What EU AI Act obligations are already in force right now?

Several EU AI Act obligations are already in force. Prohibited AI practices (Article 5) have applied since 2 February 2025. The AI literacy obligation (Article 4) — requiring companies to ensure employees have adequate AI knowledge — has also applied since 2 February 2025. GPAI model provider obligations apply from 2 August 2025. High-risk system obligations were extended to 2 December 2027 by the EU AI Omnibus agreement (May 2026).

What companies does the EU AI Act apply to?

The EU AI Act applies to any company that develops, deploys, or uses AI systems that affect people in the EU — regardless of where the company is headquartered. This includes startups, SMBs, and multinational corporations. Even US or UK companies with EU customers or EU employees using AI tools fall within scope.

What is the difference between a deployer and a provider under the EU AI Act?

A provider develops an AI system, trains or substantially fine-tunes a model, or places an AI system on the market under its own name or trademark. A deployer uses an AI system under its own authority in the course of business. Providers carry the heavier obligations (technical documentation, conformity assessment, post-market monitoring under Article 16), while deployers have lighter duties under Article 26: use the system per the provider's instructions, ensure human oversight, inform affected people, keep logs, and conduct a Fundamental Rights Impact Assessment where required.

Am I a deployer or a provider if I use the OpenAI or Anthropic API in my product?

You are a deployer. Using a third-party AI tool or API — including ChatGPT, Microsoft Copilot, Google Gemini, or the OpenAI/Anthropic API inside your own application — makes you a deployer, not a provider. You only become a provider if you train or substantially fine-tune your own model, or sell an AI system to others under your own brand. As a deployer you do not need to produce provider-only documents such as technical documentation or a declaration of conformity.

Can EU AI Act compliance documents be generated in languages other than English?

Yes. ComplyLayer generates EU AI Act compliance documents and audit reports in 7 languages — English, French, German, Spanish, Portuguese, Dutch, and Italian — so documentation can be produced in the local language of the relevant EU member state. The output language is set per organization in Settings.

What do high-risk AI systems need to comply with?

High-risk AI systems (as defined in Annex III of the EU AI Act) must have: a risk management system, high-quality training data, technical documentation, logging and audit trail capabilities, human oversight mechanisms, accuracy and robustness measures, and a transparency notice for end users. Companies must also register their high-risk AI systems in the EU database.

How quickly can I set up EU AI Act compliance with ComplyLayer?

Most companies complete their initial EU AI Act compliance setup in under 1 hour using ComplyLayer. You add your AI systems, classify their risk tier with a guided wizard, generate all required compliance documents in one click, distribute policies to your team for acknowledgement, and download an audit-ready compliance report. Ongoing monitoring is automated.

EU Regulation 2024/1689

EU AI Act Compliance Guide

Q: What is the EU AI Act?

The EU AI Act is the world's first comprehensive legal framework for artificial intelligence. It classifies AI systems into four risk tiers (unacceptable, high, limited, minimal) and imposes obligations on developers and deployers of AI in the EU. Enforcement began in stages from 2024, with high-risk AI system requirements applying from December 2027.

Several obligations are already in force: prohibited AI practices since February 2025, AI literacy requirements (Article 4) since February 2025, and GPAI model rules since August 2025. High-risk AI system obligations apply from 2 December 2027 (updated via EU AI Omnibus, May 2026).

What is the EU AI Act?

The EU AI Act (Regulation 2024/1689) is the European Union's landmark legislation establishing a harmonised legal framework for artificial intelligence. It applies to providers, deployers, importers, distributors, and product manufacturers placing or putting AI systems into service in the EU market — regardless of where those companies are established.

The regulation takes a risk-based approach, imposing requirements proportional to the potential harm an AI system could cause. Non-compliance can result in fines of up to €35 million or 7% of global annual turnover.

The Four Risk Tiers

The EU AI Act classifies all AI systems into one of four risk categories, each with a different compliance burden.

Unacceptable Risk

BANNED

AI systems deemed a clear threat to fundamental rights are prohibited outright.

Subliminal manipulation or deceptive techniques
Exploitation of vulnerabilities of specific groups
Social scoring by public authorities
Real-time remote biometric ID in public spaces (with narrow exceptions)
Emotion recognition in workplaces and schools

High Risk

STRICT OBLIGATIONS

Systems posing significant risk to health, safety, or fundamental rights. Permitted but subject to extensive requirements before market placement.

Critical infrastructure management (water, electricity, transport)
Education and vocational training (admissions, grading)
Employment: CV screening, interview analysis, task allocation
Essential private/public services: credit scoring, benefits assessment
Law enforcement and border control
Administration of justice and democratic processes

Limited Risk

TRANSPARENCY OBLIGATIONS

Systems that interact with people must disclose that the user is interacting with an AI, or that content is AI-generated.

Chatbots and conversational AI
Deepfake generation systems
AI-generated text published for public information

Minimal Risk

FEW OBLIGATIONS

The vast majority of AI systems fall here — spam filters, AI-enabled video games, inventory management tools. No mandatory requirements, though voluntary codes of conduct are encouraged.

Key Obligations for High-Risk Systems

Providers of high-risk AI systems must satisfy all of the following before placing a system on the EU market.

Risk Management System

Establish, implement, document and maintain a continuous risk management process throughout the entire lifecycle of the AI system.

Data Governance

Training, validation and testing data must meet quality criteria: relevance, representativeness, freedom from errors, and completeness.

Technical Documentation

Detailed technical documentation must be drawn up before the system is placed on the market and kept up to date throughout its lifecycle.

Human Oversight

Systems must be designed to allow effective oversight by natural persons during the period of use, including the ability to intervene or halt.

Accuracy & Cybersecurity

Systems must achieve an appropriate level of accuracy, robustness, and cybersecurity, and must perform consistently throughout their lifecycle.

Conformity Assessment

Before market placement, providers must undergo a conformity assessment — either self-assessment or third-party audit, depending on the use case.

Deployer vs Provider: which are you?

The EU AI Act assigns different obligations depending on your role. Most companies are deployers, not providers — and that distinction decides how much documentation you actually need.

Deployer (most companies)

You use a third-party AI system under your own authority — including building features on top of the OpenAI or Anthropic API. Using ChatGPT, Copilot, Gemini, or an API inside your own app makes you a deployer.

Deployer duties (Art. 26) are lighter: use the system per the provider's instructions, ensure human oversight, inform affected people, keep logs, and run a Fundamental Rights Impact Assessment where required. You do not draw up the provider's technical documentation or conformity declaration.

Provider

You develop an AI system, train or substantially fine-tune a model, or place an AI system on the market under your own name or brand. Simply calling a third-party API does not make you a provider.

Providers carry the full Art. 16 obligations: risk management system, data governance, technical documentation, conformity assessment, CE marking, and post-market monitoring.

How ComplyLayer helps: when you add an AI system, ComplyLayer records whether you're a deployer or provider and generates only the documents that role requires — so deployers aren't burdened with provider-only paperwork they don't need. Documents and audit reports can be generated in 7 languages (English, French, German, Spanish, Portuguese, Dutch, Italian) for compliance across EU member states.

Enforcement Timeline

August 2024

Regulation enters into force

The EU AI Act officially entered into force 20 days after publication in the Official Journal.

February 2025

Prohibited practices banned

Unacceptable risk AI systems (Article 5) are prohibited. Governance bodies and AI Office established.

August 2025

GPAI model obligations

Rules for general-purpose AI (GPAI) models apply, including transparency obligations and codes of practice.

2 Dec 2027Key Deadline

High-risk system obligations

Standalone high-risk AI systems (Annex III) must fully comply. Extended from August 2026 via EU AI Omnibus agreement (May 2026).

2 Aug 2028

Embedded high-risk systems

High-risk AI systems embedded in regulated products (medical devices, machinery, toys, lifts, watercraft) must comply.

Official Sources & Further Reading

Primary regulatory texts and official guidance referenced in this guide.

EU AI Act — Full Regulation Text

Regulation (EU) 2024/1689 — complete legal text as published in the EU Official Journal

EUR-Lex ↗

European Commission — AI Act Hub

Official EC page on the AI Act regulatory framework, implementation status, and guidance documents

European Commission ↗

EU AI Office

The EU body responsible for overseeing GPAI models and coordinating with national market surveillance authorities

European Commission ↗

Article-by-Article Navigator

Plain-language breakdown of every article in the EU AI Act with explanatory notes and cross-references

Future of Life Institute ↗

Article 5 — Prohibited AI Practices

Complete list of AI applications unconditionally banned in the EU, in force since February 2025

AI Act Navigator ↗

Annex III — High-Risk AI Categories

The definitive list of use cases classified as high-risk under Annex III, requiring full compliance obligations