EU AI Act (Regulation (EU) 2024/1689) FAQ

The Regulation entered into force on 1 August 2024. The prohibitions, the general provisions, and AI literacy apply from 2 February 2025. The GPAI rules in Chapter V apply from 2 August 2025. Most of the remaining rules apply from 2 August 2026, with some transition dates extending to 2 August 2027 and 31 December 2030.

That means the answer depends on the obligation. Teams should map each system or model to the exact date that matters for its obligation set.

Check Article 6 and both high risk routes. One route covers AI systems that are safety components of products under listed Union harmonisation laws. The other route covers the Annex III use cases. Even within Annex III, there is a derogation where the system does not pose a significant risk of harm and does not materially influence decision making, but the provider must document that conclusion and register the system if relying on it.

If the system performs profiling of natural persons in an Annex III use case, it is always treated as high risk.

The provider is the operator making the system available or otherwise carrying provider status under the Act. The deployer uses the system under its authority. The same company can be a provider in one context and a deployer in another. Role is assigned per system and per use case, not once for the whole company.

A distributor, importer, or deployer can become the provider if it rebrands a high risk system, makes a substantial modification, or changes the intended purpose so that a system becomes high risk.

Yes. Using a third party model does not remove your own system level duties. You may still be the deployer or even the provider of the system that wraps the model. If the system is high risk, your obligations continue. If Article 50 applies, your disclosures still have to work. You also need supplier evidence that supports your own compliance record.

The upstream model provider and the downstream system provider should be recorded separately in the role matrix.

Article 50 requires more than a policy statement. Users interacting directly with an AI system must be informed unless it is obvious. Providers of systems generating synthetic audio, image, video, or text must ensure the outputs are marked in a machine readable and detectable way where the article requires it. Deployers of deepfake systems and certain text publication uses have their own disclosure duties.

Teams should treat this as product work with design review, accessibility review, QA evidence, and change control.

Article 53 requires technical documentation, downstream documentation for system providers, a copyright compliance policy, and a sufficiently detailed public summary of training content using the AI Office template. If a model is a GPAI model with systemic risk, Articles 52 to 55 add notification, evaluation cooperation, risk mitigation, and serious incident reporting duties.

Providers of GPAI models placed on the market before 2 August 2025 have until 2 August 2027 to comply with the Chapter V obligations.

Article 99 sets the main operator penalty tiers. Non compliance with Article 5 prohibited practices can reach EUR 35,000,000 or 7 percent of worldwide annual turnover. Other listed operator and notified body duties can reach EUR 15,000,000 or 3 percent. Supplying incorrect, incomplete, or misleading information can reach EUR 7,500,000 or 1 percent.

For GPAI providers, the Commission also has a separate fine power that can reach EUR 15,000,000 or 3 percent under Article 101.