The EU AI Act requires organizations that develop, import, or deploy AI to comply with a series of legal requirements that depend on the risk level of the AI system being used. These obligations range from transparency requirements for simple chatbots to comprehensive conformity assessments for systems that impact fundamental rights. In this article, we answer the most frequently asked questions about the obligations, the timeline, and the consequences of non-compliance. Would you like to learn how AI can support your organization? Read more about AI-driven intelligence and what that means in practice.
Which organizations are subject to the EU AI Act?
The EU AI Act applies to any organization that develops, markets, imports, or deploys AI systems within the European Union, regardless of where the company is based. Organizations outside the EU are also subject to the law if their AI systems are used by people or companies in the EU.
The law distinguishes between various roles, each with its own responsibilities:
- Providers are organizations that develop and market AI systems. They bear the heaviest obligations.
- Deployers are organizations that deploy an existing AI system for their own use or for their customers.
- Before placing a product on the market, importers must verify that the conformity assessment has been conducted, that the CE marking is affixed, and that the documentation is retained for ten years.
- Distributors verify that the required documents are present and suspend distribution if they suspect nonconformity.
An important point to note: a distributor, importer, deployer, or third party becomes a provider in its own right—with all the associated obligations—when it places its name on a system, makes a substantial modification to it, or changes its intended purpose in such a way that the system falls into the high-risk category. Furthermore, organizations outside the EU are required to appoint an authorized representative in the EU.
How are AI systems classified into risk categories?
The EU AI Act identifies four risk levels: prohibited AI, high-risk AI, low-risk AI, and AI with minimal or no risk. This classification determines which obligations apply. Most AI applications in use today fall into the lowest category and remain largely unregulated.
Prohibited AI Applications
Certain AI applications are completely prohibited because they pose an unacceptable risk to fundamental rights and human dignity. These prohibitions have been in effect since February 2, 2025, and include, among others:
- Subliminal or manipulative techniques that influence behavior without a person’s awareness and cause significant harm
- Exploiting vulnerabilities based on age, disability, or socioeconomic status
- Social scoring by governments
- Predictive policing based solely on profiling
- Building facial recognition databases through undirected scraping
- Emotion recognition in the workplace or in educational institutions (except in cases involving medical or safety concerns)
- Biometric categorization to infer sensitive characteristics such as race, political views, or sexual orientation
- Real-time remote biometric identification in public spaces for law enforcement purposes, except in strictly defined situations
High-risk and lower-risk applications
High-risk AI is defined in Article 6 of the Act in two ways: the system is a safety component of a product covered by European harmonization legislation, or it falls under one of the eight use cases listed in Annex III. Those eight domains are biometrics, critical infrastructure, education and vocational training, employment and human resources management, access to essential services (including creditworthiness and emergency calls), law enforcement, migration and border control, and the administration of justice and democratic processes. Systems that perform profiling of natural persons are always high-risk, without exception.
AI with limited risk is subject to less stringent transparency requirements, such as the reporting requirement for chatbots. AI with minimal risk—such as spam filters or entertainment recommendation systems—is completely unregulated.
What requirements apply to high-risk AI systems?
Providers and deployers of high-risk AI systems must comply with a comprehensive set of requirements before the system may be placed on the market or put into service. The core requirements include risk management, data quality, technical documentation, and human oversight.
The main obligations are:
- Risk Management System: an ongoing system that identifies, analyzes, and manages risks throughout the entire system lifecycle
- Data quality requirements: training, validation, and test data must meet quality criteria regarding relevance, representativeness, and freedom from errors
- Technical documentation: detailed documentation on the system’s design, operation, and performance
- Transparency and user information: Deployers must receive sufficient information to be able to use the system responsibly
- Human oversight: The system must be designed so that people can monitor it, understand it, and intervene if necessary
- Accuracy, robustness, and cybersecurity: the system must perform consistently and be resistant to attempts at manipulation
- Conformity assessment: depending on the type of system, either by the provider itself or by a third party
- Registration in the EU database: high-risk systems must be registered in a central European database
An Annex III system that performs only a narrow procedural or preparatory function and does not pose a significant risk to fundamental rights may be excluded from the high-risk category, provided that the provider documents this with supporting evidence.
What are the transparency requirements for AI chatbots and assistants?
Low-risk AI systems, such as chatbots and virtual assistants, must clearly inform users that they are interacting with an AI system and not a human. This transparency requirement applies whenever there is direct contact between the system and an end user.
The disclosure requirement means that users must be informed at the time of interaction. This is not required if it is evident to a reasonable person that they are interacting with an AI system, for example, in a clearly marked automated customer service environment.
Additional obligations apply to General-Purpose AI (GPAI) models, such as large language models. All providers of GPAI models must:
- Prepare and maintain technical documentation in accordance with Annex XI
- Downstream providers shall provide information on capacities and limitations in accordance with Annex XII
- Implement a policy to comply with the Copyright Directive
- Make a summary of the training data used publicly available
Providers of models under a free and open-source license are exempt from the documentation and information requirements, unless the model poses a systemic risk. A GPAI model is classified as a model posing a systemic risk if its cumulative training compute exceeds 10 to the power of 25 floating-point operations (FLOP). Upon reaching that threshold, the provider must notify the European Commission within two weeks.
When must organizations comply with the EU AI Act?
The EU AI Act has a phased implementation timeline. Not all requirements take effect at the same time, which gives organizations the flexibility to comply in stages. The most urgent deadlines have already passed or are approaching in 2026.
The most important milestones are:
- February 2, 2025: The prohibited AI practices listed in Article 5 took effect. Organizations that were using prohibited applications should have already stopped doing so by this date.
- August 2, 2025: The requirements for providers of GPAI models took effect. This applies to organizations that offer large language models or comparable generative AI systems.
- 2026 and beyond: All requirements for high-risk AI systems will take effect. Organizations that deploy high-risk systems will need this period to put their risk management systems, documentation, and compliance assessments in order.
Until harmonized standards are available, providers can follow a code of practice to establish a presumption of conformity. This provides practical guidance for organizations that want to take action now.
What are the penalties for noncompliance with the AI Act?
The EU AI Act provides for substantial fines for organizations that violate the rules. The amount of the penalty depends on the severity of the violation and the size of the organization, with higher absolute amounts applying to large companies.
The fine structure is organized as follows:
- Prohibited AI practices: fines of up to 35 million euros or 7% of global annual revenue, whichever is higher
- Other violations of obligations: fines of up to 15 million euros or 3% of global annual revenue
- Providing inaccurate information to regulators: fines of up to 7.5 million euros or 1% of global annual revenue
Lower maximum amounts apply to small and medium-sized enterprises. In addition to financial penalties, regulators may also impose temporary or permanent market bans on non-compliant AI systems. Enforcement is the responsibility of national regulators in collaboration with the European AI Office, which is specifically responsible for overseeing GPAI models.
How Pegamento Helps with AI Compliance and the Smart Use of AI
Navigating the requirements of the EU AI Act is complex, especially if you also want to use AI to make your organization more efficient. We help Dutch organizations achieve both goals: deploying AI responsibly and in compliance with regulations, while also delivering real value.
What we can do for you:
- Agentic AI assistants that take the initiative and act on their own, rather than simply following instructions. This is what we see as the evolution from traditional RPA to Agentic AI for customer service: self-thinking assistants that handle complex tasks autonomously.
- Customized solutions using standard building blocks, so you don’t need costly custom work but still get a solution that fits your processes and systems perfectly.
- Everything under one roof: from advice on risk classification and documentation to implementation, management, and support—without complex supplier management or silos.
- An ISO 27001-certified process as the foundation for information security, supplemented by ISO 9001 and ISO 26000 for quality and social responsibility.
Would you like to know how your organization can make the transition to responsible AI while complying with the EU AI Act? Contact us, and we’d be happy to help you figure it out.
Frequently Asked Questions
How can I be sure which risk category my AI system falls into?
Start by checking whether your system is listed in Annex III of the EU AI Act, which describes the eight high-risk domains. Next, check whether the system performs profiling of natural persons—this is always considered high-risk. If you’re unsure, it’s strongly recommended that you have a formal risk analysis conducted and document the results in writing, as the burden of proof lies with the provider.
We use an AI tool from a third-party provider. Are we also responsible for compliance?
Yes, as the deployer, you share responsibility. You are required to verify that the provider has fulfilled its obligations, to use the tool in accordance with its intended purpose, and to ensure human oversight. Please note: as soon as you modify the tool, put your own name on it, or expand its use beyond the original purpose, you yourself are considered a provider with all the associated significant obligations.
What is the first concrete step my organization should take now?
Start with an AI inventory: identify all AI systems that your organization is currently developing, using, or considering implementing. Classify each system based on the risk categories outlined in the EU AI Act. This will give you immediate insight into which deadlines are relevant to you and where the highest priority lies for compliance measures.
Does the reporting requirement for chatbots also apply if we use them only internally, for example, for employees?
The transparency requirement applies to situations where end users interact directly with an AI system. In cases of internal use where employees know they are working with an AI tool, the exception may apply if it is ‘obvious to a reasonable person.’ Nevertheless, it is wise to include a clear AI disclosure even for internal tools, both for compliance and to foster trust within the organization.
What exactly does a 'substantial change' entail, and when does it suddenly make me a provider?
The EU AI Act defines a substantial change as a modification that affects the system’s compliance or alters its intended purpose, thereby placing the system in a higher risk category. Practical examples include retraining a model on new data, expanding functionality to a high-risk application, or integrating it into a new system that affects fundamental rights. When in doubt, a legal review prior to the modification is essential.
How does the EU AI Act relate to the GDPR? Do we need to manage those obligations separately?
The EU AI Act and the GDPR complement each other but are separate regulations with their own obligations. The GDPR governs the protection of personal data, while the AI Act focuses on the safety and reliability of AI systems themselves. In practice, they overlap when it comes to high-risk AI that processes personal data—think of requirements related to data quality and transparency. An integrated compliance approach that combines both laws is more efficient than treating them as completely separate.
What if my organization is already using a high-risk system that isn’t yet compliant?
The full obligations for high-risk systems will take effect in 2026, which means you still have time to get your affairs in order. Use this time to prioritize setting up a risk management system, preparing technical documentation, and establishing human oversight. Don’t wait until the deadline is approaching: conformity assessments and adapting existing systems take more time than organizations typically expect.


