Free tool

AI Act Obligations Checker

Your duties under the EU AI Act turn on two things: your role and your risk tier. Tell us both and see exactly what applies to you - article by article - and from when. You get a plain-English verdict and a tailored checklist, all on this page.

Not sure what tier your system is? Start with the risk classifier.

Step 1 of 3

What is your role in relation to the AI system?

The Act assigns duties by role (Article 3). The provider, who builds and brands the AI, carries the heaviest load. A deployer uses it under its own authority. Importers and distributors move it along the chain.

How duties are assigned

Obligations by role and tier

The Act crosses your role (provider, deployer, importer, distributor) with your risk tier to set your duties. Here are the headline duties for the most common combinations.

TL;DR

Under the EU AI Act, the high-risk provider carries the fullest duties - from risk management and technical documentation to conformity assessment, CE marking and post-market monitoring. The high-risk deployer uses the system per instructions, keeps human oversight and logs, informs affected people, and runs a Fundamental Rights Impact Assessment where it is a public body or uses the system for credit or insurance. Limited / transparency systems carry Article 50 disclosure duties, minimal-risk systems carry none, and general-purpose AI model providers follow a separate track. Most duties apply from 2 August 2026.

High-risk provider

You develop and brand the high-risk AI system.

The fullest set of duties, across the lifecycle: risk management (Art. 9), data governance (Art. 10), technical documentation (Art. 11), logging (Art. 12), instructions for use (Art. 13), human oversight (Art. 14), accuracy and cybersecurity (Art. 15), a quality management system (Art. 17), conformity assessment (Art. 43), CE marking and declaration of conformity (Arts. 47-48), registration (Art. 49), and post-market monitoring (Arts. 72-73).

High-risk deployer

You use the high-risk system under your own authority.

Use it per the instructions, assign human oversight, keep input data representative, monitor and suspend if needed, keep logs for at least six months, and inform affected workers and people. Public bodies and credit / insurance uses must also run a Fundamental Rights Impact Assessment (Art. 27).

Limited / transparency (any role)

Your system is a chatbot, generates content, or recognises emotion.

The Article 50 disclosure and labelling duties: tell users they are dealing with AI, machine-readably mark AI-generated content (provider), disclose deepfakes (deployer), and inform people exposed to emotion recognition or biometric categorisation.

GPAI model provider

You provide a general-purpose AI model, such as an LLM.

The separate Chapter V track: technical documentation, downstream information, a copyright policy and a training-data summary (Art. 53), plus model evaluation, systemic-risk mitigation and incident reporting (Art. 55) if the model poses systemic risk.

Why role and tier matter most

Two questions decide most of your AI Act duties. The first is your tier: a prohibited practice cannot be made compliant, a high-risk system carries the fullest duties, a limited / transparency system mainly has to be open about what it is, and a minimal-risk system has no mandatory duties at all. The second is your role: the provider, who builds and brands the AI, shoulders far more than a deployer, who uses it. Regulation (EU) 2024/1689, Article 16

For a high-risk system, the provider runs the full programme - risk management, data governance, technical documentation, logging, instructions for use, human oversight, accuracy and cybersecurity, a quality management system, conformity assessment, CE marking, registration and post-market monitoring. A deployer's duties are lighter but real: use the system as instructed, keep effective human oversight, retain logs, and inform the workers and individuals affected. Regulation (EU) 2024/1689, Article 26

Some deployers carry an extra duty: public bodies and public-service providers, and anyone using a high-risk system for credit scoring or insurance risk assessment and pricing, must complete a Fundamental Rights Impact Assessment before deployment. Regulation (EU) 2024/1689, Article 27 Providers of general-purpose AI models sit on a separate track, with documentation, downstream information, a copyright policy and a training-data summary, plus systemic-risk duties for the largest models. Regulation (EU) 2024/1689, Article 53

One part of the timeline is still moving

A proposed Digital Omnibus on AI, in provisional political agreement as of May 2026, would postpone stand-alone Annex III high-risk obligations from 2 August 2026 to 2 December 2027, shorten the transparency grace period, and add a ninth Article 5 prohibition. It is not law yet, so we treat 2 August 2026 as the operative date in this tool. We will update this page if it is adopted.

Obligations questions people ask

What are the high-risk provider obligations?

A provider of a high-risk AI system carries the fullest set of duties in the Act. These include a risk management system (Article 9), data and data governance (Article 10), technical documentation per Annex IV (Article 11), record-keeping and automatic logging (Article 12), transparency and instructions for use (Article 13), human oversight by design (Article 14), accuracy, robustness and cybersecurity (Article 15), a quality management system (Article 17), a conformity assessment before market placement (Article 43), an EU declaration of conformity and CE marking (Articles 47-48), registration in the EU database (Article 49), and post-market monitoring with serious-incident reporting (Articles 72-73). A non-EU provider must also appoint an EU authorised representative (Article 22).

What does a high-risk deployer have to do?

A deployer uses a high-risk AI system under its own authority and has lighter but real duties under Article 26: use the system in line with the provider's instructions, assign human oversight to competent and trained people, make sure input data it controls is relevant and representative, monitor operation and suspend use if risks arise, keep the system's logs for at least six months, inform affected workers and their representatives before workplace deployment, and inform people subject to high-risk decisions. Public bodies, and deployers using the system for credit scoring or insurance pricing, must also carry out a Fundamental Rights Impact Assessment (Article 27).

What is a Fundamental Rights Impact Assessment (FRIA)?

A FRIA is an assessment that certain deployers of high-risk AI must complete before putting the system into use, under Article 27. It applies to deployers that are public bodies or public-service providers, and to systems used for credit scoring or for life and health insurance risk assessment and pricing. It is a deployer duty, not a provider duty, though providers can help by giving clear instructions for use.

What must a general-purpose AI model provider do?

Under Article 53, every GPAI model provider must keep technical documentation of the model, give downstream providers the information they need to integrate it, put in place a policy to comply with EU copyright law (including text-and-data-mining opt-outs), and publish a summary of the content used for training. If the model crosses the systemic-risk threshold (training compute above 10^25 FLOP), Article 55 adds model evaluation and adversarial testing, systemic-risk assessment and mitigation, serious-incident reporting to the AI Office, and adequate cybersecurity. The GPAI Code of Practice is the main tool for showing compliance. These rules have applied since 2 August 2025.

This is guidance to help you understand the EU AI Act, not legal advice. For decisions specific to your business, confirm with the official sources we link or a qualified adviser.

Sources

[1]Regulation (EU) 2024/1689 (EU AI Act), full text on EUR-Lexretrieved 9 Jun 2026
[2]AI Act, Article 16 - obligations of providers of high-risk AI systemsretrieved 9 Jun 2026
[3]AI Act, Article 26 - obligations of deployers of high-risk AI systemsretrieved 9 Jun 2026