What are the main obligations under the EU AI Act?

Why work with us:

– We improve your accessibility
– We enhance your customer experience
– We increase your efficiency

Want to know how we’ve been using AI to enhance the customer experience for years?

“With Pegamento, we found not just a supplier, but a true partner in change. Thanks to their expertise and our joint DevOps approach, we have made great strides in a short time. The technology supports our people so they can focus on where they make a difference: personal contact with entrepreneurs.”

The EU AI Act requires organizations that develop, import, or deploy AI to comply with a series of legal requirements that depend on the risk level of the AI system being used. These obligations range from transparency requirements for simple chatbots to comprehensive conformity assessments for systems that impact fundamental rights. In this article, we answer the most frequently asked questions about the obligations, the timeline, and the consequences of non-compliance. Would you like to learn how AI can support your organization? Read more about AI-driven intelligence and what that means in practice.

Which organizations are subject to the EU AI Act?

The EU AI Act applies to any organization that develops, markets, imports, or deploys AI systems within the European Union, regardless of where the company is based. Organizations outside the EU are also subject to the law if their AI systems are used by people or companies in the EU.

The law distinguishes between various roles, each with its own responsibilities:

  • Providers are organizations that develop and market AI systems. They bear the heaviest obligations.
  • Deployers are organizations that deploy an existing AI system for their own use or for their customers.
  • Before placing a product on the market, importers must verify that the conformity assessment has been conducted, that the CE marking is affixed, and that the documentation is retained for ten years.
  • Distributors verify that the required documents are present and suspend distribution if they suspect nonconformity.

An important point to note: a distributor, importer, deployer, or third party becomes a provider in its own right—with all the associated obligations—when it places its name on a system, makes a substantial modification to it, or changes its intended purpose in such a way that the system falls into the high-risk category. Furthermore, organizations outside the EU are required to appoint an authorized representative in the EU.

How are AI systems classified into risk categories?

The EU AI Act identifies four risk levels: prohibited AI, high-risk AI, low-risk AI, and AI with minimal or no risk. This classification determines which obligations apply. Most AI applications in use today fall into the lowest category and remain largely unregulated.

Prohibited AI Applications

Certain AI applications are completely prohibited because they pose an unacceptable risk to fundamental rights and human dignity. These prohibitions have been in effect since February 2, 2025, and include, among others:

  • Subliminal or manipulative techniques that influence behavior without a person’s awareness and cause significant harm
  • Exploiting vulnerabilities based on age, disability, or socioeconomic status
  • Social scoring by governments
  • Predictive policing based solely on profiling
  • Building facial recognition databases through undirected scraping
  • Emotion recognition in the workplace or in educational institutions (except in cases involving medical or safety concerns)
  • Biometric categorization to infer sensitive characteristics such as race, political views, or sexual orientation
  • Real-time remote biometric identification in public spaces for law enforcement purposes, except in strictly defined situations

High-risk and lower-risk applications

High-risk AI is defined in Article 6 of the Act in two ways: the system is a safety component of a product covered by European harmonization legislation, or it falls under one of the eight use cases listed in Annex III. Those eight domains are biometrics, critical infrastructure, education and vocational training, employment and human resources management, access to essential services (including creditworthiness and emergency calls), law enforcement, migration and border control, and the administration of justice and democratic processes. Systems that perform profiling of natural persons are always high-risk, without exception.

AI with limited risk is subject to less stringent transparency requirements, such as the reporting requirement for chatbots. AI with minimal risk—such as spam filters or entertainment recommendation systems—is completely unregulated.

What requirements apply to high-risk AI systems?

Providers and deployers of high-risk AI systems must comply with a comprehensive set of requirements before the system may be placed on the market or put into service. The core requirements include risk management, data quality, technical documentation, and human oversight.

The main obligations are:

  • Risk Management System: an ongoing system that identifies, analyzes, and manages risks throughout the entire system lifecycle
  • Data quality requirements: training, validation, and test data must meet quality criteria regarding relevance, representativeness, and freedom from errors
  • Technical documentation: detailed documentation on the system’s design, operation, and performance
  • Transparency and user information: Deployers must receive sufficient information to be able to use the system responsibly
  • Human oversight: The system must be designed so that people can monitor it, understand it, and intervene if necessary
  • Accuracy, robustness, and cybersecurity: the system must perform consistently and be resistant to attempts at manipulation
  • Conformity assessment: depending on the type of system, either by the provider itself or by a third party
  • Registration in the EU database: high-risk systems must be registered in a central European database

An Annex III system that performs only a narrow procedural or preparatory function and does not pose a significant risk to fundamental rights may be excluded from the high-risk category, provided that the provider documents this with supporting evidence.

What are the transparency requirements for AI chatbots and assistants?

Low-risk AI systems, such as chatbots and virtual assistants, must clearly inform users that they are interacting with an AI system and not a human. This transparency requirement applies whenever there is direct contact between the system and an end user.

The disclosure requirement means that users must be informed at the time of interaction. This is not required if it is evident to a reasonable person that they are interacting with an AI system, for example, in a clearly marked automated customer service environment.

Additional obligations apply to General-Purpose AI (GPAI) models, such as large language models. All providers of GPAI models must:

  • Prepare and maintain technical documentation in accordance with Annex XI
  • Downstream providers shall provide information on capacities and limitations in accordance with Annex XII
  • Implement a policy to comply with the Copyright Directive
  • Make a summary of the training data used publicly available

Providers of models under a free and open-source license are exempt from the documentation and information requirements, unless the model poses a systemic risk. A GPAI model is classified as a model posing a systemic risk if its cumulative training compute exceeds 10 to the power of 25 floating-point operations (FLOP). Upon reaching that threshold, the provider must notify the European Commission within two weeks.

When must organizations comply with the EU AI Act?

The EU AI Act has a phased implementation timeline. Not all requirements take effect at the same time, which gives organizations the flexibility to comply in stages. The most urgent deadlines have already passed or are approaching in 2026.

The most important milestones are:

  • February 2, 2025: The prohibited AI practices listed in Article 5 took effect. Organizations that were using prohibited applications should have already stopped doing so by this date.
  • August 2, 2025: The requirements for providers of GPAI models took effect. This applies to organizations that offer large language models or comparable generative AI systems.
  • 2026 and beyond: All requirements for high-risk AI systems will take effect. Organizations that deploy high-risk systems will need this period to put their risk management systems, documentation, and compliance assessments in order.

Until harmonized standards are available, providers can follow a code of practice to establish a presumption of conformity. This provides practical guidance for organizations that want to take action now.

What are the penalties for noncompliance with the AI Act?

The EU AI Act provides for substantial fines for organizations that violate the rules. The amount of the penalty depends on the severity of the violation and the size of the organization, with higher absolute amounts applying to large companies.

The fine structure is organized as follows:

  • Prohibited AI practices: fines of up to 35 million euros or 7% of global annual revenue, whichever is higher
  • Other violations of obligations: fines of up to 15 million euros or 3% of global annual revenue
  • Providing inaccurate information to regulators: fines of up to 7.5 million euros or 1% of global annual revenue

Lower maximum amounts apply to small and medium-sized enterprises. In addition to financial penalties, regulators may also impose temporary or permanent market bans on non-compliant AI systems. Enforcement is the responsibility of national regulators in collaboration with the European AI Office, which is specifically responsible for overseeing GPAI models.

How Pegamento Helps with AI Compliance and the Smart Use of AI

Navigating the requirements of the EU AI Act is complex, especially if you also want to use AI to make your organization more efficient. We help Dutch organizations achieve both goals: deploying AI responsibly and in compliance with regulations, while also delivering real value.

What we can do for you:

  • Agentic AI assistants that take the initiative and act on their own, rather than simply following instructions. This is what we see as the evolution from traditional RPA to Agentic AI for customer service: self-thinking assistants that handle complex tasks autonomously.
  • Customized solutions using standard building blocks, so you don’t need costly custom work but still get a solution that fits your processes and systems perfectly.
  • Everything under one roof: from advice on risk classification and documentation to implementation, management, and support—without complex supplier management or silos.
  • An ISO 27001-certified process as the foundation for information security, supplemented by ISO 9001 and ISO 26000 for quality and social responsibility.

Would you like to know how your organization can make the transition to responsible AI while complying with the EU AI Act? Contact us, and we’d be happy to help you figure it out.

Frequently Asked Questions

How can I be sure which risk category my AI system falls into?

Start by checking whether your system is listed in Annex III of the EU AI Act, which describes the eight high-risk domains. Next, check whether the system performs profiling of natural persons—this is always considered high-risk. If you’re unsure, it’s strongly recommended that you have a formal risk analysis conducted and document the results in writing, as the burden of proof lies with the provider.

We use an AI tool from a third-party provider. Are we also responsible for compliance?

Yes, as the deployer, you share responsibility. You are required to verify that the provider has fulfilled its obligations, to use the tool in accordance with its intended purpose, and to ensure human oversight. Please note: as soon as you modify the tool, put your own name on it, or expand its use beyond the original purpose, you yourself are considered a provider with all the associated significant obligations.

What is the first concrete step my organization should take now?

Start with an AI inventory: identify all AI systems that your organization is currently developing, using, or considering implementing. Classify each system based on the risk categories outlined in the EU AI Act. This will give you immediate insight into which deadlines are relevant to you and where the highest priority lies for compliance measures.

Does the reporting requirement for chatbots also apply if we use them only internally, for example, for employees?

The transparency requirement applies to situations where end users interact directly with an AI system. In cases of internal use where employees know they are working with an AI tool, the exception may apply if it is ‘obvious to a reasonable person.’ Nevertheless, it is wise to include a clear AI disclosure even for internal tools, both for compliance and to foster trust within the organization.

What exactly does a 'substantial change' entail, and when does it suddenly make me a provider?

The EU AI Act defines a substantial change as a modification that affects the system’s compliance or alters its intended purpose, thereby placing the system in a higher risk category. Practical examples include retraining a model on new data, expanding functionality to a high-risk application, or integrating it into a new system that affects fundamental rights. When in doubt, a legal review prior to the modification is essential.

How does the EU AI Act relate to the GDPR? Do we need to manage those obligations separately?

The EU AI Act and the GDPR complement each other but are separate regulations with their own obligations. The GDPR governs the protection of personal data, while the AI Act focuses on the safety and reliability of AI systems themselves. In practice, they overlap when it comes to high-risk AI that processes personal data—think of requirements related to data quality and transparency. An integrated compliance approach that combines both laws is more efficient than treating them as completely separate.

What if my organization is already using a high-risk system that isn’t yet compliant?

The full obligations for high-risk systems will take effect in 2026, which means you still have time to get your affairs in order. Use this time to prioritize setting up a risk management system, preparing technical documentation, and establishing human oversight. Don’t wait until the deadline is approaching: conformity assessments and adapting existing systems take more time than organizations typically expect.

More blogs

Download the white paper here

Deepen your knowledge with Pegamento’s white papers.

Joost Schaap-Account manager Pegamento

Joost Schaap

Senoir Account Manager

When a customer contacts an organization because they have a complaint, it is crucial that the employee of the organization begin by listening carefully. What does this complaint mean for the customer and also for their own organization? How can this complaint be resolved? After listening carefully the employee needs the right information so that a solution can be offered.

This piece was written by Joost Schaap, working as an Account Manager at Pegamento.

Tim Treurniet-AI developer Pegamento

Tim Treurniet

Designer of Intelligent Systems

Real childhood heroes I never had. But in retrospect, I believe figures like Willie Carrot or Dexter’s lab may have had an influence on me. I get energy from actually making innovative and useful products myself. Nothing like seeing the effect of a project that automates a boring task, or makes a complex process suddenly accessible.

A nice bridge to my photograph is the physical aspect of my work. By working with image recognition, I am often very directly connected to the physical world and my work is more than just programming. For example, our image recognition software ensures safety on bridges, tracks players on a soccer field or uses your own smartphone to accurately measure yourself. This combination between physical and digital provides variety and extra challenge. For me, these are the main reasons for my interest and enthusiasm in what I do!

This piece was written by Tim Treurniet, employed Designer of intelligent systems at Pegamento.

Vera van der Plas-UI-UX designer

Vera van der Plas

UI/UX Designer

As a UX/UI designer, I deal daily with transforming complex data into user-friendly visualizations. All of this topped off with a digital lick of paint which should attract the visitor’s attention to take action.

One of the interesting aspects of this field I find the effects that small tweaks, both textual and visual, can have on conversion. The psychological impact that a simple background color of a CTA button has on our behavior is huge. After all, that color can determine whether or not you are going to buy that product.

What we see and how our brains process and interpret this information fascinates me. The possibilities of subconsciously pointing potential customers in your chosen direction are endless. I hope to apply my expertise more often within our solutions in the future.

This piece was written by Vera van der Plas, working as a UX/UI Designer at Pegamento.

Fouad Rahaoui-Finance Pegamento

Fouad Rahaoui

Financial Controller

A Financial Controller within a company should not only be an expert in Finance. You must also have knowledge of the latest IT developments. Because these are also moving very quickly in the world of Finance.

At Pegamento, I can learn all about the latest IT developments. Like the latest development in the field of Machine learning and deep learning.

Through these application areas, as Financial Controller, I can further automate the financial business processes within Pegamento and implement improvements for the automatic processing of financial data.

This piece was written by Fouad Rahaoui, working as a Financial Controller at Pegamento.

Ernst Vegter-Business consultant Pegamento

Ernst Vegter

Business Consultant

Hospitality is one of my deepest motivations.
Not surprisingly, of course, customer service is a common thread in my career. Aspects of hospitality is being able to connect, to facilitate but mainly to make someone feel genuinely welcome. My intuition is my greatest asset to be able to put myself in the shoes of a guest. A customer is my guest.

Fed by various senses, an image forms around the client. I listen to what is being said, watch facial expressions, taste the underlying tone and get a feel for the challenge to be addressed. An image literally forms on my retina. I have to be able to see it. If I can see it, I can create it.

In this, the trick is to pursue simplicity, give the client a warm feeling that the problem is understood, receive good advice, facilitated and carefully guided to the solution. Trust, connect and unburden.

The feeling when a guest arrives at your hotel after a long tiring journey, can sit in front of the fireplace, be handed a good glass of wine and stare carefree at the fire. My guest knows it will be okay.

This piece was written by Ernst Vegter, working as a Business Consultant at Pegamento.

Gunisch-AI developer Pegamento

Gunish Alag

AI Developer

A picture is worth a thousand words, is an expression most of us have heard. We see a lot of things around us on a daily basis and subconciously have the ability to recognize and understand them. This ability of humans to me seems bizarre.

As a computer vision developer at Pegamento that is what I do, break down complex problems and turn them into solutions using images by meticulously extracting useful data.
With the world moving forward and new technologies emerging, complicated problems which were difficult to solve a decade earlier suddenly seem possible and viable. The future is full of new challenges and I look forward to them.

This story is written by Gunish, working as an AI developer at Pegamento.

Ewold Jansen-Service engineer Pegamento

Ewold Jansen

Service & Support Engineer

Hearing the wishes a customer has or the problems a customer is facing is important in order to then be able to help them properly. In both cases, I help find the right solution.

When the customer comes to us with a desire, they don’t know what all the options are. In this I advise them to make the right choices. When problems arise, listening to them is important. For example, a problem arises from a wrong action. By communicating well in this, many problems can be solved quickly by explaining it well. Through poor communication, a small problem can become very big.

This piece was written by Ewold Jansen, working as a Service & Support Engineer at Pegamento.

Andre Glasbergen-Scrum master Pegamento

Andre Glasbergen

Scrum Master

After completing my studies, I started working as a developer at a young Pegamento with a lot of ambition and enthusiasm. In the first years I learned all about process automation, now better known as RPA. I often had to rack my brains to convert the work instruction into a logical function, with not too many If-statements, so that the robot could perform the work.

I developed further and went to work as a consultant. Listening well to the customer and supporting in the pre-sales phase of projects. Executing projects and listening suited me very well. It was a small, but logical, step to now work as a Scrum Master and Project Manager. I have been supervising projects for a few years now. Such as RPA, Cloud applications and AI, according to the Human lead agile approach, We build this with a large team of specialists.

This piece was written by André Glasbergen, working as a Scrum Master at Pegamento.

Ensar Ari-IT engineer Pegamento

Ensar Ari

IT Engineer

Good communication between customer and organization is very important. As an organization, you naturally want to be easily accessible to your customers. Either via social media channels or via the old familiar telephone. Often organizations do not know exactly how they want their telephone line set up. That is why I like to help them think along and give them ideas. I believe there is a solution to every problem. But sometimes you just need someone who looks at the situation a little differently.

This piece was written by Ensar Ari, working as an IT Engineer at Pegamento.

Nini Heerings-Chief Happiness Officer Pegamento

Nini Heerings

Chief Happiness Officer

“You get to know someone better by playing for an hour than by talking for a year.”

This quote from Plato is totally hitting home for me. That’s why I like to connect people through play. Because while playing, you are totally on, all your senses at work.
In my great role as Chief Happiness Officer, I want to do that by connecting colleagues with each other and with the organization. In a creative and playful way that suits Pegamento.

When I’m not at work, I also enjoy connecting people. I do this by organizing The Playground, where adults play games you used to play in the schoolyard, gymnasium or neighborhood playground. The pure feeling of fun, total relaxation and no thoughts of anything but playing. That feeling is the goal.

This piece was written by Nini, working as Chief Happiness Officer at Pegamento.

Ger Koedam-Communication & Marketing Pegamento

Ger Koedam

Marketing & Communications

How can I help you? That’s pretty much the first question I ask when talking to people who are curious about our services. In such a conversation, the use of senses is very important. Because not everyone is the same. One person thinks in images, while for another words are important or how something feels. For me, sight and hearing are the most beautiful senses, because both eyes and ears absorb information and can convey or process emotions.

Why hearing? Because listening is essential in contact. And it’s the key to unlocking valuable insights.

I developed this skill early on. As a child, I enjoyed radio plays on the radio, bringing the stories to life in my head.

Pim Ritmijer-Software developer Pegamento

Pim Ritmeijer

Software Developer

Programming is more than just “code knocking. For me, listening to what the customer wants and visualizing that is an important part of software development.

Actively listening to a customer to understand the customer’s full story is crucial before building a solution. When you understand a customer’s story, you can think together about a solution that truly helps the customer.

Visualizing solutions is the next step for me. What will be the route we will climb to get to a solution? What challenges are we going to face to get to the top?

Like climbing, good preparation is valuable. Even though you can’t prepare for everything, preparation helps make the application fit the client’s needs as well as possible.

What a beautiful and fascinating profession programming is.

This piece was written by Pim Ritmeijer, working as a Software Developer at Pegamento.

Denise Verhoef-Software developer Pegamento

Denise Verhoef

Software Developer

Hearing is something you do a lot of as a programmer but also thinking, for example, when you are tasked with putting together a customer need. If the customer wants a function for his application, it is important that as a programmer you think carefully about which functions are functional and which functions are not. In this way, you will put together the most functional application possible and the customer will have a good end product. Turning needs into code into functionality is something I find interesting.

I am currently doing an internship at Pegamento and studying Software Developer. I get a lot of information that you have to process and apply. The nice thing about this is that you can learn new things but also that you can experience how it works in real business. I started this training last year and knew nothing about programming beforehand. Now I can find my own way with programming and I enjoy working with it. That you can get from a blank page to a functional application through code is cool!

This piece was written by Denise Verhoef, working as a Software Developer intern at Pegamento.

Remco Pabst-Business consultant Pegamento

Remco Pabst

Computer Vision & AI Lead

Using innovative software technology for people or business to make “things” easier and smarter is really a driving force. That’s why the connection between the senses appeals to me the most. Our brains connect the senses just like a business process connects people, systems (data) and logic. They register and trigger an action, exactly how it should be in an optimal workflow. Very cool what is already possible today when we add a lot of computational power to that as well.

Hearing also means a lot. Not because I like to listen to Jazz, Soul, Deep House or Focus-like music every day AND have to be able to listen well to interpret a wish or pain point, but more because not everyone can have all the senses at their disposal. Think of him or her with a visual impairment. The fact that in close cooperation we were able to apply AI, TTS/STT technology (which is still in development) for this often underserved group of people in today’s digital world and to improve the interaction and experience with it gives me a lot of energy and meaning to what I try to do with technology; create value.

This piece was written by Remco, working as a Business Consultant at Pegamento.

Thomas de Wolf-Vision Engineer Pegamento

Thomas de Wolf

R&D Director

Once when I had to choose which study I was going to do, I had a hard time making that choice. I was interested in engineering, but what I most wanted to do was just work with a team toward a common goal.

To this day, that is still what I love doing most. The technology has become image recognition and the team the computer vision department of Pegamento. So it’s logical that in terms of sense, I end up with “seeing. By using our image recognition solutions to see things in the real world, our entire team solves relevant problems for our customers. And because of the variation in customers, the places where our solutions end up are never the same. For example, one moment I am in the control room of a bridge and the next day I am on a production line for sandwiches or between the fences of a TBS clinic.

This piece was written by Thomas de Wolf, working as a Computer Vision & AI Lead at Pegamento.

Rob Roode-Research Development

Rob Roode

Research & Development

Recognizing and automating patterns. Tasks we are constantly working on when implementing our robots at Pegamento. My 2 Drentsche Patrijshonden are hunting dogs and certainly not robots. The hunting instinct and intuition is basically in their genes. Continuing to offer new forms of training has taught them to recognize and act independently in hunting situations. Even “unsupervised,” even if I’m not around.

But when you try to teach a brain something, it also starts to see things you don’t expect. Dogs pick up on the slightest deviation in your voice or directions. To start recognizing that and correcting it again is perhaps the most complex challenge. But in our work, for the wonderful clients for whom we get to work, it often yields the most beautiful new insights!

This piece was written by Rob, founder of Pegamento and in charge of Marketing and R&D.

Serge Poppes-CEO Pegamento

Serge Poppes

CEO

Feeling. That’s the best thing Pegamento stands for. Feeling for technology in the broadest sense of the word. Not only feeling for the exciting stuff like AI, but also for the basics of communication.

The very best part of my job is selling, listening, translating and thinking about what really matters. We bring the digital transformation with a great team!
The diversity of our team, how sharp we are, but especially the wonderful things we get to make makes me feel extremely good. Hence, I intuitively chose the sense of “feeling.

Feeling gives life and differentiation!