The EU AI Act is the world’s first binding legal framework for artificial intelligence. It entered into force on 1 August 2024 and applies to any organisation that develops, deploys, imports, or distributes AI systems affecting people in the European Union, regardless of where that organisation is established.
The Act regulates AI systems by risk level, not by industry or technology type. Your obligations depend on two things: what your AI system does, and what role you play in its lifecycle.

## Key Definitions

| Term | Definition | Legal basis |
|---|---|---|
| AI system | A machine-based system that infers from inputs how to generate outputs such as predictions, recommendations, decisions, or content, and that operates with varying degrees of autonomy | Article 3(1) |
| Provider | A natural or legal person that develops an AI system or general-purpose AI model and places it on the market or puts it into service under their own name or trademark | Article 3(3) |
| Deployer | A natural or legal person that uses an AI system under their authority in a professional context | Article 3(4) |
| Authorised representative | An EU-established natural or legal person mandated in writing by a non-EU provider to act on its behalf | Article 3(5) |
| Importer | An EU-established person that places on the market an AI system bearing the name or trademark of a non-EU person | Article 3(6) |
| Distributor | A person in the supply chain, other than provider or importer, that makes an AI system available on the EU market | Article 3(7) |
| GPAI model | An AI model trained on large amounts of data that can competently perform a wide range of distinct tasks | Article 3(63) |
| High-risk AI system | An AI system listed in Annex III or forming a safety component of a product covered by Annex I legislation | Articles 6–7 |
| Operator | A collective term covering providers, deployers, authorised representatives, importers, and distributors | Article 3(8) |

## Risk Classification Framework

The Act organises AI systems into four risk tiers. Your compliance obligations depend entirely on which tier your system falls into.
| Risk tier | Description | Examples | Consequence |
|---|---|---|---|
| Unacceptable | AI that poses a clear threat to fundamental rights or safety | Social scoring by public authorities, subliminal manipulation, real-time biometric surveillance in public spaces | Prohibited outright. Operating these systems is unlawful from February 2025 |
| High | AI used in sensitive domains listed in Annex III, or safety components in Annex I products | CV screening, credit scoring, medical devices, biometric identification, critical infrastructure | Full compliance obligations: conformity assessment, technical documentation, registration, human oversight |
| Limited | AI with specific transparency risks | Chatbots, deepfake generators, emotion recognition systems | Disclosure and transparency obligations only |
| Minimal or none | All other AI systems | Spam filters, AI-powered playlists, basic recommendation engines | No mandatory obligations under the Act |

## Implementation Timeline

| Date | What applies |
|---|---|
| 1 August 2024 | Act enters into force |
| 2 February 2025 | Prohibited practices banned. AI literacy obligation (Article 4) applies |
| 2 August 2025 | GPAI model obligations apply. Authorised Representative requirement for GPAI providers |
| 2 August 2026 | High-risk AI system obligations apply (Annex III). Authorised Representative requirement for high-risk AI providers |
| 2 August 2027 | High-risk AI systems embedded in Annex I products. GPAI models placed on market before August 2025 |

## Role-by-Role Obligations

### Providers

A provider is any organisation that develops an AI system and places it on the EU market or puts it into service under its own name, whether or not it built the underlying model.
Who this covers in practice: SaaS companies, AI product companies, enterprises that fine-tune or substantially modify third-party models and deploy them under their own brand.
If your system is high-risk, you must:
| Obligation | Legal basis |
|---|---|
| Implement a quality management system | Article 17 |
| Prepare and maintain technical documentation | Article 18, Annex IV |
| Retain automatically generated logs | Article 19 |
| Conduct a conformity assessment before market placement | Article 43 |
| Register the system in the EU database | Article 49 |
| Affix CE marking | Article 48 |
| Issue an EU Declaration of Conformity | Article 47 |
| Establish post-market monitoring | Article 72 |
| Report serious incidents to authorities | Article 73 |
| Appoint an Authorised Representative if established outside the EU | Article 22 |
| Ensure AI literacy among staff | Article 4 |
If your system is a GPAI model, you must:
| Obligation | Applies to | Legal basis |
|---|---|---|
| Prepare and maintain technical documentation | All GPAI providers | Article 53, Annex XI |
| Publish summary of training data (copyright transparency) | All GPAI providers | Article 53 |
| Comply with EU copyright law | All GPAI providers | Article 53 |
| Conduct adversarial testing | Systemic risk models only | Article 55 |
| Report incidents to AI Office | Systemic risk models only | Article 55 |
| Appoint Authorised Representative if non-EU established | All GPAI providers | Article 54 |
Key risk for providers: If you substantially modify a third-party AI system, the Act may treat you as a new provider with full provider obligations, regardless of who built the original system.

### Deployers

A deployer is any organisation using an AI system in a professional context under its own authority. If your company uses ChatGPT, Copilot, an AI-powered ATS, or any third-party AI tool in a business process, you are a deployer.
Who this covers in practice: Banks, hospitals, insurers, HR teams, law firms, retailers, manufacturers — any organisation using AI to support or automate decisions affecting people.
If your system is high-risk, you must:
| Obligation | Legal basis |
|---|---|
| Implement appropriate human oversight measures | Article 26(1) |
| Use the system in accordance with the provider’s instructions | Article 26(3) |
| Monitor the system for risks during operation | Article 26(5) |
| Conduct a Fundamental Rights Impact Assessment before deployment | Article 27 |
| Keep logs of operation for at least six months | Article 26(6) |
| Inform affected individuals that they are subject to a high-risk AI system | Article 26(8) |
| Notify the provider or authorities of serious incidents | Article 26(5) |
| Ensure AI literacy among staff using the system | Article 4 |
Key risk for deployers: Using an AI tool for a purpose not covered by the provider’s instructions, or in a context that triggers Annex III classification, can make you liable as a provider rather than a deployer. The shift in role carries a significant shift in compliance burden.

### Authorised Representatives

An authorised representative is an EU-established entity appointed by written mandate to act on behalf of a non-EU provider. The role carries direct regulatory obligations and direct liability.
Who needs to appoint one: Any provider of a high-risk AI system or GPAI model that is established outside the EU and places products on the EU market.
What the role requires:
| Obligation | High-risk AI (Art. 22) | GPAI model (Art. 54) |
|---|---|---|
| Verify technical documentation is correctly prepared | Yes | Yes |
| Hold technical documentation for 10 years | Yes | Yes |
| Provide documentation to authorities on request | Yes (market surveillance authorities) | Yes (AI Office) |
| Cooperate with competent authorities | Yes | Yes |
| Assist with Article 49 registration | Yes | Not applicable |
| Terminate mandate and notify authorities if provider breaches the Act | Yes | Yes |
Key risk for authorised representatives: The obligation to terminate the mandate and immediately notify the relevant market surveillance authority or AI Office is mandatory, not discretionary. A representative that becomes aware of provider non-compliance and fails to act faces direct regulatory liability.

### Importers

An importer is an EU-established entity that places on the EU market an AI system bearing the name or trademark of a non-EU provider. Importers are not the same as authorised representatives, although one entity can hold both roles.
What importers must do:
| Obligation | Legal basis |
|---|---|
| Verify the provider has completed conformity assessment | Article 23(1)(a) |
| Verify technical documentation is available | Article 23(1)(b) |
| Verify CE marking is affixed and Declaration of Conformity is issued | Article 23(1)(c) |
| Verify the provider has appointed an Authorised Representative | Article 23(1)(d) |
| Indicate name, registered trade name, and contact address on the system | Article 23(2) |
| Retain copies of Declaration of Conformity and technical documentation for 10 years | Article 23(5) |
| Report serious incidents and non-compliance to authorities | Article 23(6) |
Key risk for importers: Placing a high-risk AI system on the EU market without verifying the above exposes the importer to the same enforcement consequences as the provider.

### Distributors

A distributor makes an AI system available on the EU market without being the provider or importer. Distributors sit further down the supply chain but carry verification obligations before making systems available.
What distributors must do:
| Obligation | Legal basis |
|---|---|
| Verify CE marking is affixed (for high-risk systems) | Article 24(1) |
| Verify required documentation accompanies the system | Article 24(1) |
| Inform provider or importer of suspected non-compliance before making system available | Article 24(2) |
| Report serious incidents and non-compliance | Article 24(4) |
Key risk for distributors: A distributor that modifies a high-risk AI system is treated as a provider under the Act and assumes the full provider compliance burden.

### Product Manufacturers

A product manufacturer that incorporates an AI system into a product covered by Annex I legislation (medical devices, machinery, vehicles, civil aviation equipment, and others) and places that product on the market under its own name is treated as a provider of the AI system.
This means medical device companies, automotive manufacturers, and industrial equipment producers integrating AI into regulated products must meet the full provider obligations for the AI component, in addition to sector-specific product safety requirements.

## What Is Already in Force

| Obligation | In force since | Who it applies to |
|---|---|---|
| Prohibited AI practices | 2 February 2025 | Everyone |
| AI literacy obligation (Article 4) | 2 February 2025 | All providers and deployers |
| GPAI model obligations | 2 August 2025 | Providers of GPAI models |
| Authorised Representative (GPAI) | 2 August 2025 | Non-EU GPAI providers |
| High-risk AI system obligations | 2 August 2026 | Providers and deployers of Annex III systems |
| Authorised Representative (high-risk AI) | 2 August 2026 | Non-EU high-risk AI providers |

## Annex III: High-Risk Use Cases

These are the eight domains where AI systems are presumptively classified as high-risk:
| Domain | Examples |
|---|---|
| Biometric identification and categorisation | Remote biometric identification systems, emotion recognition |
| Critical infrastructure | AI managing electricity, water, transport, digital infrastructure |
| Education and vocational training | Systems determining access to education, evaluating students |
| Employment and workers' management | CV screening, interview assessment, performance monitoring, task allocation |
| Access to essential private and public services | Credit scoring, insurance risk assessment, emergency services dispatch |
| Law enforcement | Risk assessment of individuals, polygraph-type tools, crime analytics |
| Migration, asylum, and border control | Risk assessment of applicants, document verification |
| Administration of justice | AI assisting courts in fact-finding or applying law |

## Penalties

| Infringement | Maximum fine |
|---|---|
| Prohibited AI practices (Article 5) | EUR 35,000,000 or 7% of worldwide annual turnover |
| High-risk AI obligations, GPAI obligations, Authorised Representative obligations | EUR 15,000,000 or 3% of worldwide annual turnover |
| Supplying incorrect or misleading information to authorities | EUR 7,500,000 or 1% of worldwide annual turnover |
For SMEs and start-ups, fines are capped at the lower of the applicable percentage or fixed amount.

## Frequently Asked Questions

### I use a third-party AI tool. Does the AI Act apply to me?

Yes. Using an AI system in a professional context makes you a deployer. If the tool is used in a high-risk context (employment decisions, credit assessments, safety-critical processes), deployer obligations under Article 26 apply to you regardless of whether you built the system.

### My company is based outside the EU. Does this regulation apply to me?

Yes, if your AI system or GPAI model affects people in the EU. The Act’s territorial scope follows the same extraterritorial logic as the GDPR. Market location determines scope, not company location.

### What is the difference between a provider and a deployer?

A provider places an AI system on the market or into service under its own name. A deployer uses a system provided by someone else. The distinction matters because providers carry the heaviest compliance burden. A deployer can become a provider if it substantially modifies the system or uses it outside the scope of the original provider’s instructions.

### Does the AI Act apply to open-source AI models?

Partially. Open-source GPAI models are exempt from some Article 53 obligations if the provider publicly discloses the required information. The exemption does not apply to GPAI models with systemic risk, regardless of whether they are open-source.

### What counts as a substantial modification that triggers provider status?

The Act does not define a precise threshold. The relevant test is whether the modification changes the intended purpose of the system in a way that would have required a new conformity assessment. Fine-tuning a model for a new high-risk use case is likely to cross this threshold.

### What does AI literacy actually require in practice?

Article 4 requires providers and deployers to ensure staff dealing with AI systems have a sufficient level of AI literacy, taking into account their technical background, training, and the context of use. The obligation is assessed against what is reasonably achievable, not against an absolute standard. At minimum, staff using high-risk AI systems should understand the system’s purpose, its risk category, the organisation’s obligations as deployer, and how to escalate concerns.

### What is the Fundamental Rights Impact Assessment?

Deployers of high-risk AI systems listed in Annex III must carry out a FRIA before deployment. It requires assessing the categories of individuals affected, the potential impact on fundamental rights, the measures taken to mitigate that impact, and the human oversight arrangements in place. The FRIA must be registered where the Act requires registration.

### Can one entity hold multiple roles under the Act?

Yes. A company can be simultaneously a provider of its own AI system, a deployer of third-party AI tools, and an importer of AI systems from non-EU vendors. Each role carries separate obligations and must be managed independently.
This guide reflects the text of Regulation (EU) 2024/1689 as published in the Official Journal on 12 July 2024 and applicable guidance issued by the European AI Office through May 2026. It does not constitute legal advice.