundamental rights). High-risk classification triggers full compliance with Art. 9–15 and conformity assessment.
The 8 Annex III sectors: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration/border control, justice/democratic processes.
Importer Art. 3(6)
A natural or legal person established or located in the Union that places on the market an AI system that bears the name or trademark of a natural or legal person established outside the Union.
Intended purpose Art. 3(12)
The use for which an AI system is intended by the provider, including the specific context and conditions of use, as specified in the information supplied by the provider in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation.
Risk classification is based on intended purpose, not actual use. Providers must document intended purpose in Annex IV technical documentation.
Market surveillance authority Art. 3(26)
A national authority that carries out market surveillance on the territory of a Member State pursuant to Regulation (EU) 2019/1020 or national law. Each Member State must designate one or more national competent authorities, including a market surveillance authority, to supervise application of the Act.
National competent authority Art. 3(48)
The market surveillance authority and the notifying authority designated by each Member State for the purposes of this Regulation. Must be established by August 2, 2025. Member States must notify the Commission of designations.
Notified body Art. 3(22)
A conformity assessment body that has been notified in accordance with this Regulation. Notified bodies conduct third-party conformity assessments for high-risk AI systems listed in Annex III(1), primarily biometric identification systems used by law enforcement and public authorities. They are accredited by national accreditation bodies.
Operator Art. 3(8)
The provider, the product manufacturer, the authorised representative, the importer, the distributor, or the deployer, collectively, all parties in the AI system supply chain with defined obligations under the Act.
Placing on the market Art. 3(9)
The first making available of an AI system on the Union market. Applies equally to providers outside the EU whose AI systems are made available to users in the Union, whether through direct supply, cloud access, or reseller channels.
Post-market monitoring Art. 3(25)
All activities carried out by providers of AI systems to proactively collect and review experience gained from AI systems placed on the market or put into service for the purpose of identifying any need to immediately apply any necessary corrective or preventive actions. Providers of high-risk AI must operate a post-market monitoring system under Art. 72.
Provider Art. 3(3)
A natural or legal person, public authority, agency, or other body that develops an AI system or a general-purpose AI model, or that has an AI system or a GPAI model developed, and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge.
A deployer who substantially modifies a high-risk AI system becomes a provider and assumes all provider obligations. Fine-tuning a third-party model for commercial deployment makes you a GPAI model provider.
Putting into service Art. 3(11)
The supply of an AI system for first use directly to the deployer or for own use in the Union for its intended purpose. Triggers provider obligations even where no monetary transaction occurs.
Reasonably foreseeable misuse Art. 3(13)
The use of an AI system in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems, including those arising from accidental or third-party misuse.
Providers must account for reasonably foreseeable misuse when designing risk management systems under Art. 9(2)(b). It is not a defence that an operator used the system incorrectly if the misuse was foreseeable.
Remote biometric identification system Art. 3(41)
An AI system for the purpose of identifying natural persons at a distance through the comparison of a person's biometric data with biometric data contained in a reference database, without prior knowledge of the user of the AI system whether the person will be present and can be identified. Divided into real-time (Art. 3(42)) and post-remote (Art. 3(43)) systems.
Risk management system Art. 9
A continuous iterative process run throughout the entire lifecycle of a high-risk AI system, establishing, implementing, documenting, and maintaining processes to identify, analyse, estimate, evaluate, and address foreseeable risks. Art. 9 prescribes specific requirements including residual risk documentation, testing protocols, and review cadence.
Safety component Art. 3(14)
A component of a product or of an AI system which fulfils a safety function for that product or AI system, or the failure or malfunctioning of which endangers the health and safety of persons or property. An AI system used as a safety component of a product covered by Annex I harmonisation legislation is automatically high-risk under Art. 6(1).
Serious incident Art. 3(49)
An incident or malfunctioning of an AI system that directly or indirectly leads to: death or serious harm to health, serious disruption in the provision and management of critical infrastructure, an infringement of obligations under Union law intended to protect fundamental rights, or serious harm to property or the environment. Must be reported under Art. 73.
Substantial modification Art. 3(23)
A change to an AI system after its placing on the market or putting into service which affects the compliance of the AI system with the requirements set out in Chapter III, Section 2, or results in a modification to the intended purpose for which the AI system has been assessed.
A substantial modification resets the conformity assessment obligation. Deployers who substantially modify a high-risk AI system become providers under Art. 25(1).
Systemic risk (GPAI) Art. 3(65)
A risk specific to GPAI models of high impact (owing to their reach, complexity, capabilities, or combination) that has or may have a significant negative impact on the Union market, public health, safety, public security, or fundamental rights. The Commission has set a rebuttable threshold of 10²⁵ FLOPs of training compute.
Technical documentation Art. 11 + Annex IV
Documentation that providers of high-risk AI systems must draw up before placing the system on the market or putting it into service, and keep up-to-date. Must cover the 15 items listed in Annex IV, including: general description, development lifecycle, dataset documentation, performance metrics, risk management, and human oversight measures.
Transparency obligation Art. 50
Requirements under Chapter IV (Art. 50) mandating disclosure when users interact with AI systems. Covers: chatbots must disclose AI nature; emotion recognition / biometric categorisation users must be informed; deep fakes must be machine-readably labelled; AI-generated content must be discernibly marked.

Annex III Sector Guides Art. 6(2) · 8 High-Risk Sectors

Annex III · Regulation (EU) 2024/1689
Does Your AI Fall in a High-Risk Sector?

Annex III lists eight sectors where AI systems are presumed high-risk under Art. 6(2). If your AI system's intended purpose falls in any sector below, you must complete conformity assessment, draw up Annex IV technical documentation, and apply for CE marking by August 2, 2026, unless Art. 6(3) applies. Click each sector to see which specific use cases are in-scope.

Annex III(1)(a) Remote biometric identification systems (excluding biometric verification whose sole purpose is to confirm a person is who they claim to be)
Annex III(1)(b) Biometric categorisation systems using sensitive characteristics (political, religious, philosophical beliefs, race, sexual orientation, trade union membership)
Annex III(1)(c) Emotion recognition systems (outside the workplace and education contexts prohibited by Art. 5)
Conformity assessment (Art. 43(1)): For all Annex III point 1 systems (a, b and c), where the provider applies harmonised standards it may opt for either internal control (Annex VI) or a notified-body assessment (Annex VII). A notified body is mandatory only where harmonised standards are absent or not applied. Real-time remote biometric identification in publicly accessible spaces is a separate matter, governed by the Art. 5(1)(h) prohibition rather than by this classification.
Annex III(2) AI systems intended to be used as safety components in the management and operation of critical digital infrastructure, road traffic, and the supply of water, gas, heating, and electricity
A predictive maintenance AI in a water treatment plant is Annex III in-scope. A general analytics dashboard is not a safety component and falls outside this category. Apply the "safety component" test from Art. 3(14) carefully.
Annex III(3)(a) AI systems intended to be used to determine access or admission to educational institutions
Annex III(3)(b) AI systems to evaluate learning outcomes, assess students, and detect prohibited behaviour during exams
Annex III(3)(c) AI systems intended to be used for assessing the appropriate level of education for a person
AI-powered proctoring tools are explicitly in-scope under (3)(b). LMS personalisation tools that recommend courses but do not determine access or assessment outcomes may fall outside Annex III, document your Art. 6(3) rationale if claiming exemption.
Annex III(4)(a) AI systems to be used for recruitment or selection, in particular to place targeted job advertisements, screen or filter applications, or evaluate candidates
Annex III(4)(b) AI intended for decisions on promotion and termination of employment, task allocation, and monitoring & evaluating work performance
CV screening tools, AI interview analysis platforms, and performance monitoring dashboards are all in-scope. Deployers using third-party HR AI must verify provider compliance, conduct FRIA (Art. 27), and maintain logs of AI-assisted decisions (Art. 26(6)).
Annex III(5)(b) AI to evaluate the creditworthiness of natural persons or establish their credit score (excluding fraud detection)
Annex III(5)(c) AI for risk assessment and pricing in relation to natural persons in life and health insurance
Annex III(5)(a) AI used by public authorities to evaluate eligibility for public assistance benefits and services, and to grant, reduce, revoke, or reclaim those benefits
Credit scoring AI is explicitly high-risk, even for lenders operating on third-party scoring platforms, the deployer obligation under Art. 26 applies. Pricing AI for insurance products triggers obligations for both the AI developer (provider) and the insurer (deployer).
Fraud detection AI excluded here? Check: (1) if your system processes biometric data → Annex III(1); (2) if it generates outputs that affect individual customers directly → Art. 50 transparency obligations; (3) if uncertain → use the Scope Checker.
Annex III(6)(a) AI for assessing the risk of a natural person becoming a victim of criminal offences
Annex III(6)(b) AI as polygraphs and similar tools to detect emotional state, deception, or cognitive state of a person
Annex III(6)(c) AI to evaluate the reliability of evidence in the course of criminal proceedings
Annex III(6)(d) AI for predicting recidivism risk or criminal offence risk based on profiling
Annex III(6)(e) AI for crime analytics to search or profile in police databases
Law enforcement AI is subject to the strictest oversight requirements. National authorities must conduct DPIAs and Fundamental Rights Impact Assessments. Deployers must notify the market surveillance authority of their FRIA results under Art. 27(3). Many law enforcement applications also intersect with GDPR Law Enforcement Directive obligations.
Annex III(7)(a) AI for lie detection and similar tools in the context of migration, asylum, and border control
Annex III(7)(b) AI for risk assessment and security screening of persons
Annex III(7)(c) AI to examine applications for asylum, visa, and residence permits
Annex III(7)(d) AI for detecting, recognising, or identifying natural persons in the context of border management
Migration applications intersect EU Charter of Fundamental Rights Art. 18 (right to asylum) and Art. 47 (right to effective remedy). Any adverse AI-assisted decision must include a meaningful right to explanation and human review.
Annex III(8)(a) AI to assist a judicial authority in researching and interpreting facts and the law, and in applying the law to a concrete set of facts
Annex III(8)(b) AI intended to be used for influencing the outcome of an election or referendum, or voting behaviour
Legal research AI used by courts is explicitly Annex III. AI legal research tools used by law firms advising clients are not automatically in-scope, scope depends on whether the output directly influences judicial decision-making. Election-targeted AI is in-scope regardless of who deploys it.
Healthcare & Medical Device AI, Art. 6(1) Pathway

Healthcare AI (diagnostic support, triage, imaging analysis, clinical decision support) is classified high-risk via Art. 6(1) + Annex I, as a safety component in a medical device regulated under MDR (EU) 2017/745 or IVDR (EU) 2017/746. This pathway does not require Annex III classification and is separate from the 8 Annex III sectors listed above.

Key obligations: Conformity assessment under MDR/IVDR + parallel EU AI Act Art. 9–15 obligations. Where the product legislation mandates a notified body (Class IIa/IIb/III medical devices), third-party conformity assessment is also required under the EU AI Act (Art. 43(2)).
Deadline: August 2, 2027 for Annex I safety-component systems (Art. 6(1), Art. 113(c)). A proposed Digital Omnibus extension (PROPOSED, not yet law; pending trilogue) could defer high-risk obligations to August 2, 2028. Do not rely on this extension: the binding deadline stands until the Omnibus is adopted and published in the Official Journal.
Worked example: An AI triage system in an emergency department that directly influences clinical decisions qualifies as a safety component in an MDR Class IIb device, high-risk AI requiring both MDR notified body review and EU AI Act technical documentation under Annex IV.

Notified Bodies Art. 33–39 · Conformity Assessment

Third-Party Conformity Assessment
When Do You Need a Notified Body?

Third-party assessment by an accredited notified body is required in two scenarios: (1) High-risk AI systems listed in Annex III(1), remote biometric identification systems in publicly accessible spaces (not limited to law enforcement contexts). (2) AI systems that are safety components of Annex I regulated products (medical devices under MDR/IVDR, machinery, vehicles, etc.) where the governing Union harmonisation legislation mandates third-party conformity assessment for that product category, see Art. 43(2) and Art. 6(1). All other Annex III systems use the internal conformity assessment procedure (Annex VI). A notified body cannot substitute for the provider's own quality management obligations.

Notified Body Obligations (Art. 33–39)
INDEPENDENCE (Art. 33(3))
Notified bodies must be established under national law, be legally distinct from the providers and deployers they assess, and have no financial dependence on the organisations whose AI systems they certify.
ACCREDITATION (Art. 33(7))
Notified bodies must hold accreditation from the national accreditation body designated under Regulation (EC) 765/2008. Accreditation covers specific scopes of assessment, verify the body's scope covers your AI system type.
NANDO DATABASE (Art. 35)
The Commission publishes notified bodies in the NANDO (New Approach Notified and Designated Organisations) database. Use NANDO to verify a body's notification status and scope before engaging them. Designation is member-state specific, a body notified in Germany operates under German accreditation, not EU-wide.
Self-Assessment Procedure (Most Providers)

Under Annex VI, providers of Annex III high-risk AI conduct internal conformity assessment. For Annex III point 1 systems (a, b and c) this internal-control route is available where harmonised standards are applied; otherwise a notified-body assessment under Annex VII is required (Art. 43(1)). The internal control procedure is:

1
Draw up Annex IV technical documentation, general description, development process, training data, performance metrics, risk management results, human oversight measures, logging capabilities.
2
Implement quality management system (Art. 17) covering development strategy, design controls, testing procedures, post-market monitoring, and corrective action.
3
Draw up EU Declaration of Conformity (Art. 47), formal declaration that the system meets all applicable requirements. Keep on file for 10 years.
4
Apply CE marking (Art. 48) and register in the EU AI database (Art. 49) before placing on the EU market.
Where to Find Notified Bodies NANDO Database ↗

As of June 2026, notified bodies for the EU AI Act are in the accreditation process across Member States. The Commission maintains the authoritative list in NANDO. The link below directs to the official EU database, verify any prospective body's notification number and scope against NANDO before signing an engagement letter.

IMPORTANT, VERIFICATION REQUIRED
Notified body availability is still maturing as Member States build out accreditation infrastructure. Some specialisations, particularly AI-specific conformity assessment, have limited capacity ahead of the August 2026 deadline. Engage prospective notified bodies early if Annex III(1) assessment is required.

ISO 42001 Gap Bridge What ISO 42001 Covers, and What It Misses

For Organisations with ISO 42001 Certification
ISO 42001 ≠ EU AI Act Compliance

ISO 42001 certification gives you a strong governance foundation but does not cover conformity assessment, CE marking, EU database registration, or specific Annex IV technical documentation. Use this tool to identify exactly which EU AI Act obligations your ISO 42001 implementation already addresses, and where the gaps require additional work before August 2026.

EU AI Act Requirement
ISO 42001
Coverage
Gap Action
Art. 9, Risk Management System
Continuous lifecycle risk process, residual risk docs
§ 6.1, 8.4
Strong
Extend with AI-specific risk taxonomy
Art. 10, Data Governance
Training data quality, bias detection, data lineage
§ 8.3
Partial
Add Annex IV data card documentation
Art. 11, Technical Documentation
Annex IV 15-item documentation package
§ 8.5
Partial
Build full Annex IV package
Art. 12, Record-Keeping (Logs)
Automatic event logging by design; retention set separately (at least 6 months, Art. 19(1) / 26(6))
§ 8.2
Partial
Implement technical logging capability
Art. 13, Transparency to Deployers
Instructions for use, capabilities/limitations disclosure
§ 8.6
Strong
Map existing docs to Art. 13 items
Art. 14, Human Oversight
Override/stop capability, trained operators, human review
§ 8.4, 6.2
Strong
Document override mechanisms explicitly
Art. 43, Conformity Assessment
Formal assessment procedure (Annex VI or notified body)
None
Not Covered
Complete Annex VI self-assessment
Art. 48, CE Marking
Affix CE marking before placing on EU market
None
Not Covered
CE marking separate process
Art. 49, EU Database Registration
Register system before market placement
None
Not Covered
Register in EU AI database

Board Summary

One-page executive briefing · Regulation (EU) 2024/1689 · June 2026

7% of turnover
or €35M (whichever is higher)
Prohibited AI · Art. 99(3)
3% of turnover
or €15M (whichever is higher)
High-risk non-compliance · Art. 99(4)
1% of turnover
or €7.5M (whichever is higher)
False information · Art. 99(5)

Calculate your organisation's actual maximum exposure →

Deployer Liability Chain

Even where a vendor provides the AI system, deployers face direct fines of up to 3% of global turnover or €15M for failures of their own Art. 26 obligations, human oversight, logging, instructions compliance, and FRIA.

Vendor compliance does not substitute for deployer compliance. Substantially modifying a high-risk AI system reclassifies the deployer as provider under Art. 25, assuming all provider obligations.

What the EU AI Act Requires of Your Organisation
IMMEDIATE, ACTIVE SINCE FEB 2025
Screen and remove prohibited AI systems. Eight categories are permanently banned: subliminal manipulation, social scoring, untargeted scraping for facial databases, emotion recognition in workplaces/education (mostly), real-time biometric surveillance in public. Penalties: up to €35M or 7% global turnover.
CRITICAL DEADLINE, AUGUST 2, 2026
High-risk AI systems must be fully conformity-assessed and registered. If your organisation develops or procures AI for biometrics, employment, credit, education, law enforcement, or infrastructure, you must complete technical documentation, risk management, conformity assessment, and EU database registration.
AI LITERACY, ACTIVE SINCE FEB 2025
All staff using or managing AI must have sufficient AI literacy. Art. 4 requires proportionate training and competency. No specific curriculum is prescribed, but regulators will expect documented evidence of AI literacy programmes during investigations.
Board-Level Questions to Ask
Do we have a complete inventory of every AI system we develop, procure, or deploy, with each system's intended purpose documented and risk category assessed?
Have our AI systems been screened against the 8 prohibited categories? Who owns that assessment and what evidence exists that it has been completed?
For high-risk AI systems, are we on track for conformity assessment and EU database registration before August 2, 2026? What is the resource plan and who is accountable?
Do our vendor and procurement contracts require AI suppliers to provide compliance documentation? Are we exposed through third-party AI tools our teams have adopted without central oversight?
Has a designated person been given authority and resources to coordinate EU AI Act compliance across the organisation? Does the board receive regular compliance reporting?
Compliance Readiness Snapshot
AI system inventory complete
Prohibited AI screening done
High-risk AI identified and classified
Technical documentation in progress
AI literacy training deployed
DIGITAL OMNIBUS, PROPOSED, NOT YET LAW (see Key Dates for details)
  • PROPOSED: high-risk obligations may extend to Aug 2, 2028 (Council negotiating position, 13 Mar 2026); original Aug 2, 2026 date not yet changed
  • Annex III standalone high-risk AI: Deadline unchanged, August 2, 2026
  • GPAI, Prohibited AI: NOT affected

The 2 August 2026 deadline remains legally binding until the Omnibus is formally adopted and published in the Official Journal. Trilogue negotiations collapsed once (April 2026); outcomes may change.

Regulatory Updates Live Tracker, June 2026

Post-Enactment Guidance & Developments
What Has Changed Since Publication

The EU AI Act entered into force August 1, 2024 but implementation guidance, delegated acts, and soft-law instruments have continued to emerge. This tracker covers material developments that affect compliance obligations, prioritised by operational impact.

2026Operational Impact
GPAI Codes of Practice, Finalisation
The AI Office finalised Codes of Practice for GPAI model providers under Art. 56. Adherence to the Code creates a presumption of conformity with Art. 53 and Art. 55 obligations. Key provisions cover: model documentation templates, copyright compliance procedures, incident classification criteria, and adversarial testing minimum standards. GPAI providers not adhering to the Code must independently demonstrate compliance, a significantly harder path. Verify the latest version and publication date at the AI Office portal (digital-strategy.ec.europa.eu/ai-office).
2025–2026Operational Impact
GPAI Codes of Practice, Consultation Rounds
The AI Office conducted structured public consultation on successive drafts of the GPAI Codes of Practice throughout 2025–2026. Successive drafts clarified: systemic risk evaluation criteria, adversarial testing requirements, SME proportionality provisions, and copyright compliance procedures. GPAI providers should track the latest published draft at the AI Office portal and engage in consultation if representing a significant volume of the EU market. Art. 56 gives the Commission authority to mandate adherence if voluntary uptake is insufficient.
Feb 2025Active, Enforceable Now
Chapter II (Prohibited AI) Became Enforceable
Art. 5 prohibitions and Art. 4 AI literacy requirements entered into force February 2, 2025. Member States were required to designate national competent authorities by August 2, 2025. Organisations should have completed prohibited AI screening before this date. If not yet done, treat this as an immediate priority, enforcement actions can already be brought.
Aug 2025Active
GPAI Model Obligations Became Enforceable
Chapter V (Art. 51–56) obligations for general-purpose AI model providers entered into force August 2, 2025. All GPAI model providers, including those providing models via API, must comply with Art. 53 documentation, copyright, and training summary requirements. Systemic-risk model providers must also comply with Art. 55 adversarial testing and incident reporting obligations.
2024–2025Procedural
EU AI Database Opened for Registration
The EU AI database required under Art. 71 opened for registration testing and provider pre-registration in late 2025. Full mandatory registration for high-risk AI providers is required before the August 2, 2026 deadline. Providers should initiate registration early, the database requires detailed Annex IV data fields and may require clarification iterations with national authorities.
UpcomingAug 2026 Deadline
Full High-Risk AI Obligations Effective
Chapters III (high-risk AI Art. 6–49), IV (transparency Art. 50), VI (sandboxes and innovation), VII (governance), and VIII (EU AI database) take full effect August 2, 2026. By this date, providers of high-risk AI must have completed conformity assessment, drawn up the EU Declaration of Conformity, applied CE marking, and registered in the EU AI database. See the countdown in the Overview panel for current days remaining.
Monthly Digest Archive, Pipeline-Generated
EU AI Act Monthly Digests

Each digest aggregates the month's regulatory briefs, enforcement developments, and implementation guidance, synthesised from primary sources and published automatically by our AI News Hub pipeline.

LEGAL NOTICE

This resource is published by Tech Jacks Solutions for educational and informational purposes only. It does not constitute legal advice and should not be relied upon as such. While we endeavour to keep this content accurate and up to date with Regulation (EU) 2024/1689 and related guidance, we make no representations or warranties of any kind, express or implied, as to its completeness, accuracy, or fitness for a particular purpose. Consult a qualified legal professional before making compliance decisions. Tech Jacks Solutions accepts no liability for any loss or damage arising from reliance on this content.