Framework Explorer / EU AI Act
EU AI Act in the AI Governance Framework Explorer
The EU AI Act is the first comprehensive, legally binding AI regulation. It classifies AI systems by risk — prohibited practices, high-risk systems, transparency-risk systems, and general-purpose AI models — and attaches obligations to providers, deployers, importers, and distributors.
Open the Interactive ExplorerJump to EU AI Act
Every EU AI Act entry, explained
Titles identify each requirement; the one-line summaries below are original Tech Jacks plain-English descriptions, not official standard text. Click any ID to open the full entry — implementation guidance, evidence checklists, risk analysis, and FAQs — in the interactive explorer.
Title I — General Provisions5 entries
Defines key terms including AI system, provider, deployer, high-risk AI system, and others.
Providers and deployers shall ensure sufficient AI literacy of their staff and relevant persons.
Defines who and what falls under the regulation — providers, deployers, importers, and distributors placing or using AI in the EU market.
Establishes harmonised rules for AI systems placed on the market, put into service, or used in the Union, promoting trustworthy AI while ensuring protection of fundamental rights.
Title II — Prohibited AI Practices2 entries
Prohibits AI systems that use subliminal techniques, exploit vulnerabilities, social scoring, or real-time remote biometric identification.
Title III — High-Risk AI Systems50 entries
Articles 6-7 establishing the rules for determining whether an AI system qualifies as high-risk based on Annex I product legislation and Annex III use-case areas.
Articles 8-15 defining mandatory technical and organizational requirements for high-risk AI: risk management, data governance, documentation, logging, transparency, human oversight, accuracy, robustness, and cybersecurity.
Section 3 (Articles 16-27): Legal obligations for each actor in the high-risk AI value chain: providers, authorized representatives, importers, distributors, and deployers.
Articles 28-39 establishing the institutional framework for third-party conformity assessment of high-risk AI systems.
Section 5 (Articles 40-49): Harmonized standards, common specifications, conformity assessment, certificates, EU declaration of conformity, CE marking, and registration. This is the final section of Chapter III — there is no Section 6.
AI system is high-risk if used as a safety component or in areas listed in Annex III.
High-risk AI systems shall comply with the requirements laid down in this Chapter.
A risk management system shall be established, implemented, documented and maintained for high-risk AI.
High-risk AI training, validation and testing data sets shall be subject to data governance practices.
Technical documentation shall be drawn up before a high-risk AI system is placed on the market.
High-risk AI systems shall allow for automatic recording of events (logs) relevant to conformity.
High-risk AI systems shall be designed to ensure their operation is sufficiently transparent.
High-risk AI systems shall be designed to allow effective human oversight during use.
High-risk AI shall achieve appropriate levels of accuracy, robustness and cybersecurity.
Providers of high-risk AI shall ensure compliance, establish quality management, and maintain documentation.
Providers shall put a quality management system in place that ensures compliance with this Regulation.
Empowers the Commission to update the high-risk AI system list in Annex III via delegated acts.
Establishes obligations for distributors, importers, deployers, and authorized representatives within the AI supply chain.
Deployers must use AI in accordance with instructions, ensure human oversight, monitor operation, and conduct fundamental rights impact assessments.
Deployers of certain high-risk AI must assess impacts on fundamental rights before putting the system into use.
High-risk AI systems conforming to harmonised standards or parts thereof shall be presumed to be in conformity with the requirements of Section 2.
Providers of high-risk AI systems shall follow the conformity assessment procedure before placing on the market.
Provider must draw up a written EU declaration of conformity for each high-risk AI system and keep it for 10 years.
Before placing a high-risk AI system on the market, providers shall register themselves and their system in the EU database. Deployers who are public authorities shall also register.
Providers of high-risk AI systems shall keep documentation including technical documentation, EU declaration of conformity, and relevant records, making them available to national competent authorities upon request.
Providers of high-risk AI systems must keep logs automatically generated by the system for a period appropriate to the intended purpose, at least 6 months.
Providers who consider a high-risk AI system is not in conformity must immediately take corrective actions and inform distributors, deployers, and authorized representatives.
Providers of high-risk AI systems shall, upon a reasoned request by a national competent authority, provide that authority with all the information and documentation necessary to demonstrate conformity.
Non-EU providers must appoint an authorised representative established in the Union before making high-risk AI systems available on the Union market.
Importers must ensure high-risk AI systems bear CE marking, have conformity documentation, and that the provider has appointed an authorised representative.
Distributors must verify that high-risk AI systems bear CE marking, that required documentation exists, and that storage and transport do not jeopardise conformity.
Member States must designate or establish a notifying authority responsible for setting up procedures for the assessment and notification of conformity assessment bodies.
Conformity assessment bodies shall submit an application for notification to the notifying authority of the Member State in which they are established.
Notifying authorities shall only notify conformity assessment bodies which have satisfied the requirements set out in the regulation.
Notified bodies must be established under national law, have legal personality, and demonstrate competence, independence, and impartiality.
Conformity assessment bodies demonstrating conformity with harmonised standards or parts thereof shall be presumed to comply with notified body requirements.
Notified bodies may subcontract specific tasks with client consent, but must maintain responsibility and verify subcontractor competence.
Notified bodies must verify AI system conformity following the conformity assessment procedures, acting proportionately to avoid unnecessary burden on operators.
The Commission assigns identification numbers to notified bodies and makes the list publicly available including activity scope.
Notifying authorities shall notify the Commission and other Member States of any relevant changes to the notification of a conformity assessment body.
The Commission may investigate the competence of a notified body or its continued fulfillment of requirements at any time, including following concerns from Member States.
The Commission shall ensure appropriate coordination and cooperation between notified bodies active under the regulation through a sectoral group.
Conformity assessment bodies established under the law of a third country may be accepted through mutual recognition agreements.
Where harmonised standards do not exist or are insufficient, the Commission may adopt common specifications for high-risk AI system requirements.
High-risk AI systems trained and tested on data reflecting the specific geographic, behavioural and functional setting shall be presumed to comply with data quality requirements.
Certificates issued by notified bodies shall be valid for a maximum period of 5 years and may be extended upon reassessment.
Notified bodies shall inform the notifying authority of any refusal, restriction, suspension, or withdrawal of certificates.
Any market surveillance authority may authorise placing a specific high-risk AI system on the market without conformity assessment in exceptional circumstances.
The CE marking shall be affixed visibly, legibly, and indelibly for high-risk AI systems. For digitally provided systems, a digital CE marking shall be used.
Title IV — Transparency Obligations for Providers and Deployers of Certain AI Systems2 entries
Transparency obligations for providers and deployers of certain AI systems.
Providers shall ensure AI systems intended to interact with persons are designed so persons are informed they are interacting with AI. Deployers of emotion recognition and biometric categorisation systems shall inform the persons exposed.
Title V — General-Purpose AI Models7 entries
Classification rules and obligations for providers of general-purpose AI models, including those with systemic risk.
A GPAI model shall be classified as having systemic risk if it has high impact capabilities evaluated by technical tools, or by Commission designation based on criteria in Annex XIII.
All GPAI providers must maintain technical documentation, provide information to downstream providers, comply with copyright, and publish training content summaries.
Providers of systemic-risk GPAI must perform model evaluations, assess and mitigate systemic risks, ensure cybersecurity, and report serious incidents.
Procedure for the Commission to designate a GPAI model as having systemic risk, including notification, provider representations, and update of the list of GPAI models with systemic risk.
Non-EU GPAI model providers must appoint an authorised representative in the Union before making the model available on the Union market.
The AI Office shall encourage and facilitate drawing up of codes of practice covering obligations of GPAI model providers, including systemic risk evaluation.
Title VIII — EU Database for High-Risk AI Systems2 entries
Establishment and maintenance of an EU database for registration of high-risk AI systems listed in Annex III.
The Commission shall establish and maintain an EU database for registration of high-risk AI systems referred to in Annex III. Providers and deployers who are public authorities shall register before placing on market or putting into service.
Title XII — Penalties4 entries
Rules on penalties for infringements, administrative fines on EU institutions, and fines for providers of GPAI models.
Member States shall lay down rules on penalties applicable to infringements. Fines up to 35M EUR or 7% of turnover for prohibited practices; 15M EUR or 3% for other violations; 7.5M EUR or 1% for incorrect information.
The European Data Protection Supervisor may impose administrative fines on Union institutions, bodies, offices and agencies for infringements of this Regulation.
The Commission may impose fines on providers of GPAI models for intentional or negligent infringement of obligations under Chapter V, up to 3% of annual worldwide turnover or 15M EUR.
Title VI — Measures in Support of Innovation8 entries
AI regulatory sandboxes, real-world testing provisions, and measures supporting SMEs and startups with AI Act compliance.
Member States shall ensure that their competent authorities establish at least one AI regulatory sandbox at national level to facilitate the development and testing of innovative AI systems under regulatory oversight before placement on the market.
Sets out detailed rules for sandbox operation including eligibility criteria, application process, terms and conditions, exit procedures, and rights of participants.
Personal data lawfully collected for other purposes may be processed in AI regulatory sandboxes for developing AI systems in the public interest, subject to specific safeguards.
Testing of high-risk AI systems in real-world conditions outside sandboxes is permitted subject to a real-world testing plan, registration in the EU database, and informed consent of subjects.
Subjects of real-world testing must give freely given informed consent, may withdraw at any time without detriment, and must be informed of all relevant aspects of the testing.
Member States shall undertake measures to provide SMEs and startups with priority access to sandboxes, dedicated awareness channels, and guidance on AI Act implementation.
Micro enterprises and certain operators are granted specific derogations from quality management system requirements, with simplified approaches proportionate to their size.
Title VII — Governance8 entries
EU-level governance framework including the AI Office, European Artificial Intelligence Board, advisory forum, scientific panel, and national competent authorities.
The Commission establishes the AI Office to develop Union expertise and capabilities in AI, and to contribute to implementation, monitoring and supervision of AI systems and GPAI models.
The European Artificial Intelligence Board is established to advise and assist the Commission, facilitate consistent application of the Regulation across Member States.
The Board shall advise and assist the Commission and Member States on implementation, contribute to guidance and opinions, and share expertise and best practices among Member States.
An advisory forum is established to provide technical expertise and advise the Board and Commission, with balanced representation from industry, SMEs, startups, civil society, and academia.
A scientific panel of independent experts supports enforcement activities, provides qualified alerts on GPAI systemic risks, and advises on classification of GPAI models with systemic risk.
Member States may call upon the pool of experts established under Article 68 to support their enforcement activities under the Regulation.
Each Member State shall establish or designate at least one notifying authority and at least one market surveillance authority as national competent authorities, and designate a single point of contact.
Title IX — Post-Market Monitoring, Information Sharing and Market Surveillance24 entries
Post-market monitoring by providers, serious incident reporting, market surveillance enforcement, remedies, and supervision of GPAI model providers.
Providers of high-risk AI shall establish and document a post-market monitoring system proportionate to the nature of the AI technology and the risks, including a post-market monitoring plan as part of the technical documentation.
Providers of high-risk AI systems placed on the Union market shall report any serious incident to the market surveillance authorities of the Member States where that incident occurred.
Market surveillance authorities shall carry out market surveillance and enforcement activities in accordance with Regulation (EU) 2019/1020, adapted for AI systems under this Regulation.
Where an AI system is based on a GPAI model, the relevant market surveillance authority may request cooperation from the AI Office for enforcement of GPAI-related obligations.
Market surveillance authorities may require providers to provide information on real-world testing and may carry out unannounced inspections of such testing.
National public authorities supervising fundamental rights obligations may request and access documentation under the Regulation to assess AI system compliance with fundamental rights.
Authorities shall respect confidentiality of information and data obtained in the course of their tasks, particularly trade secrets and sensitive business information.
Where an AI system presents a risk, the market surveillance authority shall carry out an evaluation, and if non-compliant, require the operator to take corrective action.
Where a market surveillance authority considers that an AI system classified as non-high-risk by the provider does pose significant risk, it may challenge the classification and require corrective measures.
Where a Member State objects to a measure taken by another Member State, the Commission shall evaluate and decide whether the national measure is justified.
Even a compliant AI system may be found to present a risk — in such cases, the authority may require the provider to take measures to eliminate the risk.
Market surveillance authorities shall address formal non-compliance such as missing CE marking, missing documentation, or missing declaration of conformity.
The Commission shall designate Union AI testing support structures to provide independent testing capabilities, tools and scientific support to national competent authorities and notified bodies.
Natural or legal persons having grounds to consider that there has been an infringement of this Regulation may lodge a complaint with the relevant market surveillance authority.
Affected persons subject to decisions by deployers on the basis of high-risk AI system output that produces legal effects shall have the right to obtain clear and meaningful explanations of the role of the AI system.
Persons reporting infringements of this Regulation shall be protected under Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law.
The AI Office is responsible for enforcement of obligations of GPAI model providers under Chapter V, with investigation, evaluation, and measure request powers.
The AI Office may undertake actions to monitor compliance of GPAI model providers, including requesting documentation and information.
The scientific panel may issue a qualified alert to the AI Office when it has reason to suspect that a GPAI model may pose a concrete identifiable risk at Union level.
The AI Office may request GPAI model providers to provide the documentation drawn up pursuant to Articles 53 and 55, and any additional information necessary for enforcement.
The AI Office may conduct evaluations of GPAI models to assess compliance with obligations under Chapter V, including the right to request the provider to take measures.
Where necessary, the AI Office may request providers of GPAI models to take appropriate measures to comply with obligations or to address identified risks.
Providers of GPAI models shall enjoy procedural rights including the right to be heard before the AI Office takes enforcement decisions, and rights of defense.
Title X — Codes of Conduct and Guidelines3 entries
Voluntary codes of conduct for non-high-risk AI systems and Commission guidelines on implementation of the regulation.
The AI Office and Member States shall encourage and facilitate the drawing up of codes of conduct for voluntary application of requirements to AI systems other than high-risk AI systems.
The Commission shall develop guidelines on the practical implementation of the Regulation, including on the application of high-risk requirements, prohibited practices, and transparency obligations.
Title XI — Delegation of Power and Committee Procedure3 entries
Exercise of delegated powers conferred on the Commission and committee procedure for implementing acts.
The power to adopt delegated acts is conferred on the Commission subject to conditions including revocation by the European Parliament or Council and an objection period.
The Commission is assisted by a committee within the meaning of Regulation (EU) No 182/2011 for the purposes of this Regulation.
Title XIII — Final Provisions13 entries
Amendments to existing Union legislation, transitional provisions for systems already on the market, GPAI model compliance timelines, evaluation and review, and entry into force with phased application dates.
Amends Regulation (EC) No 300/2008 on common rules in the field of civil aviation security to reference AI system requirements.
Amends Regulation (EU) No 167/2013 on the approval and market surveillance of agricultural and forestry vehicles to include AI system requirements.
Amends Regulation (EU) No 168/2013 on the approval and market surveillance of two- or three-wheel vehicles and quadricycles to include AI system requirements.
Amends Directive 2014/90/EU on marine equipment to include AI system conformity assessment requirements.
Amends Directive (EU) 2016/797 on the interoperability of the rail system to include AI system requirements.
Amends Regulation (EU) 2018/858 on the approval and market surveillance of motor vehicles to include AI system requirements.
Amends Regulation (EU) 2018/1139 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency to include AI system requirements.
Amends Regulation (EU) 2019/2144 on type-approval requirements for motor vehicles regarding general safety to include AI system requirements.
Amends Directive (EU) 2020/1828 on representative actions for the protection of the collective interests of consumers to include this Regulation.
Transitional provisions: systems placed on market before enforcement dates may continue if not significantly modified. GPAI models placed on market before August 2025 must comply with Article 53 by August 2027.
The Commission shall assess the need for amendment of the list in Annex III once a year and evaluate and review this Regulation by 2 August 2029, with reports to the European Parliament and the Council.
This Regulation enters into force on the twentieth day following publication. Phased application: prohibited practices from 2 February 2025, GPAI obligations from 2 August 2025, high-risk (Annex III) from 2 August 2026, high-risk (Annex I) from 2 August 2027.
How EU AI Act maps to other frameworks
Sample audited mappings
All 63 mappings are browsable in the interactive explorer and its knowledge graph.
Implementation templates for EU AI Act
Related guides
Frequently asked questions
How many EU AI Act entries does the Framework Explorer cover?
131 entries, each with a plain-English explanation, implementation guidance at three organization sizes, evidence checklists, and risk context. 48 entries carry source-grounded risk profiles.
How does EU AI Act relate to the other AI governance frameworks?
The Framework Explorer documents 63 audited cross-framework mappings touching EU AI Act, connecting it to ISO/IEC 42001, NIST AI RMF, ISO/IEC 27001, OWASP LLM Top 10, OWASP Agentic AI Top 10, MITRE ATLAS. Every mapping was verified against the source documents.
Is this content the official EU AI Act text?
No. Entry titles identify each requirement, and all explanations are original plain-English summaries written by Tech Jacks Solutions. For official text, consult the publishing body directly.