Section 3

EU AI Act
Obligations

A structured overview of what the EU AI Act requires from providers, deployers, importers, and distributors of AI systems and GPAI models.

The structured framework below reflects the obligations as set out in Regulation (EU) 2024/1689.

Who Does the Act Apply To?

The Act distinguishes between different actors in the AI supply chain.

Providers

Any natural or legal person who develops an AI system or GPAI model for placing on the EU market or putting into service. Providers bear the heaviest obligations. The category includes developers building on top of third-party models if they make substantial modifications.

Deployers

Any natural or legal person who uses an AI system under their authority in a professional context. Deployers are subject to a lighter set of obligations but must cooperate with providers and conduct fundamental rights impact assessments for certain high-risk uses.

Importers

Entities placing on the EU market AI systems that bear the name or trade mark of a natural or legal person established outside the EU. Importers must verify provider compliance before placing a system on the market.

Distributors

Any entity in the supply chain other than the provider or importer that makes an AI system available on the EU market without modifying it. Distributors must verify CE marking and documentation before distribution.

High-Risk AI System Obligations

Providers of high-risk AI systems must comply with Chapter III, Section 2 of the Act.

  • 1. Risk Management System (Article 9)

    Establish and maintain a continuous iterative risk management system throughout the lifecycle of the AI system. Identify, analyse, and evaluate foreseeable risks. Adopt risk mitigation measures.

  • 2. Data Governance (Article 10)

    Training, validation, and testing data must be subject to appropriate data governance practices — covering relevance, representativeness, freedom from errors, and completeness. Examination of possible biases is mandatory.

  • 3. Technical Documentation (Article 11)

    Draw up technical documentation before placing the AI system on the market. Keep it up to date. Demonstrate compliance to regulators on request. Follows Annex IV format.

  • 4. Record-Keeping & Logging (Article 12)

    Ensure automatic recording of events ("logs") relevant to identifying risks and substantiating compliance throughout the system's lifetime. Logs must be retained for at least six months unless otherwise required by law.

  • 5. Transparency & Instructions (Article 13)

    Provide deployers with clear instructions for use — covering the AI system's purpose, level of accuracy and robustness, known biases, human oversight measures, and expected lifetime of the system.

  • 6. Human Oversight (Article 14)

    Design and develop AI systems to enable effective human oversight. Allow natural persons to monitor, intervene, interrupt, or override outputs. Ensure operators understand capabilities and limitations.

  • 7. Accuracy, Robustness & Cybersecurity (Article 15)

    Achieve appropriate levels of accuracy and robustness for the intended purpose, including resilience to errors, faults, and adversarial manipulation. Maintain cybersecurity protections throughout the lifecycle.

  • 8. Conformity Assessment (Article 43)

    Undergo a conformity assessment procedure before placing on the market. For most high-risk AI systems this is a self-assessment by the provider; some categories (e.g. biometrics) require third-party assessment by a notified body.

  • 9. EU Database Registration (Article 71)

    Register the high-risk AI system in the EU-wide public database managed by the Commission before placing it on the market. Deployers of public-authority AI systems must also register.

  • 10. Post-Market Monitoring (Article 72)

    Establish a post-market monitoring system proportionate to the nature of the AI system. Collect, document, and analyse data on performance throughout the lifecycle. Report serious incidents to national authorities.

GPAI Model Obligations (Articles 53–55)

Obligations on providers of General-Purpose AI models, applying from August 2025.

  • A. Technical Documentation

    Draw up and keep up to date technical documentation — including training methodology, training data description, evaluation results on benchmarks, energy consumption, and known limitations. Available to the EU AI Office on request.

  • B. Information to Downstream Providers

    Make available to downstream providers building on the GPAI model all information and documentation necessary for them to comply with their own obligations, including model capabilities and limitations.

  • C. Copyright Transparency Policy

    Put in place a policy to respect EU copyright law, including the text and data mining exceptions in Directive 2019/790. Maintain and publish a summary of training data used.

  • D. Systemic Risk: Adversarial Testing

    Providers of GPAI models with systemic risk must conduct model evaluations including adversarial testing (red-teaming) to identify and mitigate systemic risks.

  • E. Systemic Risk: Incident Reporting

    Report serious incidents and corrective measures to the EU AI Office without undue delay. A "serious incident" includes any incident resulting in risk to health, safety, or fundamental rights.

  • F. Systemic Risk: Cybersecurity

    Ensure adequate cybersecurity protection for the GPAI model and its physical infrastructure, covering model weights, training infrastructure, and API endpoints.

Open-source exception (Article 53(2))

Providers releasing GPAI model weights under a free and open-source licence are exempt from the documentation and copyright transparency obligations — but not from the systemic risk obligations if the 10^25 FLOP threshold is met.

Transparency Obligations for Limited-Risk AI

Article 50 — applies to AI systems interacting with users or generating synthetic content.

  • I. Chatbot Disclosure

    AI systems designed to interact directly with natural persons must disclose that the user is interacting with an AI system, unless this is obvious from the context.

  • II. Deepfake Disclosure

    AI-generated or manipulated image, audio, or video content (deepfakes) must be labelled as artificially generated or manipulated, with limited exceptions for legitimate purposes (satire, artistic expression) where disclosure is clear.

  • III. Emotion Recognition & Biometric Categorisation

    Persons exposed to emotion recognition or biometric categorisation systems must be informed about the operation of the system, subject to applicable law.
