GovCompass


By responsible AI element

Free, plain-language answers on the EU AI Act, the GDPR and the frameworks that govern AI, organised around the seven elements of responsible AI.

Fairness

Safety & reliability

Art. 26.4 EU AI Act: input data quality for deployers

Reference

Art. 26.4 requires deployers of high-risk AI to ensure, to the extent they control the input data, that the data is relevant and sufficiently representative for the system's intended purpose. The deployer is responsible for data quality in operation, even though the provider sets the data-governance specifications under Art. 10.

Art. 26.5 EU AI Act: post-market monitoring for deployers

Reference

Art. 26.5 requires deployers of high-risk AI to monitor the system's operation against the provider's instructions, to inform the provider and the market-surveillance authority where use may present a risk and to suspend use in that case, and to report serious incidents. Monitoring is the early-warning mechanism that feeds incident reporting under Art. 73.

Art. 5 EU AI Act: all 8 prohibited AI practices explained

Reference

Art. 5 lists the eight prohibited AI practices, including subliminal manipulation, exploitation of vulnerable groups, social scoring, and untargeted facial-recognition scraping. These prohibitions are absolute, apply to every organisation regardless of size, and have been in force since 2 February 2025.

Art. 6 EU AI Act: how to classify a high-risk AI system

Reference

Art. 6 sets out how to classify a high-risk AI system: a system is high-risk if it is a safety component of a product under Annex I, or falls within one of the Annex III use cases. Misclassification is itself a violation, and the responsibility rests with the organisation, not the supplier.

Art. 73 EU AI Act: incident reporting to supervisory authorities

Reference

Art. 73 requires providers, and through Art. 26.5 deployers, to report serious incidents involving high-risk AI to the market-surveillance authority of the Member State where the incident occurred. The outer deadline is 15 days after becoming aware of the incident, shortened to 10 days where a person has died and to 2 days for a widespread infringement or an incident affecting critical infrastructure. An incident that is also a personal-data breach must additionally be notified under GDPR Art. 33, normally within 72 hours.

Regulatory sandboxes: innovation under EU AI Act supervision

Analysis

Regulatory sandboxes under Art. 57-63 are controlled environments, supervised by the national authority, in which organisations can develop and test innovative AI systems with guidance and temporary relief from certain administrative requirements, without suspending the material safeguards or incident-reporting duties.

High-risk AI or not? classification guide for deployers

Guide

Whether an AI system is high-risk depends on Art. 6: it is high-risk if it is a safety component under Annex I or falls within an Annex III use case (such as employment, credit, or essential services). The Art. 6.3 exception can apply where the system performs only a narrow, non-decisive task.

Provider obligations for SMEs: what you need to know as an AI builder

Guide

An SME that develops an AI system and makes it available to others is a provider under the EU AI Act and carries a substantially heavier burden than a deployer: for high-risk AI this includes a risk management system (Art. 9), data governance (Art. 10), technical documentation (Annex IV), conformity assessment (Art. 43), CE marking (Art. 48), and EU database registration (Art. 49).

Privacy

Transparency & explainability

Art. 26.7 EU AI Act: transparency obligations towards individuals

Reference

Art. 26.7 requires deployers that are employers to inform the affected workers and their representatives before putting a high-risk AI system into service at the workplace. The separate duty to inform the individuals who are subject to the system's decisions sits in Art. 26.11 and applies even where there is no direct interaction, such as CV screening or credit scoring.

Art. 26.8 EU AI Act: registration in the EU database

Reference

Art. 26.8 requires deployers that are public authorities (or act on their behalf) to verify that a high-risk AI system is registered in the EU database before putting it into use, and to refrain from using it if it is not.

Art. 49 EU AI Act: registration in the EU database for providers

Reference

Art. 49 requires providers of high-risk AI systems to register the system in the EU database before placing it on the market. The database serves both market surveillance and public accountability, letting citizens see which high-risk systems are in use.

AI in recruitment: risks, bias and what the EU AI Act already requires

Analysis

AI recruitment systems fall under Annex III of the EU AI Act as high-risk, which triggers the full deployer obligations of Article 26, human oversight, data quality, monitoring, log retention, and a Fundamental Rights Impact Assessment under Article 27. These duties cannot be transferred to the software vendor.

Art. 50 EU AI Act, transparency: inform users about AI interaction

Analysis

Art. 50 of the EU AI Act requires providers to tell people when they interact with an AI system and to mark AI-generated output, and requires deployers to disclose the use of emotion recognition or biometric categorisation and to label deepfakes. The obligations apply from 2 August 2026, with fines of up to €15 million or 3% of global annual turnover.

Transparency templates for EU AI Act Art. 50: ready to use

Guide

Ready-to-use transparency templates help deployers meet the EU AI Act information duties: a chatbot disclosure, an AI-generated-content label, and an Art. 26.11 notice for individuals subject to a high-risk system. The disclosure must be active and comprehensible at the moment of interaction.

Accountability

Art. 26.1 EU AI Act: following provider instructions as a deployer

Reference

Art. 26.1 requires deployers to use high-risk AI systems strictly in accordance with the provider's instructions for use. This means using the system only for its intended purpose, within its specified technical configuration, and by qualified users, and documenting that compliance. Deviating from the instructions can shift liability entirely to the deployer.

Art. 26.6 EU AI Act: log retention and audit trail obligations

Reference

Art. 26.6 requires deployers of high-risk AI to retain the system-generated logs for at least six months, unless other law requires longer. The logs are the primary evidence that the system was used in accordance with its instructions.

Art. 26.8 EU AI Act: registration in the EU database

Reference

Art. 26.8 requires deployers that are public authorities (or act on their behalf) to verify that a high-risk AI system is registered in the EU database before putting it into use, and to refrain from using it if it is not.

Art. 26.9 EU AI Act: DPIA obligation for high-risk AI

Reference

Art. 26.9 links the EU AI Act to the GDPR: where a data protection impact assessment (DPIA) is required under GDPR Art. 35, deployers of high-risk AI must use the information from the provider's documentation to support that assessment.

Art. 27 EU AI Act: Fundamental Rights Impact Assessment (FRIA)

Reference

Art. 27 requires certain deployers (public bodies, private entities providing public services, and deployers of the Annex III creditworthiness and life/health-insurance systems) to conduct a Fundamental Rights Impact Assessment (FRIA) before first using a high-risk AI system, examining the impact on fundamental rights and the mitigation measures.

Art. 4 EU AI Act: AI literacy obligations for organisations

Reference

Art. 4 has required organisations since 2 February 2025 to ensure a sufficient level of AI literacy among staff who operate or use AI systems, proportionate to the system and the role. It applies to all AI use, not only high-risk systems, and must be demonstrable.

Art. 49 EU AI Act: registration in the EU database for providers

Reference

Art. 49 requires providers of high-risk AI systems to register the system in the EU database before placing it on the market. The database serves both market surveillance and public accountability, letting citizens see which high-risk systems are in use.

Art. 6 EU AI Act: how to classify a high-risk AI system

Reference

Art. 6 sets out how to classify a high-risk AI system: a system is high-risk if it is a safety component of a product under Annex I, or falls within one of the Annex III use cases. Misclassification is itself a violation, and the responsibility rests with the organisation, not the supplier.

Art. 73 EU AI Act: incident reporting to supervisory authorities

Reference

Art. 73 requires providers, and through Art. 26.5 deployers, to report serious incidents involving high-risk AI to the market-surveillance authority of the Member State where the incident occurred. The outer deadline is 15 days after becoming aware of the incident, shortened to 10 days where a person has died and to 2 days for a widespread infringement or an incident affecting critical infrastructure. An incident that is also a personal-data breach must additionally be notified under GDPR Art. 33, normally within 72 hours.

EU AI Act for SMEs: practical guide for small organisations

Analysis

For SMEs, EU AI Act compliance is manageable but not optional: the Art. 5 prohibitions and Art. 4 literacy apply regardless of size, and SME deployers of high-risk AI carry the full Art. 26 obligations in proportionate form. Micro-enterprises gain administrative simplifications, not exemptions.

Regulatory sandboxes: innovation under EU AI Act supervision

Analysis

Regulatory sandboxes under Art. 57-63 are controlled environments, supervised by the national authority, in which organisations can develop and test innovative AI systems with guidance and temporary relief from certain administrative requirements, without suspending the material safeguards or incident-reporting duties.

Shadow AI: your organisation uses more AI than you think

Analysis

The AI Officer: why every organisation needs this key function

Analysis

The AI Officer is the organisation-wide director of responsible AI use, broader than a compliance role: it covers AI strategy, ethics, risk and literacy. The EU AI Act (Art. 26) makes the coordinating function necessary, but the need for an AI Officer extends beyond the law itself.

Building an audit trail for EU AI Act compliance

Guide

An audit trail for EU AI Act compliance is the structured, retained record, combining the system logs (Art. 12) with the deployer's own oversight and monitoring documentation, that lets you demonstrate to a supervisor that a high-risk AI system was used lawfully.

EU AI Act and GDPR: how do the two regulations relate?

Guide

The EU AI Act and the GDPR create overlapping but distinct obligations for AI systems that process personal data. They align on data quality, impact assessments, transparency, and individual rights, but differ in scope, accountability roles, and incident-reporting timelines, so the efficient approach is integrated compliance, such as a combined DPIA/FRIA.

EU AI Act by department: HR, finance, marketing, and operations

Guide

EU AI Act obligations per department depend on the risk class of the AI system. HR selection and credit scoring are high-risk (Annex III) and carry the full Art. 26 obligations; marketing AI and chatbots usually fall under the transparency obligation of Art. 50. A per-system Art. 6 analysis determines the exact obligation.

EU AI Act timeline 2025–2028: all deadlines after the omnibus agreement

Guide

The EU AI Act phases in between 2025 and 2028: the Art. 5 prohibitions and Art. 4 AI literacy applied from 2 February 2025, the Art. 50 transparency obligations from 2 August 2026, and the full high-risk obligations for Annex III systems from 2 December 2027 following the Omnibus amendments.

First steps: EU AI Act compliance for deployers

Guide

The first steps to EU AI Act compliance for deployers are: build an AI inventory, classify each system against Art. 6, request the provider documentation, start AI-literacy training under Art. 4, and assign ownership. These steps create the foundation for the Art. 26 obligations.

FRIA step by step: how to conduct a Fundamental Rights Impact Assessment

Guide

A Fundamental Rights Impact Assessment (FRIA) under Art. 27 is conducted step by step: describe the system and its purpose, identify affected persons, assess the impact on each fundamental rights dimension, define mitigation measures, and document the residual risk before deployment.

GPAI integration as a deployer: ChatGPT, Copilot, and EU AI Act

Guide

Deployers using GPAI models like ChatGPT or Copilot are generally not subject to the GPAI provider obligations of Art. 53-55, but two frameworks do apply: the Art. 50 transparency obligations and a high-risk use-case analysis. If the way you deploy the GPAI creates a high-risk AI system under Annex III, the full Art. 26 deployer obligations apply.

High-risk AI or not? classification guide for deployers

Guide

Whether an AI system is high-risk depends on Art. 6: it is high-risk if it is a safety component under Annex I or falls within an Annex III use case (such as employment, credit, or essential services). The Art. 6.3 exception can apply where the system performs only a narrow, non-decisive task.

Oversight log: how to document human oversight under the EU AI Act

Guide

An oversight log is the contemporaneous record that proves human oversight of a high-risk AI system under Art. 26.2 of the EU AI Act. It must capture, per oversight event, who reviewed the AI output, what they decided and why, and it must be retained for at least six months under Art. 26.6.

Provider obligations for SMEs: what you need to know as an AI builder

Guide

An SME that develops an AI system and makes it available to others is a provider under the EU AI Act and carries a substantially heavier burden than a deployer: for high-risk AI this includes a risk management system (Art. 9), data governance (Art. 10), technical documentation (Annex IV), conformity assessment (Art. 43), CE marking (Art. 48), and EU database registration (Art. 49).

Regulatory sandbox explained: innovation space under the EU AI Act

Guide

Joining a national AI regulatory sandbox under Art. 57-63 follows a structured path: prepare a project dossier, apply in one of the submission windows, sign a sandbox agreement with the supervisor, report progress and incidents during testing, and produce a final report that supports full compliance afterwards.

Simplified pathway for micro-enterprises under the EU AI Act

Guide

Micro-enterprises (fewer than 10 employees and turnover up to €2 million) can use a simplified compliance pathway under the EU AI Act, mainly for the provider role: simplified technical documentation (Art. 11.3) and a proportionate quality management system (Art. 17.3). The material obligations, the Art. 5 prohibitions, human oversight, and incident reporting, still apply in full.

Supplier checklist: what must your AI provider deliver?

Guide

A supplier checklist for AI procurement verifies what a provider must deliver before you can comply as a deployer: the instructions for use (Art. 13.3), the conformity declaration, the risk classification, update notification, and cooperation in a supervisory investigation.

Writing an AI policy: step-by-step template for organisations

Guide

An AI policy is the governance instrument that translates the EU AI Act's obligations into organisational commitments and accountabilities. An EU AI Act-aligned policy covers at least the scope, AI principles, the governance structure, the AI inventory and classification, the Art. 5 prohibitions, the approval process, human oversight, literacy, and incident reporting.

Human oversight

Art. 26.2 EU AI Act: human oversight of high-risk AI

Reference

Art. 26.2 requires deployers to ensure that the people assigned to oversee a high-risk AI system have the competence, training, and authority to do so effectively. Valid oversight is substantive, not formal: the overseer must understand the system, be trained on its limitations, and hold genuine authority to override its outputs.

Art. 27 EU AI Act: Fundamental Rights Impact Assessment (FRIA)

Reference

Art. 27 requires certain deployers (public bodies, private entities providing public services, and deployers of the Annex III creditworthiness and life/health-insurance systems) to conduct a Fundamental Rights Impact Assessment (FRIA) before first using a high-risk AI system, examining the impact on fundamental rights and the mitigation measures.

Art. 4 EU AI Act: AI literacy obligations for organisations

Reference

Art. 4 has required organisations since 2 February 2025 to ensure a sufficient level of AI literacy among staff who operate or use AI systems, proportionate to the system and the role. It applies to all AI use, not only high-risk systems, and must be demonstrable.

AI in recruitment: risks, bias and what the EU AI Act already requires

Analysis

AI recruitment systems fall under Annex III of the EU AI Act as high-risk, which triggers the full deployer obligations of Article 26, human oversight, data quality, monitoring, log retention, and a Fundamental Rights Impact Assessment under Article 27. These duties cannot be transferred to the software vendor.

The AI Officer: why every organisation needs this key function

Analysis

The AI Officer is the organisation-wide director of responsible AI use, broader than a compliance role: it covers AI strategy, ethics, risk and literacy. The EU AI Act (Art. 26) makes the coordinating function necessary, but the need for an AI Officer extends beyond the law itself.

GPAI integration as a deployer: ChatGPT, Copilot, and EU AI Act

Guide

Deployers using GPAI models like ChatGPT or Copilot are generally not subject to the GPAI provider obligations of Art. 53-55, but two frameworks do apply: the Art. 50 transparency obligations and a high-risk use-case analysis. If the way you deploy the GPAI creates a high-risk AI system under Annex III, the full Art. 26 deployer obligations apply.

Oversight log: how to document human oversight under the EU AI Act

Guide

An oversight log is the contemporaneous record that proves human oversight of a high-risk AI system under Art. 26.2 of the EU AI Act. It must capture, per oversight event, who reviewed the AI output, what they decided and why, and it must be retained for at least six months under Art. 26.6.
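Added example for the "Building an audit trail" and "Oversight log" entries above (not GovCompass's own code): a minimal oversight log that records, per event, who reviewed the AI output, what they decided and why, and that goes one step beyond the text by chaining each entry to the previous one with a SHA-256 hash so that a later edit or deletion is detectable when the record is shown to a supervisor. Purging respects the Art. 26.6 six-month minimum and only ever removes a leading prefix, so the chain stays verifiable. The field names, the decision vocabulary, the 183-day approximation of six months and the sample entries are all assumptions for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64
# Assumption: "at least six months" (Art. 26.6) approximated as 183 days.
RETENTION = timedelta(days=183)


def _digest(body: dict) -> str:
    """Canonical JSON (sorted keys, no whitespace) so the hash is reproducible."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


class OversightLog:
    """Append-only, hash-chained record of human oversight events (illustrative)."""

    def __init__(self):
        self.entries = []
        self.anchor = GENESIS  # hash of the last purged entry, or genesis

    def record(self, system_id, output_ref, reviewer, decision, rationale, at):
        # Decision vocabulary is an assumption; the point is that every entry
        # names the reviewer, the outcome and the reason.
        if decision not in ("accept", "override", "escalate"):
            raise ValueError("decision must be accept, override or escalate")
        if not rationale.strip():
            raise ValueError("rationale is required: the log must say why")
        prev = self.entries[-1]["hash"] if self.entries else self.anchor
        body = {
            "at": at.astimezone(timezone.utc).isoformat(),
            "system_id": system_id,
            "output_ref": output_ref,
            "reviewer": reviewer,
            "decision": decision,
            "rationale": rationale,
            "prev_hash": prev,
        }
        body["hash"] = _digest(body)  # hash covers every field above
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Return the index of the first broken entry, or -1 if the chain is intact."""
        prev = self.anchor
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def purge(self, now):
        """Drop entries past retention, but only as a leading prefix so the chain holds."""
        n = 0
        while n < len(self.entries) and \
                datetime.fromisoformat(self.entries[n]["at"]) + RETENTION <= now:
            n += 1
        if n:
            self.anchor = self.entries[n - 1]["hash"]
            del self.entries[:n]
        return n


if __name__ == "__main__":
    # Constructed sample events for a hypothetical CV-screening system.
    t0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    log = OversightLog()
    log.record("cv-screener", "cand-0042", "hr.reviewer", "override",
               "candidate meets the stated criteria; model penalised a career gap", t0)
    log.record("cv-screener", "cand-0043", "hr.reviewer", "accept",
               "score consistent with the application file", t0 + timedelta(days=1))
    print("chain intact:", log.verify() == -1)
    log.entries[0]["rationale"] = "edited after the fact"
    print("first broken entry:", log.verify())
```

Store the entries as append-only lines (for example JSONL on write-once storage) and keep the anchor hash with them; `verify()` then gives a supervisor a cheap way to confirm that what is presented is what was written at the time.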

54 articles · Browse by EU AI Act article