ComplicerAUDIT GRADE
MethodologyUse casesEU AI ActPricingBlogDocsSign inSTART FREE AUDIT
REGULATION (EU) 2024/1689 · OBLIGATIONS APPLYING IN STAGES, 2025–2028

The EU AI Act, organised by risk — not by technology.

A practical, interactive guide for companies across the EU. Obligations vary by your role, the type of system, and the level of risk. Classify first — everything downstream depends on it.

UNACCEPTABLE
Prohibited
up to €35M / 7%
HIGH
High-risk
full obligation set
SYSTEMIC / LIMITED
GPAI models
tiered duties
LIMITED / MINIMAL
Transparency
tell people it's AI
AS OF 30 JUNE 2026 · REG (EU) 2024/1689 + AGREED OMNIBUS · INFORMATIONAL, NOT LEGAL ADVICE — VERIFY THE CURRENT TEXT, DATES AND AUTHORITIES BEFORE RELYING ON THEM.
BY SECTOR — TAILORED SUMMARY

Select your sector.

The Act applies differently across industries. Pick the closest match for your likely role, the practices most relevant to you, and priority actions.

All sectorsALL FOUR TIERS IN PLAY
YOUR LIKELY ROLE

Usually deployer; provider if you build or ship AI features under your own name.

PROHIBITIONS TO WATCH

Run your AI inventory against the eight Article 5 bans before anything else.

HIGH-RISK EXPOSURE

High-risk only where a use falls in Annex I (regulated products) or Annex III (e.g. HR, credit, education).

TRANSPARENCY & GPAI

Disclose chatbots and mark synthetic content; label deepfakes and certain public-interest text. GPAI duties flow down via vendor contracts.

PRIORITY ACTIONS
0Inventory all AI uses and tag them by purpose
1Classify each against prohibited / high-risk / transparency
2Set up disclosures and AI-literacy training
WHO IT APPLIES TO — ART. 2–3, 25

Obligations depend on your role — most organisations hold more than one.

Not big tech alone. It reaches anyone who develops, markets, builds into a product, uses, imports or distributes AI — and it catches organisations outside the EU whenever a system's output is used inside it.

01
Provider

Develops a system (or has it developed) and puts it on the market under its own name — paid or free. Heaviest duties.

02MOST COMPANIES ARE HERE
Deployer

Uses AI in its own activity. The most common role for ordinary companies.

03
Importer

Places a non-EU provider’s system on the EU market.

04
Distributor

Anyone else in the chain — not provider or importer — making a system available on the EU market.

05
Product manufacturer

Puts a product with embedded AI on the market under its own name.

06
Authorised representative

An EU entity mandated in writing to act for a non-EU provider.

WHEN YOUR ROLE CHANGES — ARTICLE 25

A deployer, distributor or importer becomes a provider — with the full provider obligation set — the moment it puts its own name on a high-risk system, substantially modifies one, or changes the intended purpose so a system turns high-risk. If you fine-tune or rebrand someone else's model and ship it, the heavier role may now be yours.

PROHIBITED PRACTICES — ART. 5

Eight AI practices are prohibited outright.

Banned since 2 February 2025, with the highest penalties. Some everyday marketing, HR and security tools sit closer to a prohibited practice than expected. Select any item to expand.

MAXIMUM PENALTY
€35M

or 7% of total worldwide annual turnover, whichever is higher. For SMEs, start-ups and small mid-caps, the lower applies.

RISK-CLASSIFICATION ENGINE — ART. 6 · ANNEX I & III

Classify a system. The engine follows Article 6 exactly.

Answer in order — including the Annex III derogation and the profiling override. Classification comes first, because everything downstream depends on it.

LIVE · ART. 6
STEP 01 / ROUTE A
Is the system a safety component of — or itself — a product covered by EU harmonisation law that needs third-party conformity assessment?

Examples: medical devices, machinery, lifts, toys. Under the Omnibus, "safety component" is narrowed to systems whose purpose is to prevent or mitigate risks to health and safety — pure convenience features may fall outside.

ROUTE A — ANNEX I

Safety component of — or itself — a product under EU harmonisation law needing third-party conformity assessment (medical devices, machinery, lifts, toys).

ROUTE B — ANNEX III

Biometrics · critical infrastructure · education · employment & worker management · essential services (incl. credit and life/health insurance) · law enforcement · migration & border · justice & democratic processes.

THE PROFILING OVERRIDE

An Annex III system that profiles natural persons is always high-risk — the derogation never applies.

Provider
10 DUTIES · ART. 16–22
01Meet the high-risk requirements — risk management, data governance, technical docs, logging, instructions, human oversight, accuracy, robustness, cybersecurity.
02Quality management system — establish and maintain a working QMS.
03Conformity assessment — before placing on the market or into service.
04Declaration of conformity + CE mark — draw up, keep, and affix CE marking.
05Register in the EU database — yourself and the system — including systems you self-assess as not high-risk.
06Identification & instructions — name and contact on the system or docs; clear instructions for use.
07Post-market monitoring — set up, document and run a monitoring plan.
08Serious-incident reporting — to market-surveillance authorities.
09Corrective action & cooperation — fix non-conformity; grant access to docs, data and — on reasoned request — source code.
10Accessibility — comply with applicable EU accessibility requirements.
Deployer
8 DUTIES · ART. 26–27
01Use as instructed — technical and organisational measures to follow the provider’s instructions.
02Human oversight — people with competence and authority to act.
03Input-data quality — relevant and representative input data, where you control it.
04Monitor & flag risk — inform the provider and authorities of risks and incidents.
05Keep logs — retain logs the system generates automatically.
06Inform workers — before workplace use, tell representatives and affected staff.
07Inform affected people — those subject to decisions the system makes or supports.
08Fundamental-rights impact assessment — a FRIA before first use, where required.
FRIA — Art. 27. Required of deployers that are public bodies or private entities providing public services, and for creditworthiness / credit scoring and life & health insurance pricing. A FRIA can build on an existing GDPR DPIA.
Existing systems — Article 111. The high-risk regime is not retroactive. A system already on the market before its application date is not caught unless it undergoes a significant design change afterward — public-sector systems are treated more strictly.
GENERAL-PURPOSE AI — CH. V · ART. 51–55

GPAI: a separate, two-tier regime.

Duties applying since 2 August 2025; the Commission can fine GPAI providers from 2 August 2026. A model is presumed to carry systemic risk above 10²⁵ FLOP of training compute, or where the Commission designates it.

BASELINE — ALL GPAI MODELS
Technical documentation — kept current; provided to the AI Office and national authorities on request.
Information for downstream providers who integrate the model.
Copyright policy aligned with EU law, incl. the text-and-data-mining reservation.
Public training-content summary using the AI Office template.
Cooperate with the Commission and authorities.
Open-source carve-out: parts of the documentation duties fall away for genuinely free and open models — but the copyright policy and training-content summary still apply, and the carve-out doesn't extend to systemic-risk models.
TOP TIER — SYSTEMIC RISK (ADDED DUTIES)
Model evaluation to the state of the art, incl. adversarial testing, documented.
Assess and mitigate systemic risks at EU level, including their sources.
Serious-incident reporting to the AI Office without undue delay.
Cybersecurity for the model and its physical infrastructure.
EU authorised representative for non-EU providers.
TRANSPARENCY DUTIES — ART. 50

People must be told when they are dealing with AI.

Disclosures must be clear, no later than first interaction — never buried in terms.

WHOSITUATIONDUTY
PROVIDERSystem talks directly to people (chatbot, assistant)Make sure people know they’re dealing with AI — unless it’s already obvious.
PROVIDERSystem generates synthetic audio, image, video or textMark output as artificially generated in a machine-readable way. Under the Omnibus this starts 2 December 2026.
DEPLOYEREmotion recognition / biometric categorisationInform the people exposed. GDPR duties still apply on top.
DEPLOYERDeepfakes (image, audio, video)Disclose that the content is artificially generated or manipulated.
DEPLOYERAI text on matters of public interestDisclose the artificial origin — unless it went through human editorial review with responsibility.
Dates that catch people out: deployer-facing duties (chatbots, deepfakes, emotion-recognition disclosure) apply from 2 August 2026. Only the provider's machine-readable marking of synthetic output (Art. 50(2)) was pushed to 2 December 2026 by the Omnibus.
TIMELINE OF APPLICABILITY — ART. 113 · OMNIBUS

The rules take effect in stages.

Dates reflect the agreed Omnibus text — Parliament endorsed it on 16 June 2026, with formal adoption expected before 2 August 2026. Until publication in the Official Journal, the original dates technically remain law.

1 Aug 2024

The AI Act enters into force.

2 Feb 2025

The Article 5 bans and the Article 4 AI-literacy duty start to apply.

2 Aug 2025◀ TODAY · 30 JUN 2026

GPAI model obligations, the governance framework and most penalty provisions apply.

2 Aug 2026

Most provisions apply, including deployer-facing transparency and the power to fine GPAI providers.

2 Dec 2026OMNIBUS

Provider machine-readable marking of synthetic output (Art. 50(2)) starts; the new Article 5 nudifier/CSAM prohibition applies.

2 Aug 2027OMNIBUS

Deadline for member states to establish AI regulatory sandboxes (pushed back one year).

2 Dec 20272 Aug 2026OMNIBUS

High-risk obligations for stand-alone Annex III systems (biometrics, employment, credit, law enforcement, education).

2 Aug 20282 Aug 2027OMNIBUS

High-risk obligations for AI embedded in regulated products (medical devices, machinery, toys, lifts).

€35M / 7%
Prohibited practices
Breaching the Article 5 bans
€15M / 3%
Most other obligations
High-risk duties, transparency, GPAI (from 2 Aug 2026)
€7.5M / 1%
Misleading information
Supplying wrong information to authorities
FINES ARE THE HIGHER OF THE FIXED CAP OR TURNOVER PERCENTAGE · FOR SMEs AND START-UPS, THE LOWER APPLIES.
NATIONAL SUPERVISION — ART. 70 · 28 · 77

Same rules Union-wide; each country names its own supervisor.

Member states had to designate authorities by 2 August 2025. As of mid-June 2026, 9 of 27 had done so, 12 had proposals or partial designations, and 6 had not yet appointed any. Drawn from the Future of Life Institute tracker and the Commission's consolidated list — confirm against the official list before relying on it.

ATAustria
NOT YET DESIGNATED
Lead / contact point: Not yet appointed
National law: In preparation
BEBelgium
NOT YET DESIGNATED
Lead / contact point: Not yet appointed
National law: In preparation
BGBulgaria
NOT YET DESIGNATED
Lead / contact point: Not yet appointed
National law: In preparation
HRCroatia
NOT YET DESIGNATED
Lead / contact point: Not yet appointed
National law: In preparation
CYCyprus
DESIGNATED
Lead / contact point: Commissioner of Communications (single point of contact)
National law: Designated by national decision
CZCzech Republic
IN LEGISLATION
Lead / contact point: Czech Telecommunication Office (ČTÚ) — proposed
National law: Legislative proposal in progress
DKDenmark
DESIGNATED
Lead / contact point: Agency for Digital Government (coordinating); DPA; Court Administration
National law: Law No. 467 — in force 2 Aug 2025
EEEstonia
NOT YET DESIGNATED
Lead / contact point: Not yet appointed
National law: In preparation
FIFinland
DESIGNATED
Lead / contact point: Several existing regulators; Traficom is the single point of contact
National law: Law 1377/2025 — in force 1 Jan 2026
FRFrance
IN LEGISLATION
Lead / contact point: DGCCRF — coordinating, single point of contact (proposed)
National law: Legislative proposal in progress
DEGermany
IN LEGISLATION
Lead / contact point: Federal Network Agency (Bundesnetzagentur) — proposed
National law: Draft KI-MIG adopted by Cabinet Feb 2026; awaiting Bundestag
ELGreece
NOT YET DESIGNATED
Lead / contact point: Not yet appointed
National law: Draft legislation expected mid-2026
HUHungary
DESIGNATED
Lead / contact point: Minister for Enterprise Development (single point of contact)
National law: Government Decree 344/2025
IEIreland
DESIGNATED
Lead / contact point: 15 existing bodies; Minister for Enterprise is the contact point
National law: S.I. No. 366 of 2025
ITItaly
DESIGNATED
Lead / contact point: National Cybersecurity Agency (ACN) — single point of contact
National law: Law No. 132/2025 — in force 10 Oct 2025
LVLatvia
IN LEGISLATION
Lead / contact point: 12–14 authorities proposed; Consumer Rights Protection Centre as contact
National law: Implementation plan published
LTLithuania
DESIGNATED
Lead / contact point: Communications Regulatory Authority (single point of contact)
National law: Designated by national decision
LULuxembourg
IN LEGISLATION
Lead / contact point: National Commission for Data Protection (CNPD) — proposed
National law: Draft law introduced Dec 2024
MTMalta
DESIGNATED
Lead / contact point: Malta Digital Innovation Authority (MDIA) — lead and contact point
National law: Designated under the national AI framework
NLNetherlands
IN LEGISLATION
Lead / contact point: Ten sectoral authorities; RDI as single point of contact (proposed)
National law: Draft legislation published Apr 2026
PLPoland
IN LEGISLATION
Lead / contact point: New Commission on Development and Safety of AI (proposed)
National law: Passed lower house 11 Jun 2026; awaiting upper house
PTPortugal
IN LEGISLATION
Lead / contact point: ANACOM — single point of contact (announced)
National law: Announced Sep 2025
RORomania
IN LEGISLATION
Lead / contact point: ANCOM — single point of contact (proposed)
National law: Government memorandum, Mar 2026
SKSlovakia
IN LEGISLATION
Lead / contact point: Office for Digital Integrity (proposed); sectoral roles for DPA
National law: Draft legislation in progress
SISlovenia
DESIGNATED
Lead / contact point: AKOS — single point of contact; others participate
National law: National law — in force Nov 2025
ESSpain
IN LEGISLATION
Lead / contact point: AESIA — single point of contact; sectoral authorities participate
National law: Draft law in progress; AESIA established 2023
SESweden
IN LEGISLATION
Lead / contact point: Post and Telecom Authority (PTS) — coordinating (proposed)
National law: Government proposal published
EEA EFTA states — pending incorporation. The Act is EEA-relevant but not yet incorporated into the EEA Agreement, so it does not yet bind Iceland, Liechtenstein or Norway; they observe AI Board meetings. Norway has named Nkom as coordinating supervisor ahead of an implementing law expected summer 2026.
Two fixed points Union-wide. For AI used by EU institutions, the supervisor is the EDPS. For GPAI models — and systems where model and system share a provider — the EU AI Office holds market-surveillance powers directly.
AI LITERACY — ART. 4 · IN FORCE NOW
An obligation already in force.

Since 2 February 2025, every provider and deployer must ensure staff operating AI have a sufficient level of AI literacy, proportionate to their role. Not limited to high-risk systems — for most organisations it's the most immediately actionable requirement here.

What "good enough" looks like: a baseline policy on approved tools, what must never be entered as input, how to sanity-check outputs, role-appropriate training. Document it — supervisors expect evidence, not intentions.
ADJACENT REGULATION — GDPR · PLD
Rules that apply alongside it.

GDPR — still binding. Legal basis, transparency, automated-decision and profiling rules, and a DPIA where required. Run them as one risk process, not two audits — a FRIA can build on the DPIA.

Revised Product Liability Directive. To be transposed by 9 December 2026, expressly covering defective software — AI included. The standalone AI Liability Directive was withdrawn, so the PLD is the live liability track.

GETTING STARTED — SIX STEPS

A practical path to compliance.

STEP 01
Inventory your AI

Map where AI is used in practice — including tools teams adopted on their own.

STEP 02
Classify the risk

Place each use on the tier scale, from prohibited to no special duties.

STEP 03
Pin down your role

Provider, deployer, importer, distributor or manufacturer — and watch for Article 25.

STEP 04
Check contracts & vendors

Documentation, security, data, audit rights, incidents and liability.

STEP 05
Policy & training

Adopt an AI policy and train people: approved tools, banned inputs, output checks.

STEP 06
Document & monitor

It doesn’t end at launch — models change, and so does the legal picture.

AI ACT ASSESSMENT

Turn this guide into your own inventory.

Complicer runs a structured AI Act assessment against your systems — classification, role, and obligations — inside the same audit workspace as your GDPR and accessibility checks.

RUN AN EU AI ACT ASSESSMENT →
Create a free account to start. The assessment lives in your audit workspace.
COMMON QUESTIONS
Informational, not legal advice. This guide reflects the state of play on 30 June 2026 and creates no advisor–client relationship. The Omnibus is mid-adoption and national designations are still settling — verify the current text, dates and authorities before relying on them, and take advice on your specific situation.
EVIDENCE CHAIN INTACT · SHA-256 · Ed25519 · RFC 3161 TSA
HOMEMETHODOLOGYPRIVACY
© 2026 COMPLICER