Yes — the EU AI Act applies to both those who build AI systems (providers) and those who use them in a professional context (deployers). If your organisation uses AI tools in your operations — for example, to screen job applicants, assess credit risk, monitor employee performance, or triage customer requests — you are a deployer under the Act.
The scope is broad. Article 2 extends the Act to any organisation that deploys AI systems within the EU, regardless of where the provider is based. If the outputs of an AI system affect people in the EU, the Act likely applies. Even purely internal uses, such as automated HR processes or supply chain tools, fall within scope if the system is classified as high-risk.
There is an important nuance: deployers of high-risk AI carry a distinct set of obligations (Article 26) that differ from those placed on providers (Article 16). You are not responsible for the technical design of the AI system, but you are responsible for how you use it — including ensuring it is used in accordance with the provider's instructions, that human oversight is maintained, and that you can demonstrate compliance to a regulator.
If you are a small or medium-sized enterprise (SME), there are some procedural accommodations, but the substantive obligations still apply. The key question is not whether you built the AI, but whether you deploy it in a high-risk use case within the EU.
ComplianceCore helps deployers map their AI tool portfolio against the risk classification framework and identify exactly which obligations apply. Our assessment starts with a structured inventory of all AI tools in use.
Relevant provisions: Articles 2, 3(4), 16, 26, EU AI Act
The EU AI Act creates two distinct roles — provider and deployer — each with different compliance obligations.
A provider is any organisation that develops an AI system and places it on the market or puts it into service, whether for sale, free distribution, or internal use. Providers bear the heaviest obligations: they must conduct conformity assessments, maintain technical documentation, register high-risk systems in the EU database, and affix a CE mark where required (Articles 16–27, Article 49). They are responsible for the technical design, training data, accuracy, and robustness of the AI.
A deployer is any organisation that uses an AI system in the course of its professional activities — under its own authority and on its own behalf. Deployers do not develop the AI; they operate it. Their obligations are defined primarily in Article 26. These include: implementing the provider's instructions for use; ensuring human oversight; monitoring the system for unexpected behaviour; informing employees and affected individuals where required; and, for certain systems, conducting a Fundamental Rights Impact Assessment (FRIA) under Article 27.
Many organisations are both. If your company builds internal AI tools, you are a provider of those tools. If you then deploy those tools within your own operations, you are also a deployer.
One important grey zone: if you substantially modify a third-party AI system — for example, fine-tuning a foundation model for a specific use case — you may be reclassified as a provider for that modified system. Article 25 sets out the conditions for this shift in responsibility.
Understanding your role is the first step in any compliance programme. ComplianceCore's intake assessment maps your AI portfolio to provider, deployer, or dual-role status before scoping obligations.
Relevant provisions: Articles 3(3), 3(4), 16, 25, 26, 27, EU AI Act
The EU AI Act entered into force on 1 August 2024 and is being phased in over a 36-month transition period. The timeline differs by risk category.
February 2025 — Prohibitions on unacceptable-risk AI systems (Article 5) became enforceable. Any AI practices listed as prohibited — such as real-time biometric surveillance in public spaces (with narrow exceptions) or social scoring — were banned from this date.
August 2025 — Provisions on general-purpose AI (GPAI) models, including obligations on providers of powerful GPAI models (Articles 51–55), became applicable. Governance rules for national competent authorities also became effective.
August 2026 — This is the key deadline for deployers of high-risk AI. Full obligations under Article 26 apply from this date. This includes all Annex III high-risk use cases such as AI used in employment, education, access to essential services, and law enforcement. Member State authorities are expected to begin supervising compliance around this date.
August 2027 — Certain AI systems embedded in regulated products (Annex I machinery directives) have an extended transition period.
Importantly, August 2026 is closer than it appears. Building a compliant programme — inventorying AI tools, classifying risk, implementing oversight procedures, and producing audit-ready documentation — typically takes 6–12 months for a mid-sized organisation. Starting now is the minimum viable timeline.
ComplianceCore is designed to accelerate this process. Our structured assessments produce an Article 26 compliance map within days, not months.
Relevant provisions: Article 113 (entry into force and application); Recitals 162–166, EU AI Act
Article 26 is the core compliance provision for organisations that deploy high-risk AI systems but did not build them. It contains six principal obligations.
1. Use in accordance with instructions. You must operate the AI system within the scope defined by the provider's instructions for use. Deploying the system outside its intended purpose — for example, using a fraud-detection model to screen job applicants — shifts compliance risk to you.
2. Human oversight. You must implement measures ensuring that qualified human beings can effectively monitor the system's operation, intervene, and override outputs where necessary. This is not a formality — you must designate specific people with the competence and authority to act.
3. Monitor for risks. You must monitor the AI system for unusual behaviour or unexpected risks in your operational context and report serious incidents or malfunctions to the provider and, where required, the national competent authority (Article 73).
4. Data governance. Where you control the input data, you must ensure it is relevant and sufficiently representative for the system's intended purpose (Article 26(4)).
5. Transparency to affected individuals. Where required by the Act — for example in certain employment or access-to-services contexts — you must inform individuals that they are subject to a decision supported by AI, and provide meaningful information about the system (Articles 26(6), 50).
6. Fundamental Rights Impact Assessment (FRIA). Certain public bodies and private organisations deploying Annex III AI in employment, education, or public services must complete a FRIA before deployment (Article 27).
Non-compliance with Article 26 can result in fines of up to €15 million or 3% of global annual turnover, whichever is higher.
Relevant provisions: Articles 26, 27, 50, 73, EU AI Act
The EU AI Act classifies AI systems as high-risk if they fall into one of two categories.
Category 1 — Safety components in regulated products. AI systems that are a safety component in products already governed by EU harmonised legislation listed in Annex I (for example, machinery, medical devices, aviation equipment, or motor vehicles). If an AI system is embedded in such a product, it is likely high-risk.
Category 2 — Annex III use cases. These are standalone AI systems used in specific high-stakes domains. Annex III lists eight areas:
• Biometric identification and categorisation
• Management and operation of critical infrastructure
• Education and vocational training
• Employment, worker management, and access to self-employment
• Access to essential services (credit, insurance, public benefits)
• Law enforcement
• Migration and asylum management
• Administration of justice and democratic processes
Within each area, only specific applications are high-risk. For employment, AI used in recruitment, CV screening, promotion decisions, and performance monitoring is high-risk. An AI scheduling tool that does not directly inform HR decisions may not be.
Article 6(3) introduced a self-classification pathway: even if your AI falls within Annex III, you may determine it is not high-risk if it performs a narrow preparatory task, is used to improve a previously completed human decision, or poses minimal risk. However, this determination must be documented and submitted to the EU AI database.
When in doubt, apply the precautionary approach — classify as high-risk and apply Article 26 obligations. ComplianceCore's risk classification module guides you through this determination systematically.
Relevant provisions: Article 6, Annex I, Annex III, EU AI Act
The EU AI Act establishes a tiered penalty regime based on the severity of the infringement.
Tier 1 — Prohibited AI practices (Article 5): up to €35 million or 7% of global annual turnover, whichever is higher. This applies to the most serious violations — deploying AI systems that are outright banned, such as real-time biometric surveillance in public spaces (with narrow exceptions) or AI used for social scoring.
Tier 2 — Other substantive infringements: up to €15 million or 3% of global annual turnover, whichever is higher. This covers violations of Article 26 deployer obligations, failure to implement human oversight, non-compliance with transparency requirements, and failure to conduct a required FRIA. For most deployers, this is the relevant penalty tier.
Tier 3 — Supplying incorrect or misleading information to authorities: up to €7.5 million or 1% of global annual turnover, whichever is higher.
For SMEs and startups, the absolute caps (€7.5M, €15M, €35M) apply rather than the turnover percentages, which is a more favourable treatment in practice.
Beyond fines, non-compliant AI systems can be suspended or withdrawn from the market by national competent authorities. Serious incidents must be reported within defined timeframes (Article 73), and failure to report compounds liability.
Enforcement is handled by national authorities designated under Article 70 in each Member State. First enforcement actions are expected after August 2026. Regulated sectors (banking, insurance, healthcare) may face parallel enforcement from sectoral supervisors.
ComplianceCore's compliance programme produces documentation that demonstrates good-faith efforts, which regulators are required to take into account when assessing penalties.
Relevant provisions: Articles 5, 73, 99, 101, EU AI Act
No — GDPR compliance is necessary but not sufficient for EU AI Act compliance. The two regimes share common principles but have distinct requirements that do not overlap cleanly.
Where they align: Both regimes require data minimisation, transparency to affected individuals, and risk assessments before deploying systems that process personal data. Your GDPR Data Protection Impact Assessment (DPIA) process, privacy notices, and data governance practices provide a useful foundation.
Where the AI Act goes further:
Technical documentation. The AI Act requires providers (and, indirectly, deployers demanding it from providers) to maintain detailed documentation of model architecture, training data, accuracy metrics, and robustness testing. GDPR does not require this level of technical transparency.
Human oversight. Article 26 mandates specific human review mechanisms for high-risk AI decisions. GDPR Article 22 gives individuals rights regarding automated decisions but does not mandate ongoing operational oversight.
Fundamental Rights Impact Assessment (FRIA). This is a separate obligation from a DPIA. While a DPIA focuses on personal data risks, a FRIA requires analysis of broader impacts on fundamental rights including non-discrimination, access to justice, and socio-economic status.
AI-specific risk classification. GDPR does not classify AI systems by risk tier. The AI Act's Annex III classification requires a distinct analysis not addressed by GDPR.
Incident reporting. The AI Act establishes its own serious incident reporting regime (Article 73) alongside — not instead of — GDPR breach notification requirements.
Organisations with mature GDPR programmes have a head start, but should expect additional work — particularly around Article 26 oversight mechanisms and FRIA completion.
Relevant provisions: EU AI Act Articles 11, 26, 27, 73; GDPR Articles 22, 35
A Fundamental Rights Impact Assessment (FRIA) is a structured analysis required under Article 27 of the EU AI Act. It evaluates how a high-risk AI system may affect the fundamental rights of people within scope — going beyond data protection to include rights such as non-discrimination, access to justice, freedom of expression, and equal access to essential services.
Who is required to complete a FRIA? Article 27 applies to deployers that are:
• Public bodies deploying any Annex III high-risk AI system, OR
• Private organisations deploying high-risk AI in specific contexts: credit and financial services (Annex III.5(b)), life and health insurance (Annex III.5(c)), and private operators providing public-interest services in employment (Annex III.4) or education (Annex III.3).
If you are a public authority using AI in benefits administration, law enforcement, or immigration, a FRIA is mandatory. If you are a private company using AI for credit scoring, insurance underwriting, or workforce management at scale, you likely fall within scope.
What does a FRIA contain? Article 27 requires the FRIA to cover: a description of the deployer and intended use; relevant fundamental rights likely to be affected; potential impacts on those rights and mitigations; a description of monitoring and redress processes; and confirmation of human oversight mechanisms.
What a FRIA is not: A DPIA is not a FRIA, though they can be conducted jointly where both are required (Article 27(4)). The FRIA has a broader scope than privacy impact alone.
ComplianceCore includes a FRIA template aligned to Article 27 requirements. Our assessment workflow identifies whether you are within scope and guides you through the mandatory content.
Relevant provisions: Articles 26(9), 27, EU AI Act
A ComplianceCore assessment is designed to be fast without sacrificing accuracy. Most organisations complete the core assessment in 3–5 business days, with structured outputs ready within the same week.
What you do: You complete our guided questionnaire, which covers your AI tool inventory, intended use cases, affected populations, and existing governance controls. The questionnaire is structured around the EU AI Act's key provisions — risk classification, Article 26 obligations, and FRIA triggers. For most organisations, this takes 2–4 hours of focused input from a DPO, compliance lead, or operations team.
What we produce:
• Risk classification report — each AI system in your portfolio mapped to prohibited, high-risk, limited-risk, or minimal-risk under the Act, with citations to the relevant Annex III category or Article 6 reasoning.
• Article 26 gap analysis — a structured review of which deployer obligations you currently meet, which have gaps, and what remediation steps are required.
• FRIA determination — a scoped analysis of whether a Fundamental Rights Impact Assessment is required, and if so, a draft FRIA aligned to Article 27.
• Compliance roadmap — a prioritised action plan with timelines, ownership assignments, and a summary suitable for board-level reporting.
• Audit-ready documentation — all outputs formatted to demonstrate compliance to a national competent authority.
For organisations that want ongoing monitoring, our Continuous Compliance tier provides quarterly re-assessments as AI portfolios evolve and regulatory guidance is updated.
There are no long consulting engagements. ComplianceCore is built to give compliance teams the tools and documentation they need, not to replace them.
Relevant provisions: Articles 26, 27, Annex III, EU AI Act
When a national competent authority conducts a supervisory review, they will expect your organisation to demonstrate compliance through documented evidence, not assertions. Articles 26, 27, and 73 make clear what the substantive record must show.
Evidence that deployers should maintain:
1. AI system inventory. A current register of all AI systems in use, their provider, the use case, and the risk classification applied. This demonstrates you have scoped your obligations and identified which systems require Article 26 compliance.
2. Article 26 compliance documentation. Records showing that you have implemented the provider's instructions for use; designated responsible human oversight personnel with named roles; and established monitoring and intervention procedures. This should include policy documents, role designations, and any training provided to staff.
3. FRIA completion. If Article 27 applies, a completed and dated FRIA with evidence of the analysis and any mitigating measures taken.
4. Incident log. A record of any serious incidents, malfunctions, or unexpected outputs — including what happened, how you identified it, and what you did in response (Article 73). A well-maintained log demonstrates an active monitoring programme, not just a record of failures.
5. Provider cooperation records. Evidence that you have communicated with AI providers about technical documentation, instructions for use, and any reported issues. Article 26 requires deployers to cooperate with authorities, and your correspondence with providers is part of that cooperation.
6. Board or management sign-off. Evidence that senior leadership has reviewed and approved the compliance programme. Regulators treat this as an indicator of organisational commitment and governance maturity.
ComplianceCore produces all of these artefacts as structured, downloadable outputs. Our documentation is formatted to meet the evidentiary expectations of EU supervisory authorities and can be updated as your AI portfolio evolves.
Relevant provisions: Articles 26, 27, 73, 74, EU AI Act
Ready to assess your compliance?
ComplianceCore guides you through the full Article 26 assessment in under 2 hours, producing audit-ready documentation for your AI portfolio.