EU AI Act
Obligations Covered
AI Literacy & Training, Human Oversight, Transparency & Disclosure, Risk Assessment, Conformity Assessment, Record-Keeping & Documentation
AI Literacy (Article 4)
Requirements
| Requirement | Details |
|---|---|
| Staff AI literacy | Providers AND deployers must ensure sufficient AI literacy for staff dealing with operation and use of AI systems |
| Context-specific | Training must account for technical knowledge, experience, education, usage context, and affected persons/groups |
| No method prescribed | Compliance method is flexible; Commission Q&A confirms no strict measurement obligation |
| AI Office guidance | Commission AI Office published Q&A and repository of AI literacy practices (non-exhaustive, aligned with Article 4) |
Penalties
| Violation | Fine |
|---|---|
| Non-compliance | Up to EUR 15M or 3% global turnover (aggravating factor) |
Human Oversight (Article 14)
Requirements
| Requirement | Details |
|---|---|
| Effective oversight | High-risk AI must enable oversight by natural persons (Article 14(1)) |
| Understand capabilities | Overseers must understand system capacities and limitations (Article 14(4)(a)) |
| Monitor for anomalies | Must monitor operation and detect unexpected performance, anomalies, and dysfunctions (Article 14(4)(a)) |
| Address automation bias | Must remain aware of automation-bias risk in oversight (Article 14(4)(b)) |
| Interpret output | Must be able to correctly interpret output using available tools (Article 14(4)(c)) |
| Override/reverse | Must be able to decide not to use, disregard, override, or reverse AI output (Article 14(4)(d)) |
| Intervene or halt | Must be able to intervene or interrupt system operation via stop button or equivalent halt procedure (Article 14(4)(e)) |
| Competent personnel | Deployers must assign persons with necessary competence, training, and authority (Article 26(2)) |
| Dual verification (biometric) | For Annex III point 1(a) systems (remote biometric ID), no action or decision may be taken unless separately verified and confirmed by at least two natural persons with competence, training, and authority — except where EU/national law deems disproportionate for law enforcement, migration, border, or asylum purposes (Article 14(5)) |
Penalties
| Violation | Fine |
|---|---|
| High-risk non-compliance | Up to EUR 15M or 3% global turnover |
Transparency Requirements
Requirements
| Requirement | Details |
|---|---|
| Usage disclosure | Deployers must inform users they're interacting with AI |
| Deepfake labeling | Providers must mark AI-generated content |
| Technical docs | Providers must document system capabilities and limits |
Penalties
| Violation | Fine |
|---|---|
| Prohibited practices | Up to EUR 35M or 7% global turnover |
| High-risk non-compliance | Up to EUR 15M or 3% global turnover |
| Incorrect information | Up to EUR 7.5M or 1% global turnover |
Risk Management (Article 9)
Requirements
| Requirement | Details |
|---|---|
| Risk management system | Establish and maintain throughout AI lifecycle (Article 9(1)) |
| Identify and analyze | Identify known and reasonably foreseeable risks to health, safety, and fundamental rights during intended use (Article 9(2)(a)) |
| Estimate and evaluate | Estimate and evaluate risks that may emerge under intended use and reasonably foreseeable misuse conditions (Article 9(2)(b)) |
| Post-market evaluation | Evaluate risks based on data from post-market monitoring (Article 9(2)(c)) |
| Risk mitigation | Take appropriate and targeted mitigation measures addressing identified risks (Article 9(2)(d)) |
| Design-based reduction | Eliminate or reduce risks through adequate design and development where technically feasible (Article 9(5)(a)) |
| Residual risk | Ensure residual risk associated with each hazard and overall residual risk is judged acceptable (Article 9(5)) |
| Testing | Test to identify appropriate risk management measures and ensure consistent performance and compliance; tested against prior defined metrics and probabilistic thresholds (Article 9(6)-(8)) |
| Continuous monitoring | Ongoing performance monitoring throughout the system lifecycle |
Penalties
| Violation | Fine |
|---|---|
| High-risk non-compliance | Up to EUR 15M or 3% global turnover |
Conformity Assessment
Requirements
| Requirement | Details |
|---|---|
| Conformity assessment | Must undergo before placing on market or putting into service (Article 43) |
| CE marking | Required for high-risk AI systems once assessment complete (Article 48) |
| Quality management | Must establish quality management system (Article 17) |
| Documentation | Maintain technical documentation throughout lifecycle (Article 18) |
| Annex III phasing | Annex III high-risk systems: 2027-12-02 (deferred from 2026-08-02 by Digital Omnibus, political agreement 2026-05-07, not yet in OJ). Annex I high-risk (safety components covered by other EU product laws, e.g., medical devices): 2028-08-02 (deferred from 2027-08-02) |
Penalties
| Violation | Fine |
|---|---|
| High-risk non-compliance | Up to EUR 15M or 3% global turnover |
Record-Keeping & Automatic Logging (Article 12)
Requirements
| Requirement | Details |
|---|---|
| Automatic logging | High-risk AI systems must log events automatically throughout lifecycle |
| Traceability | Logs must enable risk identification and post-market monitoring |
| Deployer monitoring | Logs must support operational monitoring by deployers (Article 26(5)) |
| Tamper-evident storage | Best-practice/conformity expectation — Article 12 does not itself use "immutable" or "tamper-evident"; integrity of logs is derived from broader auditability and conformity-assessment requirements |
| Biometric ID specifics | Remote biometric systems (Annex III point 1(a)) must log period of use, reference database, input data, and verifying personnel (Article 12(3)) |
Penalties
| Violation | Fine |
|---|---|
| High-risk non-compliance | Up to EUR 15M or 3% global turnover |