{"id":4448,"date":"2026-06-27T03:11:41","date_gmt":"2026-06-27T03:11:41","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/27\/what-does-eu-ai-act-compliance-require\/"},"modified":"2026-06-27T03:11:41","modified_gmt":"2026-06-27T03:11:41","slug":"what-does-eu-ai-act-compliance-require","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/27\/what-does-eu-ai-act-compliance-require\/","title":{"rendered":"What Does EU AI Act Compliance Require?"},"content":{"rendered":"<p>For teams <a href=\"https:\/\/www.docker.com\/blog\/what-is-ai-governance\/\" target=\"_blank\" rel=\"noreferrer noopener\">building AI-governed systems,<\/a> the EU AI Act adds compliance obligations to every stage of the development lifecycle, from documenting training data to reporting incidents in production. With phased enforcement already underway, now is the time to assess where your workflows stand.<\/p>\n<p>The EU AI Act (<a href=\"https:\/\/eur-lex.europa.eu\/eli\/reg\/2024\/1689\/oj\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Regulation (EU) 2024\/1689<\/a>) is the world\u2019s first comprehensive AI regulation. It entered into force in August 2024 with requirements rolling out in phases through 2027. 
The Act applies, among others, to any organization that places an AI system on the EU market, to deployers of AI systems established in the EU, and to organizations whose AI system\u2019s output is used in the EU, regardless of where that organization is headquartered.<\/p>\n<p>This guide covers what each risk tier requires, the full compliance timeline (including the 2026 Digital Omnibus adjustments), transparency obligations, penalties, and what compliance looks like for the teams building and operating AI systems.<\/p>\n<div class=\"wp-block-ponyo-zeta organism toc-exclude\">\n<blockquote class=\"container\">\n<h2 class=\"wp-block-ponyo-heading text-lg\">\n        Key takeaways<br \/>\n    <\/h2>\n<ul class=\"wp-block-list\">\n<li>The EU AI Act uses a four-tier risk model; your obligations depend on how your system is classified.<\/li>\n<li>Prohibited practices and GPAI rules are already in effect; high-risk deadlines run through 2027.<\/li>\n<li>Article 50 obligations on deepfake and synthetic content labeling take effect August 2, 2026.<\/li>\n<li>Penalties reach \u20ac35 million or 7% of global turnover, enforced by national authorities and the EU AI Office.<\/li>\n<\/ul>\n<\/blockquote>\n<\/div>\n<h2 class=\"wp-block-heading\"><strong>The four risk tiers<\/strong><\/h2>\n<p>The AI Act takes a risk-based approach. Every AI system falls into one of four categories, and the category determines the regulatory obligations that apply. 
This classification drives the entire compliance process.<\/p>\n<div class=\"wp-block-ponyo-image\">\n                <img data-opt-id=1109946753  fetchpriority=\"high\" decoding=\"async\" width=\"2320\" height=\"1218\" src=\"https:\/\/www.docker.com\/app\/uploads\/2026\/06\/EU-AI-Act-Risk-Classification-2320x1218.png\" class=\"fade-in\" alt=\"EU AI Act Risk Classification tiers with brief descriptions including Unacceptable risk, High risk, Limited risk, and Minimal risk.\" title=\"- EU AI Act Risk Classification\" \/>\n        <\/div>\n<h3 class=\"wp-block-heading\">1. Unacceptable risk (prohibited)<\/h3>\n<p>AI systems in this tier are banned outright under Article 5. These prohibitions have been in effect since February 2, 2025. The prohibited practices include:<\/p>\n<ul class=\"wp-block-list\">\n<li>Subliminal, manipulative, or deceptive techniques that distort behavior and cause significant harm<\/li>\n<li>Exploitation of vulnerabilities related to age, disability, or socioeconomic circumstances<\/li>\n<li>Social scoring systems that evaluate individuals based on social behavior or personal traits<\/li>\n<li>Predictive policing based solely on profiling or personality traits<\/li>\n<li>Untargeted scraping of facial images from the internet or CCTV to build facial recognition databases<\/li>\n<li>Emotion recognition in workplaces and educational institutions (except for medical or safety reasons)<\/li>\n<li>Biometric categorization to deduce or infer certain protected characteristics (except for labelling or filtering of lawfully acquired biometric datasets)<\/li>\n<li>Real-time remote biometric identification in publicly accessible spaces for law enforcement, with narrow exceptions for missing persons, imminent threats, and serious crime investigations<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\">2. High risk (regulated)<\/h3>\n<p>High-risk AI systems are subject to the most extensive compliance obligations. 
The Act identifies two paths to high-risk classification:<\/p>\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/artificialintelligenceact.eu\/annex\/1\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>Annex I systems<\/strong><\/a><strong>: <\/strong>AI used as a safety component or product covered by existing EU product safety legislation (medical devices, machinery, vehicles) that requires a third-party conformity assessment.<\/li>\n<li><a href=\"https:\/\/artificialintelligenceact.eu\/annex\/3\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>Annex III systems<\/strong><\/a><strong>: <\/strong>AI used in eight sensitive areas: biometrics, critical infrastructure, education, employment, essential public and private services, law enforcement, migration and border control, and administration of justice.<\/li>\n<\/ul>\n<p>Any AI system used to profile individuals within an Annex III use case is automatically classified as high-risk, regardless of other exemptions. 
Providers who believe their Annex III system is not high-risk must document that assessment before placing it on the market.<\/p>\n<p>This is the tier that puts the heaviest demands on your logging, testing, and documentation pipelines.<\/p>\n<div class=\"style-plain wp-block-ponyo-houston\">\n<div class=\"wp-block-ponyo-icon\">\n<\/div>\n<p><strong>Annex III exceptions: <\/strong>An AI system listed under Annex III is <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/library\/draft-commission-guidelines-classification-high-risk-ai-systems\" rel=\"nofollow noopener\" target=\"_blank\">not considered high-risk<\/a> if it performs a narrow procedural task, improves a previously completed human activity, detects decision-making patterns without replacing human judgment, or performs a preparatory task for an Annex III assessment.<\/p>\n<\/div>\n<h3 class=\"wp-block-heading\">3. Limited risk (transparency risk)<\/h3>\n<p>AI systems in this tier face requirements focused on transparency and disclosure. Under Article 50, deployers must ensure that <a href=\"https:\/\/artificialintelligenceact.eu\/article\/50\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">users know they are interacting with an AI system<\/a> (e.g., chatbots), and providers of generative AI must mark synthetic content as AI-generated. This tier is where deepfake obligations sit, covered in detail below.<\/p>\n<p>For software engineers, this comes down to marking generated content in a machine-readable way and surfacing the disclosure where users actually see it.<\/p>\n<h3 class=\"wp-block-heading\">4. Minimal risk (unregulated)<\/h3>\n<p>The majority of AI systems currently on the market, including spam filters, AI-enabled games, and recommendation engines, fall here. 
No specific regulatory obligations apply, though the Act encourages voluntary codes of conduct.<\/p>\n<h2 class=\"wp-block-heading\">The compliance timeline<\/h2>\n<p>The EU AI Act\u2019s requirements take effect in phases, not all at once. Some obligations are already enforceable. Others will not apply until late 2027.<\/p>\n<div class=\"wp-block-ponyo-table\" data-highlighted-columns=\"null\" data-highlighted-rows=\"null\">\n<table class=\"responsive-table\">\n<tbody class=\"wp-block-ponyo-table-body\" data-highlighted-columns=\"[]\" data-highlighted-rows=\"[0]\">\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Date<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>What takes effect<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>August 1, 2024<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                           
 \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>AI Act enters into force (Regulation (EU) 2024\/1689 published).<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>February 2, 2025<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Prohibited AI practices under Article 5 become unlawful. 
AI literacy obligations begin (Article 4).<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>August 2, 2025<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>General-purpose AI (GPAI) model obligations take effect (Chapter V). Governance bodies established. Penalty provisions become applicable. 
Code of Practice for GPAI published.<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>August 2, 2026<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>General date of application of the AI Act. Transparency obligations under Article 50 take effect, including deepfake labeling and synthetic content marking. 
Member States must have at least one AI regulatory sandbox operational.<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>December 2, 2026*<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Machine-readable marking obligations under Article 50(2) apply to AI systems, including GPAI systems, which have been placed on the market before August 2, 2026 (four-month grace period). 
Article 5 prohibition on AI-generated non-consensual intimate imagery and child sexual abuse material becomes applicable.<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>August 2, 2027<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Obligations for high-risk AI systems embedded in regulated products under Annex I (Article 6(1)). 
GPAI models placed on the market before August 2025 must be in compliance.<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>December 2, 2027*<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Standalone Annex III high-risk AI system requirements take full effect (risk management, conformity assessment, technical documentation, CE marking, EU database registration).<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>August 2, 2028*<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                
                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>High-risk AI systems that are components of products covered by Annex I product safety legislation.<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<div class=\"style-plain wp-block-ponyo-houston\">\n<div class=\"wp-block-ponyo-icon\">\n<\/div>\n<p><strong>*Omnibus adjustment:<\/strong> The Digital Omnibus package revised these high-risk deadlines, moving the Annex III standalone high-risk deadline from August 2026 to December 2, 2027, and the Annex I embedded high-risk deadline from August 2027 to August 2, 2028. The European Parliament approved the package on <a href=\"https:\/\/www.gibsondunn.com\/eu-ai-act-omnibus-agreement-postponed-high-risk-deadlines-and-other-key-changes\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">June 16, 2026<\/a>.<\/p>\n<\/div>\n<h2 class=\"wp-block-ponyo-heading text-lg\">\n        Obligations for high-risk systems by role<br \/>\n    <\/h2>\n<p>The EU AI Act distinguishes between providers, deployers, importers, and distributors. 
Their obligations differ by role.<\/p>\n<div class=\"wp-block-ponyo-image\">\n                <img data-opt-id=52967597  fetchpriority=\"high\" decoding=\"async\" width=\"2320\" height=\"1218\" src=\"https:\/\/www.docker.com\/app\/uploads\/2026\/06\/docker_The-Four-Operator-Roles-Under-the-EU-AI-Act-2320x1218.jpg\" class=\"fade-in\" alt=\"Definitions for the four operator roles under the EU AI Act.\" title=\"- docker The Four Operator Roles Under the EU AI Act\" \/>\n        <\/div>\n<div data-wp-context='{ \"autoclose\": false, \"accordionItems\": [] }' data-wp-interactive=\"core\/accordion\" role=\"group\" class=\"wp-block-accordion is-layout-flow wp-block-accordion-is-layout-flow\">\n<div data-wp-class--is-open=\"state.isOpen\" data-wp-context='{ \"id\": \"accordion-item-1\", \"openByDefault\": false }' data-wp-init=\"callbacks.initAccordionItems\" data-wp-on-window--hashchange=\"callbacks.hashChange\" class=\"wp-block-accordion-item is-layout-flow wp-block-accordion-item-is-layout-flow\">\n<h3 class=\"wp-block-accordion-heading\"><button aria-expanded=\"false\" aria-controls=\"accordion-item-1-panel\" data-wp-bind--aria-expanded=\"state.isOpen\" data-wp-on--click=\"actions.toggle\" data-wp-on--keydown=\"actions.handleKeyDown\" type=\"button\" class=\"wp-block-accordion-heading__toggle\"><span class=\"wp-block-accordion-heading__toggle-title\">Providers<\/span><span class=\"wp-block-accordion-heading__toggle-icon\" aria-hidden=\"true\">+<\/span><\/button><\/h3>\n<div aria-labelledby=\"accordion-item-1\" data-wp-bind--inert=\"!state.isOpen\" role=\"region\" class=\"wp-block-accordion-panel is-layout-flow wp-block-accordion-panel-is-layout-flow\">\n<p>Providers of high-risk AI systems carry the heaviest compliance burden. 
Among other obligations, they must:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Risk management system: <\/strong>Establish and maintain a risk management process throughout the AI system\u2019s lifecycle, not just at launch.<\/li>\n<li><strong>Data governance: <\/strong>Ensure that training, validation, and testing datasets are subject to appropriate data governance and management practices and are relevant, sufficiently representative, and as free of errors as possible. Where these datasets contain personal data, the GDPR also applies: you need a lawful basis, data minimization, and, for any special-category data used to detect and correct bias, the specific safeguards.<\/li>\n<li><strong>Technical documentation: <\/strong>Produce documentation that demonstrates compliance and provides authorities with the information to assess it. It shall contain, at minimum, the elements contained in Annex IV.<\/li>\n<li><strong>Record-keeping and documentation: <\/strong>Design the system to automatically log events relevant to identifying risks and tracking modifications. 
Providers must keep certain documents for up to 10 years at the disposal of the competent authorities.<\/li>\n<li><strong>Transparency and instructions for use: <\/strong>Provide deployers with clear documentation on the system\u2019s capabilities, limitations, intended use, and human oversight requirements, which allows deployers to interpret a system\u2019s output and use it appropriately.<\/li>\n<li><strong>Human oversight: <\/strong>Design the system so that deployers can implement effective human oversight during use.<\/li>\n<li><strong>Accuracy, robustness, and cybersecurity: <\/strong>Achieve appropriate performance levels across all three dimensions.<\/li>\n<li><strong>Quality management system: <\/strong>Establish and document a QMS that covers the full compliance process.<\/li>\n<li><strong>Corrective actions<\/strong>: Take necessary corrective action in case of suspected non-conformity of the AI system with the AI Act, including bringing it into conformity, withdrawing it, disabling it, or recalling it, as appropriate.<\/li>\n<li><strong>Cooperation with authorities<\/strong>: Provide competent authorities with the necessary information and documentation and give access to automatically generated logs, upon request, to demonstrate conformity of the AI system with the AI Act.<\/li>\n<li><strong>Authorized representatives<\/strong>: Providers established in third-party countries must appoint a representative established in the Union prior to making the high-risk AI system available on the Union market.<\/li>\n<li><strong>Conformity assessment: <\/strong>Ensure that the appropriate conformity assessment procedure is completed prior to placing the AI system on the market. 
Additionally, draw up an EU declaration of conformity, affix CE marking, and register the system in the EU database before placing it on the market.<\/li>\n<li><strong>Post-market monitoring<\/strong>: Providers shall establish and document a post-market monitoring system in a manner that is proportionate to the nature of the AI technologies and the risks of the high-risk AI system.<\/li>\n<li><strong>Reporting<\/strong>: Providers shall report any serious incident to the market surveillance authorities. The AI Act establishes different terms for reporting, which vary according to the incident\u2019s severity.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<div data-wp-context='{ \"autoclose\": false, \"accordionItems\": [] }' data-wp-interactive=\"core\/accordion\" role=\"group\" class=\"wp-block-accordion is-layout-flow wp-block-accordion-is-layout-flow\">\n<div data-wp-class--is-open=\"state.isOpen\" data-wp-context='{ \"id\": \"accordion-item-2\", \"openByDefault\": false }' data-wp-init=\"callbacks.initAccordionItems\" data-wp-on-window--hashchange=\"callbacks.hashChange\" class=\"wp-block-accordion-item is-layout-flow wp-block-accordion-item-is-layout-flow\">\n<h3 class=\"wp-block-accordion-heading\"><button aria-expanded=\"false\" aria-controls=\"accordion-item-2-panel\" data-wp-bind--aria-expanded=\"state.isOpen\" data-wp-on--click=\"actions.toggle\" data-wp-on--keydown=\"actions.handleKeyDown\" type=\"button\" class=\"wp-block-accordion-heading__toggle\"><span class=\"wp-block-accordion-heading__toggle-title\">Deployers<\/span><span class=\"wp-block-accordion-heading__toggle-icon\" aria-hidden=\"true\">+<\/span><\/button><\/h3>\n<div aria-labelledby=\"accordion-item-2\" data-wp-bind--inert=\"!state.isOpen\" role=\"region\" class=\"wp-block-accordion-panel is-layout-flow wp-block-accordion-panel-is-layout-flow\">\n<p>Deployers are natural or legal persons, public authorities, agencies or other bodies that use an AI system under their authority. 
Those using AI systems in the course of a personal non-professional activity are not considered deployers. Under <a href=\"https:\/\/artificialintelligenceact.eu\/article\/26\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Article 26<\/a>, deployers of high-risk systems must:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Use the system as instructed:<\/strong> Operate it the way the provider\u2019s instructions for use specify.<\/li>\n<li><strong>Assign human oversight:<\/strong> Put oversight in the hands of people with the competence and authority to exercise it.<\/li>\n<li><strong>Govern input data:<\/strong> Where the deployer controls the input data, make sure it\u2019s relevant and sufficiently representative for the system\u2019s intended purpose.<\/li>\n<li><strong>Monitor and escalate:<\/strong> Monitor the operation of the AI system, and if it starts to present a risk, notify the provider or the distributor and the market surveillance authority and suspend use.<\/li>\n<li><strong>Keep logs:<\/strong> Retain the logs the system generates automatically, to the extent they\u2019re under the deployer\u2019s control, for at least six months.<\/li>\n<li><strong>Notify the workforce:<\/strong> Tell affected workers and their representatives before a high-risk system goes live in the workplace.<\/li>\n<li><strong>Inform affected people:<\/strong> When an <a href=\"https:\/\/artificialintelligenceact.eu\/annex\/3\/\" rel=\"nofollow noopener\" target=\"_blank\">Annex III<\/a> system makes decisions, or assists in making decisions, about individuals, those individuals have to be told. 
This overlaps with GDPR transparency requirements, including where the system makes solely automated decisions with legal or similarly significant effects, so coordinate the AI Act notice with your GDPR notices.<\/li>\n<li><strong>Support data protection assessments:<\/strong> Use the information the provider supplies to meet any data protection impact assessment obligation under the GDPR.<\/li>\n<li><strong>Cooperate with authorities:<\/strong> Work with competent authorities on any action they take regarding the system.<\/li>\n<li><strong>Register, if public:<\/strong> Public authorities must register the deployment in the <a href=\"https:\/\/artificialintelligenceact.eu\/article\/71\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">EU database<\/a> and shall not run a system that isn\u2019t registered.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/artificialintelligenceact.eu\/article\/27\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Article 27<\/a> adds a fundamental rights impact assessment for a narrower group: public bodies, private entities providing public services, and deployers using Annex III systems for credit scoring or insurance pricing. Before first use, they document how the system will be used, who it could affect, the risks involved, and the human oversight in place, then file the results with the market surveillance authority.<\/p>\n<p>For engineering teams, most of these duties come down to monitoring, log retention, and the ability to suspend a system fast. They get solved in your infrastructure, not in a policy document.<\/p>\n<div class=\"style-plain wp-block-ponyo-houston\">\n<div class=\"wp-block-ponyo-icon\">\n<\/div>\n<p><strong>Important: <\/strong>Under the EU AI Act, operators in the AI value chain can be considered both providers and deployers. 
Put your name on a high-risk system, modify one substantially, or repurpose a non-high-risk system into a high-risk use, and you\u2019re reclassified as a provider with the full obligation set (Article 25).<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div data-wp-context='{ \"autoclose\": false, \"accordionItems\": [] }' data-wp-interactive=\"core\/accordion\" role=\"group\" class=\"wp-block-accordion is-layout-flow wp-block-accordion-is-layout-flow\">\n<div data-wp-class--is-open=\"state.isOpen\" data-wp-context='{ \"id\": \"accordion-item-3\", \"openByDefault\": false }' data-wp-init=\"callbacks.initAccordionItems\" data-wp-on-window--hashchange=\"callbacks.hashChange\" class=\"wp-block-accordion-item is-layout-flow wp-block-accordion-item-is-layout-flow\">\n<h3 class=\"wp-block-accordion-heading\"><button aria-expanded=\"false\" aria-controls=\"accordion-item-3-panel\" data-wp-bind--aria-expanded=\"state.isOpen\" data-wp-on--click=\"actions.toggle\" data-wp-on--keydown=\"actions.handleKeyDown\" type=\"button\" class=\"wp-block-accordion-heading__toggle\"><span class=\"wp-block-accordion-heading__toggle-title\">Importers<\/span><span class=\"wp-block-accordion-heading__toggle-icon\" aria-hidden=\"true\">+<\/span><\/button><\/h3>\n<div aria-labelledby=\"accordion-item-3\" data-wp-bind--inert=\"!state.isOpen\" role=\"region\" class=\"wp-block-accordion-panel is-layout-flow wp-block-accordion-panel-is-layout-flow\">\n<p>Importers are the EU-based persons or organizations that place a non-EU provider\u2019s high-risk AI system on the market, and <a href=\"https:\/\/artificialintelligenceact.eu\/article\/23\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Article 23<\/a> makes them a checkpoint for conformity before the system reaches EU users. 
Importers must:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Verify conformity before import:<\/strong> Confirm the provider has completed the <a href=\"https:\/\/artificialintelligenceact.eu\/article\/43\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">conformity assessment<\/a>, drawn up the technical documentation (<a href=\"https:\/\/artificialintelligenceact.eu\/annex\/4\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Annex IV<\/a>), affixed CE marking with the EU declaration of conformity and instructions for use, and appointed an <a href=\"https:\/\/artificialintelligenceact.eu\/article\/22\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">authorized representative<\/a>.<\/li>\n<li><strong>Block non-conforming systems:<\/strong> If there\u2019s reason to believe a system isn\u2019t in conformity, or its documentation is falsified, don\u2019t place it on the market until it\u2019s corrected. If the system presents a risk, inform the provider, the authorized representative, and the market surveillance authorities.<\/li>\n<li><strong>Add contact details:<\/strong> Put the importer\u2019s name, registered trade name or trademark, and contact address on the system, its packaging, or its accompanying documentation.<\/li>\n<li><strong>Protect compliance in storage and transit:<\/strong> Make sure storage and transport conditions under the importer\u2019s responsibility don\u2019t compromise the system\u2019s compliance.<\/li>\n<li><strong>Keep records for 10 years:<\/strong> Retain a copy of the notified-body certificate (where applicable), the instructions for use, and the EU declaration of conformity for 10 years after the system is placed on the market or put into service.<\/li>\n<li><strong>Respond to authorities:<\/strong> On a reasoned request, give competent authorities the information and documentation needed to demonstrate conformity, in a language they can readily understand.<\/li>\n<li><strong>Cooperate with 
authorities:<\/strong> Work with competent authorities on any action they take to reduce or mitigate the risks of a system the importer placed on the market.<\/li>\n<\/ul>\n<p>An importer that puts its own name or trademark on a high-risk system, or substantially modifies one already on the market, is <a href=\"https:\/\/artificialintelligenceact.eu\/article\/25\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">reclassified as a provider<\/a> and takes on the full provider obligation set (Article 25).<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div data-wp-context='{ \"autoclose\": false, \"accordionItems\": [] }' data-wp-interactive=\"core\/accordion\" role=\"group\" class=\"wp-block-accordion is-layout-flow wp-block-accordion-is-layout-flow\">\n<div data-wp-class--is-open=\"state.isOpen\" data-wp-context='{ \"id\": \"accordion-item-4\", \"openByDefault\": false }' data-wp-init=\"callbacks.initAccordionItems\" data-wp-on-window--hashchange=\"callbacks.hashChange\" class=\"wp-block-accordion-item is-layout-flow wp-block-accordion-item-is-layout-flow\">\n<h3 class=\"wp-block-accordion-heading\"><button aria-expanded=\"false\" aria-controls=\"accordion-item-4-panel\" data-wp-bind--aria-expanded=\"state.isOpen\" data-wp-on--click=\"actions.toggle\" data-wp-on--keydown=\"actions.handleKeyDown\" type=\"button\" class=\"wp-block-accordion-heading__toggle\"><span class=\"wp-block-accordion-heading__toggle-title\">Distributors<\/span><span class=\"wp-block-accordion-heading__toggle-icon\" aria-hidden=\"true\">+<\/span><\/button><\/h3>\n<div aria-labelledby=\"accordion-item-4\" data-wp-bind--inert=\"!state.isOpen\" role=\"region\" class=\"wp-block-accordion-panel is-layout-flow wp-block-accordion-panel-is-layout-flow\">\n<p>Distributors are the other parties in the supply chain who make a high-risk system available on the EU market. 
Their duties under <a href=\"https:\/\/artificialintelligenceact.eu\/article\/24\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Article 24<\/a> overlap with an importer\u2019s but focus on what happens at and after the point of sale. Distributors must:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Verify documentation before distribution:<\/strong> Confirm the system bears CE marking, comes with the EU declaration of conformity and instructions for use, and that the provider and importer have met their own obligations.<\/li>\n<li><strong>Block non-conforming systems:<\/strong> If there\u2019s reason to believe a system isn\u2019t in conformity, don\u2019t make it available until it\u2019s corrected. If it presents a risk, inform the provider or importer.<\/li>\n<li><strong>Protect compliance in storage and transit:<\/strong> Make sure storage and transport conditions under the distributor\u2019s responsibility don\u2019t compromise the system\u2019s compliance.<\/li>\n<li><strong>Act on non-conformity after sale:<\/strong> If a system already made available turns out to be non-conforming, take corrective action to fix, withdraw, or recall it, or ensure the provider or importer does. 
If it presents a risk, immediately inform the provider or importer and the competent authorities.<\/li>\n<li><strong>Respond to authorities:<\/strong> On a reasoned request, provide the information and documentation on these actions needed to demonstrate conformity.<\/li>\n<li><strong>Cooperate with authorities:<\/strong> Work with competent authorities on any action they take regarding a system the distributor made available.<\/li>\n<\/ul>\n<p>The same reclassification rule applies: a distributor that brands a high-risk system as its own or substantially modifies one already on the market becomes a provider under Article 25.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<h2 class=\"wp-block-heading\">Deepfake and transparency obligations (Article 50)<\/h2>\n<p>Article 50 creates specific transparency requirements for AI systems that interact with people or generate synthetic content. These obligations generally <a href=\"https:\/\/artificialintelligenceact.eu\/article\/50\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">apply from <strong>August 2, 2026<\/strong><\/a> and are relevant regardless of the system\u2019s risk classification.<\/p>\n<h3 class=\"wp-block-heading\">Who must comply<\/h3>\n<ul class=\"wp-block-list\">\n<li><strong>Providers of AI systems that interact directly with people <\/strong>must ensure that individuals are informed they\u2019re interacting with an AI system, unless this is obvious from the circumstances.<\/li>\n<li><strong>Providers of AI systems that generate synthetic content <\/strong>(audio, image, video, or text) must mark that output in a machine-readable format that\u2019s detectable as AI-generated or manipulated. The marking must be effective, interoperable, robust, and reliable.<\/li>\n<li><strong>Deployers who use AI to create deepfakes <\/strong>must disclose that the content has been artificially generated or manipulated. 
The Act defines a deepfake as AI-generated or manipulated image, audio, or video\u00a0content that resembles existing persons, objects, places, or events and would falsely appear authentic.<\/li>\n<li><strong>Deployers who publish AI-generated text on matters of public interest <\/strong>must label it as AI-generated, unless the content has been through human editorial review and a natural or legal person holds editorial responsibility.<\/li>\n<li><strong>Deployers of emotion recognition or biometric categorisation systems<\/strong> must inform the people exposed to the system that it\u2019s operating, and handle their personal data in line with the GDPR.<\/li>\n<\/ul>\n<div class=\"style-plain wp-block-ponyo-houston\">\n<div class=\"wp-block-ponyo-icon\">\n<\/div>\n<p><strong>Artistic exception regarding deepfakes: <\/strong>When AI-generated content is part of an evidently artistic, creative, satirical, or fictional work, only minimal and non-intrusive disclosure is required. The deepfake labeling obligation still applies, but the disclosure format can be lighter.<\/p>\n<\/div>\n<h3 class=\"wp-block-heading\">The Code of Practice for transparency<\/h3>\n<p>The European Commission developed a <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/policies\/code-practice-ai-generated-content\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Code of Practice on marking and labeling AI-generated content<\/a> to operationalize Articles 50(2) through 50(5). The code provides practical and technical guidance for real-world implementation of the marking and disclosure requirements. Its final version was published on June 10, 2026.<\/p>\n<h2 class=\"wp-block-heading\">General-purpose AI model obligations<\/h2>\n<p>Chapter V of the Act creates a separate set of obligations for providers of general-purpose AI (GPAI) models. These rules have been applicable since August 2, 2025 (models placed on the market before that date have until August 2, 2027 to comply). 
The <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/policies\/guidelines-gpai-providers\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">European Commission has published guidelines<\/a> to support providers in meeting these requirements.<\/p>\n<div class=\"style-plain wp-block-ponyo-houston\">\n<div class=\"wp-block-ponyo-icon\">\n<\/div>\n<p><strong>General-purpose AI models<\/strong> are the <a href=\"https:\/\/artificialintelligenceact.eu\/article\/3\/\" rel=\"nofollow noopener\" target=\"_blank\">broad, multi-purpose models<\/a> that show significant generality, perform a wide range of distinct tasks, and can be used directly as well as integrated into other AI systems.<\/p>\n<\/div>\n<h3 class=\"wp-block-heading\">All GPAI model providers<\/h3>\n<p>Every provider of a GPAI model must draw up and maintain technical documentation (which shall contain at minimum the information set out in Annex VI), provide information and documentation to downstream providers integrating the model, establish a policy to respect the EU Copyright Directive, and publish a sufficiently detailed summary of the content used for training.<\/p>\n<p>Providers of free and open-license GPAI models (where parameters, architecture, and usage information are publicly available) do not need to comply with the\u00a0obligations regarding technical documentation and provision of information to downstream providers, unless the model presents a systemic risk.<\/p>\n<h3 class=\"wp-block-heading\">GPAI models with systemic risk<\/h3>\n<p>A GPAI model is presumed to carry systemic risk if it was trained using more than 10\u00b2\u2075 floating point operations (FLOPs) of compute. That bar was set to capture the frontier models of the day: GPT-4 is <a href=\"https:\/\/epoch.ai\/data-insights\/models-over-1e25-flop\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">widely estimated to sit above it<\/a>, while the earlier GPT-3 was trained on roughly 30 times less. 
The Commission can also designate other models as systemic on criteria like the number of end users, high-impact capabilities, or output modalities.<\/p>\n<p>Providers of systemic-risk models carry every GPAI obligation above, plus four more:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Model evaluation:<\/strong> Run model evaluations, including adversarial testing.<\/li>\n<li><strong>Risk mitigation:<\/strong> Assess and mitigate the systemic risks the model could pose.<\/li>\n<li><strong>Incident reporting:<\/strong> Track and report serious incidents to the <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/policies\/ai-office\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">AI Office<\/a>.<\/li>\n<li><strong>Cybersecurity:<\/strong> Maintain an adequate level of protection for the model.<\/li>\n<\/ul>\n<p>A voluntary <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/policies\/contents-code-gpai\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Code of Practice for general-purpose AI models<\/a> was published in July 2025. 
Following a code of practice creates a presumption of conformity until European harmonized standards are in place.<\/p>\n<h2 class=\"wp-block-heading\">Penalties and enforcement<\/h2>\n<p>The EU AI Act establishes a <a href=\"https:\/\/artificialintelligenceact.eu\/article\/99\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">three-tier penalty structure<\/a> under Article 99, designed to be effective, proportionate, and dissuasive.<\/p>\n<div class=\"wp-block-ponyo-table\" data-highlighted-columns=\"null\" data-highlighted-rows=\"null\">\n<table class=\"responsive-table\">\n<tbody class=\"wp-block-ponyo-table-body\" data-highlighted-columns=\"[]\" data-highlighted-rows=\"[0]\">\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Violation<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Maximum fine<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Turnover 
threshold<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Prohibited AI practices (Article 5)<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>\u20ac35 million<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>7% of global annual turnover<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>High-risk AI system non-compliance (specific 
provisions)<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>\u20ac15 million<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>3% of global annual turnover<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Supplying incorrect or misleading information to authorities<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>\u20ac7.5 million<\/span><\/p>\n<p>                    <br \/>\n                                            
\n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>1% of global annual turnover<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>Enforcement is split between the European AI Office, which oversees GPAI model providers, and national competent authorities in each Member State, which handle all other operators. <\/p>\n<p>Each Member State must designate at least one national authority for implementation and market surveillance. The penalty provisions are designed to account for the interests of small and medium-sized enterprises and startups, and Member States report annually to the Commission on fines issued.<\/p>\n<h2 class=\"wp-block-heading\">What compliance looks like for engineering teams<\/h2>\n<p>The EU AI Act\u2019s requirements are written in regulatory language, but they translate to concrete engineering concerns. If your team builds or deploys AI systems that serve EU users, here\u2019s where the Act\u2019s obligations intersect with your development workflow.<\/p>\n<h3 class=\"wp-block-heading\">Inventory and classification come first<\/h3>\n<p>Compliance starts with knowing what you have. Every AI system the organization builds, uses, or procures needs to be cataloged and classified against the Act\u2019s risk tiers. Record, for each system, whether it processes personal data and link the entry to your GDPR records of\u00a0processing (Article 30) so the AI inventory and the privacy record stay aligned. <\/p>\n<p>This is not a legal exercise alone. 
Engineering teams are typically the only ones who understand the actual capabilities, data flows, and deployment contexts of the systems they build. If your organization has an AI governance framework in place, the AI inventory is usually its foundation.<\/p>\n<h3 class=\"wp-block-heading\">Audit trails are non-negotiable<\/h3>\n<p>The Act requires automatic event logging for high-risk systems and structured documentation across almost every tier. This means every decision an AI system makes, the categories of data sources it accesses, and every action it takes need to be logged in a way that is auditable.\u00a0<\/p>\n<p>Teams already <a href=\"https:\/\/www.docker.com\/blog\/how-to-secure-ai-agents\/\">shipping AI agents<\/a> need structured event capture of system actions, including timestamp, session context, the tool or rule invoked, and the agent or service identity, scoped to system-health and security telemetry rather than individual worker performance. Exporting these logs to existing SIEM and compliance systems closes the gap between agent behavior and audit requirements.<\/p>\n<h3 class=\"wp-block-heading\">Prepare your risk management system<\/h3>\n<p>Article 9 requires a continuous risk management process, including control measures for risks that can\u2019t be removed by design.\u00a0<\/p>\n<p>Policy enforcement is the mechanism that makes your chosen controls binding at the moment the agent acts, and that is what makes it a risk mitigation measure. This can happen at the agent level, by applying policies and rules to sandboxed agents, and at the tool level, with policies applied to the gateway that manages agent tool access.<\/p>\n<h3 class=\"wp-block-heading\">Runtime isolation supports human oversight<\/h3>\n<p>The EU AI Act requires that high-risk AI systems be designed for human oversight, and that deployers can intervene during operation. 
For agentic workloads, where AI acts autonomously, this maps directly to runtime isolation: running agents inside <a href=\"https:\/\/www.docker.com\/products\/docker-sandboxes\/\" target=\"_blank\" rel=\"noreferrer noopener\">sandboxed environments<\/a> where network access, filesystem scope, and tool permissions are policy-controlled.\u00a0<\/p>\n<p>If an agent exceeds its intended scope, isolation constrains the blast radius. This is the mechanism that makes oversight enforceable at the infrastructure level.<\/p>\n<h3 class=\"wp-block-heading\">Transparency can be instrumented<\/h3>\n<p>Article 50\u2019s deepfake and synthetic content marking requirements are a metadata problem. Providers need to embed machine-readable markers in generated content, and deployers need to surface human-readable disclosures.\u00a0<\/p>\n<p>For teams building generative AI systems, this means integrating content provenance marking (such as C2PA or IPTC standards) into the generation pipeline. Where generated content depicts a real, identifiable person, it is also personal data under the GDPR, so the marking is necessary but not sufficient and the usual lawful-basis and rights obligations still apply. 
The <a href=\"https:\/\/www.docker.com\/products\/ai-governance\/\" target=\"_blank\" rel=\"noreferrer noopener\">AI governance controls<\/a> your organization uses can enforce these policies at the platform layer rather than relying on each application to implement them independently.<\/p>\n<h3 class=\"wp-block-heading\">Use the official compliance tools<\/h3>\n<p>The European Commission has launched the <a href=\"https:\/\/ai-act-service-desk.ec.europa.eu\/en\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">AI Act Service Desk<\/a>, a single information platform that includes an official <a href=\"https:\/\/ai-act-service-desk.ec.europa.eu\/en\/eu-ai-act-compliance-checker\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Compliance Checker<\/a> to help organizations determine which obligations apply to their AI systems, an <a href=\"https:\/\/artificialintelligenceact.eu\/ai-act-explorer\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">AI Act Explorer<\/a> for navigating the full regulation text, and a helpdesk for submitting questions. These tools are free, official, and available in English, French, and German (with all 24 EU languages planned for 2026).<\/p>\n<h2 class=\"wp-block-heading\">Start building compliance into your AI infrastructure<\/h2>\n<p>EU AI Act compliance is not a document you file. It\u2019s a set of technical controls, organizational processes, and audit practices that need to be embedded in how your team builds and operates AI systems.<\/p>\n<p>To make things easier, Docker AI Governance supports operationalizing these requirements. It does not replace the human oversight, classification, and legal accountability the AI Act assigns to providers and deployers, and customer code, configurations, and telemetry are not used to train Docker\u2019s or third-party models. 
Instead, Docker AI Governance includes sandbox-based runtime isolation for\u00a0blast-radius risk mitigation and real-time monitoring, policy enforcement across network, filesystem, and MCP tool access, and structured audit logging that exports to existing SIEM and compliance systems.<\/p>\n<p>Explore <a href=\"https:\/\/www.docker.com\/products\/ai-governance\/\" target=\"_blank\" rel=\"noreferrer noopener\">Docker AI Governance<\/a> to see how runtime policy, audit trails, and agent isolation support the regulatory controls the EU AI Act requires.<\/p>\n<h2 class=\"wp-block-heading\">Frequently asked questions<\/h2>\n<div class=\"wp-block-ponyo-dominique organism\">\n<div class=\"container faq-list\">\n<div class=\" fade-in wp-block-ponyo-frank\">\n<h3 class=\"frank-heading\">\n        Does the EU AI Act apply to companies outside the EU?<br \/>\n        <span class=\"closed\"><br \/>\n<\/span><br \/>\n        <span class=\"open\"><br \/>\n<\/span><br \/>\n    <\/h3>\n<div class=\"content-outer\">\n<div class=\"content-inner\">\n<p>Yes. Under Article 2, the EU AI Act applies to providers and deployers of AI systems regardless of whether they\u2019re established in the EU. You are in scope if you place an AI system on the EU market, or if the system\u2019s output is used in the EU.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\" fade-in wp-block-ponyo-frank\">\n<h3 class=\"frank-heading\">\n        Is there an official EU AI Act compliance checker?<br \/>\n        <span class=\"closed\"><br \/>\n<\/span><br \/>\n        <span class=\"open\"><br \/>\n<\/span><br \/>\n    <\/h3>\n<div class=\"content-outer\">\n<div class=\"content-inner\">\n<p>The European Commission\u2019s <a href=\"https:\/\/ai-act-service-desk.ec.europa.eu\/en\/eu-ai-act-compliance-checker\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">AI Act Service Desk<\/a> includes a Compliance Checker tool that helps organizations determine which obligations apply to their AI systems. 
It walks through a series of questions about the system\u2019s purpose, deployment context, and risk profile to identify relevant articles and requirements.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\" fade-in wp-block-ponyo-frank\">\n<h3 class=\"frank-heading\">\n        What are the EU AI Act deepfake requirements?<br \/>\n        <span class=\"closed\"><br \/>\n<\/span><br \/>\n        <span class=\"open\"><br \/>\n<\/span><br \/>\n    <\/h3>\n<div class=\"content-outer\">\n<div class=\"content-inner\">\n<p>Under Article 50, providers of AI systems that generate synthetic audio, image, video, or text must mark the output in a machine-readable format as AI-generated. Deployers who use AI to create deepfakes (content resembling existing persons or events that would falsely appear authentic) must disclose that the content is artificially generated, even when the content is lawful. Artistic, creative, and satirical uses require only minimal disclosure. <\/p>\n<p>These obligations take effect on August 2, 2026. Where a deepfake depicts a real, identifiable person, that content is also personal data under the GDPR, so labeling is necessary but not sufficient.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\" fade-in wp-block-ponyo-frank\">\n<h3 class=\"frank-heading\">\n        What is the difference between the AI Act and the Cyber Resilience Act?<br \/>\n        <span class=\"closed\"><br \/>\n<\/span><br \/>\n        <span class=\"open\"><br \/>\n<\/span><br \/>\n    <\/h3>\n<div class=\"content-outer\">\n<div class=\"content-inner\">\n<p>The <a href=\"https:\/\/www.docker.com\/blog\/eu-cyber-resilience-act-overview\/\" target=\"_blank\" rel=\"noreferrer noopener\">EU Cyber Resilience Act<\/a> (CRA) targets products with digital elements and focuses on cybersecurity requirements across their lifecycle. The AI Act specifically targets AI systems and AI models, with requirements that scale based on risk classification. 
A product could be subject to both regulations, for example an AI-powered medical device that is both a product with digital elements (CRA) and a high-risk AI system (AI Act).<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\" fade-in wp-block-ponyo-frank\">\n<h3 class=\"frank-heading\">\n        When do the high-risk AI system rules actually take effect?<br \/>\n        <span class=\"closed\"><br \/>\n<\/span><br \/>\n        <span class=\"open\"><br \/>\n<\/span><br \/>\n    <\/h3>\n<div class=\"content-outer\">\n<div class=\"content-inner\">\n<p>The timeline depends on the type of high-risk system. Under the Digital Omnibus package, approved by the European Parliament on June 16, 2026, standalone Annex III high-risk systems must comply by December 2, 2027. Annex I embedded high-risk systems (products covered by EU product safety legislation) must comply by August 2, 2028. Check the <a href=\"https:\/\/artificialintelligenceact.eu\/implementation-timeline\/\" rel=\"nofollow noopener\" target=\"_blank\">official implementation timeline<\/a> for the latest confirmed dates.<\/p>\n<\/div>\n<\/div>\n<\/div><\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>For teams building AI-governed systems, the EU AI Act adds compliance obligations to every stage of the development lifecycle, from 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4449,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4],"tags":[],"class_list":["post-4448","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-docker"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4448","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=4448"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4448\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/4449"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=4448"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=4448"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=4448"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}