{"id":32296,"date":"2026-07-12T08:00:00","date_gmt":"2026-07-12T06:00:00","guid":{"rendered":"https:\/\/pegamento.nl\/niet-gecategoriseerd\/which-ai-systems-are-covered-by-the-ai-act-and-which-are-not\/"},"modified":"2026-07-12T10:00:32","modified_gmt":"2026-07-12T08:00:32","slug":"which-ai-systems-are-covered-by-the-ai-act-and-which-are-not","status":"publish","type":"post","link":"https:\/\/pegamento.nl\/en\/contact-center\/which-ai-systems-are-covered-by-the-ai-act-and-which-are-not\/","title":{"rendered":"Which AI systems are covered by the AI Act, and which are not?"},"content":{"rendered":"<p>Not all AI systems are covered by the <a href=\"https:\/\/pegamento.nl\/en\/ai-powered-intelligence\/\">AI Act<\/a>. The European AI Regulation uses a risk-based approach: the greater the potential risk an AI application poses to people or society, the stricter the rules. Most AI applications that companies use on a daily basis fall into the lowest risk category and are barely regulated. In this article, we answer the most frequently asked questions about the scope of the AI Act.   <\/p>\n<h2>What criteria determine whether an AI system falls under the AI Act?<\/h2>\n<p>Whether an AI system falls under the AI Act depends on two factors: the system\u2019s risk level and the role your organization plays in its development or use. The AI Act classifies all AI applications into four risk categories: prohibited, high-risk, limited-risk, and minimal or no risk. <\/p>\n<p>The regulation applies to providers who place AI systems on the EU market, as well as importers, distributors, and deployers who put AI systems into service. Organizations outside the EU are also subject to the regulation if their systems are used within the European Union. The role you play in the supply chain determines which obligations specifically apply to you.  <\/p>\n<p>The intended use is also important. If you modify a system so that it becomes high-risk, or if you put your own name on it, you automatically become a provider, with all the associated obligations. The same applies if you change the purpose of a system in such a way that it falls into a higher risk category.  <\/p>\n<h2>Which AI applications are completely prohibited under the AI Act?<\/h2>\n<p>A limited category of AI applications is completely prohibited under the AI Act. These prohibitions take effect on February 2, 2025, and target applications that seriously violate fundamental rights or human dignity. <\/p>\n<p>The following practices are prohibited:<\/p>\n<ul>\n<li>Subliminal or manipulative techniques that influence behavior without a person&#8217;s awareness and cause significant harm<\/li>\n<li>Exploiting vulnerabilities based on age, disability, or socioeconomic status<\/li>\n<li>Social scoring by governments based on personal behavior<\/li>\n<li>Predictive policing based solely on profiling, without concrete evidence<\/li>\n<li>Creating facial recognition databases through undirected scraping of the internet or camera footage<\/li>\n<li>Emotion recognition in the workplace or in educational institutions, except for medical or security purposes<\/li>\n<li>Biometric categorization to infer sensitive characteristics such as race, political views, or sexual orientation<\/li>\n<li>Real-time remote biometric identification in public spaces for law enforcement purposes, except in strictly defined exceptional circumstances<\/li>\n<\/ul>\n<p>That last exception, for law enforcement purposes, requires prior authorization by a judicial or independent administrative authority, a fundamental rights impact assessment, and registration in the EU database. In emergency situations, authorization must be requested within 24 hours. <\/p>\n<h2>Which AI systems are considered high-risk, and what are the requirements?<\/h2>\n<p>An AI system is considered high-risk if it is a safety component of a product subject to European harmonization legislation, or if it falls under one of the eight use cases listed in Annex III of the AI Act. High-risk AI is subject to strict obligations for providers and users. <\/p>\n<p>The eight areas listed in Annex III are:<\/p>\n<ol>\n<li>Biometrics<\/li>\n<li>Critical Infrastructure<\/li>\n<li>Education and Vocational Training<\/li>\n<li>Employment and Human Resources Management<\/li>\n<li>Access to essential services, including credit, insurance, and emergency calls<\/li>\n<li>Law Enforcement<\/li>\n<li>Migration and Border Control<\/li>\n<li>The Administration of Justice and Democratic Processes<\/li>\n<\/ol>\n<p>Systems that perform only a narrow procedural or preparatory task and do not pose a significant risk to fundamental rights may be excluded from the high-risk category, provided that the provider documents this with supporting evidence. However, systems that perform profiling of natural persons are always considered high-risk, without exception. <\/p>\n<p>The requirements for high-risk AI are extensive: a robust risk management system, technical documentation, automatic logging of activities, transparency toward users, human oversight, and registration in the EU database. Most of the requirements for Annex III systems will take effect on August 2, 2026. <\/p>\n<h2>Which AI systems are exempt from the AI Act?<\/h2>\n<p>AI systems with minimal or no risk are exempt from most of the obligations under the AI Act. This is by far the largest category and encompasses the vast majority of AI applications that companies use today, such as spam filters, recommendation algorithms, and simple automation tools. <\/p>\n<p>In addition to the risk category, there are specific exemptions based on use or context:<\/p>\n<ul>\n<li><strong>Scientific research and development:<\/strong> AI systems developed exclusively for research purposes and not yet placed on the market fall outside the scope of the regulation.<\/li>\n<li><strong>Military and national security applications:<\/strong> AI used exclusively for military or national security purposes is not covered by the AI Act.<\/li>\n<li><strong>Personal use:<\/strong> AI systems that you use exclusively for your own personal use are exempt.<\/li>\n<li><strong>Open-source GPAI models:<\/strong> Providers of General Purpose AI models under a free and open-source license are exempt from documentation and information requirements, unless the model poses a systemic risk.<\/li>\n<\/ul>\n<p>It is still a good idea to document why you reached that conclusion, even for low-risk applications. That way, in the event of an audit, you can demonstrate that you made the assessment deliberately. <\/p>\n<h2>Do generative AI and large language models also fall under the AI Act?<\/h2>\n<p>Yes, generative AI and large language models fall under the AI Act, but under a separate regime: the GPAI (General Purpose AI) rules. This regime applies to models with broad applicability that can perform a wide range of tasks and be integrated into various systems, such as large language models. <\/p>\n<p>All providers of GPAI models must meet a number of basic requirements:<\/p>\n<ul>\n<li>Prepare and keep technical documentation up to date<\/li>\n<li>Inform downstream providers about capacities and limitations<\/li>\n<li>Implement a policy to comply with the Copyright Directive<\/li>\n<li>Make a summary of the training data used publicly available<\/li>\n<\/ul>\n<p>If the cumulative training computation exceeds 10 to the power of 25 floating-point operations (FLOP), a model is classified as a model posing <strong>a systemic risk<\/strong>. Such models are subject to additional obligations: model evaluations using advanced testing protocols, mitigation of systemic risks, immediate reporting of serious incidents to the AI Office, and an adequate level of cybersecurity. The provider must notify the European Commission within two weeks once that threshold is reached.  <\/p>\n<p>The GPAI requirements take effect on August 2, 2025. GPAI models that were already on the market before that date must be compliant by August 2, 2027, at the latest. <\/p>\n<h2>What are the consequences if an AI system does not comply with the AI Act?<\/h2>\n<p>The consequences of noncompliance with the AI Act can be significant. The fine structure is tiered and depends on the severity of the violation. For small and medium-sized enterprises, the fine is always the lesser of a fixed amount or a percentage of annual revenue.  <\/p>\n<p>The three categories of fines are:<\/p>\n<ul>\n<li><strong>Violations of prohibited practices (Article 5):<\/strong> up to 35 million euros or 7% of global annual revenue, whichever is higher<\/li>\n<li><strong>Non-compliance with other obligations:<\/strong> up to 15 million euros or 3% of global annual revenue<\/li>\n<li><strong>Inaccurate or misleading information provided to authorities:<\/strong> up to 7.5 million euros or 1% of global annual revenue<\/li>\n<\/ul>\n<p>The oversight of high-risk AI falls under the jurisdiction of national market surveillance authorities. In January 2026, Finland became the first EU member state to formally grant enforcement powers to its national authority. The European AI Office oversees GPAI models in all 27 member states. GPAI providers may be fined by the European Commission up to a maximum of 15 million euros or 3% of their global annual turnover.   <\/p>\n<p>In addition to financial penalties, non-compliance can lead to market bans, reputational damage, and a loss of customer trust. Identifying early on which AI systems you use and which category they fall into is therefore a wise first step. <\/p>\n<h2>How Pegamento Helps with AI Act Compliance<\/h2>\n<p>The AI Act sets out clear requirements for how you deploy, document, and manage AI. If you use AI applications in customer interactions, process automation, or decision support, it is important to know which risk category they fall under and what obligations apply. We provide organizations with concrete guidance on this:  <\/p>\n<ul>\n<li><strong>Insight into Your AI Portfolio:<\/strong> Together, we\u2019ll identify which AI systems you use and how they are classified under the AI Act<\/li>\n<li><strong>Responsible Use of Agentic AI:<\/strong> Our <a href=\"https:\/\/pegamento.nl\/en\/agentic-ai-for-customer-service\/\">Agentic AI for customer service<\/a> is designed with transparency and human oversight as core principles, ensuring that you meet the requirements for low- and high-risk applications<\/li>\n<li><strong>Documentation and governance:<\/strong> We provide support in drafting technical documentation and establishing an internal AI governance process<\/li>\n<li><strong>Everything under one roof:<\/strong> from consulting and implementation to management and compliance support, without having to manage multiple vendors<\/li>\n<\/ul>\n<p>Would you like to know where your organization stands right now in terms of AI Act compliance? <a href=\"https:\/\/pegamento.nl\/en\/contact-2\/\">Contact us<\/a>, and we\u2019d be happy to help you figure it out.<\/p>\n        <div class=\"wp-block-seoaic-faq-block\">\n            <h2 class=\"seoaic-faq-section-title\">Frequently Asked Questions<\/h2>\n                            <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        How do I determine which risk category my AI system falls into?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        Start by reviewing the prohibited practices listed in Article 5 of the AI Act. If your system does not fall under any of those, check whether it is a safety component of a regulated product or is listed in Annex III. If that is not the case either, there is a good chance your system falls into the minimal or no-risk category. Always document your reasoning in writing so that, in the event of an audit, you can demonstrate that you made the assessment deliberately and with sound reasoning.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        We use an AI tool from a third-party supplier. Are we also responsible for AI Act compliance?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        Yes, as a deployer\u2014the party that puts an AI system into use\u2014you have your own obligations under the AI Act, even if you did not develop the system yourself. For high-risk AI, your responsibilities include ensuring human oversight, complying with the provider\u2019s instructions for use, and reporting serious incidents. Check with your supplier to determine the system\u2019s risk category and request the corresponding technical documentation.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        What is the difference between a provider and a deployer, and why does it matter?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        A provider develops an AI system and places it on the market or puts it into service; a deployer purchases an existing system and uses it for their own purposes. This distinction is crucial because providers bear the most stringent obligations, such as providing technical documentation, conducting conformity assessments, and registering the system in the EU database. If, due to modifications or a name change, you effectively become the provider of a system, then all associated provider obligations automatically apply to you.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        Our organization uses ChatGPT or a similar GPAI model. What obligations apply to us in that case?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        If you purchase and use a GPAI model such as ChatGPT within your organization, you are the deployer and not the provider of the model itself. The GPAI obligations, such as technical documentation and copyright policies, rest with the provider (OpenAI, Google, etc.). Your responsibility as a deployer is to assess the purpose for which you are using the model: if you use it as part of a high-risk application, the high-risk obligations still apply to you as the deployer.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        What are the most common mistakes organizations make when assessing their AI Act obligations?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        A common mistake is assuming that a system is automatically low-risk simply because it\u2019s used internally or is small in scale\u2014the AI Act focuses on the intended use and the impact, not on the size. Another common mistake is overlooking the deployer\u2019s obligations: even if you don\u2019t develop anything yourself, you still have specific responsibilities regarding oversight and incident reporting for high-risk AI. Finally, organizations often underestimate when modifying an existing system makes them a provider.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        By when must my organization be compliant with the AI Act?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        The AI Act has a phased implementation. The prohibited practices take effect as of February 2, 2025. The GPAI obligations apply starting August 2, 2025, with a transition period until August 2, 2027, for models that were already on the market before that date. The obligations for high-risk AI systems listed in Annex III take effect on August 2, 2026. It\u2019s wise to start taking stock of your AI portfolio now, so you can take the right steps well in advance.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        What does a practical first-step plan for AI Act compliance look like?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        Start with an AI inventory: identify which AI systems your organization uses, who you purchase them from, and for what purpose you use them. Next, classify each system based on the risk categories and determine which role you play (provider, deployer, importer). Document your assessments in writing and prioritize the systems that may be high-risk, as those carry the most stringent obligations and the most urgent deadlines.                    <\/p>\n                <\/div>\n                        <\/div>\n        ","protected":false},"excerpt":{"rendered":"<p>The AI Act does not apply to all systems \u2014 find out which AI applications are prohibited, high-risk, or exempt.<\/p>\n","protected":false},"author":2,"featured_media":32297,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[500],"tags":[],"class_list":["post-32296","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-contact-center"],"_links":{"self":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts\/32296","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/comments?post=32296"}],"version-history":[{"count":1,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts\/32296\/revisions"}],"predecessor-version":[{"id":32298,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts\/32296\/revisions\/32298"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/media\/32297"}],"wp:attachment":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/media?parent=32296"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/categories?post=32296"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/tags?post=32296"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}