--- title: "EU AI Act FAQ: scope, roles, high-risk AI, GPAI, FRIA, and dates" canonical_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/faq" source_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/faq/items" author: "Sorena AI" description: "Grounded EU AI Act FAQ covering scope, provider and deployer roles, prohibited practices, high-risk classification, GPAI duties, transparency notices, FRIAs, EU database registration, serious incidents, and staged application dates." published_at: "2026-05-09" updated_at: "2026-05-17" keywords: - "EU AI Act FAQ" - "high-risk AI" - "GPAI obligations" - "AI Act FRIA" - "AI Act registration" - "Article 50 transparency" - "EU AI Act" - "AI Act FAQ" - "GPAI" - "FRIA" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU AI Act FAQ: scope, roles, high-risk AI, GPAI, FRIA, and dates Grounded EU AI Act FAQ covering scope, provider and deployer roles, prohibited practices, high-risk classification, GPAI duties, transparency notices, FRIAs, EU database registration, serious incidents, and staged application dates. *FAQ* *EU* ## EU AI Act frequently asked questions Answers to the recurring EU AI Act questions that decide whether a product team is in scope, which operator role applies, whether the system is prohibited or high-risk, and which records must exist before launch or deployment. Use the citations to check the underlying legal source before applying an answer to a specific product, supplier, model, customer use case, or Member State enforcement route. This EU AI Act FAQ answers practical questions about scope, operator roles, prohibited practices, high-risk AI systems, general-purpose AI models, transparency, fundamental rights impact assessments, registration, serious incidents, and staged application. It avoids penalty figures and other details unless they are needed for this FAQ and supported by the cited grounding sources. ## Browse sub-FAQ modules ### [Are industry AI use cases high-risk under EU AI Act Annex III?](/artifacts/eu/artificial-intelligence-act/faq/annex-iii-industry-use-cases.md) FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep. - 4 items ### [EU AI Act AI System Classification Edge Cases FAQ](/artifacts/eu/artificial-intelligence-act/faq/ai-system-classification-edge-cases.md) Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence. - 4 items ### [EU AI Act Article 50 transparency disclosures FAQ](/artifacts/eu/artificial-intelligence-act/faq/article-50-transparency-disclosures.md) Article 50 FAQ for EU AI Act transparency duties covering chatbot notices, synthetic content marking, biometric and emotion notices, deepfakes, public-interest text, timing, accessibility, and exceptions. - 5 items ### [EU AI Act Article 73 serious incident FAQ](/artifacts/eu/artificial-intelligence-act/faq/serious-incidents.md) FAQ on EU AI Act serious incident handling for high-risk AI systems, including Article 73 reporting, deployer escalation, corrective action, and GPAI systemic-risk distinctions. - 3 items ### [EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification](/artifacts/eu/artificial-intelligence-act/faq/fria.md) Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration. - 3 items ### [EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55 FAQ](/artifacts/eu/artificial-intelligence-act/faq/gpai-and-systemic-risk-duties.md) FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement. - 5 items ### [EU AI Act post-market monitoring FAQ for high-risk AI systems](/artifacts/eu/artificial-intelligence-act/faq/post-market-monitoring.md) Answer to how providers and deployers should handle EU AI Act post-market monitoring for high-risk AI systems under Article 72, with serious-incident, log, corrective-action, and lifecycle-change triggers. - 4 items ### [EU AI Act provider vs deployer role boundaries: Article 3 and Article 25 FAQ](/artifacts/eu/artificial-intelligence-act/faq/provider-and-deployer-role-boundaries.md) FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries. - 5 items ### [EU AI Act technical documentation FAQ | Article 11 and Annex IV](/artifacts/eu/artificial-intelligence-act/faq/technical-documentation.md) What Article 11 and Annex IV require in high-risk AI technical documentation: system identity, intended purpose, architecture, data, testing, oversight, cybersecurity, conformity, and post-market monitoring. - 3 items ### [FAQ: EU AI Act conformity assessment procedures and notified body selection](/artifacts/eu/artificial-intelligence-act/faq/conformity-assessment-and-notified-bodies.md) source-linked FAQ on EU AI Act Article 43 conformity assessment routes, Annex VI internal control, Annex VII notified-body review, CE marking, declarations, and registration. - 4 items Browse all indexed questions: [/artifacts/eu/artificial-intelligence-act/faq/items](/artifacts/eu/artificial-intelligence-act/faq/items.md) ## All FAQ items *Page 1 of 2. Showing 20 of 40 items.* ### [What is the direct answer for industry AI use cases?](/artifacts/eu/artificial-intelligence-act/faq/annex-iii-industry-use-cases.md#what-is-the-direct-answer-for-industry-ai-use-cases) *Module: [Are industry AI use cases high-risk under EU AI Act Annex III?](/artifacts/eu/artificial-intelligence-act/faq/annex-iii-industry-use-cases.md)* An industry AI use case is high-risk under Annex III only when the AI system is intended to be used for one of the listed Annex III areas or when it separately meets the product safety-component rule in Article 6(1). The Commission FAQ explains that high-risk classification is based on intended purpose: the function performed by the system and the specific purpose and modalities for which it is used. - Start with the provider's intended purpose, instructions for use, technical documentation, sales materials, and actual deployment context. - Check Article 6(1) first if the AI is a product or safety component covered by Annex I legislation and the product requires third-party conformity assessment. - Check Article 6(2) and Annex III next if the system is used for a listed area involving people, rights, access, employment, public services, infrastructure safety, or public authority decisions. - Do not classify a system as high-risk just because the customer is in an industrial sector or the model uses operational, employee, financial, or safety-related data. - Treat profiling of natural persons differently: Article 6(3) says an Annex III system is always high-risk where it performs profiling of natural persons. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Supports the Article 6 classification sequence, Annex III high-risk areas, Article 6(3) exception, provider documentation duty, and Annex VIII registration fields. - [European Commission FAQ - Navigating the AI Act](https://digital-strategy.ec.europa.eu/en/faqs/navigating-ai-act?ref=sorena.io) - Supports the intended-purpose classification approach and Commission examples of Annex III high-risk areas. ### [Which Annex III boundaries matter most for industry?](/artifacts/eu/artificial-intelligence-act/faq/annex-iii-industry-use-cases.md#which-annex-iii-boundaries-matter-most-for-industry) *Module: [Are industry AI use cases high-risk under EU AI Act Annex III?](/artifacts/eu/artificial-intelligence-act/faq/annex-iii-industry-use-cases.md)* The practical boundary is not the customer's industry label; it is the legal use case. Annex III covers eight areas: biometrics; critical infrastructure; education and vocational training; employment, workers' management and access to self-employment; access to essential private and public services and benefits; law enforcement; migration, asylum and border control management; and administration of justice and democratic processes. - Critical infrastructure: check whether the AI is a safety component in management or operation of critical digital infrastructure, road traffic, or water, gas, heating or electricity supply. - Employment and worker management: check recruitment, candidate evaluation, task allocation based on personal traits or behaviour, and worker performance or behaviour monitoring. - Essential services: check eligibility for public benefits, creditworthiness of natural persons, life and health insurance risk assessment and pricing, and emergency response triage or dispatch. - Biometrics: distinguish permitted remote biometric identification, sensitive biometric categorisation, and emotion recognition from simple verification whose sole purpose is confirming a claimed identity. - Public-authority areas: law enforcement, migration, asylum, border control, justice, and democratic-process use cases need specific legal-purpose review and may have restricted registration visibility. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Provides the full Annex III list and the Article 3 definition of intended purpose used to classify borderline industry systems. - [European Commission - AI Act regulatory framework](https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai?ref=sorena.io) - Supports the public Commission explanation that high-risk systems include safety components in critical infrastructure and other listed sensitive uses. ### [When can Article 6(3) support a non-high-risk conclusion?](/artifacts/eu/artificial-intelligence-act/faq/annex-iii-industry-use-cases.md#when-can-article-63-support-a-non-high-risk-conclusion) *Module: [Are industry AI use cases high-risk under EU AI Act Annex III?](/artifacts/eu/artificial-intelligence-act/faq/annex-iii-industry-use-cases.md)* Article 6(3) is an exception to the Annex III rule, not a shortcut around it. It can apply where an Annex III-referred system does not pose a significant risk of harm to health, safety, or fundamental rights, including because it does not materially influence the outcome of decision-making. - Evidence for a narrow procedural task should show the system only structures, routes, deduplicates, translates, indexes, searches, or formats information without deciding the person-facing outcome. - Evidence for improving a completed human activity should show the human decision or assessment was already complete before the AI improved wording, presentation, consistency checks, or other non-substantive output. - Evidence for pattern or deviation detection should show the AI flags anomalies for proper human review and does not supersede or influence the underlying completed assessment. - Evidence for a preparatory task should show the AI output has very low impact on the later Annex III assessment and is not treated as the deciding recommendation. - If the system profiles natural persons, record that Article 6(3) cannot be used to classify the Annex III system as non-high-risk. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Supports the four Article 6(3) conditions, the profiling carve-out, the provider documentation duty, and the Article 49(2) registration link. - [AI Act Service Desk - Article 49 registration](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-49?ref=sorena.io) - Supports that providers concluding a system is not high-risk under Article 6(3) must register themselves and that system in the EU database. ### [What provider evidence and EU database records should exist?](/artifacts/eu/artificial-intelligence-act/faq/annex-iii-industry-use-cases.md#what-provider-evidence-and-eu-database-records-should-exist) *Module: [Are industry AI use cases high-risk under EU AI Act Annex III?](/artifacts/eu/artificial-intelligence-act/faq/annex-iii-industry-use-cases.md)* For an Annex III high-risk conclusion, provider evidence should connect the intended purpose to the relevant Annex III point, then show the high-risk system records needed for conformity, traceability, and registration. The Commission FAQ identifies provider obligations before EU market placement or putting into service, including conformity assessment, quality management, and EU database registration. - High-risk provider registration evidence: provider contact details, AI system trade name, intended purpose, supported functions, inputs and operating logic, status, Member States, EU declaration of conformity, instructions for use, and certificate details where applicable. - Article 6(3) provider evidence: provider contact details, AI system trade name, intended purpose, the Article 6(3) condition relied on, short grounds for the non-high-risk conclusion, system status, and Member States where made available or used. - Public-authority deployer evidence: when Article 49(3) applies, record the deployer details, the person submitting information, the system selected, and the registered use before putting the system into service or using it. - Visibility boundary: most Article 49 registrations feed the EU database, but Article 49 provides secure non-public registration for specified law enforcement, migration, asylum, and border-control systems, and national-level registration for Annex III point 2 critical infrastructure systems. - Change trigger: reassess the classification when intended purpose, user population, human-review design, instructions for use, deployment setting, or supplier claims change. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Supports Annex VIII registration fields for high-risk systems, Article 6(3) non-high-risk systems, and public-authority deployer registration. - [European Commission FAQ - Navigating the AI Act](https://digital-strategy.ec.europa.eu/en/faqs/navigating-ai-act?ref=sorena.io) - Supports provider and deployer obligation summaries for high-risk systems, including conformity assessment, quality management, monitoring, human oversight, and EU database registration. - [AI Act Service Desk - Article 49 registration](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-49?ref=sorena.io) - Supports registration timing, public-authority deployer registration, secure non-public sections, and national-level registration for Annex III point 2 critical infrastructure systems. ### [When is borderline software an AI system under the EU AI Act?](/artifacts/eu/artificial-intelligence-act/faq/ai-system-classification-edge-cases.md#when-is-borderline-software-an-ai-system-under-the-eu-ai-act) *Module: [EU AI Act AI System Classification Edge Cases](/artifacts/eu/artificial-intelligence-act/faq/ai-system-classification-edge-cases.md)* A borderline tool is more likely to be an AI system when it is machine-based, operates with some autonomy, and infers from inputs how to generate outputs such as predictions, content, recommendations, or decisions that can influence a physical or virtual environment. - Record the inputs, objective, output type, autonomy level, and whether the system derives a model, algorithm, recommendation, prediction, content, or decision from data or encoded knowledge. - Separate deterministic automation from inference: a manually written rule that always produces the same result from the same fields is not enough by itself. - Treat logic- and knowledge-based systems as possible AI systems when they infer from encoded knowledge or symbolic representations, even without machine learning. - Keep the intended-purpose evidence from instructions, sales material, product specifications, and technical documentation because Article 6 high-risk classification depends on purpose and use context. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Supports the Article 3 AI system definition and Recital 12 distinction between inference-based AI and simpler human-defined rule execution. ### [How should GPAI model, AI system, and embedded product edge cases be classified?](/artifacts/eu/artificial-intelligence-act/faq/ai-system-classification-edge-cases.md#how-should-gpai-model-ai-system-and-embedded-product-edge-cases-be-classified) *Module: [EU AI Act AI System Classification Edge Cases](/artifacts/eu/artificial-intelligence-act/faq/ai-system-classification-edge-cases.md)* Do not collapse a general-purpose AI model and an AI system into the same record. The model is the reusable capability; the AI system is the deployed or supplied system that uses a model to serve an intended purpose. A downstream provider can integrate a GPAI model into an AI system and then have system-level obligations for that integration. - For GPAI, identify the model, the provider placing the model on the Union market, and any downstream provider integrating it into a specific AI system. - For embedded software, document whether the AI system is physically integrated into the product or serves product functionality without being physically integrated. - For product safety cases, check whether the AI system is a safety component of a product or is itself a product covered by Annex I legislation and subject to third-party conformity assessment. - For Annex III cases, check whether the intended use falls into a listed sensitive area, then assess whether Article 6(3) permits a not-high-risk conclusion; profiling of natural persons remains high-risk. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Supports the separate definitions for AI systems, general-purpose AI models, general-purpose AI systems, safety components, and Article 6 high-risk classification. - [European Commission - Guidelines for providers of general-purpose AI models](https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers?ref=sorena.io) - Supports the distinction between GPAI model-provider scope and downstream AI ecosystem roles. - [AI Act Service Desk - Article 6 classification rules](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-6?ref=sorena.io) - Official article page for the high-risk classification rules used to screen product-linked and Annex III edge cases. ### [Which scope and role questions change the EU AI Act answer?](/artifacts/eu/artificial-intelligence-act/faq/ai-system-classification-edge-cases.md#which-scope-and-role-questions-change-the-eu-ai-act-answer) *Module: [EU AI Act AI System Classification Edge Cases](/artifacts/eu/artificial-intelligence-act/faq/ai-system-classification-edge-cases.md)* Territorial scope is not limited to EU-established providers. The Act can apply to providers placing AI systems or GPAI models on the Union market, EU deployers, non-EU providers or deployers whose AI-system output is used in the Union, importers, distributors, product manufacturers, authorised representatives, and affected persons located in the Union. - Map the market path: who develops, brands, imports, distributes, deploys, integrates, or productizes the system or GPAI model. - Record the EU connection: Union market placement, Union putting into service, EU establishment or location of the deployer, Union use of outputs, or affected persons located in the Union. - Check whether a supplier answer covers only the model, only the AI system, only the deployment, or the product into which the system is integrated. - Reclassify after material changes to intended purpose, branding, integration, safety function, user population, EU market availability, or human-impacting use case. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Supports Article 2 territorial scope, Article 3 operator definitions, and Article 25 role changes along the AI value chain. - [European Commission - Navigating the AI Act](https://digital-strategy.ec.europa.eu/en/faqs/navigating-ai-act?ref=sorena.io) - Commission FAQ source explaining that the framework applies to public and private actors inside and outside the EU in relevant market or use scenarios. ### [What classification evidence should teams keep for EU AI Act edge cases?](/artifacts/eu/artificial-intelligence-act/faq/ai-system-classification-edge-cases.md#what-classification-evidence-should-teams-keep-for-eu-ai-act-edge-cases) *Module: [EU AI Act AI System Classification Edge Cases](/artifacts/eu/artificial-intelligence-act/faq/ai-system-classification-edge-cases.md)* A defensible classification file should show the same facts a reviewer would need to reach the answer again: the object classified, why it is or is not an AI system, whether it is a GPAI model or a system, the intended purpose, the EU nexus, the operator role, and the high-risk screening result. - AI system definition evidence: autonomy, inputs, objectives, output type, inference method, model or algorithm derivation, and why simple human-defined rules are or are not enough to describe the tool. - GPAI evidence: model identity, model provider, downstream system provider, integration method, tasks the model can perform, and system-specific intended purpose. - High-risk evidence: Article 6(1) product-safety check, Annex III use-case check, any Article 6(3) not-high-risk rationale, and profiling status. - Role and scope evidence: provider, deployer, importer, distributor, product manufacturer, authorised representative, EU market or output-use facts, branding, substantial modifications, and intended-purpose changes. - Change evidence: version history, technical modifications, deployment context changes, supplier changes, instructions for use, and the date and approver of each reclassification. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Supports the evidence fields from Article 3 definitions, Article 6 classification documentation, Article 25 role changes, and Annex IV technical-documentation content. - [AI Act Service Desk - Article 6 classification rules](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-6?ref=sorena.io) - Supports keeping a documented high-risk or not-high-risk assessment for Annex III edge cases. ### [What does Article 50 require for direct interactions with AI systems?](/artifacts/eu/artificial-intelligence-act/faq/article-50-transparency-disclosures.md#what-does-article-50-require-for-direct-interactions-with-ai-systems) *Module: [EU AI Act Article 50 transparency disclosures](/artifacts/eu/artificial-intelligence-act/faq/article-50-transparency-disclosures.md)* Providers must design and develop AI systems intended to interact directly with natural persons so that the people concerned are informed that they are interacting with an AI system. - Place the notice in the product experience before or during the first AI interaction, not only in back-office documentation. - Test whether a normal user can tell they are interacting with an AI system in the actual context, language, device, and channel. - Keep a short record of the notice text, placement, version, language coverage, and the reason any obviousness or law-enforcement exception was used. Sources for this answer: - [Regulation (EU) 2024/1689 (Artificial Intelligence Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Primary legal text for Article 50 provider and deployer transparency duties, timing, accessibility, exceptions, and the 2 August 2026 application date for Chapter IV. - [European Commission - Code of Practice on marking and labelling of AI-generated content](https://digital-strategy.ec.europa.eu/en/policies/code-practice-ai-generated-content?ref=sorena.io) - Commission and AI Office page explaining the Article 50(2) and Article 50(4) workstreams for machine-readable marking, deepfake disclosures, and AI-generated public-interest publications. - [European Commission - European Artificial Intelligence Act comes into force](https://ec.europa.eu/commission/presscorner/api/files/document/print/en/ip_24_4123/IP_24_4123_EN.pdf?ref=sorena.io) - Commission press release summarising Article 50-style specific transparency risks, including chatbot disclosures, deepfake labelling, biometric categorisation notices, emotion recognition notices, and machine-readable synthetic content marking. ### [What must providers do for synthetic audio, image, video, or text outputs?](/artifacts/eu/artificial-intelligence-act/faq/article-50-transparency-disclosures.md#what-must-providers-do-for-synthetic-audio-image-video-or-text-outputs) *Module: [EU AI Act Article 50 transparency disclosures](/artifacts/eu/artificial-intelligence-act/faq/article-50-transparency-disclosures.md)* Providers of AI systems, including general-purpose AI systems, that generate synthetic audio, image, video, or text content must ensure the outputs are marked in a machine-readable format and detectable as artificially generated or manipulated. - Record which output types the system can generate or manipulate: audio, image, video, text, or a combination. - Document the marking or detection mechanism, where it is applied in the generation pipeline, and how it behaves across export, editing, compression, and publication channels. - Do not treat standard editing assistance as automatically in scope when it does not substantially alter the deployer's input data or its semantics; keep the product facts that support that conclusion. - Escalate any law-enforcement exception to legal review because Article 50 limits it to uses authorised by law for detecting, preventing, investigating, or prosecuting criminal offences. Sources for this answer: - [Regulation (EU) 2024/1689 (Artificial Intelligence Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Primary legal text for Article 50 provider and deployer transparency duties, timing, accessibility, exceptions, and the 2 August 2026 application date for Chapter IV. - [European Commission - Code of Practice on marking and labelling of AI-generated content](https://digital-strategy.ec.europa.eu/en/policies/code-practice-ai-generated-content?ref=sorena.io) - Commission and AI Office page explaining the Article 50(2) and Article 50(4) workstreams for machine-readable marking, deepfake disclosures, and AI-generated public-interest publications. - [European Commission - European Artificial Intelligence Act comes into force](https://ec.europa.eu/commission/presscorner/api/files/document/print/en/ip_24_4123/IP_24_4123_EN.pdf?ref=sorena.io) - Commission press release summarising Article 50-style specific transparency risks, including chatbot disclosures, deepfake labelling, biometric categorisation notices, emotion recognition notices, and machine-readable synthetic content marking. ### [What notices do deployers need for emotion recognition and biometric categorisation?](/artifacts/eu/artificial-intelligence-act/faq/article-50-transparency-disclosures.md#what-notices-do-deployers-need-for-emotion-recognition-and-biometric-categorisation) *Module: [EU AI Act Article 50 transparency disclosures](/artifacts/eu/artificial-intelligence-act/faq/article-50-transparency-disclosures.md)* Deployers of an emotion recognition system or a biometric categorisation system must inform the natural persons exposed to the operation of the system. - Identify where people are exposed to the system: app flow, physical premises, camera zone, call center, interview, testing setting, or public service counter. - Make the notice visible before or at first exposure and align it with accessibility requirements for the channel. - Keep the biometric or emotion-recognition purpose, data-protection role, notice text, placement evidence, and any legal basis analysis together. - Use the Article 50 law-enforcement exception only where the system is permitted by law to detect, prevent, or investigate criminal offences, subject to safeguards and Union law. Sources for this answer: - [Regulation (EU) 2024/1689 (Artificial Intelligence Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Primary legal text for Article 50 provider and deployer transparency duties, timing, accessibility, exceptions, and the 2 August 2026 application date for Chapter IV. - [European Commission - Code of Practice on marking and labelling of AI-generated content](https://digital-strategy.ec.europa.eu/en/policies/code-practice-ai-generated-content?ref=sorena.io) - Commission and AI Office page explaining the Article 50(2) and Article 50(4) workstreams for machine-readable marking, deepfake disclosures, and AI-generated public-interest publications. - [European Commission - European Artificial Intelligence Act comes into force](https://ec.europa.eu/commission/presscorner/api/files/document/print/en/ip_24_4123/IP_24_4123_EN.pdf?ref=sorena.io) - Commission press release summarising Article 50-style specific transparency risks, including chatbot disclosures, deepfake labelling, biometric categorisation notices, emotion recognition notices, and machine-readable synthetic content marking. ### [How should deployers disclose deepfakes and AI-generated public-interest text?](/artifacts/eu/artificial-intelligence-act/faq/article-50-transparency-disclosures.md#how-should-deployers-disclose-deepfakes-and-ai-generated-public-interest-text) *Module: [EU AI Act Article 50 transparency disclosures](/artifacts/eu/artificial-intelligence-act/faq/article-50-transparency-disclosures.md)* Deployers that use an AI system to generate or manipulate image, audio, or video content constituting a deep fake must disclose that the content has been artificially generated or manipulated. - For image, audio, or video, assess whether the content resembles existing persons, objects, places, entities, or events and would falsely appear authentic or truthful. - For artistic, creative, satirical, fictional, or analogous works, Article 50 limits the disclosure to the existence of generated or manipulated content in an appropriate manner that does not hamper display or enjoyment. - For public-interest text, document whether the publication underwent human review or editorial control and whether a natural or legal person holds editorial responsibility. - Keep disclosure copy, publication URL or placement, content type, review owner, and exception rationale with the release record. Sources for this answer: - [Regulation (EU) 2024/1689 (Artificial Intelligence Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Primary legal text for Article 50 provider and deployer transparency duties, timing, accessibility, exceptions, and the 2 August 2026 application date for Chapter IV. - [European Commission - Code of Practice on marking and labelling of AI-generated content](https://digital-strategy.ec.europa.eu/en/policies/code-practice-ai-generated-content?ref=sorena.io) - Commission and AI Office page explaining the Article 50(2) and Article 50(4) workstreams for machine-readable marking, deepfake disclosures, and AI-generated public-interest publications. - [European Commission - European Artificial Intelligence Act comes into force](https://ec.europa.eu/commission/presscorner/api/files/document/print/en/ip_24_4123/IP_24_4123_EN.pdf?ref=sorena.io) - Commission press release summarising Article 50-style specific transparency risks, including chatbot disclosures, deepfake labelling, biometric categorisation notices, emotion recognition notices, and machine-readable synthetic content marking. ### [What evidence should teams keep for Article 50 transparency disclosures?](/artifacts/eu/artificial-intelligence-act/faq/article-50-transparency-disclosures.md#what-evidence-should-teams-keep-for-article-50-transparency-disclosures) *Module: [EU AI Act Article 50 transparency disclosures](/artifacts/eu/artificial-intelligence-act/faq/article-50-transparency-disclosures.md)* A useful evidence file separates provider technical marking duties from deployer disclosure duties. It should show the triggering capability, affected natural persons, notice or marking mechanism, timing, accessibility handling, and any exception relied on. - Map the relevant Article 50 paragraph to the system activity it affects, then note the concrete check or record needed for direct interaction, synthetic output marking, emotion recognition, biometric categorisation, deepfake disclosure, or public-interest text. - Provider or deployer owner, with supplier inputs if the product uses a third-party model or hosted AI system. - Notice text, label text, or machine-readable marking description, including language and accessibility coverage. - Screenshots, rendered pages, exported files, logs, or test results showing first interaction, first exposure, or published disclosure placement. - Exception record for obvious interactions, standard editing assistance, law-enforcement authorisation, artistic or satirical works, or human review with editorial responsibility. Sources for this answer: - [Regulation (EU) 2024/1689 (Artificial Intelligence Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Primary legal text for Article 50 provider and deployer transparency duties, timing, accessibility, exceptions, and the 2 August 2026 application date for Chapter IV. - [European Commission - Code of Practice on marking and labelling of AI-generated content](https://digital-strategy.ec.europa.eu/en/policies/code-practice-ai-generated-content?ref=sorena.io) - Commission and AI Office page explaining the Article 50(2) and Article 50(4) workstreams for machine-readable marking, deepfake disclosures, and AI-generated public-interest publications. - [European Commission - European Artificial Intelligence Act comes into force](https://ec.europa.eu/commission/presscorner/api/files/document/print/en/ip_24_4123/IP_24_4123_EN.pdf?ref=sorena.io) - Commission press release summarising Article 50-style specific transparency risks, including chatbot disclosures, deepfake labelling, biometric categorisation notices, emotion recognition notices, and machine-readable synthetic content marking. ### [When does an EU AI Act serious-incident report become required for a high-risk AI system?](/artifacts/eu/artificial-intelligence-act/faq/serious-incidents.md#when-does-an-eu-ai-act-serious-incident-report-become-required-for-a-high-risk-ai-system) *Module: [EU AI Act Article 73 serious incident](/artifacts/eu/artificial-intelligence-act/faq/serious-incidents.md)* For a high-risk AI system, Article 73 requires the provider to report any serious incident to the market surveillance authorities of the Member States where the incident occurred. Article 3, point (49), defines a serious incident as an incident or malfunctioning of an AI system that directly or indirectly leads to death or serious harm to health, serious and irreversible disruption of critical infrastructure management or operation, infringement of Union-law obligations protecting fundamental rights, or serious harm to property or the environment. - Confirm that the system is a high-risk AI system and that the event fits one of the Article 3 serious-incident outcomes. - Identify the Member State or Member States where the incident occurred because Article 73 points the report to those market surveillance authorities. - Record when the provider, or where applicable the deployer, became aware of the serious incident. - Record when the causal link or reasonable likelihood of a causal link was established, because that determines when the report must be made immediately. Sources for this answer: - [Regulation (EU) 2024/1689 (Artificial Intelligence Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Supports the Article 3 serious-incident definition, Article 26 deployer escalation, and Article 73 reporting duty for high-risk AI systems. ### [What timing and follow-up steps should the provider track under Article 73?](/artifacts/eu/artificial-intelligence-act/faq/serious-incidents.md#what-timing-and-follow-up-steps-should-the-provider-track-under-article-73) *Module: [EU AI Act Article 73 serious incident](/artifacts/eu/artificial-intelligence-act/faq/serious-incidents.md)* Article 73 sets a default outer deadline of 15 days after the provider, or where applicable the deployer, becomes aware of the serious incident. Shorter outer deadlines apply for two categories: a widespread infringement or a serious and irreversible disruption of critical infrastructure management or operation must be reported not later than two days after awareness, and a death-related incident must be reported not later than 10 days after awareness. - Keep separate timestamps for awareness, causal-link or reasonable-likelihood assessment, initial report, complete report, authority acknowledgements, and corrective actions. - Escalate critical-infrastructure disruption, widespread-infringement, and death-related cases into the shorter Article 73 timing track instead of using the default timing. - Do not alter the AI system in a way that may affect later evaluation of incident causes before informing competent authorities of that action. - Link the Article 73 report to the provider quality-management procedure for serious incidents and to the post-market monitoring evidence for the affected high-risk AI system. Sources for this answer: - [Regulation (EU) 2024/1689 (Artificial Intelligence Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Supports Article 73 timing, incomplete initial reports, post-report investigations, risk assessment, corrective action, and Article 20 corrective-action options. ### [How should deployers, importers, distributors, and GPAI model providers be separated?](/artifacts/eu/artificial-intelligence-act/faq/serious-incidents.md#how-should-deployers-importers-distributors-and-gpai-model-providers-be-separated) *Module: [EU AI Act Article 73 serious incident](/artifacts/eu/artificial-intelligence-act/faq/serious-incidents.md)* A deployer is not the normal Article 73 reporter, but it has an explicit escalation duty when it identifies a serious incident: inform the provider first, then the importer or distributor and the relevant market surveillance authorities. Importers and distributors have their own high-risk AI system duties to withhold, notify, or help correct non-conforming or risky systems, so incident intake should route them into the communication record even when the provider owns the Article 73 report. - Check whether an importer, distributor, deployer, or other third party has become the provider by putting its name or trademark on the high-risk AI system, making a substantial modification, or changing intended purpose so the system becomes high-risk. - Use Article 23 importer records for provider, authorised-representative, and market surveillance authority notice when the importer has sufficient reason to consider the high-risk AI system is non-conforming, falsified, or risky. - Use Article 24 distributor records for provider or importer notice, authority notice, and corrective-action handling when the distributor has sufficient reason to consider a high-risk AI system it made available is non-conforming or risky. - Use a separate Article 55 record when the incident concerns a general-purpose AI model with systemic risk, including the model involved, resulting harm, chain of events, evidence of model involvement, response, root-cause analysis, and any corrective measures. Sources for this answer: - [Regulation (EU) 2024/1689 (Artificial Intelligence Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Supports Article 23 importer duties, Article 24 distributor duties, Article 25 value-chain role changes, Article 26 deployer escalation, and Article 55 GPAI systemic-risk reporting. - [European Commission - GPAI serious-incident reporting template](https://digital-strategy.ec.europa.eu/en/library/ai-act-commission-publishes-reporting-template-serious-incidents-involving-general-purpose-ai?ref=sorena.io) - Supports the distinction between Article 55 GPAI systemic-risk incident reporting and Article 73 high-risk AI system serious-incident reporting. - [European Commission - Guidelines for providers of general-purpose AI models](https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers?ref=sorena.io) - Supports the AI Office submission context for GPAI model provider documents, including Article 55 serious-incident reports. ### [When does Article 27 require a FRIA?](/artifacts/eu/artificial-intelligence-act/faq/fria.md#when-does-article-27-require-a-fria) *Module: [EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification](/artifacts/eu/artificial-intelligence-act/faq/fria.md)* Article 27 requires the assessment before deployment of a high-risk AI system referred to in Article 6(2), which points to the Annex III high-risk areas. The rule expressly excludes high-risk AI systems intended to be used in the area listed in point 2 of Annex III, the critical-infrastructure area. - Start with Article 6(2): confirm that the system is an Annex III high-risk AI system. - Check the carve-out: Annex III point 2 critical-infrastructure systems are excluded from Article 27 FRIA, even though they may still be high-risk and are registered at national level under Article 49(5). - Check the deployer category: public-law bodies, private entities providing public services, and deployers using Annex III point 5(b) or 5(c) systems are the Article 27 categories. - Do not treat a provider's high-risk classification memo as a FRIA; Article 27 is a deployer-side assessment of the specific use. Sources for this answer: - [Regulation (EU) 2024/1689, Article 27](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports the Article 27 trigger, covered deployer categories, critical-infrastructure carve-out, first-use rule, notification duty, DPIA complement rule, and FRIA content list. - [AI Act Service Desk - Article 27](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-27?ref=sorena.io) - Commission-hosted AI Act Explorer page for Article 27 used to cross-check the FRIA article citation and official article title. - [Regulation (EU) 2024/1689, Article 49 and Annex VIII](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports registration details, including deployer EU database registration for public authorities, national registration for Annex III point 2 systems, and the Annex VIII requirement to keep FRIA and DPIA summaries up to date where applicable. ### [What must the FRIA contain?](/artifacts/eu/artificial-intelligence-act/faq/fria.md#what-must-the-fria-contain) *Module: [EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification](/artifacts/eu/artificial-intelligence-act/faq/fria.md)* Article 27 gives a concrete assessment list. The record should describe the deployer's process in which the high-risk AI system will be used, the intended period and frequency of use, the categories of natural persons and groups likely to be affected, and the specific risks of harm for those groups. - Process evidence: workflow map, intended purpose, provider instructions for use, and the deployer's use case. - Use evidence: expected start, duration or period of use, frequency, countries or operating units, and whether this is a first use or a similar case relying on an earlier assessment. - Affected-person evidence: natural-person categories, affected groups, dependency or vulnerability factors, and the decision or service the AI output influences. - Risk evidence: specific fundamental-rights harms, provider Article 13 information considered, residual risks, and escalation criteria. - Control evidence: human oversight procedure, complaint route, internal governance owner, operational playbook for risk materialisation, and approval record. Sources for this answer: - [Regulation (EU) 2024/1689, Article 27](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports the required FRIA contents: deployer process, period and frequency, affected persons and groups, specific risks, human oversight, and measures for risk materialisation. - [Regulation (EU) 2024/1689, Article 13](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports the need to use provider instructions and information about intended purpose, performance limitations, foreseeable risks, and output interpretation when assessing deployer-side risk. - [Regulation (EU) 2024/1689, Annex VIII Section C](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports the practical evidence fields for deployer registration, including FRIA findings and DPIA summary fields that must be provided and kept up to date where Article 49(3) registration applies. ### [How does FRIA connect to DPIA, notification, and registration?](/artifacts/eu/artificial-intelligence-act/faq/fria.md#how-does-fria-connect-to-dpia-notification-and-registration) *Module: [EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification](/artifacts/eu/artificial-intelligence-act/faq/fria.md)* The FRIA is not a replacement for a GDPR or law-enforcement data protection impact assessment. Article 27 says that where Article 27 obligations are already met through a DPIA under GDPR Article 35 or Directive (EU) 2016/680 Article 27, the FRIA complements that DPIA. - Link the DPIA and FRIA where personal-data risk and fundamental-rights risk overlap, but do not assume one automatically covers the other. - Keep the market-surveillance authority notification proof with the completed Article 27 template once the FRIA is performed. - For public-authority deployers, confirm Article 49 registration before putting the Annex III high-risk system into service or use. - For law enforcement, migration, asylum, and border-control Annex III systems, expect restricted EU database registration rules under Article 49(4). - For Annex III point 2 critical-infrastructure systems, route registration evidence to the national-level process described in Article 49(5). Sources for this answer: - [Regulation (EU) 2024/1689, Article 27](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports the FRIA notification duty, DPIA complement rule, first-use rule, update rule, and AI Office template requirement. - [Regulation (EU) 2024/1689, Article 49](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports the EU database registration obligations for public-authority deployers, restricted sections for certain Annex III areas, and national registration for Annex III point 2 systems. - [Regulation (EU) 2024/1689, Article 6 and Annex III](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports the difference between Article 6(1) product-safety high-risk systems and Article 6(2) Annex III high-risk systems, including the Annex III areas relevant to FRIA scope. ### [What does Article 53 require from GPAI model providers?](/artifacts/eu/artificial-intelligence-act/faq/gpai-and-systemic-risk-duties.md#what-does-article-53-require-from-gpai-model-providers) *Module: [EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55](/artifacts/eu/artificial-intelligence-act/faq/gpai-and-systemic-risk-duties.md)* Article 53 requires providers of general-purpose AI models to keep technical documentation for authorities, provide information to downstream AI system providers, maintain a copyright-compliance policy, and publish a sufficiently detailed summary of the content used for training. - Keep model technical documentation up to date, including the training and testing process and evaluation results, for the AI Office and national competent authorities on request. - Provide integration documentation to downstream providers, including capabilities, limitations, acceptable use policies, release and distribution details, architecture, software dependencies, and other Annex XII information. - Put in place a policy to comply with Union copyright and related-rights law, including rights reservations under Article 4(3) of Directive (EU) 2019/790. - Publish the Article 53(1)(d) public summary of training content using the AI Office template. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Primary legal text for Article 53 duties and Annex XI and XII documentation content. - [European Commission - GPAI provider guidelines](https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers?ref=sorena.io) - Commission guidance on GPAI model provider scope, lifecycle documentation, downstream information, open-source exemptions, and staged application. ## FAQ Pagination - Canonical index (page 1): [/artifacts/eu/artificial-intelligence-act/faq/items](/artifacts/eu/artificial-intelligence-act/faq/items.md) - Page 1 rule: `/page/1` is intentionally not generated; use the canonical index markdown URL. - Current page: 1 of 2 Pages: [1](/artifacts/eu/artificial-intelligence-act/faq/items.md) | [2](/artifacts/eu/artificial-intelligence-act/faq/items/page/2.md) [Next page](/artifacts/eu/artificial-intelligence-act/faq/items/page/2.md) *Recommended next step* *Placement: before sources* ## Map each answer to a role, risk class, source, and artifact Sorena can help convert EU AI Act FAQ decisions into scope records, role maps, high-risk assessments, GPAI files, transparency notices, FRIA records, registration checks, and incident workflows. - [Open Research Copilot for EU AI Act](/solutions/research-copilot.md): Ask cited questions about EU AI Act scope, high-risk classification, GPAI duties, transparency, FRIA, registration, and incident records. - [Talk through implementation](/contact.md): Review your EU AI Act role map, risk classification, source gaps, and evidence plan with Sorena. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/artificial-intelligence-act/faq/items