EU AI Act

The EU AI Act — Regulation (EU) 2024/1689 — is the European Union's horizontal regulation on artificial intelligence. It governs AI systems in context (model + pipeline + human process + deployment environment) and general-purpose AI models as a separate regime, with directly applicable obligations across every Member State.

Quick decision

  • Just want to know if your AI system is in scope → if you place an AI system on the EU market, put one into service in the Union, or use the output in the Union, the Regulation applies under Article 2. Designate an authorised representative under Article 22 if you are a non-EU provider of a high-risk system.
  • Building or shipping a high-risk AI system → the substantive Articles 8–15 obligations bite. See High-risk AI systems.
  • Building or deploying a chatbot, emotion-recognition system, biometric categoriser, or anything that outputs deepfakes / synthetic media → Article 50 transparency duties apply independently of high-risk classification. See Prohibited practices and transparency.
  • Provider of a general-purpose AI model → Chapter V (Articles 51–56) applies at the model level. The 10²⁵ FLOPs training-compute threshold triggers the systemic-risk regime. See General-purpose AI models.
  • Worried the four-tier pyramid you read about everywhere is misleading → good. The Regulation does not use that framing. See Common misreadings of the AI Act below.

TL;DR

  • Regulation (EU) 2024/1689; OJ L of 12 July 2024; CELEX 32024R1689. Entered into force 1 August 2024.
  • Four obligation regimes can apply to the same system, independently and stacking: Article 5 prohibited practices; Article 6 + Annex I / III high-risk; Article 50 transparency on specific deployments; Chapter V GPAI at model level.
  • "Limited risk" and "minimal risk" are not defined categories in the Regulation. They are journalistic shorthand. See Common misreadings.
  • Article 4 AI literacy applies to all providers and deployers of any AI system — not just high-risk — from 2 February 2025. The four regimes above govern system-classification obligations; Article 4 sits on top of them.
  • Phased application: Article 5 from 2 February 2025; Chapter V from 2 August 2025; Annex III from 2 August 2026; Annex I from 2 August 2027. The May 2026 provisional Omnibus agreement, if adopted, defers Annex III to 2 December 2027 and Annex I to 2 August 2028.
  • Penalties under Article 99 reach up to €35 million or 7% of worldwide annual turnover for Article 5 infringements; up to €15 million or 3% for most other obligations on operators.
  • Modulos operationalises the AI Act through the OFF-1 (organisation) and MFF-1 (AI application) framework templates; GPAI is folded into MFF-1 via the scoping questionnaire, not a separate template.

AI Omnibus provisional agreement (May 2026)

Status: provisional political agreement, pending formal adoption

On 7 May 2026 the Council presidency and European Parliament negotiators reached a provisional political agreement on the Digital Omnibus on AI (originally proposed by the Commission on 19 November 2025, part of the 'Omnibus VII' simplification package). The deal must still be formally endorsed by the Council and the Parliament and undergo legal/linguistic revision before adoption. This framework page will be updated once the Omnibus is formally adopted. Until then, the existing EU AI Act text remains legally binding.

Headline outcomes of the agreement (all conditional on formal adoption):

  • High‑risk deadlines would shift to fixed new dates — Annex III standalone obligations would move from 2 August 2026 to 2 December 2027, and Annex I product‑safety obligations from 2 August 2027 to 2 August 2028. The provisional deal would replace the Commission's readiness‑decision model with fixed application dates.
  • Article 50(2) synthetic-content marking grace period would be 4 months — providers of synthetic-content AI systems placed on the EU market before 2 August 2026 would have until 2 December 2026 to comply with Article 50(2) (provider-side machine-readable marking). The grace covers Article 50(2) only; deployer-side Article 50(4) is not extended. Down from the Commission's proposed 6 months.
  • New prohibition on AI‑generated NCII and CSAM — co‑legislators agreed to add a new AI Act prohibited practice covering AI systems used to generate non‑consensual sexual or intimate content or child sexual abuse material (placement within the prohibited‑practices article to be confirmed in the consolidated text).
  • Annex III non‑high‑risk registrations would be reinstated — providers that determine an Annex III use case is not high‑risk would still need to register the system in the EU database (the Commission's proposal had removed this).
  • National regulatory sandboxes deadline would shift to 2 August 2027 — the deadline for member states to establish AI regulatory sandboxes would be delayed by one year.
  • Sensitive‑data exemption for bias correction would be kept, with "strict necessity" standard reinstated — processing of special‑category personal data for bias detection and correction would remain permitted, but only when strictly necessary.
  • Simplified compliance for Small Mid‑Caps (SMCs) — SMCs as defined in Commission Recommendation (EU) 2025/1099 would get simplified documentation and QMS obligations (final scope subject to the consolidated text).
  • AI Office competence clarified — the AI Office would supervise AI systems based on general‑purpose AI models when the model and the system come from the same provider, with carve‑outs (including law enforcement, border management, judicial authorities and financial institutions) where national authorities would remain competent.
  • Sectoral overlaps would be resolved through implementing acts — where sectoral law (e.g., medical devices, toys, lifts, watercraft) contains AI‑specific requirements similar to the AI Act's, the Commission would be empowered to limit the AI Act's application in those specific cases through implementing acts. Machinery would be treated separately (see next bullet).
  • Machinery Regulation would be exempted from direct AI Act applicability — the Machinery Regulation would be fully exempted from direct AI Act applicability; the Commission would be empowered to adopt delegated acts under the Machinery Regulation to add health‑and‑safety requirements for AI systems classified as high‑risk under the AI Act.

Do not pause compliance work. Today's dates and obligations remain the legally binding reference until the Omnibus is formally adopted. For Modulos' public analysis, see modulos.ai/eu-ai-act/.

Primary source

Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 — EUR-Lex CELEX 32024R1689 · OJ L, 12.7.2024. Verbatim quotes on this page reflect the OJ-published text. The AI Omnibus consolidated text, when published, will supersede where it amends.

Article 1 — subject matter

The purpose of this Regulation is to improve the functioning of the internal market and promote the uptake of human-centric and trustworthy artificial intelligence (AI), while ensuring a high level of protection of health, safety, fundamental rights enshrined in the Charter, including democracy, the rule of law and environmental protection, against the harmful effects of AI systems in the Union and supporting innovation.

— Article 1(1), Regulation (EU) 2024/1689

The Regulation is built on Articles 16 and 114 TFEU (data protection + internal market) with a fundamental-rights overlay. The result is product-safety mechanics (classification, conformity assessment, CE marking, post-market monitoring, market surveillance) anchored to a fundamental-rights protective purpose.

Article 3(1) — what counts as an 'AI system'

‘AI system’ means a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments;

— Article 3(1), Regulation (EU) 2024/1689

This definition is system-level, not model-level. Compliance work includes the model, the surrounding pipeline, the human process, and the environment where outputs influence decisions.

If you only govern "the model", you will miss what auditors and regulators actually care about: data governance, deployment constraints, monitoring, human oversight, and traceability.

Background note (external): A taxonomy of AI systems and models in the EU AI Act.

Go deeper: the Commission has issued interpretive guidance on the Article 3(1) definition (Communication C(2025) 5053 final, 29 July 2025) decomposing the definition into seven elements and identifying four categories of systems that fall outside it.

Four obligation regimes (not a 'risk pyramid')

The Regulation defines four independent gates that can apply to the same AI system. Each gate has its own trigger; the same system can fire several at once and the obligations apply in parallel.

Important: these regimes stack, they don't tier

The Regulation does not describe a hierarchy. A high-risk AI system can also be subject to Article 50 transparency duties. A GPAI model can be deployed inside a high-risk AI system. "Limited risk" and "minimal risk" are not defined categories in the Regulation — see Common misreadings.

Classification flow

  1. Define the AI system and its intended purpose under Article 3(1).
  2. Article 5 prohibited? If the use case falls within Article 5(1)(a)–(h), the system cannot be deployed in the EU — except where a statutory exception applies (notably the 5(1)(h)(i)–(iii) real-time RBI law-enforcement objectives under the 5(2)–(7) authorisation regime). Outside those narrow exceptions, the route is redesign, scope-out, or stop.
  3. Article 6 high-risk? Article 6(1) covers AI systems that are themselves products, or safety components of products, covered by the Annex I Union harmonisation legislation (medical devices, machinery, vehicles, etc.) and required to undergo a third-party conformity assessment under that legislation. Article 6(2) covers Annex III standalone use cases (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration / border, justice / democratic processes). Articles 8–15 obligations apply across the lifecycle.
  4. Article 50 transparency applies independently to chatbots, emotion recognition, biometric categorisation, deepfakes, and AI-generated content — whether or not the system is high-risk.
  5. Built on a GPAI model? The upstream model provider has obligations under Articles 53–55 (transparency, copyright policy, downstream documentation; systemic-risk obligations if above 10²⁵ FLOPs). System-level obligations on the deployer are separate.

Go deeper: High-risk AI systems · Prohibited practices and transparency · General-purpose AI models.

Common misreadings of the AI Act

Public commentary about the Regulation is uneven. The frequent mistakes — most of them inherited from pre-final-text drafts — are worth calling out explicitly. Each is anchored to the Article that proves it wrong.

  • "The AI Act is a four-tier risk pyramid (unacceptable / high / limited / minimal)." The Regulation does not use the word pyramid anywhere, and "limited" and "minimal" are not defined categories. Articles 5, 6, and 50 define three separate operative regimes that can stack on the same system; Chapter V (Articles 51–56) is a fourth, model-level regime that doesn't fit the visual hierarchy at all.
  • "Limited risk = Article 50 transparency tier." Article 50 imposes transparency duties on specific deployments (chatbots, emotion recognition, biometric categorisation, deepfakes, AI-generated content). The system carrying those duties may also be high-risk. "Limited risk" is not a tier — it is shorthand for "Article 50 may apply".
  • "Minimal risk systems must follow voluntary codes." The Regulation imposes no system-classification obligations outside the four regimes above. But Article 4 (AI literacy) applies to providers and deployers of any AI system — not only high-risk — from 2 February 2025. Voluntary codes of conduct under Article 95 are voluntary. The residual is "no Articles 5/6/50/Chapter V obligations", not "no AI Act obligations at all".
  • "Prohibited = top of the pyramid; just the strictest tier of compliance." Article 5 prohibitions are bans with narrow statutory exceptions (most notably the conditional 5(1)(h) real-time RBI law-enforcement regime under 5(2)–(7)). There is no "compliance" route outside those exceptions — the operative duty is don't place on the market, don't put into service, don't use. Compliance-style framing for prohibited practices misleads.
  • "Generative AI / foundation models are automatically high-risk." General-purpose AI models are regulated under Chapter V (Articles 51–56) at the model level, with their own provider obligations and systemic-risk threshold (10²⁵ FLOPs). High-risk classification under Article 6 is a system-level question driven by intended purpose; a GenAI model becomes part of a high-risk system only when integrated into one whose use case falls under Annex III or Annex I.
  • "High-risk is one bucket." Article 6(1) covers AI systems that are safety components of products covered by Annex I sectoral law (medical devices, machinery, vehicles, …). Article 6(2) covers Annex III standalone use cases. The two routes have different conformity-assessment paths (Annex I uses the sectoral product law; Annex III generally uses Annex VI internal control unless the system performs biometric identification).
  • "Article 22 GDPR and Article 14 EU AI Act are the same human-oversight obligation." They are not. Article 14 is a design duty on providers of high-risk AI systems (oversight measures built into the system). Article 22 GDPR is a data-subject right against solely-automated decisions producing legal or similarly significant effects. The duties have different addressees, scopes, and remedies.
  • "Article 33 GDPR and Article 73 EU AI Act are the same 72-hour breach duty." They are not. Article 33 GDPR governs notification of personal-data breaches to supervisory authorities. Article 73 EU AI Act governs reporting of serious incidents (death, serious harm to health, serious and irreversible disruption of critical infrastructure, infringement of fundamental rights) by providers of high-risk AI systems to market-surveillance authorities. Reporting deadlines differ and the events are different.

How this lands in Modulos

The active project setting is Use Case (High Risk / Limited Risk / Transparency), a deployment-context filter that scopes the active requirements set. It is not a legal high-risk classification. The Article 6 + Annex I / III rationale on the MFF-1 classification requirement is the legal answer. See Operationalizing in Modulos for the full settings surface.

Timeline

  • 1 August 2024: Regulation (EU) 2024/1689 enters into force
  • 2 February 2025: Article 5 prohibited practices apply
  • 2 August 2025: Chapter V GPAI provider obligations apply
  • 2 August 2026: Annex III high-risk obligations apply (provisional Omnibus would defer to 2 December 2027)
  • 2 August 2027: Annex I high-risk obligations apply (provisional Omnibus would defer to 2 August 2028)

Roles and responsibilities (at a glance)

The Regulation assigns obligations by legal role (Article 3 definitions). These are distinct from Modulos project roles (Owner, Editor, Reviewer, Auditor).

  • Provider (Article 3(3)): develops or has developed an AI system or general-purpose AI model and places it on the EU market or puts it into service under its own name or trademark. Provider duties on high-risk AI systems sit in Article 16; provider duties on GPAI models sit in Article 53 (and additional duties for systemic-risk GPAI in Article 55).
  • Deployer (Article 3(4); high-risk-system duties in Article 26): uses an AI system under its own authority (other than for personal non-professional activity).
  • Importer (Article 3(6); duties in Article 23) and distributor (Article 3(7); duties in Article 24): make systems available in the EU supply chain.
  • Authorised representative (Article 3(5)): represents non-EU providers in the Union. For high-risk AI systems the duties sit in Article 22; for GPAI model providers they sit in Article 54.

Article 25 — accidental provider

A deployer, importer, or distributor becomes a provider under Article 25 if it (a) puts its own name or trademark on a high-risk AI system, (b) makes a substantial modification to a high-risk AI system on the market, or (c) modifies the intended purpose of a non-high-risk AI system so that it becomes high-risk. The original provider's obligations transfer.

Go deeper: Roles and responsibilities.

High-risk obligations (at a glance)

For high-risk AI systems, Articles 8–15 impose continuous lifecycle obligations on the provider:

| Article | Topic | What it requires |
|---|---|---|
| Article 9 | Risk-management system | Continuous identification, analysis, and mitigation across the lifecycle |
| Article 10 | Data and data governance | Training, validation, and testing data quality and bias considerations |
| Article 11 + Annex IV | Technical documentation | Maintained current; specific Annex IV content list |
| Article 12 | Record-keeping (logging) | Automatic event logs sufficient for traceability and post-market monitoring |
| Article 13 | Transparency and provision of information to deployers | Instructions for use, system characteristics, intended purpose, limitations |
| Article 14 | Human oversight | Oversight measures designed into the system before market placement |
| Article 15 | Accuracy, robustness, and cybersecurity | Performance and resilience against errors, faults, attacks |

Go deeper: High-risk AI systems.

Conformity assessment and CE marking (at a glance)

Before placing a high-risk AI system on the market, providers must complete a conformity assessment under Article 43:

| Route | What it means | When it applies |
|---|---|---|
| Annex VI internal control | Provider self-assesses against the Section 2 requirements | Annex III high-risk systems other than Annex III point 1 (biometrics); and Annex III point 1 systems where the provider has applied harmonised standards or common specifications |
| Annex VII notified body | Accredited third party audits the QMS and the technical documentation | Annex III point 1 (biometrics) systems where the provider has not applied harmonised standards or common specifications. For Annex III points 2–8, Article 43(2) requires Annex VI internal control — Annex VII is not a voluntary alternative. |
| Sectoral conformity (Annex I) | Follow the conformity-assessment in the sectoral product legislation, integrating the AI Act requirements | AI systems that are safety components of Annex I regulated products, or that are themselves such products |

A successful assessment leads to an EU declaration of conformity under Article 47 and CE marking under Article 48. Annex III systems must be registered in the EU database under Article 49 — with a narrow exception for Annex III point 2 (critical infrastructure) and specific carve-outs for law-enforcement / migration / border deployments where public-authority deployers register in a non-public section of the database.

Go deeper: Conformity assessment and CE marking.

General-purpose AI models (at a glance)

Chapter V (Articles 51–56) regulates general-purpose AI models separately from AI systems. Key triggers:

  • Article 51 — a GPAI model is classified as having systemic risk under Article 51(1)(a) if the cumulative training compute exceeds 10²⁵ floating-point operations, or under Article 51(1)(b) if the Commission designates it (procedure in Article 52).
  • Article 53 — provider obligations: technical documentation, downstream-provider documentation, copyright policy, training-data summary.
  • Article 55 — additional obligations for systemic-risk GPAI: model evaluation, systemic-risk assessment and mitigation, serious-incident reporting to the AI Office, cybersecurity.
  • Article 56 — Codes of Practice as a compliance tool until harmonised standards exist.

Go deeper: General-purpose AI models.

Post-market monitoring and serious incidents (at a glance)

  • Article 72 — providers of high-risk AI systems establish and document a post-market monitoring plan proportionate to the system.
  • Article 73 — providers report serious incidents to the market-surveillance authority of the Member State where the incident occurred. A serious incident is defined as one resulting in (a) death or serious harm to health, (b) serious and irreversible disruption of critical infrastructure, (c) infringement of fundamental rights under Union law, or (d) serious harm to property or environment. Article 73 sets event-specific deadlines (15 days as the general rule; 10 days where the incident resulted in a person's death; as soon as possible and not later than 2 days where it involved a widespread infringement or serious and irreversible disruption of critical infrastructure). These are distinct duties from Article 33 GDPR — different event types, different recipients, different deadlines.

Go deeper: Post-market monitoring.

Penalties and enforcement

Article 99 sets three administrative-fine tiers, calculated on the higher of an absolute amount or a percentage of total worldwide annual turnover of the preceding financial year (the lower of the two for SMEs and startups):

| Infringement | Fine ceiling |
|---|---|
| Article 5 prohibited practices | Up to €35 million or 7% of worldwide annual turnover |
| Most other operator obligations (high-risk, transparency, conformity assessment, etc.) | Up to €15 million or 3% |
| Supplying incorrect, incomplete or misleading information to notified bodies / competent authorities | Up to €7.5 million or 1% |

Article 101 sets a separate ceiling for GPAI model providers (up to €15 million or 3%). National-level penalties are set by Member States under Article 99(1) subject to the ceilings.

How Modulos operationalises EU AI Act compliance

Modulos models the Regulation through two framework templates:

  • OFF-1 (EU AI Act — org) — 18 mapped requirements across the ORF-1…ORF-224 range; covers organisation-level obligations including QMS (Article 17), conformity-assessment governance (Article 43), serious-incident reporting workflow (Article 73), and the GPAI organisation-level obligations.
  • MFF-1 (EU AI Act — app) — 56 mapped requirements across the MRF-1…MRF-131 range; covers per-AI-system technical and operational obligations including Articles 9–15 high-risk obligations, Article 27 FRIA, Article 50 transparency, post-market monitoring (Article 72), and Chapter V GPAI obligations (MRF-111…MRF-131 with GPAIM / GPAIM-SR / GPAIM:FOSS scoping tags).

Two first-class UI surfaces: project-level role tagging (Article 3 enums — Provider / Deployer / Importer / Distributor / Authorised Representative) and a project-level risk-classification setting (the four common industry labels — kept as a pragmatic filter, not a legal taxonomy). Everything else — FRIA, post-market monitoring plan, serious-incident reporting, CE marking and declaration, GPAI Codes of Practice, conformity-assessment route selection — is recorded as evidence linked to the relevant requirement, not as a dedicated workflow surface.

Go deeper: Operationalizing in Modulos.

Cross-framework mapping (preview)

| Concept | EU AI Act | Adjacent framework |
|---|---|---|
| Human oversight (design duty on provider) | Article 14 | NIST AI RMF MEASURE 2.6; ISO 42001 Annex A; ISO 9241 ergonomics analogy |
| Automated-decision data-subject right | (No direct provision) | Article 22 GDPR (data subject right; not the same as Article 14 EU AI Act) |
| Personal-data breach | (No direct provision) | Article 33 GDPR (personal-data breach within 72 hours; not the same as Article 73 EU AI Act serious incident) |
| Serious-incident reporting | Article 73 | NIS2 Article 23 incident notification (different threshold, different recipients) |
| Data governance for training/validation/test data | Article 10 | GDPR Articles 5, 6, 9; ISO 42001 Annex A controls |
| Risk-management system | Article 9 | NIST AI RMF Core Functions (Govern/Map/Measure/Manage); ISO 42001 Clauses 6–10; ISO 27001 Annex A |
| Quality-management system for providers | Article 17 | ISO 9001; ISO 42001 |
| Cybersecurity of high-risk AI systems | Article 15(5) | NIS2 Article 21; ISO 27001 Annex A |

Source attribution

Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 (the EU AI Act) is published in the Official Journal of the European Union L of 12 July 2024. Verbatim quotes on this page reflect the OJ-published 2024/1689 text. The Council press release of 7 May 2026 announcing the AI Omnibus provisional political agreement and the Commission's Digital Omnibus on AI proposal (COM(2025) 836 final, procedure 2025/0359(COD), 19 November 2025) are descriptive references — neither is legally binding. The AI Omnibus consolidated text, when published in the OJ, will supersede where it amends.

Disclaimer

This page is for general informational purposes and does not constitute legal advice.