EU AI Act Guide

EU AI Act obligations: who must do what, and when

One page that maps every obligation to your risk category, your role and your company size — based on the final, in-force text of the AI Act as amended by the Digital Omnibus.

Legal status as of: 14 July 2026

Where obligations come from

Three questions that determine everything

1.

What is the system's risk category?

Prohibited, high-risk, limited-risk (Art. 50), minimal risk — plus separate GPAI model rules. This decides WHICH obligations exist at all.

2.

What is your company's role?

Provider (you build and place the system on the market) or deployer (you use it professionally). This decides WHO performs each obligation.

3.

How big is your company?

Micro, SME, SMC or large. Size does NOT change the scope of obligations — only the form (simplified templates) and the level of penalties.

Company size never exempts you from an obligation. A 2-person startup providing a high-risk system has the same substantive obligations as a corporation — it just gets simplified forms and lower fines.
AI Act risk map: prohibited, high-risk, limited risk / Art. 50, and minimal risk categories with deadlines

Provider or deployer?

Your role decides your obligation package

Provider

Develops an AI system (or has it developed) and places it on the market or into service under its own name.

Examples: a software house selling credit-scoring AI; a startup offering a SaaS chatbot.

Deployer

Uses an AI system in the course of professional activity (personal use is out of scope).

Examples: a company screening CVs with AI; a bank using purchased credit scoring.

The role-switch trap (Art. 25)

A deployer becomes a provider — with the full provider package — when it puts its own brand on the system, substantially modifies a high-risk system, or repurposes a system so that it becomes high-risk. Fine-tuning a model for your own product is often a substantial modification.

The obligation matrix

Obligations by risk category and role

Annex III use cases (recruitment, credit scoring, education, biometrics…) or safety components of regulated products (Annex I). Deadline: 2 Dec 2027 (Annex III) / 2 Aug 2028 (Annex I).

Provider

  • Risk management system

    Art. 9

    Required
  • Data governance documentation

    Art. 10

    Required
  • Technical documentation (Annex IV; simplified for SME/startups/SMC)

    Art. 11

    Required
  • Automatic event logging (record-keeping)

    Art. 12/19

    Required
  • Instructions for use for deployers

    Art. 13

    Required
  • Human oversight designed into the system

    Art. 14

    Required
  • Accuracy, robustness and cybersecurity

    Art. 15

    Required
  • Quality management system (proportionate for SME/SMC)

    Art. 17

    Required
  • Conformity assessment (Annex III: usually internal control)

    Art. 43

    Required
  • EU Declaration of Conformity

    Art. 47

    Required
  • CE marking

    Art. 48

    Required
  • Registration in the EU database (Annex III)

    Art. 49(1)

    Required
  • Post-market monitoring plan

    Art. 72

    Required
  • Corrective actions + serious incident reporting

    Art. 20/73

    Conditional
  • Measures supporting staff AI literacy

    Art. 4

    Required

Deployer

  • Use per the provider's instructions (procurement docs!)

    Art. 26(1)

    Required
  • Assign human oversight to competent staff

    Art. 26(2)

    Required
  • Input data quality — when you control the data

    Art. 26(4)

    Conditional
  • Monitor operation, suspend use on problems

    Art. 26(5)

    Required
  • Keep logs for at least 6 months

    Art. 26(6)

    Required
  • Inform workers before workplace deployment

    Art. 26(7)

    Conditional
  • EU database registration — public bodies only

    Art. 49(3)

    Conditional
  • Inform persons affected by the system's decisions

    Art. 26(11)

    Required
  • FRIA — only certain deployers (see the FRIA section)

    Art. 27

    Conditional
  • Report incidents to the provider and authority

    Art. 26(5)

    Conditional
  • Measures supporting staff AI literacy

    Art. 4

    Required

Categories stack: a high-risk system that is also e.g. a chatbot has BOTH the high-risk package AND the Art. 50 transparency obligations.

The most common misconception

FRIA — who actually needs one

A Fundamental Rights Impact Assessment (Art. 27) does NOT apply to every deployer of a high-risk system. It is mandatory only for four groups:

Bodies governed by public law

Public offices, public universities, public hospitals

Private entities providing public services

Private operators in education, healthcare, public transport

Deployers of credit-scoring AI (Annex III 5(b))

Banks, fintechs, leasing companies

Deployers of life & health insurance AI (Annex III 5(c))

Insurers pricing life or health risk

A private company using AI for recruitment (Annex III pt 4) does NOT need a FRIA — it only has the Art. 26 deployer package.
FRIA scope: who must carry one out and who does not — example of a private company using AI for recruitment

Practical status: the official AI Office FRIA template (Art. 27(5)) has still not been published — and its absence does not suspend the obligation. Attestia's FRIA wizard covers the six mandatory elements of Art. 27(1) today.

Company size

What size changes — and what it never changes

CategoryHeadcountTurnover
Microenterprise< 10≤ EUR 2M
SME< 250≤ EUR 50M
SMC (small mid-cap)< 750≤ EUR 150M
Large companythe rest

What size changes (final Digital Omnibus)

  • Simplified technical documentation (Art. 11) — SME + startups + SMC
  • Proportionate QMS implementation (Art. 17(2)) — explicitly SME + SMC; fully simplified QMS (Art. 63) only for SMEs without partner/linked enterprises
  • Penalties (Art. 99): for SMEs/startups the LOWER of the amount or % of turnover
  • Priority access to regulatory sandboxes for SMEs/startups

What size never changes

  • The risk classification — credit scoring is high-risk whether built by a startup or a bank
  • The list of obligations — an SME provider still needs QMS, risk management, declaration, CE, registration
  • The deadlines
  • The Art. 5 prohibitions

Deadlines

When each obligation starts to apply

Dates below reflect the final Digital Omnibus (in force since July 2026) and are read from the same source that powers the Attestia dashboard.

  1. In force

    Art. 5 prohibitions + AI literacy (Art. 4)

    Prohibited practices banned; duty to support staff AI literacy applies to every AI system.

  2. In force

    GPAI model obligations

    Documentation, copyright policy and training-data summary for providers of general-purpose models.

  3. Upcoming

    Art. 50 transparency

    Chatbot disclosure, synthetic content marking, deepfake labelling. NOT postponed by the Digital Omnibus.

  4. Upcoming

    Watermarking grace ends + CSAM/NCII ban applies

    GenAI systems placed on the market before 2 Aug 2026 must comply with machine-readable marking; the new Art. 5 prohibition starts to apply.

  5. Upcoming

    National AI regulatory sandboxes

    Member State obligation (at least one operational sandbox) — not a company obligation.

  6. Upcoming

    High-risk Annex III (standalone)

    Recruitment, credit scoring, education, biometrics — the full provider and deployer packages, including FRIA where applicable.

  7. Upcoming

    High-risk Annex I (embedded in products)

    AI as safety components of regulated products; machinery products are carved out.

Which one is you?

Six typical situations

Limited risk · provider
15-person startup with a SaaS support chatbot

Art. 50(1) disclosure that users are talking to AI + content marking if it generates content; staff AI literacy. No QMS, no declaration, no FRIA.

Deadline: 2 Aug 2026

High-risk · deployer
200-person company buys CV-screening AI

Art. 26 package: provider's instructions (procurement!), human oversight, monitoring, 6-month logs, informing workers and candidates. NO FRIA (private company, not 5(b)/(c)).

Deadline: 2 Dec 2027

High-risk · provider · SME
40-person software house builds credit scoring

Full Art. 16 package: risk management, data governance, SIMPLIFIED technical documentation, QMS, conformity assessment, EU declaration, CE, EU registration, post-market monitoring plan.

Deadline: 2 Dec 2027 · SME penalty rule

High-risk · deployer · FRIA
Bank deploys purchased credit scoring

Art. 26 package + FRIA before first use + notifying results to the authority; coordinate with the GDPR DPIA.

Deadline: 2 Dec 2027

Minimal risk · deployer
Company uses ChatGPT/Copilot for office work

AI literacy (usage policy + training). Watch for drift: using LLMs for decisions about employees jumps you to scenario B.

AI literacy: applies now

Art. 25 trap
Startup fine-tunes an open-source LLM and sells it as an HR product

Becomes a PROVIDER of a high-risk system — the full scenario C package, not scenario E.

Deadline: 2 Dec 2027

Poland

Polish implementing act and KRiBSI

Passed parliament — awaiting presidential signature

Poland is among the first EU countries with a ready implementing act (ustawa o systemach sztucznej inteligencji). The Sejm passed it on 11 June 2026; it enters into force 14 days after publication in the Journal of Laws.

  • KRiBSI — the national AI market surveillance authority and single contact point towards EU institutions; handles inspections and citizen complaints
  • National regulatory sandboxes for companies
  • National procedures and penalties enforcing the AI Act in Poland

Cheat sheet

Essential vs optional

Always essential (every company, today)

  • AI literacy (Art. 4) — measures supporting staff competence
  • Checking the system against the Art. 5 prohibitions
  • Knowing your role: provider or deployer

Essential depending on category and role

  • High-risk provider → the full Art. 16 package (9 document types)
  • High-risk deployer → the Art. 26 package; FRIA only for four groups
  • Chatbots, generated content, deepfakes → Art. 50 transparency notice

Formally optional, practically worth it

  • AI procurement documents — without the provider's instructions you cannot meet Art. 26(1)
  • An internal AI system register with classifications — evidence of due diligence
  • Transparency Code of Practice (final, 10 Jun 2026) — a voluntary compliance path for Art. 50(2)/(4)

From reading to audit-ready in days

Attestia classifies your AI systems, tracks every deadline on this page and generates all 12 document types — self-serve, without consultants.

Attestia is a compliance automation tool, not legal advice. Review all outputs with a qualified advisor.