# EU AI Act - Reference Fact Set (verified)

Regulation (EU) 2024/1689 ("EU AI Act"). Verified against EUR-Lex, the European Commission Digital Strategy, the EU AI Office, Council and Parliament press, and the AI Act Explorer (artificialintelligenceact.eu). Last verified **2026-06-15**.

> **Live status flag (mid-June 2026):** The "Digital Omnibus on AI" reached a **provisional political agreement on 6/7 May 2026** that postpones the high-risk deadlines and adds a new prohibition. It is **NOT YET LAW** - pending Parliament plenary vote, formal Council adoption, and Official Journal publication (intended before 2 Aug 2026). Until published in the OJ, the original dates remain binding. All affected items below are marked `[OMNIBUS - PROPOSED]`. Re-verify before relying on any deadline.

---

## 1. Identity

| Attribute | Detail | Source |
|---|---|---|
| Official name | Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) | https://eur-lex.europa.eu/eli/reg/2024/1689/oj |
| Common name | EU AI Act | https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai |
| Entry into force | 1 August 2024 (20 days after OJ publication 12 July 2024) | https://artificialintelligenceact.eu/article/113/ |
| Full application (default) | 2 August 2026, with phased exceptions | https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai |
| Nature | Directly applicable EU Regulation; no national transposition | https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai |

---

## 2. Phased timeline

### 2a. Original legal timeline (as enacted)

| Date | What applies | Source |
|---|---|---|
| 1 Aug 2024 | Entry into force | https://artificialintelligenceact.eu/article/113/ |
| 2 Feb 2025 | Chapter I general provisions + Art. 5 prohibited practices + Art. 4 AI literacy | https://artificialintelligenceact.eu/implementation-timeline/ |
| 2 Aug 2025 | GPAI model rules (Ch. V) + governance (AI Office/Board/national authorities) + confidentiality + penalties | https://artificialintelligenceact.eu/implementation-timeline/ |
| 2 Aug 2026 | Most remaining obligations incl. high-risk Annex III + Art. 50 transparency | https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai |
| 2 Aug 2027 | High-risk AI as safety component of Annex I products; pre-2 Aug 2025 GPAI models must comply | https://artificialintelligenceact.eu/article/113/ |

### 2b. `[OMNIBUS - PROPOSED, NOT YET LAW]` Digital Omnibus on AI

Commission proposal published 19 Nov 2025. First trilogue 28 Apr 2026 failed; provisional political agreement 6/7 May 2026, confirmed by Member State representatives 13 May 2026. As of 2026-06-15 still pending Parliament plenary vote, formal Council adoption, and OJ publication (intended before 2 Aug 2026; only binds once published in the OJ).

| Item | Original | Proposed new date |
|---|---|---|
| High-risk obligations - stand-alone Annex III | 2 Aug 2026 | 2 December 2027 |
| High-risk obligations - Annex I product safety component | 2 Aug 2027 | 2 August 2028 |
| Art. 50 transparency - effective date | 2 Aug 2026 | unchanged 2 Aug 2026; watermarking grace for existing systems extended to 2 Dec 2026 |
| National AI regulatory sandboxes | 2 Aug 2026 | 2 August 2027 |
| NEW Art. 5 prohibition - AI "nudifier" apps (non-consensual intimate imagery) + AI-generated CSAM | - | added; transitional period to 2 Dec 2026 |

Sources: https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-ai-regulation-proposal ; https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/ ; https://www.europarl.europa.eu/news/en/press-room/20260427IPR42011/ai-act-deal-on-simplification-measures-ban-on-nudifier-apps

**Unaffected:** 2 Feb 2025 (prohibitions + AI literacy) and 2 Aug 2025 (GPAI + governance + penalties) are already in force and NOT postponed.

---

## 3. Risk tiers

### 3a. Prohibited practices (Article 5) - in force since 2 Feb 2025

Source: https://artificialintelligenceact.eu/article/5/

| # | Prohibited practice |
|---|---|
| 1 | Subliminal / manipulative / deceptive techniques materially distorting behaviour, causing significant harm |
| 2 | Exploiting vulnerabilities (age, disability, socio-economic situation) to distort behaviour and cause harm |
| 3 | Social scoring leading to detrimental or unjustified treatment |
| 4 | Predictive policing of individuals based solely on profiling / personality traits |
| 5 | Untargeted scraping of facial images from internet/CCTV to build facial-recognition databases |
| 6 | Emotion recognition in the workplace and education (except medical or safety reasons) |
| 7 | Biometric categorisation inferring sensitive attributes (race, political opinions, union membership, religion/beliefs, sex life, sexual orientation) |
| 8 | "Real-time" remote biometric identification in publicly accessible spaces for law enforcement (narrow authorised exceptions) |
| 9 | `[OMNIBUS - PROPOSED]` AI generating non-consensual intimate imagery ("nudifiers") + AI-generated CSAM |

### 3b. High-risk - two routes

**Route 1 - Annex I (AI as safety component of regulated products).** AI that is a safety component of, or is itself, a product covered by EU harmonisation legislation in Annex I and required to undergo third-party conformity assessment. Examples: machinery, medical devices, in-vitro diagnostic devices, toys, lifts, radio equipment, pressure equipment, cableways, PPE, motor vehicles, aviation, rail, marine equipment. Source: https://artificialintelligenceact.eu/article/6/

**Route 2 - Annex III (8 use-case areas).** Source: https://artificialintelligenceact.eu/annex/3/

| # | Area | Examples |
|---|---|---|
| 1 | Biometrics | Remote biometric ID; biometric categorisation; emotion recognition (where not prohibited) |
| 2 | Critical infrastructure | Safety components in road traffic, water, gas, heating, electricity, digital infrastructure |
| 3 | Education & vocational training | Admission/assignment; assessing learning outcomes; evaluating learning level; exam proctoring |
| 4 | Employment & worker management | Recruitment, screening, promotion/termination, task allocation, performance/behaviour monitoring |
| 5 | Access to essential private & public services | Credit scoring/creditworthiness (excl. fraud detection); public-benefit eligibility; life & health insurance risk/pricing; emergency dispatch/triage |
| 6 | Law enforcement | Offending/re-offending risk; polygraphs; evidence-reliability evaluation; profiling in investigations |
| 7 | Migration, asylum & border control | Polygraphs; risk assessments; examining asylum/visa applications; person detection/recognition |
| 8 | Administration of justice & democratic processes | Assisting judicial authorities in researching/interpreting/applying law; influencing elections/voting behaviour |

**Article 6(3) filter:** An Annex III system is NOT high-risk if it does not pose a significant risk to health, safety or fundamental rights - e.g. narrow procedural task; improves the result of a prior human activity; detects decision patterns without replacing human judgement; preparatory tasks. **Exception does not apply if the system profiles natural persons.** Source: https://artificialintelligenceact.eu/article/6/

### 3c. Limited / transparency risk (Article 50)

Source: https://artificialintelligenceact.eu/article/50/

- Chatbots/conversational AI: inform users they are interacting with AI (unless obvious).
- AI-generated/synthetic content: providers mark outputs (audio, image, video, text) machine-readably as artificial.
- Deepfakes: deployers disclose content is AI-generated/manipulated (limited art/satire carve-outs).
- AI-generated public-interest text: disclose.
- Emotion recognition & biometric categorisation: inform exposed persons.

### 3d. Minimal / no risk

Everything else (spam filters, AI in games, recommendation/inventory systems). No mandatory obligations; voluntary codes encouraged. AI literacy still applies. Source: https://artificialintelligenceact.eu/high-level-summary/

---

## 4. Roles (Article 3)

| Role | Definition |
|---|---|
| Provider | Develops an AI system/GPAI model (or has it developed) and places it on the market / into service under its own name or trademark |
| Deployer | Uses an AI system under its authority in a professional capacity |
| Importer | EU-located; places on the EU market an AI system bearing a non-EU entity's name/trademark |
| Distributor | Supply-chain actor (not provider/importer) making an AI system available on the EU market |

Reclassification (Art. 25): a deployer/importer/distributor/third party becomes a **provider** with full provider obligations if it puts its name on a high-risk system, substantially modifies it, or changes its intended purpose. Source: https://artificialintelligenceact.eu/article/16/

### 4a. High-risk PROVIDER obligations

Source: https://artificialintelligenceact.eu/article/16/

| Obligation | Article |
|---|---|
| Risk-management system (lifecycle) | 9 |
| Data & data governance | 10 |
| Technical documentation (Annex IV) | 11 |
| Record-keeping / automatic logging | 12 |
| Transparency & instructions for use to deployers | 13 |
| Human oversight (designed in) | 14 |
| Accuracy, robustness & cybersecurity | 15 |
| Quality management system | 17 |
| Conformity assessment (self or notified body) | 43 |
| EU declaration of conformity + CE marking | 47-48 |
| Registration in EU database | 49 |
| Post-market monitoring + serious-incident reporting | 72-73 |
| Corrective actions / cooperation with authorities | 20-21 |
| Non-EU providers: appoint EU authorised representative | 22 |

### 4b. High-risk DEPLOYER obligations (Article 26)

Source: https://artificialintelligenceact.eu/article/26/

- Use per instructions for use.
- Assign human oversight to competent, trained, authorised people.
- Ensure input data relevant/representative (to the extent controlled).
- Monitor operation; suspend and inform provider/authority if risks arise.
- Keep logs at least 6 months.
- Inform workers / their reps before workplace deployment.
- Inform individuals subject to high-risk decisions.
- Fundamental rights impact assessment (FRIA, Art. 27) for public bodies/public-service providers, and for credit scoring and insurance risk/pricing. Source: https://artificialintelligenceact.eu/article/27/

### 4c. Importer / distributor (lighter) duties

Verify the provider has done conformity assessment, technical documentation, CE marking, registration; do not place non-conforming systems on the market; cooperate with authorities; keep documentation available. Sources: https://artificialintelligenceact.eu/article/23/ ; https://artificialintelligenceact.eu/article/24/

---

## 5. GPAI (in force since 2 Aug 2025)

Sources: Ch. V https://artificialintelligenceact.eu/chapter/5/ ; Art. 53 https://artificialintelligenceact.eu/article/53/ ; Art. 55 https://artificialintelligenceact.eu/article/55/ ; GPAI Guidelines https://artificialintelligenceact.eu/gpai-guidelines-overview/

**Definition:** A model with significant generality, able to perform a wide range of distinct tasks and be integrated into many downstream systems. Commission GPAI Guidelines use an indicative marker of **>10^23 FLOP** training compute (for models that generate language / text-to-image / text-to-video) to identify GPAI.

**All GPAI providers (Art. 53):** technical documentation; info/documentation for downstream providers; EU copyright-compliance policy, respecting text and data mining (TDM) opt-outs; public summary of training content (AI Office template). Open-source exemption from Art. 53(1)(a)-(b) unless systemic risk.

**GPAI with systemic risk (Art. 55; presumed at >10^25 FLOP, Art. 51):** model evaluation incl. adversarial testing (red-teaming); assess & mitigate systemic risks at EU level; track/report serious incidents to AI Office; cybersecurity for model and infrastructure. Applies even to open-source.

**GPAI Code of Practice:** voluntary AI-Office tool to demonstrate compliance pending harmonised standards; chapters on transparency, copyright, safety & security. Source: https://artificialintelligenceact.eu/introduction-to-code-of-practice/

---

## 6. Penalties (Article 99; Art. 101 for GPAI) - in force since 2 Aug 2025

Source: https://artificialintelligenceact.eu/article/99/

| Violation | Max fine (whichever higher) |
|---|---|
| Art. 5 prohibited practices | €35,000,000 or 7% of worldwide annual turnover |
| Other obligations (provider/deployer/importer/distributor/notified body; high-risk, transparency) | €15,000,000 or 3% |
| Incorrect/incomplete/misleading info to authorities | €7,500,000 or 1% |
| GPAI model providers (Art. 101) | €15,000,000 or 3% |

SMEs/start-ups: fine capped at the **lower** of percentage or fixed amount. EU institutions (Art. 100): fined by the European Data Protection Supervisor (EDPS), up to €1,500,000 (Art. 5) / €750,000 (other).

---

## 7. Scope / extraterritorial reach (Article 2)

Source: https://artificialintelligenceact.eu/article/2/

Applies to: providers placing AI systems on the EU market / into service in the EU **regardless of establishment**; deployers established/located in the EU; **providers and deployers in third countries where the output of the AI system is used in the EU**; importers, distributors, product manufacturers, authorised representatives, and affected persons in the EU.

**Exclusions:** military/defence/national-security uses; AI solely for scientific R&D; pure personal non-professional use; free/open-source AI (except where high-risk, prohibited, or GPAI with systemic risk).

---

## 8. AI literacy (Article 4) - in force since 2 Feb 2025

Source: https://artificialintelligenceact.eu/article/4/

Providers and deployers must ensure, to their best extent, a sufficient level of AI literacy among staff and others operating AI on their behalf, considering their knowledge/experience and the context of use. Applies to all AI systems and to EU + non-EU entities in scope. No prescribed curriculum; document a tailored programme. Not postponed by the omnibus.

---

## 9. ISO/IEC 42001 & harmonised standards

- ISO/IEC 42001 is the international AI Management System (AIMS) standard; certifiable; a governance baseline.
- It is **not** a harmonised European standard under the Act and gives **no automatic presumption of conformity**.
- Presumption of conformity (Art. 40) comes from harmonised standards published in the OJEU. CEN-CENELEC JTC 21 is drafting them (Commission standardisation request, May 2023; draft prEN 18286 maps to ISO/IEC 42001). Sources: https://artificialintelligenceact.eu/article/40/ ; https://www.isms.online/frameworks/iso-42001/iso-42001-harmonised-standards-eu-ai-act-presumption-of-conformity/

---

## Master source list

- EUR-Lex full text: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- EC regulatory framework on AI: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
- EC Digital Omnibus on AI proposal: https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-ai-regulation-proposal
- EU AI Office: https://digital-strategy.ec.europa.eu/en/policies/ai-office
- AI Act Explorer: https://artificialintelligenceact.eu/ai-act-explorer/
- High-level summary: https://artificialintelligenceact.eu/high-level-summary/
- Implementation timeline: https://artificialintelligenceact.eu/implementation-timeline/
- Council press (omnibus, 7 May 2026): https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/
- Parliament press (nudifier ban / omnibus): https://www.europarl.europa.eu/news/en/press-room/20260427IPR42011/ai-act-deal-on-simplification-measures-ban-on-nudifier-apps
- Article 113 (entry into force/application): https://artificialintelligenceact.eu/article/113/

*Re-verify Section 2b omnibus status before publishing any deadline - the postponement may have become law (or changed) after 2026-06-15.*
