The EU AI Act, organised by risk — not by technology.
A practical, interactive guide for companies across the EU. Obligations vary by your role, the type of system, and the level of risk. Classify first — everything downstream depends on it.
Select your sector.
The Act applies differently across industries. Pick the closest match for your likely role, the practices most relevant to you, and priority actions.
Obligations depend on your role — most organisations hold more than one.
Not big tech alone. It reaches anyone who develops, markets, builds into a product, uses, imports or distributes AI — and it catches organisations outside the EU whenever a system's output is used inside it.
A deployer, distributor or importer becomes a provider — with the full provider obligation set — the moment it puts its own name on a high-risk system, substantially modifies one, or changes the intended purpose so a system turns high-risk. If you fine-tune or rebrand someone else's model and ship it, the heavier role may now be yours.
Eight AI practices are prohibited outright.
Banned since 2 February 2025, with the highest penalties. Some everyday marketing, HR and security tools sit closer to a prohibited practice than expected. Select any item to expand.
or 7% of total worldwide annual turnover, whichever is higher. For SMEs, start-ups and small mid-caps, the lower applies.
Classify a system. The engine follows Article 6 exactly.
Answer in order — including the Annex III derogation and the profiling override. Classification comes first, because everything downstream depends on it.
Examples: medical devices, machinery, lifts, toys. Under the Omnibus, "safety component" is narrowed to systems whose purpose is to prevent or mitigate risks to health and safety — pure convenience features may fall outside.
Safety component of — or itself — a product under EU harmonisation law needing third-party conformity assessment (medical devices, machinery, lifts, toys).
Biometrics · critical infrastructure · education · employment & worker management · essential services (incl. credit and life/health insurance) · law enforcement · migration & border · justice & democratic processes.
An Annex III system that profiles natural persons is always high-risk — the derogation never applies.
10 DUTIES · ART. 16–2201Meet the high-risk requirements — risk management, data governance, technical docs, logging, instructions, human oversight, accuracy, robustness, cybersecurity.02Quality management system — establish and maintain a working QMS.03Conformity assessment — before placing on the market or into service.04Declaration of conformity + CE mark — draw up, keep, and affix CE marking.05Register in the EU database — yourself and the system — including systems you self-assess as not high-risk.06Identification & instructions — name and contact on the system or docs; clear instructions for use.07Post-market monitoring — set up, document and run a monitoring plan.08Serious-incident reporting — to market-surveillance authorities.09Corrective action & cooperation — fix non-conformity; grant access to docs, data and — on reasoned request — source code.10Accessibility — comply with applicable EU accessibility requirements.8 DUTIES · ART. 26–2701Use as instructed — technical and organisational measures to follow the provider’s instructions.02Human oversight — people with competence and authority to act.03Input-data quality — relevant and representative input data, where you control it.04Monitor & flag risk — inform the provider and authorities of risks and incidents.05Keep logs — retain logs the system generates automatically.06Inform workers — before workplace use, tell representatives and affected staff.07Inform affected people — those subject to decisions the system makes or supports.08Fundamental-rights impact assessment — a FRIA before first use, where required.GPAI: a separate, two-tier regime.
Duties applying since 2 August 2025; the Commission can fine GPAI providers from 2 August 2026. A model is presumed to carry systemic risk above 10²⁵ FLOP of training compute, or where the Commission designates it.
People must be told when they are dealing with AI.
Disclosures must be clear, no later than first interaction — never buried in terms.
The rules take effect in stages.
Dates reflect the agreed Omnibus text — Parliament endorsed it on 16 June 2026, with formal adoption expected before 2 August 2026. Until publication in the Official Journal, the original dates technically remain law.
The AI Act enters into force.
The Article 5 bans and the Article 4 AI-literacy duty start to apply.
GPAI model obligations, the governance framework and most penalty provisions apply.
Most provisions apply, including deployer-facing transparency and the power to fine GPAI providers.
Provider machine-readable marking of synthetic output (Art. 50(2)) starts; the new Article 5 nudifier/CSAM prohibition applies.
Deadline for member states to establish AI regulatory sandboxes (pushed back one year).
High-risk obligations for stand-alone Annex III systems (biometrics, employment, credit, law enforcement, education).
High-risk obligations for AI embedded in regulated products (medical devices, machinery, toys, lifts).
Same rules Union-wide; each country names its own supervisor.
Member states had to designate authorities by 2 August 2025. As of mid-June 2026, 9 of 27 had done so, 12 had proposals or partial designations, and 6 had not yet appointed any. Drawn from the Future of Life Institute tracker and the Commission's consolidated list — confirm against the official list before relying on it.
ATAustriaBEBelgiumBGBulgariaHRCroatiaCYCyprusCZCzech RepublicDKDenmarkEEEstoniaFIFinlandFRFranceDEGermanyELGreeceHUHungaryIEIrelandITItalyLVLatviaLTLithuaniaLULuxembourgMTMaltaNLNetherlandsPLPolandPTPortugalRORomaniaSKSlovakiaSISloveniaESSpainSESwedenSince 2 February 2025, every provider and deployer must ensure staff operating AI have a sufficient level of AI literacy, proportionate to their role. Not limited to high-risk systems — for most organisations it's the most immediately actionable requirement here.
GDPR — still binding. Legal basis, transparency, automated-decision and profiling rules, and a DPIA where required. Run them as one risk process, not two audits — a FRIA can build on the DPIA.
Revised Product Liability Directive. To be transposed by 9 December 2026, expressly covering defective software — AI included. The standalone AI Liability Directive was withdrawn, so the PLD is the live liability track.
A practical path to compliance.
STEP 01Map where AI is used in practice — including tools teams adopted on their own.
STEP 02Place each use on the tier scale, from prohibited to no special duties.
STEP 03Provider, deployer, importer, distributor or manufacturer — and watch for Article 25.
STEP 04Documentation, security, data, audit rights, incidents and liability.
STEP 05Adopt an AI policy and train people: approved tools, banned inputs, output checks.
STEP 06It doesn’t end at launch — models change, and so does the legal picture.
Turn this guide into your own inventory.
Complicer runs a structured AI Act assessment against your systems — classification, role, and obligations — inside the same audit workspace as your GDPR and accessibility checks.
RUN AN EU AI ACT ASSESSMENT →