EuroComply
Zarejestruj się

EU AI Act

Akt w sprawie sztucznej inteligencji (Rozporządzenie (UE) 2024/1689, Akt o AI) jest pierwszym kompleksowym aktem prawnym regulującym systemy sztucznej inteligencji w UE. Klasyfikuje systemy AI według poziomu ryzyka — praktyki zakazane, wysokie ryzyko, ograniczone ryzyko, minimalne ryzyko — i nakłada obowiązki skalowane stosownie do przypisanego poziomu. Stosowanie etapowe: Artykuł 4 (umiejętności w zakresie AI) i Artykuł 5 (zakazane praktyki) od 2 lutego 2025 r.; Artykuł 53 (modele AI ogólnego przeznaczenia) od 2 sierpnia 2025 r.; Artykuł 6 i Załącznik III (obowiązki dla systemów wysokiego ryzyka) od 2 sierpnia 2026 r.; Załącznik I (systemy wysokiego ryzyka wbudowane w produkty regulowane) od 2 sierpnia 2027 r. Maksymalna kara: 35 mln EUR lub 7 % całkowitego rocznego światowego obrotu za zakazane praktyki (Artykuł 99).

Free EU AI Act Compliance Checker

What does AI Act require and when does it apply?

AI Act applies to Technology and Healthcare organisations across all EU member states. The key deadline is August 2, 2026 (high-risk systems). Non-compliance carries a maximum penalty of €35M or 7% of global turnover. Core obligations include classify ai systems by risk tier and implement risk management systems.

  • Classify AI systems by risk tier
  • Implement risk management systems
  • Ensure transparency and human oversight
  • Register high-risk systems in EU database
  • Conduct fundamental rights impact assessments
DeadlineAugust 2, 2026 (high-risk systems)
Max fine€35M or 7% of global turnover
Primary sectorsTechnology, Healthcare, Financial Services
Source: Official Journal of the EU — EU AI ActReviewed:
TL;DR

AI Act: €35M or 7% of global turnover max fine

AI Act applies to Technology and Healthcare organisations in all EU member states. Key deadline: August 2, 2026 (high-risk systems).

Source: Official Journal of the European Union — EU AI Act

Who does AI Act apply to?

Akt o AI stosuje się do wszystkich uczestników łańcucha wartości AI, którzy wprowadzają systemy AI do obrotu na rynku UE, oddają je do użytku w UE lub których wyniki są wykorzystywane w UE — nawet jeżeli dostawca lub podmiot stosujący mają siedzibę poza UE.

  • Dostawcy wprowadzający systemy AI do obrotu na rynku UE lub oddający je do użytku w UE
  • Podmioty stosujące z siedzibą lub miejscem prowadzenia działalności w UE, korzystające z systemów AI w ramach działalności zawodowej
  • Importerzy i dystrybutorzy systemów AI w UE
  • Dostawcy i podmioty stosujące z państw trzecich, gdy wyniki systemu AI są wykorzystywane w UE
  • Dostawcy modeli AI ogólnego przeznaczenia (GPAI), z dodatkowymi zasadami dla modeli stwarzających ryzyko systemowe
Source: Regulation (EU) 2024/1689 — EUR-Lex Official Journal — Artykuł 2 (Zakres stosowania)Reviewed:

What are the penalties for AI Act non-compliance?

Akt o AI stosuje trójstopniowy system kar. Najwyższy poziom dotyczy stosowania zakazanych praktyk w zakresie AI. Poziom środkowy obejmuje nieprzestrzeganie obowiązków mających zastosowanie do systemów wysokiego ryzyka i modeli GPAI. Najniższy poziom dotyczy dostarczania organom nieprawidłowych lub wprowadzających w błąd informacji.

Maximum fine€35 million or 7% of global annual turnover, whichever is higher
Source: Regulation (EU) 2024/1689 — EUR-Lex Official Journal — Artykuł 99 (Kary)Reviewed:

When does AI Act apply?

Akt o AI wszedł w życie 1 sierpnia 2024 r. i jest stosowany etapami. Zakazy dotyczące praktyk o niedopuszczalnym ryzyku oraz obowiązek w zakresie umiejętności związanych z AI obowiązują jako pierwsze; następnie wchodzą w życie przepisy dotyczące modeli GPAI; główny zbiór obowiązków dla systemów wysokiego ryzyka stosuje się od 2 sierpnia 2026 r.; obowiązki dla systemów wysokiego ryzyka wbudowanych w produkty regulowane — od 2 sierpnia 2027 r.

  • 2024-08-01 — Entry into force
  • 2025-02-02 — Prohibitions (Article 5) and AI-literacy obligation (Article 4) apply
  • 2025-08-02 — Obligations for General-Purpose AI (GPAI) models apply
  • 2026-08-02 — Most obligations for high-risk AI systems apply
  • 2027-08-02 — High-risk obligations for Annex I-listed products apply
Source: Regulation (EU) 2024/1689 — EUR-Lex Official Journal — Artykuł 113 (Wejście w życie i stosowanie)Reviewed:

Jak ustalić, czy system AI jest systemem wysokiego ryzyka w rozumieniu Aktu o AI

Artykuły 6 i 7 oraz Załącznik III określają logikę klasyfikacji systemów wysokiego ryzyka. Poniższa procedura pozwala uzyskać uzasadnioną i możliwą do obrony kwalifikację.

  1. 1

    Sprawdź wykazy produktów objętych przepisami bezpieczeństwa w Załączniku I

    Jeżeli system AI jest elementem bezpieczeństwa lub stanowi sam w sobie produkt objęty unijnym sektorowym prawodawstwem harmonizacyjnym wymienionym w Załączniku I (np. wyroby medyczne, maszyny, zabawki) i produkt ten podlega ocenie zgodności przez stronę trzecią, system AI jest systemem wysokiego ryzyka w rozumieniu Artykułu 6 ust. 1.

  2. 2

    Sprawdź kategorie zastosowań z Załącznika III

    Jeżeli system AI jest stosowany w jednym z ośmiu obszarów wymienionych w Załączniku III (biometria, infrastruktura krytyczna, edukacja, zatrudnienie, usługi podstawowe, egzekwowanie prawa, migracja i kontrola graniczna, wymiar sprawiedliwości), jest co do zasady systemem wysokiego ryzyka zgodnie z Artykułem 6 ust. 2.

  3. 3

    Zastosuj wyjątki z Artykułu 6 ust. 3

    System objęty Załącznikiem III nie jest systemem wysokiego ryzyka, jeżeli wykonuje wyłącznie wąskie zadanie proceduralne, usprawnia wcześniejszą pracę człowieka, wykrywa wzorce decyzyjne lub wykonuje zadanie przygotowawcze — pod warunkiem że nie profiluje osób fizycznych. Udokumentuj rozumowanie.

  4. 4

    Zarejestruj i udokumentuj

    Jeżeli system pozostaje systemem wysokiego ryzyka, zarejestruj go w unijnej bazie danych (Artykuł 71) i sporządź dokumentację techniczną zgodnie z Załącznikiem IV przed wprowadzeniem go do obrotu.

35 mln EUR lub 7 % obrotu

Maksymalna administracyjna kara pieniężna przewidziana w Akcie o AI za stosowanie zakazanych praktyk w zakresie AI wymienionych w Artykule 5 (najwyższy z trzech poziomów kar).

Rozporządzenie (UE) 2024/1689, Artykuł 99 ust. 3

EU AI Act for SMEsRegulation (EU) 2024/1689, Articles 2, 3, 4, 6, 26 and Annex III

The EU AI Act applies to SMEs that provide or deploy AI systems affecting people in the EU. Most SMEs start as deployers: they must inventory AI use, train staff, classify risk, keep evidence, and meet high-risk obligations where Annex III applies.

2026-08-02High-risk AI obligations

Most Annex III high-risk AI obligations apply, including documentation, oversight, logs and risk management.

Source: Regulation (EU) 2024/1689, Article 113

AI Act SME action checklist

Action checklist
Build an AI system inventory

List every internal and customer-facing AI tool, owner, vendor, purpose, data categories, user group and deployment status.

Articles 3, 4, 26

Classify each use case by risk tier

Separate prohibited, high-risk, limited-risk and minimal-risk use. Pay special attention to Annex III areas such as employment, education, credit, health and essential services.

Articles 5, 6, 50 and Annex III

Document deployer responsibilities

Assign a human owner, define intended use, keep logs where available, follow provider instructions and record monitoring decisions.

Article 26

Train staff and keep evidence

Provide AI literacy training to staff who procure, use, supervise or govern AI tools. Retain completion records and training content.

Article 4

Request vendor documentation

Collect provider instructions, risk classification, data information, transparency notices, security controls and incident handling commitments.

Articles 13, 15, 16, 26

Prepare high-risk evidence

For Annex III systems, document human oversight, accuracy monitoring, data governance, incident escalation and fundamental-rights impact assessment triggers.

Articles 9-15, 26, 27, 73

EU AI Act application timeline

Updated 2026-05-12: The AI Act originally set many obligations to apply from 2 August 2026. Some high-risk obligations may be subject to amendment. See per-obligation status below.
In forceAdoptedPolitical agreementExpectedSubject to formal adoption

AI Act enters into force

GovernanceIn forceArt. 113

Regulation (EU) 2024/1689 entered into force on the twentieth day following its publication in the Official Journal on 12 July 2024. The Regulation applies in phases over subsequent years pursuant to Article 113.

Applies to: All providers, deployers, importers and distributors of AI systems and GPAI models in the EU market

Prohibited AI practices ban applies

Prohibited practicesIn forceArt. 5Art. 113(1)

Article 5 prohibitions on unacceptable-risk AI systems become enforceable: subliminal manipulation, exploitation of vulnerabilities, social scoring by public authorities, real-time remote biometric identification in public spaces (with limited exceptions), emotion recognition in workplace and education, AI-based profiling to predict offences, and untargeted facial image scraping.

Applies to: All providers and deployers of AI systems in the EU

Note: Already in force since 2 February 2025. Verified against Art. 113(1) — six months after entry into force.

AI literacy obligation applies

AI literacyIn forceArt. 4Art. 113(1)

Article 4 requires providers and deployers to take measures to ensure a sufficient level of AI literacy for their staff and persons operating AI systems on their behalf. This obligation became binding on 2 February 2025 alongside the prohibited practices prohibition.

Applies to: All providers and deployers of AI systems in the EU

Note: Already in force since 2 February 2025. Verified against Art. 113(1) — six months after entry into force.

GPAI model obligations apply

GPAIIn forceArt. 53Art. 55Art. 56+3 more

Chapter V provisions for providers of general-purpose AI models become applicable: technical documentation (Annex XI/XII), transparency information, copyright summary, and — for systemic-risk models — adversarial testing, incident notification, and cybersecurity measures. Codes of practice for GPAI model providers must also be finalised under Article 56.

Applies to: Providers of general-purpose AI models made available in the EU; providers of GPAI models with systemic risk

Note: Verified against Art. 113(3) — twelve months after entry into force (1 August 2024 + 12 months = 2 August 2025). NOTE: the task brief references Art. 113(c) but the phased dates are set out in Article 113 paragraphs, not lettered sub-provisions in the OJ text. This date is confirmed from the regulation text.

High-risk AI obligations — Annex III systems

High-risk AIExpectedArt. 6Art. 9Art. 10+11 more

Full obligations for high-risk AI systems listed in Annex III become applicable: risk management system (Art. 9), data governance (Art. 10), technical documentation (Art. 11), record-keeping (Art. 12), transparency (Art. 13), human oversight (Art. 14), accuracy and robustness (Art. 15), quality management (Art. 17), conformity assessment (Art. 43), EU database registration (Art. 71), and post-market monitoring (Art. 72). Annex III categories include biometrics, critical infrastructure, employment/HR tools, education/vocational training, essential private and public services, law enforcement, migration and asylum, and administration of justice.

Applies to: Providers and deployers of high-risk AI systems listed in Annex III (biometrics, critical infrastructure, employment, education, essential services, law enforcement, migration, justice)

Note: Verification needed — The original date (2 August 2026) is set by Art. 113(6) — 24 months after entry into force. The European Commission's Omnibus simplification package (COM(2025)87, February 2025) proposed amendments. A political agreement on certain Omnibus elements was reported but, as of 2026-05-12, formal adoption of amendments to Regulation (EU) 2024/1689 that would alter this date has not been confirmed in the Official Journal. This milestone remains at 2026-08-02 until a revised regulation is published. Human review required before asserting postponement.

High-risk AI obligations — Annex I product-safety AI

High-risk AIExpectedArt. 6(1)Annex IAnnex III+1 more

AI systems that are safety components of products covered by the Union harmonisation legislation listed in Annex I (e.g. machinery, medical devices, automotive) must comply. These systems must also pass conformity assessment under the applicable sectoral legislation.

Applies to: Providers of AI systems that are safety components of products under Annex I sectoral legislation (machinery, medical devices, lifts, radio equipment, etc.)

Note: Same caveats as Annex III milestone. Verification needed for any Commission-proposed postponement prior to asserting a revised date.

GPAI models already on market before Aug 2025 must comply

GPAIExpectedArt. 113(3)Chap. V

General-purpose AI models that were placed on the market before 2 August 2025 must comply with the Chapter V GPAI obligations by this date. This is the transitional grace period for legacy GPAI models.

Applies to: Providers of general-purpose AI models that were on the EU market before 2 August 2025 and have not yet complied with Chapter V obligations

Note: Verified against Art. 113(3) — 36 months after entry into force (1 August 2024 + 36 months = 2 August 2027).

Source: Regulation (EU) 2024/1689, Article 113 · Last checked: 2026-05-12

Deadline

August 2, 2026 (high-risk systems)

Max Fine

€35M or 7% of global turnover

Sectors Affected

Technology, Healthcare, Financial Services

35 mln EUR lub 7 % obrotu

Maksymalna administracyjna kara pieniężna przewidziana w Akcie o AI za stosowanie zakazanych praktyk w zakresie AI wymienionych w Artykule 5 (najwyższy z trzech poziomów kar).

Rozporządzenie (UE) 2024/1689, Artykuł 99 ust. 3

Key regulatory facts: EU AI Act
Official nameRegulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act)
Reg. No.(EU) 2024/1689
CELEX32024R1689
Typeregulation
In force2024-08-01
Applies from2026-08-02
Max fine€35 million or 7% of global annual turnover, whichever is higher
Authorities
European AI Office (EU)
National competent authorities (member-state)
European Data Protection Supervisor (EU)for EU institutions, bodies and agencies
Source(EU) 2024/1689 — EUR-Lex Official Journal

How do I comply with AI Act?

  • Classify AI systems by risk tier
  • Implement risk management systems
  • Ensure transparency and human oversight
  • Register high-risk systems in EU database
  • Conduct fundamental rights impact assessments

Does AI Act apply to your business?

Find out in 2 minutes with our free regulation checker.

Check now — free

AI Act by Country

🇩🇪

Germany

🇫🇷

France

🇳🇱

Netherlands

🇪🇸

Spain

🇮🇹

Italy

🇦🇹

Austria

🇧🇪

Belgium

🇵🇱

Poland

🇸🇪

Sweden

🇮🇪

Ireland

🇵🇹

Portugal

🇩🇰

Denmark

🇫🇮

Finland

🇨🇿

Czech Republic

🇷🇴

Romania

🇭🇺

Hungary

🇸🇰

Slovakia

🇧🇬

Bulgaria

🇭🇷

Croatia

🇬🇷

Greece

🇱🇺

Luxembourg

🇪🇪

Estonia

🇱🇻

Latvia

🇱🇹

Lithuania

🇸🇮

Slovenia

🇲🇹

Malta

Explore AI Act in depth

Penalties & Fines

Maximum fine tiers, Article-by-Article breakdown, and mitigation factors.

Enforcement Timeline

Key dates, application milestones, and per-Member-State transposition status.

AI Act by Industry

💻

SaaS & Software

💳

Fintech & Financial Services

🏥

Healthcare & MedTech

🏭

Manufacturing & Industry

🛒

E-commerce & Retail

🎓

EdTech & Education

🚚

Logistics & Transport

Energy & Utilities

📡

Telecoms & Media

👥

HR & Recruitment

⚖️

Legal & Professional Services

🏛️

Public Sector & NGOs

AI Act by Role

SME Startups

The AI Act applies in full to SMEs, but recital 165 and Article 62 instruct member states to provide proportionate support — priority access to regulatory sandboxes, free SME-specific guidance, and simplified technical-documentation routes for microenterprises. The substantive obligations themselves do not shrink with company size.

Related Regulations

GDPR

GDPR governs the processing of personal data of EU residents. It requires lawful basis for processing, data subject rights, breach notification, and accountability measures.

NIS2

NIS2 expands cybersecurity obligations to essential and important entities across critical sectors. It mandates risk management, incident reporting, and supply chain security.

CRA

The CRA establishes cybersecurity requirements for products with digital elements sold in the EU. Manufacturers must ensure security by design and provide vulnerability handling.

Explore AI Act in depth

Penalties & Fines

See enforcement patterns, fine tier tables, and real enforcement cases across EU member states.

Deadline Timeline

Key milestones, implementation phases, and country-specific deadlines and phased rollout dates.

Industry Guides

Sector-specific AI Act guidance for SaaS, fintech, healthcare, and other affected industries.

Next step — classify

Classify your AI systems

Use the free regulation checker to find out exactly which AI Act obligations apply to your business in 2 minutes.

Classify your AI systems

Check Your Compliance Obligations

Find out which AI Act obligations apply to your organisation in under 2 minutes.

Run AI Act Compliance Checker

Recent AI Act Articles

How to Classify Your AI System Under the EU AI Act: A Step-by-Step Guide

8 Jun 2026

What Is the EU AI Act? A Complete Guide for Businesses

8 Jun 2026

How to Build an AI Literacy Program Under Article 4

8 Jun 2026

Frequently Asked Questions

What is the EU AI Act and what does it require?
The EU AI Act (Regulation 2024/1689) classifies AI systems by risk level. Prohibited AI practices apply from February 2025. General Purpose AI model obligations apply from August 2025. High-risk AI system requirements — conformity assessments, documentation, human oversight — apply from August 2026. Providers of high-risk AI in healthcare, employment, critical infrastructure, and law enforcement face the strictest requirements. The AI Office (European Commission) enforces GPAI model rules; national market surveillance authorities enforce rules for other AI systems.
What is an EU AI Act compliance checklist for 2026?
An EU AI Act compliance checklist for 2026: (1) Map all AI systems to the risk classification tiers — prohibited, high-risk, limited-risk, minimal-risk; (2) For high-risk systems, implement a risk management system (Article 9), technical documentation (Article 11), quality management (Article 17), and post-market monitoring (Article 72); (3) Register high-risk systems in the EU AI database for in-scope sectors; (4) For GPAI models above 10²⁵ FLOPs training compute, comply with systemic risk obligations (Article 55); (5) Establish AI literacy programmes for staff under Article 4.
When does EU AI Act enforcement start in 2026?
EU AI Act enforcement is phased: prohibited AI practices apply from 2 February 2025; GPAI model obligations (Articles 51–56) from 2 August 2025; high-risk AI system rules for Annexes I and III sectors (healthcare, employment, education, critical infrastructure, law enforcement) from 2 August 2026. AI systems used as safety components of products covered by existing EU sectoral legislation face additional deadlines aligned with product safety laws. Member states must designate national competent authorities to enforce the Act.
How do I classify high-risk AI systems under the EU AI Act?
Under EU AI Act Annex III, AI systems are classified as high-risk when deployed in: biometric identification and categorisation; critical infrastructure management; education and vocational training; employment and HR management; essential private and public services (including credit scoring); law enforcement; migration and asylum management; and administration of justice. An AI system is also high-risk if it is a safety component of a product covered by existing EU product safety legislation. Article 6(3) allows providers to self-assess that an Annex III system is not high-risk if it poses no significant risk to health, safety, or fundamental rights.
What does Article 10 of the EU AI Act require for data governance?
Article 10 of the EU AI Act requires providers of high-risk AI systems to apply data governance practices to training, validation, and testing datasets. Datasets must be examined for possible biases; data collection must be lawful; datasets must be relevant, sufficiently representative, and as free of errors as possible. Article 10(5) permits temporary processing of special categories of personal data for bias detection only, subject to appropriate technical and organisational measures. Compliance requires documented dataset cards describing provenance, curation methodology, and bias testing outcomes.
What AI Act compliance software is available for a German GmbH?
For a German GmbH, EU AI Act compliance software must cover: AI system risk classification (Annex III mapping), technical documentation generation (Article 11), conformity assessment tracking, and Article 4 AI literacy records. EuroComply is incorporated in Portugal (EU sovereign), uses Mistral AI (French SAS) for AI inference, is hosted in Frankfurt, and covers the full AI Act risk classification workflow from €49/month. The BfDI is the relevant data protection authority for AI systems processing personal data in Germany. For very small GmbHs under 10 employees, EuroComply's free tier covers one AI system classification.

For informational purposes only. This is not legal advice — consult qualified legal counsel.

Last verified: · Source: EUR-Lex 32024R1689 · Editorial policy