
EU AI Act: Frequently Asked Questions Answered
Your EU AI Act Questions, Answered
The EU AI Act is the world's first complete legal framework for artificial intelligence. It was published in the Official Journal on July 12, 2024 and entered into force on August 1, 2024. Ever since, the same three questions have followed us into nearly every conversation with a worried team: Does this apply to me? What do I actually have to do? And how much time is left on the clock?
So we wrote them all down. This FAQ pulls together the questions we hear most often from compliance officers, legal teams, CTOs, and business leaders. Every answer points back to the specific articles, annexes, and deadlines in the regulation, so you can trace each obligation to its source instead of taking our word for it.
Want the structured version first? Start with our EU AI Act Compliance Checklist.
1. Who Does the EU AI Act Apply To?
The reach here is wider than most people expect. Under Article 2, the regulation pulls in far more than just the companies building AI:
- Providers who develop AI systems or general-purpose AI (GPAI) models and place them on the EU market or put them into service, regardless of whether those providers are established in the EU or in a third country.
- Deployers of AI systems who are established in the EU or who use AI systems whose output is used in the EU.
- Importers and distributors who make AI systems available on the EU market.
- Product manufacturers who place AI systems on the market as part of or alongside their product.
- Authorised representatives of providers established outside the EU.
It comes down to one idea: territorial reach. If your system's output is used inside the EU, or the system is placed on the EU market, the regulation applies. It does not matter whether you are headquartered in San Francisco, Singapore, or anywhere else outside Europe.
A few things sit outside the net. There are limited exemptions for AI used exclusively for military or defence purposes, for purely personal non-professional activities, and for research and development work before a system is placed on the market.
2. What Is High-Risk AI Under the EU AI Act?
"High-risk" is the label that triggers the heaviest obligations, so getting it right matters. Article 6 defines it in two ways:
Category 1 (Article 6(1)): AI systems intended to be used as a safety component of a product, or that are themselves a product, covered by the Union harmonisation legislation listed in Annex I. These include toys, machinery, medical devices, motor vehicles, aviation systems, and more. A conformity assessment is already required under those product safety frameworks.
Category 2 (Article 6(2) and Annex III): AI systems that fall into one of eight use-case areas listed in Annex III:
- Biometric identification and categorisation of natural persons
- Management and operation of critical infrastructure
- Education and vocational training (admissions, assessment, monitoring)
- Employment, workers management, and access to self-employment (recruitment, task allocation, performance monitoring)
- Access to and enjoyment of essential private and public services (credit scoring, insurance pricing, emergency services dispatching)
- Law enforcement
- Migration, asylum, and border control management
- Administration of justice and democratic processes
Land in one of these areas, with no narrow exemption from Article 6(3) to lean on, and your system is high-risk. That pulls in the full compliance regime: conformity assessments, technical documentation, quality management systems, post-market monitoring, and registration in the EU database. It is a lot, and it is the part teams underestimate most.
Want help working out where your system actually sits? Our EU AI Act Risk Assessment Guide walks through it.
3. Do I Need to Register My AI System?
If it is high-risk, yes. Article 49 requires providers of high-risk AI systems to register in the EU database (established under Article 71) before the system goes on the market or into service. Deployers count too when they are public authorities, EU institutions, or entities acting on their behalf.
The registration has to include the information specified in Annexes VIII and IX: the system's intended purpose, a summary of the conformity assessment, and contact details for the provider.
For GPAI models with systemic risk, providers must also notify the European AI Office under Article 52.
4. What Are the Fines for Non-Compliance?
The penalties are steep, and they are tiered by how serious the breach is. Article 99 sets out three levels of administrative fine:
- Up to 35 million EUR or 7% of global annual turnover (whichever is higher) for violations involving prohibited AI practices under Article 5.
- Up to 15 million EUR or 3% of global annual turnover for non-compliance with high-risk AI system requirements, provider/deployer obligations, or GPAI model obligations.
- Up to 7.5 million EUR or 1% of global annual turnover for supplying incorrect, incomplete, or misleading information to regulatory authorities or notified bodies.
There is some relief built in for smaller players. For SMEs and startups, the fixed-amount caps act as the effective ceiling, and the regulation's proportionality provisions require enforcement authorities to weigh the entity's size, market share, and economic viability before they set a number.
We break the whole framework down in our EU AI Act Fines and Enforcement guide.
5. Does the EU AI Act Apply Outside the EU?
Yes, and this catches a lot of teams off guard. Article 2(1) gives the AI Act real extraterritorial reach. The regulation applies to:
- Providers placing AI systems on the EU market or putting them into service in the EU, regardless of where they are established.
- Providers and deployers located in a third country where the output produced by the AI system is used in the EU.
- Importers and distributors making AI systems available on the EU market.
Put plainly: a US-based SaaS company with European customers is captured. A Chinese manufacturer whose AI system gets imported into Europe is captured. If your system produces outputs (decisions, recommendations, predictions) that land on people in the EU, you are very likely in scope.
So if you sit outside the EU, you must appoint an authorised representative established in the EU before your system goes on the market (Article 22).
6. What About Open-Source AI?
There is an open-source carve-out, but read the fine print before you rely on it. It is narrower than most people assume.
Under Article 2(12), providers of free and open-source AI systems are generally exempt from the high-risk requirements unless the system is:
- Listed as high-risk under Article 6 and Annex III
- Subject to transparency obligations under Article 50
- A prohibited practice under Article 5
For GPAI models released under open-source licences, Article 53(2) provides a lighter-touch regime. Lighter, not empty. Open-source GPAI providers still have obligations, including making available a sufficiently detailed summary of the training data and complying with EU copyright law. What they skip are several of the documentation and risk management requirements that apply to proprietary GPAI models.
One important catch: if an open-source GPAI model is classified as presenting systemic risk (Article 51), the full GPAI systemic risk obligations apply no matter the licence.
7. When Do I Need to Comply? What Are the Key Deadlines?
The Act does not switch on all at once. It rolls out in phases, and the dates matter:
| Deadline | Obligation |
|---|---|
| February 2, 2025 | Prohibited practices ban enforceable (Article 5) |
| August 2, 2025 | GPAI model obligations enforceable (Articles 51-55); National competent authorities designated |
| August 2, 2026 | Full obligations for high-risk AI systems (Chapter III); Conformity assessments, quality management, technical documentation, post-market monitoring all required |
| August 2, 2027 | Obligations for high-risk AI systems that are safety components of products in Annex I |
Run a high-risk AI system under Annex III? August 2, 2026 is your deadline, and it is only months out now. If your high-risk system is instead a safety component of a product covered by Annex I harmonisation legislation, you get a little longer: August 2, 2027.
8. What Is a Conformity Assessment?
Think of a conformity assessment as the proof step. It is how a provider demonstrates that a high-risk AI system meets every requirement in Chapter III, Section 2 of the AI Act before the system reaches the market.
Under Article 43, most high-risk AI systems go through a self-assessment (conformity assessment based on internal control, as described in Annex VI). The provider checks its own compliance across the full set of requirements: risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy, robustness, and cybersecurity.
Certain high-risk AI systems, particularly those used for real-time remote biometric identification, must undergo a third-party conformity assessment performed by a notified body (Annex VII procedure).
After completing the assessment, the provider draws up an EU declaration of conformity (Article 47) and affixes the CE marking (Article 48).
9. Do I Need an AI Literacy Programme?
Yes, and this one applies to everyone. Article 4 sets a cross-cutting obligation for AI literacy that reaches all providers and deployers, whatever your risk classification. It has been enforceable since February 2, 2025, so the clock already started.
You have to make sure your staff, and anyone else operating or using AI systems on your behalf, carry a sufficient level of AI literacy. That means understanding:
- The capabilities and limitations of the AI system
- The potential impact on fundamental rights
- How the system operates and what its outputs mean
- How to interpret and act on the system's results
How much literacy is enough? It scales with the context, the intended purpose, and the people affected. The regulation does not hand you a fixed curriculum, but our advice is simple: document your literacy programmes, your training materials, and who attended. If you cannot show it, you cannot prove it.
10. How Does the EU AI Act Interact with GDPR?
These two do not compete: they stack. Article 2(7) says it outright: the AI Act does not affect how the GDPR applies.
So in practice:
- If your AI system processes personal data, you must comply with both the AI Act and the GDPR. No picking one.
- The GDPR's requirements for lawful basis, data minimisation, purpose limitation, and data subject rights all continue to apply.
- The AI Act adds additional data governance requirements under Article 10, specifically for training, validation, and testing data sets used for high-risk AI systems.
- Where the AI Act requires a fundamental rights impact assessment (Article 27), this complements but does not replace a GDPR Data Protection Impact Assessment (DPIA) under Article 35 of the GDPR.
- Enforcement may be coordinated: the AI Act designates market surveillance authorities, while GDPR is enforced by data protection authorities. Some member states may combine these functions.
Our strong recommendation: wire your AI Act compliance work into the GDPR processes you already run. Two parallel workstreams that never talk to each other is how things fall through the cracks.
11. What Documentation Do I Need?
Be honest with yourself here: for high-risk AI systems, the paperwork is heavy. Article 11 and Annex IV spell out the technical documentation you need, and the list runs deep:
- General description of the AI system (intended purpose, developer identity, version history)
- Detailed description of the system's elements and development process (methods, design specifications, system architecture, algorithms, data requirements)
- Information about training, validation, and testing data (data sets used, data preparation methodology, data labelling, data cleaning, bias detection)
- Risk management documentation (the risk management system per Article 9, known risks, risk mitigation measures)
- Description of human oversight measures (Article 14)
- Information on accuracy, robustness, and cybersecurity (metrics, test results, known limitations)
- Quality management system documentation (Article 17)
- EU declaration of conformity (Article 47)
- Post-market monitoring plan (Article 72)
- Logs and records of automatic logging (Article 12)
Deployers get off lighter, but not free. You still have to keep logs of the system's operation (Article 26(5)) and run fundamental rights impact assessments where they are required.
If you provide a GPAI model, Article 53 asks for detailed technical documentation: training methodology and the compute you used, a sufficiently detailed summary of the training data, and compliance with EU copyright law.
12. What Are Prohibited AI Practices?
Some uses of AI are simply off the table. Article 5 bans them outright, and the bans have been enforceable since February 2, 2025:
- AI systems using subliminal, manipulative, or deceptive techniques that distort behaviour and cause significant harm
- AI systems exploiting vulnerabilities related to age, disability, or socio-economic circumstances
- Social scoring systems by public authorities leading to detrimental or unfavourable treatment
- AI systems assessing individual criminal offending risk based solely on profiling or personality traits
- Untargeted scraping of facial images from the internet or CCTV to create facial recognition databases
- Emotion recognition in workplaces or educational institutions (with narrow exceptions)
- Biometric categorisation using sensitive characteristics (race, political opinion, sexual orientation, etc.)
- Real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions)
Cross this line and you face the top fine tier: up to 35 million EUR or 7% of global annual turnover. We go through each prohibition in detail in our EU AI Act Prohibited Practices guide.
13. What Is a Fundamental Rights Impact Assessment?
This is the deployer's homework, not the provider's. Article 27 requires deployers of high-risk AI systems to assess the impact on fundamental rights before the system goes into use. It is a separate exercise from the risk management system providers run under Article 9, and people mix the two up constantly.
The fundamental rights impact assessment (FRIA) must include:
- A description of the deployer's processes in which the high-risk AI system will be used
- A description of the period of time and frequency of use
- The categories of natural persons and groups likely to be affected
- The specific risks of harm likely to impact the identified groups
- A description of human oversight measures
- The measures to be taken if risks materialise, including internal governance and complaint mechanisms
Who has to do it? Deployers that are bodies governed by public law, private entities providing public services, and deployers running high-risk AI in certain sensitive areas (credit scoring, insurance pricing, and the like).
One practical tip: line the FRIA up with your existing GDPR Data Protection Impact Assessments. You skip the duplicated effort and keep the two consistent.
14. What Are GPAI Obligations?
General-purpose AI (GPAI) models, the large language models among them, get their own rulebook under Articles 51 to 56.
Every GPAI model provider must:
- Draw up and keep up-to-date technical documentation (Article 53(1)(a) and Annex XI)
- Make information and documentation available to downstream AI system providers (Article 53(1)(b))
- Establish a policy to comply with EU copyright law (Article 53(1)(c))
- Publish a sufficiently detailed summary of the training data (Article 53(1)(d))
Cross into systemic risk territory (Article 51) and the bar rises. On top of the above, you must:
- Perform model evaluations, including adversarial testing (Article 55(1)(a))
- Assess and mitigate possible systemic risks (Article 55(1)(b))
- Track, document, and report serious incidents to the AI Office and national authorities (Article 55(1)(c))
- Ensure adequate cybersecurity protections (Article 55(1)(d))
What tips a model into that category? Either high-impact capabilities, or cumulative training compute above 10^25 FLOPs. The European Commission can also designate a model as systemic risk through its own decision process.
These obligations took effect on August 2, 2025.
15. How Do I Classify My AI System's Risk Level?
Everything else hangs off this one step. Get the risk level right and the rest of your compliance plan falls into place. The Act does not assign these levels at random: it runs a structured decision tree, and you can run it too.
Step 1: Is it banned? Check whether your AI system falls under any of the prohibited practices in Article 5. If yes, you cannot operate it in the EU.
Step 2: Is it high-risk? Check two pathways:
- Does it serve as a safety component of a product regulated under Annex I? (Article 6(1))
- Does its intended purpose fall into one of the eight areas listed in Annex III? (Article 6(2))
If either answer is yes, check whether the narrow exception in Article 6(3) applies: if the system does not pose a significant risk of harm to health, safety, or fundamental rights, and is not used for profiling or decision-making, it may be exempted. Either way, you must document this assessment. No exceptions.
Step 3: Does it have transparency obligations? Under Article 50, systems that interact with people (chatbots), generate synthetic content (deepfakes, synthetic audio/video), or perform emotion recognition or biometric categorisation carry specific transparency requirements regardless of risk level.
Step 4: Minimal or no risk. If none of the above categories apply, your AI system falls into the minimal-risk category with no specific regulatory obligations (though codes of conduct under Article 95 are encouraged).
We will say this loudly: write down your classification reasoning, even for the systems you decide are minimal risk. When an auditor comes knocking, showing that you did a careful assessment is itself a point in your favour.
If you would rather have a tool walk you through it, see our comparison of the Best EU AI Act Compliance Tools.
16. Do I Need to Notify Users They Are Interacting with AI?
For certain systems, yes, and the risk tier does not let you off. Article 50 sets transparency obligations that apply whatever your classification:
- AI systems that interact with natural persons must be designed so that the person is informed they are interacting with an AI system, unless this is obvious from the circumstances.
- AI systems generating synthetic audio, image, video, or text must ensure the output is marked in a machine-readable format and is detectable as artificially generated.
- Deployers of emotion recognition or biometric categorisation systems must inform the persons exposed.
- Deployers of deepfake systems must disclose that the content is artificially generated or manipulated.
These apply to limited-risk systems and up. Skip them and you land in the Tier 2 fine bracket: up to 15 million EUR or 3% of global annual turnover.
17. What Role Do National Authorities Play?
Enforcement does not all happen in Brussels. Each EU member state has to designate at least one national competent authority and one market surveillance authority to oversee and enforce the AI Act (Article 70). Their job:
- Monitoring compliance in their jurisdiction
- Conducting investigations and market surveillance activities
- Imposing corrective measures (requiring modifications, withdrawals, or recalls)
- Issuing administrative fines
Sitting above them, the European AI Office (established within the European Commission) coordinates enforcement, runs the EU database for high-risk AI systems, and holds direct supervisory powers over GPAI model providers.
Member states had to name their national competent authorities by August 2, 2025.
18. Can I Still Deploy AI Systems During the Transition Period?
Yes. The AI Act does not block or restrict deploying AI systems while the transition period runs. The catch is that the phased rollout means several obligations are already live:
- Since February 2, 2025: Prohibited practices cannot be deployed. AI literacy obligations apply.
- Since August 2, 2025: GPAI model obligations are enforceable.
- By August 2, 2026: Full high-risk AI system requirements must be met.
Use the time you have left. Run your gap analyses, stand up your compliance frameworks, and get the technical documentation drafted now. Waiting for the deadline is a gamble, and a bad one, because conformity assessments and the documentation pile both take longer than anyone plans for.
Start Your Compliance Journey Today
The EU AI Act is not a someday problem. It is a live obligation with deadlines stacking up behind it. Classifying your systems, preparing technical documentation, running a fundamental rights impact assessment: all of it is on the clock right now.
We built AI Comply HQ to take the dread out of that work. It is a guided, conversational assessment that helps you pin down your obligations, classify your systems, and generate the documentation you need, in hours, not months.
This FAQ is based on Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 (the EU AI Act). It is provided for informational purposes and does not constitute legal advice. Consult qualified legal counsel for guidance specific to your organisation.
Update: Where the Digital Omnibus Stands (June 12, 2026)
A quick note before you act on any date in this article. The Digital Omnibus is a simplification package the European Commission proposed on November 19, 2025. It would amend several EU digital laws at once, and for the AI Act it proposes two big changes: the high-risk obligations would apply later (December 2, 2027 for the stand-alone high-risk systems listed in Annex III, and August 2, 2028 for high-risk AI embedded in regulated products), and a number of requirements would be simplified along the way.
Here is the part that matters: none of this is law yet. The European Parliament and the Council reached a provisional agreement on May 7, 2026, and formal adoption is expected, but until the final text is adopted and published, nothing changes. The dates and obligations described in this article are the ones in force today. And the rules that already apply, like the prohibited practices and the AI literacy duty, stay exactly where they are no matter what happens to the Omnibus.
We are watching this closely. The moment the Omnibus is adopted, amended, or rejected, we will update this article to reflect the new EU AI compliance dates. Check back, or run the free 90-second risk check to see your obligations under the rules as they stand right now.