EU AI Act obligations: who must do what, and when
One page that maps every obligation to your risk category, your role and your company size — based on the final, in-force text of the AI Act as amended by the Digital Omnibus.
Legal status as of: 14 July 2026
Where obligations come from
Three questions that determine everything
1.
What is the system's risk category?
Prohibited, high-risk, limited-risk (Art. 50), minimal risk — plus separate GPAI model rules. This decides WHICH obligations exist at all.
2.
What is your company's role?
Provider (you build and place the system on the market) or deployer (you use it professionally). This decides WHO performs each obligation.
3.
How big is your company?
Micro, SME, SMC or large. Size does NOT change the scope of obligations — only the form (simplified templates) and the level of penalties.
Company size never exempts you from an obligation. A 2-person startup providing a high-risk system has the same substantive obligations as a corporation — it just gets simplified forms and lower fines.
Provider or deployer?
Your role decides your obligation package
Provider
Develops an AI system (or has it developed) and places it on the market or into service under its own name.
Examples: a software house selling credit-scoring AI; a startup offering a SaaS chatbot.
Deployer
Uses an AI system in the course of professional activity (personal use is out of scope).
Examples: a company screening CVs with AI; a bank using purchased credit scoring.
The role-switch trap (Art. 25)
A deployer becomes a provider — with the full provider package — when it puts its own brand on the system, substantially modifies a high-risk system, or repurposes a system so that it becomes high-risk. Fine-tuning a model for your own product is often a substantial modification.
The obligation matrix
Obligations by risk category and role
Annex III use cases (recruitment, credit scoring, education, biometrics…) or safety components of regulated products (Annex I). Deadline: 2 Dec 2027 (Annex III) / 2 Aug 2028 (Annex I).
Provider
- Required
Risk management system
Art. 9
- Required
Data governance documentation
Art. 10
- Required
Technical documentation (Annex IV; simplified for SME/startups/SMC)
Art. 11
- Required
Automatic event logging (record-keeping)
Art. 12/19
- Required
Instructions for use for deployers
Art. 13
- Required
Human oversight designed into the system
Art. 14
- Required
Accuracy, robustness and cybersecurity
Art. 15
- Required
Quality management system (proportionate for SME/SMC)
Art. 17
- Required
Conformity assessment (Annex III: usually internal control)
Art. 43
- Required
EU Declaration of Conformity
Art. 47
- Required
CE marking
Art. 48
- Required
Registration in the EU database (Annex III)
Art. 49(1)
- Required
Post-market monitoring plan
Art. 72
- Conditional
Corrective actions + serious incident reporting
Art. 20/73
- Required
Measures supporting staff AI literacy
Art. 4
Deployer
- Required
Use per the provider's instructions (procurement docs!)
Art. 26(1)
- Required
Assign human oversight to competent staff
Art. 26(2)
- Conditional
Input data quality — when you control the data
Art. 26(4)
- Required
Monitor operation, suspend use on problems
Art. 26(5)
- Required
Keep logs for at least 6 months
Art. 26(6)
- Conditional
Inform workers before workplace deployment
Art. 26(7)
- Conditional
EU database registration — public bodies only
Art. 49(3)
- Required
Inform persons affected by the system's decisions
Art. 26(11)
- Conditional
FRIA — only certain deployers (see the FRIA section)
Art. 27
- Conditional
Report incidents to the provider and authority
Art. 26(5)
- Required
Measures supporting staff AI literacy
Art. 4
Categories stack: a high-risk system that is also e.g. a chatbot has BOTH the high-risk package AND the Art. 50 transparency obligations.
The most common misconception
FRIA — who actually needs one
A Fundamental Rights Impact Assessment (Art. 27) does NOT apply to every deployer of a high-risk system. It is mandatory only for four groups:
Bodies governed by public law
Public offices, public universities, public hospitals
Private entities providing public services
Private operators in education, healthcare, public transport
Deployers of credit-scoring AI (Annex III 5(b))
Banks, fintechs, leasing companies
Deployers of life & health insurance AI (Annex III 5(c))
Insurers pricing life or health risk
A private company using AI for recruitment (Annex III pt 4) does NOT need a FRIA — it only has the Art. 26 deployer package.
Practical status: the official AI Office FRIA template (Art. 27(5)) has still not been published — and its absence does not suspend the obligation. Attestia's FRIA wizard covers the six mandatory elements of Art. 27(1) today.
Company size
What size changes — and what it never changes
| Category | Headcount | Turnover |
|---|---|---|
| Microenterprise | < 10 | ≤ EUR 2M |
| SME | < 250 | ≤ EUR 50M |
| SMC (small mid-cap) | < 750 | ≤ EUR 150M |
| Large company | the rest | — |
What size changes (final Digital Omnibus)
- Simplified technical documentation (Art. 11) — SME + startups + SMC
- Proportionate QMS implementation (Art. 17(2)) — explicitly SME + SMC; fully simplified QMS (Art. 63) only for SMEs without partner/linked enterprises
- Penalties (Art. 99): for SMEs/startups the LOWER of the amount or % of turnover
- Priority access to regulatory sandboxes for SMEs/startups
What size never changes
- The risk classification — credit scoring is high-risk whether built by a startup or a bank
- The list of obligations — an SME provider still needs QMS, risk management, declaration, CE, registration
- The deadlines
- The Art. 5 prohibitions
Deadlines
When each obligation starts to apply
Dates below reflect the final Digital Omnibus (in force since July 2026) and are read from the same source that powers the Attestia dashboard.
- In force
Art. 5 prohibitions + AI literacy (Art. 4)
Prohibited practices banned; duty to support staff AI literacy applies to every AI system.
- In force
GPAI model obligations
Documentation, copyright policy and training-data summary for providers of general-purpose models.
- Upcoming
Art. 50 transparency
Chatbot disclosure, synthetic content marking, deepfake labelling. NOT postponed by the Digital Omnibus.
- Upcoming
Watermarking grace ends + CSAM/NCII ban applies
GenAI systems placed on the market before 2 Aug 2026 must comply with machine-readable marking; the new Art. 5 prohibition starts to apply.
- Upcoming
National AI regulatory sandboxes
Member State obligation (at least one operational sandbox) — not a company obligation.
- Upcoming
High-risk Annex III (standalone)
Recruitment, credit scoring, education, biometrics — the full provider and deployer packages, including FRIA where applicable.
- Upcoming
High-risk Annex I (embedded in products)
AI as safety components of regulated products; machinery products are carved out.
Which one is you?
Six typical situations
Poland
Polish implementing act and KRiBSI
Poland is among the first EU countries with a ready implementing act (ustawa o systemach sztucznej inteligencji). The Sejm passed it on 11 June 2026; it enters into force 14 days after publication in the Journal of Laws.
- KRiBSI — the national AI market surveillance authority and single contact point towards EU institutions; handles inspections and citizen complaints
- National regulatory sandboxes for companies
- National procedures and penalties enforcing the AI Act in Poland
Cheat sheet
Essential vs optional
Always essential (every company, today)
- AI literacy (Art. 4) — measures supporting staff competence
- Checking the system against the Art. 5 prohibitions
- Knowing your role: provider or deployer
Essential depending on category and role
- High-risk provider → the full Art. 16 package (9 document types)
- High-risk deployer → the Art. 26 package; FRIA only for four groups
- Chatbots, generated content, deepfakes → Art. 50 transparency notice
Formally optional, practically worth it
- AI procurement documents — without the provider's instructions you cannot meet Art. 26(1)
- An internal AI system register with classifications — evidence of due diligence
- Transparency Code of Practice (final, 10 Jun 2026) — a voluntary compliance path for Art. 50(2)/(4)
From reading to audit-ready in days
Attestia classifies your AI systems, tracks every deadline on this page and generates all 12 document types — self-serve, without consultants.
Attestia is a compliance automation tool, not legal advice. Review all outputs with a qualified advisor.