
EU AI Act High-Risk AI Obligations: Compliance Deadlines and What They Require

A structured reference covering the EU AI Act's high-risk AI system obligations, the August 2025 compliance deadline for providers and deployers, and what each obligation category requires in practice.

Entry details

Effective date / deadline
2025-08-02

Overview

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024. Its obligations are phased across multiple dates. The deadline most immediately relevant to organizations deploying AI in legal, HR, credit, education, and other high-stakes contexts is 2 August 2025 — when the full set of obligations for providers and deployers of high-risk AI systems listed in Annex III becomes enforceable.

This entry maps what those obligations are, who they bind, and how they differ between providers (those who place systems on the market) and deployers (those who put systems into service within their own operations). It also notes the earlier prohibition deadline that preceded it and the later GPAI obligations that follow.

Implementation Timeline

The Act structures its rollout across four distinct dates. Each phase activates a different tier of obligations.

EU AI Act phased implementation schedule. Source: Regulation (EU) 2024/1689, Articles 113–114.
| Date | What Activates | Who Is Bound |
|---|---|---|
| 1 Aug 2024 | Act enters into force; EU AI Office established | All parties (awareness/preparation phase) |
| 2 Feb 2025 | Prohibited AI practices (Article 5) become enforceable; AI literacy obligations (Article 4) apply | All providers and deployers in EU market |
| 2 Aug 2025 | High-risk AI obligations (Annex III systems) fully enforceable; GPAI model obligations begin | Providers and deployers of Annex III high-risk systems; GPAI model providers |
| 2 Aug 2026 | High-risk AI obligations extend to systems listed in Annex I (regulated product safety legislation) | Providers of embedded high-risk AI in regulated products (medical devices, machinery, vehicles, etc.) |
| 2 Aug 2027 | Obligations apply to high-risk AI systems that are components of large-scale EU IT systems | Providers of AI used in Schengen, Eurodac, and related systems |

What Counts as a High-Risk AI System Under Annex III

Annex III lists eight categories. Not every AI system that touches these domains is automatically high-risk — Article 6(3) provides a self-assessment pathway through which providers can determine that a system, despite falling within an Annex III category, does not pose significant risk. But that determination must be documented and registered.

  • Biometric identification and categorization of natural persons
  • Management and operation of critical infrastructure
  • Education and vocational training (e.g., exam scoring, student assessment)
  • Employment, workers management, and access to self-employment (e.g., CV screening, performance monitoring)
  • Access to and enjoyment of essential private services and public services and benefits (e.g., credit scoring, insurance risk assessment)
  • Law enforcement (e.g., predictive policing, evidence evaluation)
  • Migration, asylum, and border control management
  • Administration of justice and democratic processes (e.g., AI assisting courts in fact-finding or applying law to facts)

The eighth category — administration of justice — is directly relevant to legal AI tools. AI systems that assist courts or tribunals in researching and interpreting the law or applying the law to facts fall within Annex III(8). Tools used purely for administrative tasks (scheduling, document formatting) are not captured, but tools that generate legal analysis intended to inform judicial or quasi-judicial decisions likely are.

Core Obligations for Providers of High-Risk AI Systems

"Provider" under the Act means the entity that develops or has a system developed and places it on the EU market or puts it into service. This includes vendors selling AI tools to law firms, courts, or government agencies.

Risk Management System (Article 9)

Providers must establish, implement, document, and maintain a risk management system throughout the lifecycle of the AI system. This is an ongoing process, not a one-time audit. It must identify and analyze known and reasonably foreseeable risks, estimate and evaluate those that may emerge during use, and adopt appropriate risk mitigation measures.

Data and Data Governance (Article 10)

Training, validation, and testing datasets must meet quality criteria: relevance, representativeness, freedom from errors, and completeness. Providers must implement data governance practices and document the data collection and preparation processes. Bias examination is explicitly required where the system may produce discriminatory outputs.

Technical Documentation (Article 11 and Annex IV)

Providers must prepare and maintain technical documentation before placing the system on the market. Annex IV specifies what this must contain: general description of the system, its intended purpose, the version history, description of the elements of the system and development process, information on training methodologies and datasets, accuracy metrics, and known limitations.

Transparency and Instructions for Use (Article 13)

High-risk AI systems must be designed to be sufficiently transparent that deployers can interpret outputs and use them appropriately. Instructions for use must include: the identity and contact details of the provider, the system's capabilities and limitations, the level of accuracy and robustness, any known circumstances that may lead to risks, human oversight measures, and expected lifetime of the system.

Human Oversight (Article 14)

This is one of the most operationally demanding requirements. High-risk AI systems must be designed so that natural persons can oversee them during use. The system must allow the person responsible for oversight to understand the system's capabilities and limitations, detect and address anomalies, disregard or override outputs, and intervene or interrupt operation.

Accuracy, Robustness, and Cybersecurity (Article 15)

Systems must achieve appropriate levels of accuracy, robustness, and cybersecurity throughout their lifecycle. The technical documentation must specify the accuracy metrics used and the level achieved. For systems that continue learning after deployment, providers must address the risk of feedback loops and bias accumulation.

Conformity Assessment and CE Marking (Articles 16, 43)

Before placing a high-risk AI system on the EU market, providers must complete a conformity assessment. For most Annex III systems, this is a self-assessment procedure — providers assess conformity against the requirements in Articles 9–15, compile the technical documentation, and register the system in the EU database. CE marking applies where the AI system is also subject to other EU harmonized legislation (e.g., medical device regulation). Third-party assessment by a notified body is mandatory only for biometric identification systems not used for law enforcement.

EU Database Registration (Article 71)

Providers of Annex III high-risk AI systems must register the system in the EU database before placing it on the market. The database is maintained by the EU AI Office. Registration requires providing the information specified in Annex VIII, including system name, version, intended purpose, risk category, conformity assessment procedure used, and contact details.

Obligations for Deployers of High-Risk AI Systems

"Deployer" means any entity using a high-risk AI system under its own authority — a law firm using a vendor's AI tool, a court using a legal research platform, or an HR department using an AI hiring tool. Deployer obligations are distinct from provider obligations and are often underappreciated in compliance planning.

Deployer obligations under EU AI Act Article 26. Effective 2 August 2025 for Annex III systems.
| Obligation | Article | What Deployers Must Do |
|---|---|---|
| Technical and organizational measures | Art. 26(1) | Implement measures described in the provider's instructions for use |
| Human oversight assignment | Art. 26(2) | Assign human oversight to competent persons with necessary authority and resources |
| Fundamental rights impact assessment | Art. 27 | Conduct and document an FRIA before deploying systems in certain contexts (public bodies and private entities providing public services) |
| Logging and recordkeeping | Art. 26(6) | Retain logs generated by the system for at least 6 months (where technically feasible and under deployer control) |
| Worker and individual notification | Art. 26(7) | Inform workers and individuals subject to decisions made with the system, in accordance with applicable law |
| Incident reporting | Art. 26(5) | Report serious incidents to the provider and relevant market surveillance authority |
| Suspension of use | Art. 26(3) | Suspend or discontinue use if the system presents a risk; cooperate with authorities |

Penalties for Non-Compliance

The Act establishes a tiered penalty structure. Violations of the high-risk AI obligations in Articles 9–15 carry fines of up to €15 million or 3% of total worldwide annual turnover, whichever is higher. Violations of the prohibited practices in Article 5 carry fines up to €35 million or 7% of worldwide turnover. Providing incorrect or misleading information to national authorities carries fines up to €7.5 million or 1% of turnover.

For SMEs and startups, the applicable fine is the lower of the percentage-based cap or the fixed-amount cap. National market surveillance authorities are responsible for enforcement within each member state; the EU AI Office has enforcement competence for GPAI model providers and for systemic risk cases.

Relationship to GDPR and Existing Compliance Frameworks

The AI Act does not replace GDPR. Both apply concurrently to high-risk AI systems that process personal data. In practice, the Article 10 data governance requirements and the Article 27 FRIA overlap with GDPR Article 35 DPIAs, but they are not identical. Organizations should map the two frameworks against each other rather than assuming one satisfies the other.

For legal AI tools specifically, there is also potential interaction with confidentiality obligations under national bar rules and attorney-client privilege. The Act's transparency and logging requirements could create tension with privilege claims if log data contains client-identifying information. This intersection has not yet been addressed in guidance from the EU AI Office as of the current date.

Status as of Q2 2026

The 2 August 2025 deadline has passed. National market surveillance authorities across EU member states are in varying stages of readiness. The EU AI Office published its first set of guidelines on prohibited AI practices in February 2025, and guidance on high-risk AI system obligations has been released in draft and final form through 2025. The EU database for high-risk AI systems was opened for registration ahead of the August 2025 deadline.

Primary Source

Providers of high-risk AI systems listed in Annex III shall, before placing those systems on the market or putting them into service, ensure that those systems undergo the relevant conformity assessment procedure in accordance with Article 43.

Regulation (EU) 2024/1689, Article 16(f), OJ L 2024/1689, 12 July 2024

Full regulatory text is available at the EUR-Lex official publication of Regulation (EU) 2024/1689. The EU AI Office's compliance guidance and database registration portal are accessible through the EU AI Office official site.
