Back to index

Table of contents

Chapter I: General Provisions

Article 1: Subject Matter

Article 2: Scope

Article 3: Definitions

Article 4: AI literacy

Chapter II: Prohibited Artificial Intelligence Practices

Article 5: Prohibited Artificial Intelligence Practices

Chapter III: High-Risk AI System

Section 1: Classification of AI Systems as High-Risk

Article 6: Classification Rules for High-Risk AI Systems

Article 7: Amendments to Annex III

Section 2: Requirements for High-Risk AI Systems

Article 8: Compliance with the Requirements

Article 9: Risk Management System

Article 10: Data and Data Governance

Article 11: Technical Documentation

Article 12: Record-Keeping

Article 13: Transparency and Provision of Information to Deployers

Article 14: Human Oversight

Article 15: Accuracy, Robustness and Cybersecurity

Section 3: Obligations of Providers and Deployers of High-Risk AI Systems and Other Parties

Article 16: Obligations of Providers of High-Risk AI Systems

Article 17: Quality Management System

Article 18: Documentation Keeping

Article 19: Automatically Generated Logs

Article 20: Corrective Actions and Duty of Information

Article 21: Cooperation with Competent Authorities

Article 22: Authorised Representatives of providers of high-risk AI systems

Article 23: Obligations of Importers

Article 24: Obligations of Distributors

Article 25: Responsibilities Along the AI Value Chain

Article 26: Obligations of Deployers of High-Risk AI Systems

Article 27: Fundamental Rights Impact Assessment for High-Risk AI Systems

Section 4: Notifying Authorities and Notified Bodies

Article 28: Notifying Authorities

Article 29: Application of a Conformity Assessment Body for Notification

Article 30: Notification Procedure

Article 31: Requirements Relating to Notified Bodies

Article 32: Presumption of Conformity with Requirements Relating to Notified Bodies

Article 33: Subsidiaries of and Subcontracting by Notified Bodies

Article 34: Operational Obligations of Notified Bodies

Article 35: Identification Numbers and Lists of Notified Bodies Designated Under this Regulation

Article 36: Changes to Notifications

Article 37: Challenge to the Competence of Notified Bodies

Article 38: Coordination of Notified Bodies

Article 39: Conformity Assessment Bodies of Third Countries

Section 5: Standards, Conformity Assessment, Certificates, Registration

Article 40: Harmonised Standards and Standardisation Deliverables

Article 41: Common Specifications

Article 42: Presumption of Conformity with Certain Requirements

Article 43: Conformity Assessment

Article 44: Certificates

Article 45: Information Obligations of Notified Bodies

Article 46: Derogation from Conformity Assessment Procedure

Article 47: EU Declaration of Conformity

Article 48: CE Marking

Article 49: Registration

Chapter IV: Transparency Obligations for Providers and Deployers of Certain AI Systems and GPAI Models

Article 50: Transparency Obligations for Providers and Users of Certain AI Systems and GPAI Models

Chapter V: General Purpose AI Models

Section 1: Classification Rules

Article 51: Classification of General-Purpose AI Models as General Purpose AI Models with Systemic Risk

Article 52: Procedure

Section 2: Obligations for Providers of General Purpose AI Models

Article 53: Obligations for Providers of General Purpose AI Models

Article 54: Authorised Representative

Section 3: Obligations for Providers of General Purpose AI Models with Systemic Risk

Article 55: Obligations for Providers of General-Purpose AI Models with Systemic Risk

Article 56: Codes of Practice

Chapter VI: Measures in Support of Innovation

Article 57: AI Regulatory Sandboxes

Article 58: Detailed arrangements for and functioning of AI regulatory sandboxes

Article 59: Further Processing of Personal Data for Developing Certain AI Systems in the Public Interest in the AI Regulatory Sandbox

Article 60: Testing of High-Risk AI Systems in Real World Conditions Outside AI Regulatory Sandboxes

Article 61: Informed consent to participate in testing in real world conditions outside AI regulatory sandboxes

Article 62: Measures for Providers and Deployers, in Particular SMEs, Including Start-Ups

Article 63: Derogations for specific operators

Chapter VII: Governance

Section 1: Governance at Union Level

Article 64: AI Office

Article 65: Establishment and Structure of the European Artificial Intelligence Board

Article 66: Tasks of the Board

Article 67: Advisory Forum

Article 68: Scientific Panel of Independent Experts

Article 69: Access to the Pool of Experts by the Member States

Section 2: National Competent Authorities

Article 70: Designation of National Competent Authorities and Single Point of Contact

Chapter VIII: EU Database for High-Risk AI Systems

Article 71: EU Database for High-Risk AI Systems Listed in Annex III

Chapter IX: Post-Market Monitoring, Information Sharing, Market Surveillance

Section 1: Post-Market Monitoring

Article 72: Post-Market Monitoring by Providers and Post-Market Monitoring Plan for High-Risk AI Systems

Section 2: Sharing of Information on Serious Incidents

Article 73: Reporting of Serious Incidents

Section 3: Enforcement

Article 74: Market Surveillance and Control of AI Systems in the Union Market

Article 75: Mutual Assistance, Market Surveillance and Control of General Purpose AI Systems

Article 76: Supervision of Testing in Real World Conditions by Market Surveillance Authorities

Article 77: Powers of Authorities Protecting Fundamental Rights

Article 78: Confidentiality

Article 79: Procedure for Dealing with AI Systems Presenting a Risk at National Level

Article 80: Procedure for Dealing with AI Systems Classified by the Provider as a Not High-Risk in Application of Annex III

Article 81: Union Safeguard Procedure

Article 82: Compliant AI Systems Which Present a Risk

Article 83: Formal Non-Compliance

Article 84: Union AI Testing Support Structures

Section 4: Remedies

Article 85: Right to Lodge a Complaint with a Market Surveillance Authority

Article 86: A Right to Explanation of Individual Decision-Making

Article 87: Reporting of Breaches and Protection of Reporting Persons

Section 5: Supervision, Investigation, Enforcement and Monitoring in Respect of Providers of General Purpose AI Models

Article 88: Enforcement of Obligations on Providers of General Purpose AI Models

Article 89 : Monitoring Actions

Article 90: Alerts of Systemic Risks by the Scientific Panel

Article 91: Power to Request Documentation and Information

Article 92: Power to Conduct Evaluations

Article 93: Power to Request Measures

Article 94: Procedural Rights of Economic Operators of the General Purpose AI Model

Chapter X: Codes of Conduct and Guidelines

Article 95: Codes of Conduct for Voluntary Application of Specific Requirements

Article 96: Guidelines from the Commission on the Implementation of this Regulation

Chapter XI: Delegation of Power and Committee Procedure

Article 97: Exercise of the Delegation

Article 98: Committee Procedure

Chapter XII: Confidentiality and Penalties

Article 99: Penalties

Article 100: Administrative Fines on Union Institutions, Agencies and Bodies

Article 101: Fines for Providers of General Purpose AI Models

Chapter XIII: Final Provisions

Article 102: Amendment to Regulation (EC) No 300/2008

Article 103: Amendment to Regulation (EU) No 167/2013

Article 104: Amendment to Regulation (EU) No 168/2013

Article 105: Amendment to Directive 2014/90/EU

Article 106: Amendment to Directive (EU) 2016/797

Article 107: Amendment to Regulation (EU) 2018/858

Article 108: Amendment to Regulation (EU) 2018/1139

Article 109: Amendment to Regulation (EU) 2019/2144

Article 110: Amendment to Directive (EU) 2020/1828

Article 111: AI Systems Already Placed on the Market or put into Service

Article 112: Evaluation and Review

Article 113: Entry into Force and Application

Annexes

Annex I: List of Union Harmonisation Legislation

Annex II: List of Criminal Offences

Annex III: High-Risk AI Systems

Annex IV: Technical Documentation

Annex V: EU Declaration of Conformity

Annex VI: Conformity Assessment Procedure Based on Internal Control

Annex VII: Conformity Based on Assessment of Quality Management System and Assessment of Technical Documentation

Annex VIII: Information to be Submitted upon the Registration of High-Risk AI Systems

Annex IX: Information to be Submitted upon the Registration of High-Risk AI Systems

Annex X: Union Legislation on Large-Scale IT Systems in the Area of Freedom, Security and Justice

Annex XI: Technical Documentation Referred to in Article 53(1a)

Annex XII: Transparency Information Referred to in Article 53(1b)

Annex XIII: Criteria for the Designation of General Purpose AI models with Systemic Risk

Search within the Act

article

Part of Chapter I: General Provisions

Article 3: Definitions

Feedback – We are working to improve this tool. Please send feedback to Risto Uuk at risto@futureoflife.org

For the purpose of this Regulation, the following definitions apply:

(1) ‘AI system’ means a machine-based system designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments;

(1a) ‘risk’ means the combination of the probability of an occurrence of harm and the severity of that harm;

(2) ‘provider’ means a natural or legal person, public authority, agency or other body that develops an AI system or a general purpose AI model or that has an AI system or a general purpose AI model developed and places them on the market or puts the system into service under its own name or trademark, whether for payment or free of charge;

(4) ‘deployer means any natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity;

(5) ‘authorised representative’ means any natural or legal person located or established in the Union who has received and accepted a written mandate from a provider of an AI system or a general purpose AI model to, respectively, perform and carry out on its behalf the obligations and procedures established by this Regulation;

(6) ‘importer’ means any natural or legal person located or established in the Union that places on the market an AI system that bears the name or trademark of a natural or legal person established outside the Union;

(7) ‘distributor’ means any natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union market;

(8) ‘operator’ means the provider, the product manufacturer, the deployer, the authorised representative, the importer or the distributor;

(9) ‘placing on the market’ means the first making available of an AI system or a general purpose AI model on the Union market;

(10) ‘making available on the market’ means any supply of an AI system or a general purpose AI model for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;

(11) ‘putting into service’ means the supply of an AI system for first use directly to the deployer or for own use in the Union for its intended purpose;

(12) ‘intended purpose’ means the use for which an AI system is intended by the provider, including the specific context and conditions of use, as specified in the information supplied by the provider in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation;

(13) ‘reasonably foreseeable misuse’ means the use of an AI system in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems, including other AI systems;

(14) ‘safety component of a product or system’ means a component of a product or of a system which fulfils a safety function for that product or system, or the failure or malfunctioning of which endangers the health and safety of persons or property;

(15) ‘instructions for use’ means the information provided by the provider to inform the user of in particular an AI system’s intended purpose and proper use;

(16) ‘recall of an AI system’ means any measure aimed at achieving the return to the provider or taking it out of service or disabling the use of an AI system made available to deployers;

(17) ‘withdrawal of an AI system’ means any measure aimed at preventing an AI system in the supply chain being made available on the market;

(18) ‘performance of an AI system’ means the ability of an AI system to achieve its intended purpose;

(19) ‘notifying authority’ means the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring;

(20) ‘conformity assessment’ means the process of demonstrating whether the requirements set out in Chapter III, Section 2 of this Regulation relating to a high-risk AI system have been fulfilled;

(21) ‘conformity assessment body’ means a body that performs third-party conformity assessment activities, including testing, certification and inspection;

(22) ‘notified body’ means a conformity assessment body notified in accordance with this Regulation and other relevant Union harmonisation legislation;

(23) ‘substantial modification’ means a change to the AI system after its placing on the market or putting into service which is not foreseen or planned in the initial conformity assessment by the provider and as a result of which the compliance of the AI system with the requirements set out in Chapter III, Section 2 of this Regulation is affected or results in a modification to the intended purpose for which the AI system has been assessed;

(24) ‘CE marking of conformity’ (CE marking) means a marking by which a provider indicates that an AI system is in conformity with the requirements set out in Chapter III, Section 2 of this Regulation and other applicable Union legislation harmonising the conditions for the marketing of products (‘Union harmonisation legislation’) providing for its affixing;

(25) ‘post-market monitoring system’ means all activities carried out by providers of AI systems to collect and review experience gained from the use of AI systems they place on the market or put into service for the purpose of identifying any need to immediately apply any necessary corrective or preventive actions;

(26) ‘market surveillance authority’ means the national authority carrying out the activities and taking the measures pursuant to Regulation (EU) 2019/1020;

(27) ‘harmonised standard’ means a European standard as defined in Article 2(1)(c) of Regulation (EU) No 1025/2012;

(28) ‘common specification’ means a set of technical specifications, as defined in point 4 of Article 2 of Regulation (EU) No 1025/2012 providing means to comply with certain requirements established under this Regulation;

(29) ‘training data’ means data used for training an AI system through fitting its learnable parameters;

(30) ‘validation data’ means data used for providing an evaluation of the trained AI system and for tuning its non-learnable parameters and its learning process, among other things, in order to prevent underfitting or overfitting; whereas the validation dataset is a separate dataset or part of the training dataset, either as a fixed or variable split;

(31) ‘testing data’ means data used for providing an independent evaluation of the AI system in order to confirm the expected performance of that system before its placing on the market or putting into service;

(32) ‘input data’ means data provided to or directly acquired by an AI system on the basis of which the system produces an output;

(33) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, such as facial images or dactyloscopic data;

(33a) ‘biometric identification’ means the automated recognition of physical, physiological, behavioural, and psychological human features for the purpose of establishing an individual’s identity by comparing biometric data of that individual to stored biometric data of individuals in a database;

(33c) ‘biometric verification’ means the automated verification of the identity of natural persons by comparing biometric data of an individual to previously provided biometric data (one-to-one verification, including authentication);

(33d) ‘special categories of personal data’ means the categories of personal data referred to in Article 9(1) of Regulation (EU) 2016/679, Article 10 of Directive (EU) 2016/680 and Article 10(1) of Regulation (EU) 2018/1725;

(33e) ‘sensitive operational data’ means operational data related to activities of prevention, detection, investigation and prosecution of criminal offences, the disclosure of which can jeopardise the integrity of criminal proceedings.

(34) ‘emotion recognition system’ means an AI system for the purpose of identifying or inferring emotions or intentions of natural persons on the basis of their biometric data;

(35) ‘biometric categorisation system’ means an AI system for the purpose of assigning natural persons to specific categories on the basis of their biometric data unless ancillary to another commercial service and strictly necessary for objective technical reasons;

(36) ‘remote biometric identification system’ means an AI system for the purpose of identifying natural persons, without their active involvement, typically at a distance through the comparison of a person’s biometric data with the biometric data contained in a reference database;

(37) ‘‘real-time’ remote biometric identification system’ means a remote biometric identification system whereby the capturing of biometric data, the comparison and the identification all occur without a significant delay. This comprises not only instant identification, but also limited short delays in order to avoid circumvention.

(38) ‘‘post’ remote biometric identification system’ means a remote biometric identification system other than a ‘real-time’ remote biometric identification system;

(39) ‘publicly accessible space’ means any publicly or privately owned physical place accessible to an undetermined number of natural persons, regardless of whether certain conditions for access may apply, and regardless of the potential capacity restrictions;

(40) ‘law enforcement authority’ means:

(a) any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or

(b) any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

(41) ‘law enforcement’ means activities carried out by law enforcement authorities or on their behalf for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

(42) ‘Artificial Intelligence Office’ means the Commission’s function of contributing to the implementation, monitoring and supervision of AI systems, general purpose AI models and AI governance. References in this Regulation to the Artificial Intelligence office shall be understood as references to the Commission.

(43) ‘national competent authority’ means any of the following: the notifying authority and the market surveillance authority. As regards AI systems put into service or used by EU institutions, agencies, offices and bodies, any reference to national competent authorities or market surveillance authorities in this Regulation shall be understood as referring to the European Data Protection Supervisor;

(44) ‘serious incident’ means any incident or malfunctioning of an AI system that directly or indirectly leads to any of the following:

(a) the death of a person or serious damage to a person’s health;

(b) a serious and irreversible disruption of the management and operation of critical infrastructure.

(ba) breach of obligations under Union law intended to protect fundamental rights;

(bb) serious damage to property or the environment.

(44a) ‘personal data’ means personal data as defined in Article 4, point (1) of Regulation (EU) 2016/679 ;

(44c) ‘non-personal data’ means data other than personal data as defined in point (1) of Article 4 of Regulation (EU) 2016/679;

(be) ‘profiling’ means any form of automated processing of personal data as defined in point (4) of Article 4 of Regulation (EU) 2016/679; or in the case of law enforcement authorities – in point 4 of Article 3 of Directive (EU) 2016/680 or, in the case of Union institutions, bodies, offices or agencies, in point 5 Article 3 of Regulation (EU) 2018/1725;

(bf) ‘real world testing plan’ means a document that describes the objectives, methodology, geographical, population and temporal scope, monitoring, organisation and conduct of testing in real world conditions;

(44 eb) ‘sandbox plan’ means a document agreed between the participating provider and the competent authority describing the objectives, conditions, timeframe, methodology and requirements for the activities carried out within the sandbox.

(bg) ‘AI regulatory sandbox’ means a concrete and controlled framework set up by a competent authority which offers providers or prospective providers of AI systems the possibility to develop, train, validate and test, where appropriate in real world conditions, an innovative AI system, pursuant to a sandbox plan for a limited time under regulatory supervision.

(bh) ‘AI literacy’ refers to skills, knowledge and understanding that allows providers, users and affected persons, taking into account their respective rights and obligations in the context of this Regulation, to make an informed deployment of AI systems, as well as to gain awareness about the opportunities and risks of AI and possible harm it can cause.

(bi) ‘testing in real world conditions’ means the temporary testing of an AI system for its intended purpose in real world conditions outside of a laboratory or otherwise simulated environment with a view to gathering reliable and robust data and to assessing and verifying the conformity of the AI system with the requirements of this Regulation; testing in real world conditions shall not be considered as placing the AI system on the market or putting it into service within the meaning of this Regulation, provided that all conditions under Article 57 or Article 60 are fulfilled;

(bj) ‘subject’ for the purpose of real world testing means a natural person who participates in testing in real world conditions;

(bk) ‘informed consent’ means a subject’s freely given, specific, unambiguous and voluntary expression of his or her willingness to participate in a particular testing in real world conditions, after having been informed of all aspects of the testing that are relevant to the subject’s decision to participate;

(bl) “deep fake” means AI generated or manipulated image, audio or video content that resembles existing persons, objects, places or other entities or events and would falsely appear to a person to be authentic or truthful

(44e) ‘widespread infringement’ means any act or omission contrary to Union law that protects the interest of individuals:

(a) which has harmed or is likely to harm the collective interests of individuals residing in at least two Member States other than the Member State, in which:

(i) the act or omission originated or took place;

(ii) the provider concerned, or, where applicable, its authorised representative is established; or,

(iii) the deployer is established, when the infringement is committed by the deployer;

(b) which protects the interests of individuals, that have caused, cause or are likely to cause harm to the collective interests of individuals and that have common features, including the same unlawful practice, the same interest being infringed and that are occurring concurrently, committed by the same operator, in at least three Member States;

(44h) ‘critical infrastructure’ means an asset, a facility, equipment, a network or a system, or a part of thereof, which is necessary for the provision of an essential service within the meaning of Article 2(4) of Directive (EU) 2022/2557;

(44b) ‘general purpose AI model’ means an AI model, including when trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable to competently perform a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications. This does not cover AI models that are used before release on the market for research, development and prototyping activities.

(44c) ‘high-impact capabilities’ in general purpose AI models means capabilities that match or exceed the capabilities recorded in the most advanced general purpose AI models.

(44d) ‘systemic risk at Union level’ means a risk that is specific to the high-impact capabilities of general purpose AI models, having a significant impact on the internal market due to its reach, and with actual or reasonably foreseeable negative effects on public health, safety, public security, fundamental rights, or the society as a whole, that can be propagated at scale across the value chain.

(44e) ‘general purpose AI system’ means an AI system which is based on a general purpose AI model , that has the capability to serve a variety of purposes, both for direct use as well as for integration in other AI systems;

(44f) ’floating-point operation’ means any mathematical operation or assignment involving floating-point numbers, which are a subset of the real numbers typically represented on computers by an integer of fixed precision scaled by an integer exponent of a fixed base.

(44g) ‘downstream provider’ means a provider of an AI system, including a general purpose AI system, which integrates an AI model, regardless of whether the model is provided by themselves and vertically integrated or provided by another entity based on contractual relations.

The text used in this tool is the ‘Artificial Intelligence Act, Text of the provisional agreement, 2 February 2024’, which was officially announced in this press release. Interinstitutional File: 2021/0106(COD)

Where new Articles have been added in later versions, and important fixes have been made, these changes have been replicated in the AI Act Explorer too. Also, in the 'Texts Adopted' from March 2024, many items were re-named or re-numbered, and items in the AI Act Explorer were updated accordingly. This means the content on our site no longer matches exactly with any official AI Act draft – it is a hybrid of multiple drafts. If you find an important update in a later draft that has not been updated in our tool, please let us know.

When a final draft is available, all of the text in the AI Act Explorer will be updated to reflect it.