AI Summary
- High-risk deadlines shift to December 2027 under the Digital Omnibus; transparency obligations apply August 2026.
- AI outputs used in the EU trigger obligations regardless of provider location.
- Article 10 mandates eight data governance practices covering annotation, bias detection, and gap analysis.
- Obligations scale by risk tier: bans, conformity assessments, transparency disclosures, or none.
- Data quality is now a legal requirement that cascades contractually to annotation and labelling partners.
Introduction
The EU AI Act is now law, and its core enforcement deadline is weeks away. If your organisation develops, deploys, or integrates AI systems that touch the European market, the regulation applies to you regardless of where your company is headquartered.
The sections below walk through the Act's structure, risk tiers, affected use cases, and the compliance timeline as amended by the May 2026 Digital Omnibus.
What Is the EU AI Act?
Adopted on 21 May 2024 and in force since 1 August 2024, the EU AI Act is the first regulation to classify and govern AI systems across an entire single market. It determines what you can build, how you must build it, and what you owe your users and regulators after deployment.
The Act doesn't regulate AI as a technology. It regulates AI applications based on the harm they can cause to individuals' health, safety, and fundamental rights. A spam filter and a hiring algorithm are both AI systems, but the Act treats them very differently.
What Does the EU AI Act Mean for Businesses?
For organisations already running AI in production, the Act introduces a compliance layer that touches the full lifecycle: training data governance, technical documentation, risk management, human oversight design, and post-market monitoring. The depth of those requirements depends on where your system falls in the Act's four-tier risk classification.
Unacceptable risk: Banned outright. Practices like social scoring, untargeted facial recognition scraping, subliminal manipulation, and workplace emotion recognition are prohibited under Article 5. These prohibitions have been enforceable since February 2025.
High risk: Regulated with conformity requirements. AI systems used for hiring decisions, credit scoring, biometric identification, educational assessment, and safety-critical infrastructure fall here. Providers must conduct conformity assessments, maintain risk management systems, and register their systems in the EU database before deployment.
Limited risk: Transparency obligations. Chatbots, deepfake generators, and other AI systems that interact directly with people must disclose that fact. Article 50 requires providers to design systems so users know they're interacting with AI, and deployers of deepfakes must label synthetic content. These transparency obligations apply across all risk tiers — a high-risk system that interacts with people carries Article 50 duties on top of its conformity requirements.
Minimal risk: Unregulated. Most AI applications currently on the market (recommendation engines, spam filters, AI-assisted video games) carry no specific obligations, though voluntary codes of conduct are encouraged.
The penalties: up to EUR 35 million or 7% of global annual turnover for prohibited-practice violations, EUR 15 million or 3% for non-compliance with high-risk or transparency obligations, and EUR 7.5 million or 1% for supplying incorrect information to authorities. For SMEs and small mid-cap companies, the lower of the two amounts in each tier applies rather than the higher.
Who Is Affected by the EU AI Act?
The Act assigns obligations based on your role in the AI value chain, not your geography. Four roles matter.
Providers develop AI systems (or have them developed) and place them on the market under their own name. They carry the bulk of compliance obligations for high-risk systems: risk management, data governance, technical documentation, conformity assessment, post-market monitoring, and quality management systems. If you train models, fine-tune foundation models for specific applications, or build AI-powered products, you are likely a provider.
Deployers use AI systems in a professional capacity. If your organisation licenses a third-party AI tool for hiring, fraud detection, or customer service, you're a deployer. Deployers must implement human oversight, retain system logs, comply with transparency obligations towards affected individuals, and conduct fundamental rights impact assessments before deployment in sensitive use cases like creditworthiness or public-sector decisions.
Importers and distributors bring AI systems into the EU market or make them available within it. They must verify that upstream providers have completed conformity assessments and that systems carry the required CE marking.
The Act also has extraterritorial reach. If you're based outside the EU but your AI system's output is used within the bloc, you're in scope. This mirrors GDPR: the location of your servers matters less than the location of the people your system affects.
General-purpose AI (GPAI) model providers face a separate set of obligations: technical documentation, copyright compliance, and training data transparency. Models classified as presenting systemic risk (currently benchmarked at 10^25 FLOPs of training compute) must also conduct adversarial testing, report incidents to the AI Office, and meet cybersecurity standards for model weights and infrastructure.
What Use Cases Are Affected?
The Act's Annex III lists eight domains where AI systems are presumptively classified as high-risk. An Article 6(3) filter allows providers to self-assess a system as non-high-risk if it performs only a narrow procedural or preparatory task that does not materially influence the relevant decision, but the exception is read strictly and any system that profiles natural persons is always high-risk regardless.
Biometrics: Remote biometric identification (beyond simple verification), biometric categorisation by sensitive attributes, and emotion recognition systems.
Critical infrastructure: AI used as a safety component in managing digital infrastructure, road traffic, and the supply of water, gas, heating, or electricity.
Education: Systems that determine admission, evaluate learning outcomes, steer learning processes, or monitor student behaviour during examinations.
Employment: AI used for recruitment screening, candidate evaluation, targeted job advertising, performance monitoring, promotion or termination decisions, and task allocation based on personal traits.
Essential public and private services: AI that assesses eligibility for public benefits, evaluates creditworthiness, prices health or life insurance, or triages emergency calls.
Law enforcement: Risk assessment tools, evidence evaluation systems, profiling during criminal investigations, and polygraph-adjacent technologies.
Migration and border control: Risk assessments for irregular migration, examination of visa and asylum applications, and identification of individuals at borders.
Administration of justice: AI used to research or interpret legal facts, support alternative dispute resolution, or influence electoral outcomes.
If your AI system touches any of these domains, the high-risk obligations presumptively apply (subject to the Article 6(3) filter described above). To quickly assess whether your specific use case is affected and what your obligations are, try our EU AI Act skill, an interactive tool that walks you through the key questions.
What Are the Obligations?
For high-risk AI systems, the Act requires providers to build compliance into the system from development through retirement.
Risk management: Establish and maintain a documented risk management system throughout the AI system's lifecycle, identifying and mitigating risks to health, safety, and fundamental rights.
Data governance (Article 10): Ensure training, validation, and testing datasets meet eight governance practices and five quality standards before the system reaches the market. This obligation is detailed enough to warrant its own section below.
Technical documentation: Prepare documentation sufficient for authorities to assess compliance, covering system architecture, training processes, and evaluation results.
Logging and traceability: Design systems to automatically record events that enable post-deployment risk identification.
Human oversight: Build systems so that human operators can oversee AI outputs, intervene when necessary, and override or shut down the system. If your team already runs human-in-the-loop workflows, the Act codifies what you're doing; if not, you'll need to design for it.
Accuracy, reliability, and cybersecurity: Meet appropriate benchmarks for each, documented and testable.
Conformity assessment: Before placing a high-risk system on the market, complete an assessment (self-assessment for most Annex III systems, third-party for biometric identification and categorisation when harmonised standards have not been applied).
Deployers carry their own obligations: implementing the human oversight measures providers designed, retaining system logs, informing affected individuals, and conducting data protection or fundamental rights impact assessments where required.
What About Non-High-Risk Systems?
Not every AI system triggers the full compliance regime above. Limited-risk systems (chatbots, deepfake generators, generative AI tools) face transparency obligations under Article 50: providers must design them so users know they're interacting with AI, and outputs must be marked as machine-generated in a detectable, machine-readable format. Deployers who publish AI-generated text on matters of public interest, or who use deepfakes, must disclose that the content is synthetic.
Minimal-risk systems carry no specific obligations under the Act. Most AI applications on the market today fall into this category. However, all organisations using AI in any capacity are subject to the AI literacy requirement (in effect since February 2025), which requires organisations to take appropriate measures to promote AI literacy among staff who work with AI systems — an obligation of effort under the Omnibus amendment, not a guarantee of any specific competency level.
What Does Article 10 Require for Training Data?
Article 10 is the most prescriptive obligation in Chapter III. It specifies eight governance practices that providers must apply to training, validation, and testing datasets: documenting data design choices and their rationale, recording data collection processes and source provenance, documenting preparation operations (annotation, labelling, cleaning, enrichment, aggregation), stating assumptions about what the data measures, assessing data availability and suitability before development begins, examining datasets for biases that could affect health, safety, or fundamental rights, implementing and testing bias mitigation measures, and identifying data gaps that prevent regulatory compliance.
It also sets five quality standards: datasets must be relevant, sufficiently representative, free of errors to the best extent possible, complete in view of the intended purpose, and statistically appropriate for the people on whom the system will be used. Data must reflect the geographical, behavioural, and functional context of the deployment setting.
For bias detection, Article 10(5) creates a legal basis for processing sensitive personal data (race, health data, sexual orientation, and other GDPR Article 9 categories) under six strict cumulative conditions. The Digital Omnibus expands this permission beyond high-risk system providers through a new Article 4a, covering deployers, non-high-risk system providers, and GPAI model providers — though it creates no positive obligation to use sensitive data for bias testing.
These requirements will flow down contractually. High-risk AI system providers will need documented annotation guidelines, annotator qualifications, inter-annotator agreement metrics, and quality assurance records, which means their data annotation and labelling partners must be prepared to supply that evidence.
What Is the Timeline?
The Act's enforcement is staggered, and recent amendments have shifted several key dates.
Already in effect (February 2025): Prohibited AI practices under Article 5 and AI literacy obligations. If your organisation uses AI, you should already have an AI literacy programme in place.
August 2025: GPAI model provider obligations took effect. If you provide or fine-tune general-purpose models, compliance is already required.
2 August 2026: Transparency obligations under Article 50 apply. All AI systems interacting with people must disclose that they are AI. Synthetic content must be machine-readably marked, with a short deferral to December 2026 for marking/watermarking obligations on systems already on the market.
2 December 2027: Under the Digital Omnibus agreement reached in May 2026, high-risk obligations for stand-alone Annex III systems (employment, credit scoring, education, etc.) are deferred from August 2026 to this date, a 16-month extension.
2 August 2028: High-risk obligations for AI systems embedded in regulated products under Annex I Section A (medical devices, radio equipment, and other harmonised-legislation products) apply. The Omnibus moved the Machinery Regulation to Annex I Section B, where sectoral rules take primacy over the AI Act's full high-risk regime.
Conclusion
The Omnibus deferral buys time, but not as much as it appears. Sixteen months is short once you account for conformity assessments, documentation build-out, and the organisational work of standing up a risk management system. Organisations that treat the deferral as a reason to postpone will find themselves in the same position GDPR laggards were in during spring 2018.
The Article 10 data governance requirements deserve particular attention. They turn training data management into a regulatory audit trail, and the documentation burden will reach annotation partners, labelling providers, and upstream GPAI model providers through contractual demands. For teams already operating with strong data foundations, much of what Article 10 requires is formalising existing practice. For everyone else, the compliance effort doubles as technical debt reduction.
To find out how the Act applies to your specific AI system, try our EU AI Act skill. It walks you through the classification, identifies your role, and maps your obligations.
Frequently Asked Questions
My company is based outside the EU. How does the EU AI Act affect me?
The Act applies to any organisation whose AI system is placed on the EU market or whose output is used by people in the EU, regardless of where the company is headquartered. Where your servers sit is irrelevant; what matters is where the AI's effects are felt.
What are the consequences for not adhering to the EU AI Act?
Fines of up to EUR 35 million or 7% of global turnover for prohibited practices, EUR 15 million or 3% for non-compliance with high-risk or transparency obligations, and EUR 7.5 million or 1% for supplying incorrect information (lower-of-the-two for SMEs). National authorities can also order non-compliant systems withdrawn from the market.
What are the key dates for adhering to the EU AI Act?
February 2025: prohibited practices and AI literacy. August 2025: GPAI model obligations. August 2026: transparency (Article 50). December 2027: high-risk Annex III systems (deferred by the Digital Omnibus). August 2028: high-risk AI in regulated products.
What aspects of the AI training lifecycle does the EU AI Act apply to?
Everything from dataset design through post-deployment monitoring. Article 10 covers training, validation, and testing data. Risk management (Article 9) runs from development through retirement. Logging, incident reporting, and post-market monitoring (Article 72) continue after deployment and may require revisiting data governance compliance when new issues surface. Rule-based systems that don't involve model training still face Article 10 requirements on their testing data.
My company fine-tunes or prompt-engineers an external AI model. How are we affected?
Prompt engineering and few-shot learning don't modify model parameters, so you're a deployer of the AI system. But building a product on the model under your own name or changing its intended purpose makes you a provider under Article 25, regardless of compute used. These are the most common paths to provider status for downstream users. Separately, fine-tuning that exceeds roughly one-third of the original training compute is an indicative criterion from non-binding Commission guidelines for when you may also become a GPAI model provider, with obligations including technical documentation and a publicly available training data summary.
My company uses AI only for internal operations. Are we still affected?
Yes. The Act defines a deployer as anyone using AI "under its authority" in a professional capacity. Internal use qualifies. Your obligations depend on the system's risk classification: an internal chatbot triggers transparency rules, while an internal hiring-screening tool is high-risk under Annex III.
Need Help Preparing Your AI Data Operations for EU AI Act Compliance?
The EU AI Act requires documented data governance, quality management, and human oversight for high-risk AI systems. Kili Technology provides the annotation and evaluation infrastructure with full traceability — from annotator-level audit trails to configurable quality workflows — that helps enterprise AI teams demonstrate compliance with the Act’s data governance requirements.
.png)

![Best On-Premise Data Labeling Platforms for Regulated Industries [2026] Guide](https://cdn.prod.website-files.com/68da32b2041c593b0511a582/6a574849a90d08dc8b9b547d_Competitor%20Article%20-%20Listicle%201%20(2).webp)

