EU AI Act & AI Governance

Regulation (EU) 2024/1689 becomes fully applicable to Annex III high-risk systems from 02 August 2026 (the Digital Omnibus proposal of 19 November 2025 would postpone this to 02 December 2027; the trilogue is ongoing and nothing has been decided). Covered here: risk classification, Annex III, GPAI, the AI literacy obligation in force since 02 February 2025, and the transparency obligations of Article 50.

Who is subject to the EU AI Act?

Regulation (EU) 2024/1689 distinguishes four roles with different obligations — your organisation's classification determines the entire compliance programme.

Provider (Art. 3(3) EU AI Act): any entity that develops an AI system, places it on the market under its own name or distributes it as own-brand — irrespective of whether for payment or free of charge. Typical providers are model vendors, AI SaaS platforms and companies that resell a procured model under their own brand. Providers bear the main burden of obligations (risk management, technical documentation, conformity assessment).

Deployer (Art. 3(4) EU AI Act): any entity that uses an AI system under its own authority in a professional context. This role applies to an estimated 90 per cent of all organisations — SaaS users of ChatGPT Enterprise, Microsoft 365 Copilot, Gemini for Workspace or Claude for Work are also deployers and are bound, amongst other things, by the AI literacy obligation under Art. 4 EU AI Act.

Importer and Distributor (Art. 3(6) and (7) EU AI Act): any entity that places an AI system from a third country on the EU market or further distributes it without being the provider. Obligations range from verifying the provider's identity and conformity to maintaining the CE marking and the EU declaration of conformity.

Risk classification — 4 tiers

The EU AI Act follows a risk-based approach: the higher the potential for harm, the stricter the obligations. Classification proceeds along four tiers.

1. Prohibited practices (Art. 5 EU AI Act, applicable since 02 February 2025): social scoring by public authorities, manipulative subliminal targeting, untargeted facial image databases scraped from the internet, emotion recognition in the workplace and in educational settings, and real-time biometric identification in publicly accessible spaces (subject to narrowly defined exceptions).

2. High-risk AI (Annex III, applicable from 02 August 2026): systems used in human resources (recruitment, performance), education (examinations, admission), creditworthiness and insurance, law enforcement, migration and asylum procedures, critical infrastructure and the administration of justice. Obligations: risk-management system (Art. 9), data governance (Art. 10), technical documentation (Art. 11 and Annex IV), logging, human oversight and conformity assessment.

3. Limited risk (Art. 50, transparency obligations): chatbots must disclose their AI nature, deepfakes must be labelled as artificially generated, and AI-generated text on matters of public interest must be flagged accordingly.

4. Minimal risk: spam filters, consumer-grade recommender systems — no mandatory obligations; voluntary codes of conduct (Art. 95) are encouraged.

Duties and deadlines

The Regulation's obligations apply in staggered phases — three milestones structure the compliance build-up.

Since 02 February 2025 — Art. 4 AI literacy obligation: providers and deployers must ensure a sufficient level of AI literacy of their staff and of all persons handling AI systems on their behalf. The duty applies to ALL employees with AI exposure — from the case worker using Copilot to the data science team. Content and scope must be tailored to prior knowledge, application context and the categories of persons affected.

From 02 August 2025 — Art. 53 ff. GPAI provider obligations: providers of General-Purpose AI models prepare technical documentation under Annex XI, downstream information under Annex XII and a copyright compliance policy (DSM Directive Art. 4(3)). Where systemic risk is present (training compute exceeding 10^25 FLOPs), additional duties apply: model evaluation, incident reporting and cybersecurity protection.

From 02 August 2026 — Art. 26 deployer obligations and full application of Annex III high-risk: intended-purpose use, human oversight, logging, information of affected persons and, in part, a Fundamental Rights Impact Assessment (FRIA, Art. 27). The Digital Omnibus proposal of 19 November 2025 envisages postponing Annex III to 02 December 2027 — the trilogue is ongoing; the postponement is not confirmed.

Fines (Art. 99): up to EUR 35 million or 7 per cent of the worldwide annual group turnover of the preceding year (whichever is higher) for prohibited practices. For high-risk violations up to EUR 15 million or 3 per cent, and for incorrect information up to EUR 7.5 million or 1 per cent.

Listicles & top lists

Compact overviews — perfect for board meetings, newsletters or as an A4 print template.

Audit-ready in 2-4 hours

Instead of months of research: deployable templates, personalised with your company name, one-off investment instead of consultancy fees.