EU AI Act
The Regulation on artificial intelligence (Regulation (EU) 2024/1689, AI Act) is the first comprehensive AI rulebook worldwide. It takes a risk-based approach to regulating the development, use and monitoring of AI systems that are made available or used on the EU market, regardless of the provider's country of establishment. High-risk AI (Annex III: biometrics, critical infrastructure, education, employment, essential services, law enforcement, border control, administration of justice) is subject to conformity assessment, technical documentation and a registration obligation, with a deadline of 2 August 2026. In Germany, responsibility lies with the Federal Network Agency (Bundesnetzagentur, BNetzA) as the central market surveillance authority, the BSI (cybersecurity), the BfDI (data protection) and sectoral supervisory bodies. Maximum fine: EUR 35 million or 7% of worldwide annual turnover.
What does AI Act require and when does it apply?
AI Act applies to Technology and Healthcare organisations across all EU member states. The key deadline is August 2, 2026 (high-risk systems). Non-compliance carries a maximum penalty of €35M or 7% of global turnover. Core obligations include classifying AI systems by risk tier and implementing risk management systems.
- Classify AI systems by risk tier
- Implement risk management systems
- Ensure transparency and human oversight
- Register high-risk systems in EU database
- Conduct fundamental rights impact assessments
| Deadline | August 2, 2026 (high-risk systems) |
| Max fine | €35M or 7% of global turnover |
| Primary sectors | Technology, Healthcare, Financial Services |
Source: Official Journal of the European Union — EU AI Act
Who does AI Act apply to?
The AI Act applies to all actors in the AI value chain (providers, deployers, importers, distributors) when AI systems are made available on the EU market or used in the EU, or when their outputs are used in the EU, regardless of the provider's country of establishment. Specific AI practices are prohibited (Art. 5); high-risk systems (Annex III) are subject to conformity assessment and documentation.
- Providers that make AI systems available on the EU market or put them into service
- Deployers established in the EU that use high-risk AI, or deployers outside the EU where effects arise in the EU
- Importers and distributors of AI systems into or within the EU
- Non-EU providers and deployers whose AI outputs are used in the EU as intended
- Eight high-risk areas (Annex III) + general-purpose AI models (GPAI) with additional obligations under Art. 51 ff.
What are the penalties for AI Act non-compliance?
The AI Act applies a three-tier system of fines. Violations of the prohibited AI practices (Art. 5) can incur fines of up to EUR 35 million or 7% of worldwide annual turnover, whichever is higher. Violations of high-risk obligations (conformity assessment, Annex IV documentation, risk management) can reach up to EUR 15 million or 3%. False or misleading information supplied to authorities is penalised with up to EUR 7.5 million or 1%.
| Maximum fine | €35 million or 7% of global annual turnover, whichever is higher |
When does AI Act apply?
The AI Act entered into force on 1 August 2024. Prohibited practices under Art. 5 have applied since 2 February 2025; obligations for general-purpose AI models (GPAI) since 2 August 2025. The central deadline for high-risk AI under Annex III is 2 August 2026: by that date, Annex IV documentation, conformity assessment and registration in the EU database must be completed. Annex I high-risk systems (embedded in regulated products) follow on 2 August 2027.
- 2024-08-01 — Entry into force
- 2025-02-02 — Prohibitions (Article 5) and AI-literacy obligation (Article 4) apply
- 2025-08-02 — Obligations for General-Purpose AI (GPAI) models apply
- 2026-08-02 — Most obligations for high-risk AI systems apply
- 2027-08-02 — High-risk obligations for Annex I-listed products apply
How do you prepare the technical documentation under Annex IV of the AI Act?
Art. 11 of the AI Act, in conjunction with Annex IV, obliges providers of high-risk AI systems to draw up and maintain technical documentation that must be submitted to the market surveillance authority on request. Annex IV is divided into nine mandatory areas; the following steps summarise the implementation.
1. Prepare a general system description: describe the intended purpose, provider and version details, hardware and software architecture, interfaces to other systems and the main use cases.
2. Document the development method and data basis: set out the learning methods used, the training, validation and test datasets, data provenance and selection, cleaning and annotation procedures, and data governance measures under Art. 10.
3. Describe the risk management system: identify, assess and mitigate risks to health, safety and fundamental rights across the entire lifecycle. Remaining residual risks must be acceptable and must be communicated in the instructions for use (Art. 9).
4. Demonstrate accuracy, robustness and cybersecurity: present performance metrics and measures against bias, adversarial attacks and data poisoning, including the corresponding test procedures under Art. 15.
5. Define transparency and human oversight: document the instructions for use for deployers, the options for human oversight and intervention under Art. 14, and the logging and record-keeping obligations under Art. 12.
6. Issue the declaration of conformity and affix the CE marking: after a successful conformity assessment, issue the EU declaration of conformity under Art. 47, affix the CE marking and register in the EU database system under Art. 49.
Highest fine tier under Art. 99(3) of the AI Act: up to EUR 35 million or up to 7% of worldwide turnover in the preceding financial year, whichever is higher, for violations of the prohibition of certain AI practices under Art. 5 (e.g. social scoring by public authorities, untargeted facial recognition databases).
Regulation (EU) 2024/1689, Art. 99
The EU AI Act applies to SMEs that provide or deploy AI systems affecting people in the EU. Most SMEs start as deployers: they must inventory AI use, train staff, classify risk, keep evidence, and meet high-risk obligations where Annex III applies.
Most Annex III high-risk AI obligations apply, including documentation, oversight, logs and risk management.
AI Act SME action checklist
List every internal and customer-facing AI tool, owner, vendor, purpose, data categories, user group and deployment status.
Articles 3, 4, 26
Separate prohibited, high-risk, limited-risk and minimal-risk use. Pay special attention to Annex III areas such as employment, education, credit, health and essential services.
Articles 5, 6, 50 and Annex III
Assign a human owner, define intended use, keep logs where available, follow provider instructions and record monitoring decisions.
Article 26
Provide AI literacy training to staff who procure, use, supervise or govern AI tools. Retain completion records and training content.
Article 4
Collect provider instructions, risk classification, data information, transparency notices, security controls and incident handling commitments.
Articles 13, 15, 16, 26
For Annex III systems, document human oversight, accuracy monitoring, data governance, incident escalation and fundamental-rights impact assessment triggers.
Articles 9-15, 26, 27, 73
EU AI Act application timeline
AI Act enters into force
Regulation (EU) 2024/1689 entered into force on the twentieth day following its publication in the Official Journal on 12 July 2024. The Regulation applies in phases over subsequent years pursuant to Article 113.
Applies to: All providers, deployers, importers and distributors of AI systems and GPAI models in the EU market
Prohibited AI practices ban applies
Article 5 prohibitions on unacceptable-risk AI systems become enforceable: subliminal manipulation, exploitation of vulnerabilities, social scoring by public authorities, real-time remote biometric identification in public spaces (with limited exceptions), emotion recognition in workplace and education, AI-based profiling to predict offences, and untargeted facial image scraping.
Applies to: All providers and deployers of AI systems in the EU
Note: Already in force since 2 February 2025. Verified against Art. 113(1) — six months after entry into force.
AI literacy obligation applies
Article 4 requires providers and deployers to take measures to ensure a sufficient level of AI literacy for their staff and persons operating AI systems on their behalf. This obligation became binding on 2 February 2025 alongside the prohibited practices prohibition.
Applies to: All providers and deployers of AI systems in the EU
Note: Already in force since 2 February 2025. Verified against Art. 113(1) — six months after entry into force.
GPAI model obligations apply
Chapter V provisions for providers of general-purpose AI models become applicable: technical documentation (Annex XI/XII), transparency information, copyright summary, and — for systemic-risk models — adversarial testing, incident notification, and cybersecurity measures. Codes of practice for GPAI model providers must also be finalised under Article 56.
Applies to: Providers of general-purpose AI models made available in the EU; providers of GPAI models with systemic risk
Note: Verified against Art. 113(3) — twelve months after entry into force (1 August 2024 + 12 months = 2 August 2025). NOTE: the task brief references Art. 113(c) but the phased dates are set out in Article 113 paragraphs, not lettered sub-provisions in the OJ text. This date is confirmed from the regulation text.
High-risk AI obligations — Annex III systems
Full obligations for high-risk AI systems listed in Annex III become applicable: risk management system (Art. 9), data governance (Art. 10), technical documentation (Art. 11), record-keeping (Art. 12), transparency (Art. 13), human oversight (Art. 14), accuracy and robustness (Art. 15), quality management (Art. 17), conformity assessment (Art. 43), EU database registration (Art. 71), and post-market monitoring (Art. 72). Annex III categories include biometrics, critical infrastructure, employment/HR tools, education/vocational training, essential private and public services, law enforcement, migration and asylum, and administration of justice.
Applies to: Providers and deployers of high-risk AI systems listed in Annex III (biometrics, critical infrastructure, employment, education, essential services, law enforcement, migration, justice)
Note: Verification needed — The original date (2 August 2026) is set by Art. 113(6) — 24 months after entry into force. The European Commission's Omnibus simplification package (COM(2025)87, February 2025) proposed amendments. A political agreement on certain Omnibus elements was reported but, as of 2026-05-12, formal adoption of amendments to Regulation (EU) 2024/1689 that would alter this date has not been confirmed in the Official Journal. This milestone remains at 2026-08-02 until a revised regulation is published. Human review required before asserting postponement.
High-risk AI obligations — Annex I product-safety AI
AI systems that are safety components of products covered by the Union harmonisation legislation listed in Annex I (e.g. machinery, medical devices, automotive) must comply. These systems must also pass conformity assessment under the applicable sectoral legislation.
Applies to: Providers of AI systems that are safety components of products under Annex I sectoral legislation (machinery, medical devices, lifts, radio equipment, etc.)
Note: Same caveats as Annex III milestone. Verification needed for any Commission-proposed postponement prior to asserting a revised date.
GPAI models already on market before Aug 2025 must comply
General-purpose AI models that were placed on the market before 2 August 2025 must comply with the Chapter V GPAI obligations by this date. This is the transitional grace period for legacy GPAI models.
Applies to: Providers of general-purpose AI models that were on the EU market before 2 August 2025 and have not yet complied with Chapter V obligations
Note: Verified against Art. 113(3) — 36 months after entry into force (1 August 2024 + 36 months = 2 August 2027).
Source: Regulation (EU) 2024/1689, Article 113 · Last checked: 2026-05-12
| Official name | Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) |
| Reg. No. | (EU) 2024/1689 |
| CELEX | 32024R1689 |
| Type | regulation |
| In force | 2024-08-01 |
| Applies from | 2026-08-02 |
| Max fine | €35 million or 7% of global annual turnover, whichever is higher |
| Authorities | European AI Office (EU); National competent authorities (member-state); European Data Protection Supervisor (EU), for EU institutions, bodies and agencies |
| Source | (EU) 2024/1689 — EUR-Lex Official Journal |
How do I comply with AI Act?
- Classify AI systems by risk tier
- Implement risk management systems
- Ensure transparency and human oversight
- Register high-risk systems in EU database
- Conduct fundamental rights impact assessments
Related Regulations
GDPR
GDPR governs the processing of personal data of EU residents. It requires lawful basis for processing, data subject rights, breach notification, and accountability measures.
NIS2
NIS2 expands cybersecurity obligations to essential and important entities across critical sectors. It mandates risk management, incident reporting, and supply chain security.
CRA
The CRA establishes cybersecurity requirements for products with digital elements sold in the EU. Manufacturers must ensure security by design and provide vulnerability handling.
Frequently Asked Questions
- What is the EU AI Act and what does it require?
- The EU AI Act (Regulation 2024/1689) classifies AI systems by risk level. Prohibited AI practices apply from February 2025. General Purpose AI model obligations apply from August 2025. High-risk AI system requirements — conformity assessments, documentation, human oversight — apply from August 2026. Providers of high-risk AI in healthcare, employment, critical infrastructure, and law enforcement face the strictest requirements. The AI Office (European Commission) enforces GPAI model rules; national market surveillance authorities enforce rules for other AI systems.
- What is an EU AI Act compliance checklist for 2026?
- An EU AI Act compliance checklist for 2026: (1) Map all AI systems to the risk classification tiers — prohibited, high-risk, limited-risk, minimal-risk; (2) For high-risk systems, implement a risk management system (Article 9), technical documentation (Article 11), quality management (Article 17), and post-market monitoring (Article 72); (3) Register high-risk systems in the EU AI database for in-scope sectors; (4) For GPAI models above 10²⁵ FLOPs training compute, comply with systemic risk obligations (Article 55); (5) Establish AI literacy programmes for staff under Article 4.
- When does EU AI Act enforcement start in 2026?
- EU AI Act enforcement is phased: prohibited AI practices apply from 2 February 2025; GPAI model obligations (Articles 51–56) from 2 August 2025; high-risk AI system rules for Annexes I and III sectors (healthcare, employment, education, critical infrastructure, law enforcement) from 2 August 2026. AI systems used as safety components of products covered by existing EU sectoral legislation face additional deadlines aligned with product safety laws. Member states must designate national competent authorities to enforce the Act.
- How do I classify high-risk AI systems under the EU AI Act?
- Under EU AI Act Annex III, AI systems are classified as high-risk when deployed in: biometric identification and categorisation; critical infrastructure management; education and vocational training; employment and HR management; essential private and public services (including credit scoring); law enforcement; migration and asylum management; and administration of justice. An AI system is also high-risk if it is a safety component of a product covered by existing EU product safety legislation. Article 6(3) allows providers to self-assess that an Annex III system is not high-risk if it poses no significant risk to health, safety, or fundamental rights.
- What does Article 10 of the EU AI Act require for data governance?
- Article 10 of the EU AI Act requires providers of high-risk AI systems to apply data governance practices to training, validation, and testing datasets. Datasets must be examined for possible biases; data collection must be lawful; datasets must be relevant, sufficiently representative, and as free of errors as possible. Article 10(5) permits temporary processing of special categories of personal data for bias detection only, subject to appropriate technical and organisational measures. Compliance requires documented dataset cards describing provenance, curation methodology, and bias testing outcomes.
- What AI Act compliance software is available for a German GmbH?
- For a German GmbH, EU AI Act compliance software must cover: AI system risk classification (Annex III mapping), technical documentation generation (Article 11), conformity assessment tracking, and Article 4 AI literacy records. EuroComply is incorporated in Portugal (EU sovereign), uses Mistral AI (French SAS) for AI inference, is hosted in Frankfurt, and covers the full AI Act risk classification workflow from €49/month. The BfDI is the relevant data protection authority for AI systems processing personal data in Germany. For very small GmbHs under 10 employees, EuroComply's free tier covers one AI system classification.
For informational purposes only. This is not legal advice — consult qualified legal counsel.
Source: EUR-Lex 32024R1689