Answers to the recurring EU AI Act questions that decide whether a product team is in scope, which operator role applies, whether the system is prohibited or high-risk, and which records must exist before launch or deployment.
Use the citations to check the underlying legal source before applying an answer to a specific product, supplier, model, customer use case, or Member State enforcement route.
Structured answer sets in this page tree.
Cited legal and guidance references.
This EU AI Act FAQ answers practical questions about scope, operator roles, prohibited practices, high-risk AI systems, general-purpose AI models, transparency, fundamental rights impact assessments, registration, serious incidents, and staged application. It avoids penalty figures and other details unless they are needed for this FAQ and supported by the cited grounding sources.
These focused FAQ modules break this artifact into narrower answer sets so teams can move straight to the right source-backed guidance.
FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep.
Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence.
Article 50 FAQ for EU AI Act transparency duties covering chatbot notices, synthetic content marking, biometric and emotion notices, deepfakes, public-interest text, timing, accessibility, and exceptions.
FAQ on EU AI Act serious incident handling for high-risk AI systems, including Article 73 reporting, deployer escalation, corrective action, and GPAI systemic-risk distinctions.
Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration.
FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement.
Answer to how providers and deployers should handle EU AI Act post-market monitoring for high-risk AI systems under Article 72, with serious-incident, log, corrective-action, and lifecycle-change triggers.
FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries.
What Article 11 and Annex IV require in high-risk AI technical documentation: system identity, intended purpose, architecture, data, testing, oversight, cybersecurity, conformity, and post-market monitoring.
source-linked FAQ on EU AI Act Article 43 conformity assessment routes, Annex VI internal control, Annex VII notified-body review, CE marking, declarations, and registration.
Start every EU AI Act question with Article 2 scope and Article 3 roles. A company can be a provider for one AI system, a deployer for another, and a downstream provider when it integrates a general-purpose AI model into its own system.
The AI Act also has staged application dates. Chapters I and II apply from 2 February 2025, Chapter V GPAI duties and several governance and penalty provisions apply from 2 August 2025, the Regulation generally applies from 2 August 2026, and Article 6(1) with corresponding obligations applies from 2 August 2027.
Yes, if the provider places an AI system or general-purpose AI model on the Union market, puts an AI system into service in the Union, or is established outside the Union but the AI system output is used in the Union. The answer should record the market, customer, output-use location, and operator role.
A provider is responsible for developing, placing on the market, or putting into service an AI system or GPAI model under its own name or trademark. A deployer is the organisation using an AI system under its authority. The same organisation may hold different roles for different systems or lifecycle steps.
Track 2 February 2025 for Chapters I and II, including prohibited practices and AI literacy; 2 August 2025 for GPAI obligations, notified-body and governance provisions, penalties, and Article 78; 2 August 2026 for general application; and 2 August 2027 for Article 6(1) high-risk product-safety classification and related obligations.
Article 5 is the first stop for unacceptable-risk uses. It prohibits specific practices, including manipulative or exploitative systems causing or likely to cause significant harm, certain social scoring, certain criminal-risk prediction based solely on profiling or personality traits, untargeted scraping for facial recognition databases, workplace and education emotion recognition except for medical or safety reasons, certain sensitive biometric categorisation, and law-enforcement real-time remote biometric identification in publicly accessible spaces except within narrow conditions.
If Article 5 does not prohibit the use, the next question is whether Article 6 classifies it as high-risk. High-risk status can come from a covered product-safety route under Article 6(1), or from an Annex III use case under Article 6(2), subject to the Article 6(3) narrow non-high-risk derogation.
No. The AI Act uses a risk-based approach. Some practices are prohibited, some systems are high-risk, some systems have specific transparency obligations, GPAI models have their own rules, and many AI systems are outside high-risk classification unless a product-safety route or Annex III use case applies.
Article 6(1) applies when the AI system is intended as a safety component of a product, or is itself a product, covered by listed Union harmonisation legislation and that product or system must undergo third-party conformity assessment before market placement or putting into service.
Sometimes. Article 6(3) allows a derogation where the Annex III system does not pose a significant risk of harm to health, safety, or fundamental rights, including because it does not materially influence decision-making. The provider must document the assessment and register the non-high-risk conclusion. If the system profiles natural persons, it is always high-risk.
For high-risk AI systems, the FAQ answer should separate provider obligations from deployer obligations. Providers carry the core pre-market compliance package: Section 2 requirements, quality management, technical documentation, logs where under their control, conformity assessment, EU declaration of conformity, CE marking, registration, corrective actions, and authority cooperation.
Deployers have operational duties once they use the system, including using instructions for use, assigning competent human oversight, monitoring operation, using relevant input data where under their control, keeping logs under their control for an appropriate period of at least six months unless another law says otherwise, informing affected workers before workplace use, and informing natural persons when Annex III high-risk systems make or assist decisions about them.
A provider should have the Article 16 compliance package: quality management, technical documentation, logs where under its control, conformity assessment records, EU declaration of conformity, CE marking evidence, Article 49 registration, corrective-action records, and materials needed to demonstrate conformity to competent authorities.
A FRIA is required before first deployment for the deployers listed in Article 27 when they deploy covered Article 6(2) high-risk AI systems, except the Annex III critical-infrastructure area. The FRIA complements any DPIA where overlapping obligations are already met through data-protection assessment work.
For covered Annex III high-risk systems, the provider or authorised representative registers itself and the system before market placement or putting into service. Public authorities, Union institutions, bodies, offices, agencies, and persons acting on their behalf must register themselves, select the system, and register their use before putting the system into service or using it.
For high-risk systems, keep the event chronology, affected system, harm, affected persons or groups, provider and deployer notifications, authority notifications, corrective measures, logs, and post-market monitoring evidence. For GPAI models with systemic risk, the Commission template asks for start and end dates, harm, chain of events, model involved, evidence of involvement, response, recommendations, root cause analysis, and post-market monitoring patterns.
General-purpose AI model providers have a separate Chapter V rule set. Article 53 requires technical documentation, downstream information, a copyright-policy control, and a public summary of training content using the AI Office template. Providers of GPAI models with systemic risk also have Article 55 duties for model evaluation, systemic-risk assessment and mitigation, serious-incident tracking and reporting, and cybersecurity protection.
Transparency questions should be answered under Article 50, not treated as generic AI disclosure advice. The rule distinguishes direct human interaction, synthetic content marking by providers, notices for emotion recognition and biometric categorisation by deployers, deepfake disclosures, and AI-generated or manipulated public-interest text disclosures.
Article 53 requires GPAI model providers to maintain model technical documentation, provide downstream information needed by AI-system providers, maintain a policy for EU copyright compliance, publish a summary of training content using the AI Office template, and cooperate with the Commission and competent authorities.
Article 55 adds model evaluation with state-of-the-art protocols and adversarial testing, assessment and mitigation of systemic risks at Union level, serious-incident tracking and reporting without undue delay, and adequate cybersecurity protection for the model and physical infrastructure.
Article 50 requires providers of AI systems intended to interact directly with natural persons to design and develop the system so people are informed they are interacting with an AI system, unless that is obvious to a reasonably well-informed, observant, and circumspect person in the circumstances and context of use.
Article 50 requires provider-side machine-readable marking for synthetic audio, image, video, or text outputs where the rule applies. Deployers must disclose deepfakes, and must disclose AI-generated or manipulated public-interest text unless a listed exception applies, such as human review or editorial control with editorial responsibility.
A useful FAQ answer should leave behind enough evidence for product, legal, engineering, procurement, security, and compliance teams to reproduce the decision later. The evidence should identify the exact AI system or model, the operator role, the intended purpose, the market or output-use location, and the cited source that supports the answer.
Do not treat vendor claims, model cards, or policy summaries as a substitute for the applicable AI Act source. They can support implementation evidence, but the FAQ answer should still map the fact pattern to Article 2 scope, Article 3 roles, Article 5 prohibitions, Article 6 high-risk classification, Chapter V GPAI duties, Article 50 transparency, Article 27 FRIA, Article 49 registration, or incident duties as applicable.
Avoid unsupported deadlines, penalty figures, thresholds, exemptions, or authority routes. If the grounding source does not support the answer, mark the issue as unresolved instead of filling the gap from memory or vendor marketing.
Keep the AI system or model name, intended purpose, operator role, risk classification, source citation, decision owner, affected launch or deployment, required artifact, approval history, and reassessment trigger for product, model, supplier, market, or legal changes.
Sorena can help convert EU AI Act FAQ decisions into scope records, role maps, high-risk assessments, GPAI files, transparency notices, FRIA records, registration checks, and incident workflows.
Ask cited questions about EU AI Act scope, high-risk classification, GPAI duties, transparency, FRIA, registration, and incident records.
Review your EU AI Act role map, risk classification, source gaps, and evidence plan with Sorena.
"Prior to deploying a high-risk AI system"
"Before placing on the market or putting into service"
"The following AI practices shall be prohibited:"
"The AI Act is the first-ever comprehensive legal framework on AI worldwide."
"marking and labelling of AI-generated content"
"These obligations enter into application on 2 August 2025."
"serious incidents involving general-purpose AI models with systemic risk"
"What are the obligations"
"common minimal baseline"
"harmonised rules for the placing on the market"