EU AI Act FAQ

This EU AI Act FAQ delivers direct operational answers for teams implementing the law in 2026. Prohibitions, definitions, AI literacy (Article 4), and general-purpose AI (GPAI) model obligations are already in force. Transparency rules (Article 50), most high-risk AI systems listed in Annex III, and enforcement begin 2 August 2026. Rules for high-risk AI embedded in regulated products follow on 2 August 2027.[1][2]

The Digital Omnibus proposal (November 2025) and subsequent Council and Parliament positions (March 2026) suggest timeline adjustments linked to standards availability, simplifications for small mid-caps, and new prohibitions such as non-consensual intimate imagery (“nudifier”) systems. These remain in negotiation and are clearly labeled below as proposal or negotiation status. This page clusters questions by timing/scope, roles/classification, literacy/transparency, and sector-specific evidence. It prioritizes what you must do now with current law.[3]782651)

Law status box (May 2026) Current law (in force): Chapters I–II (2 Feb 2025): definitions, Article 4 AI literacy, Article 5 prohibitions. GPAI obligations (Chapter V) and governance (2 Aug 2025). Article 50 transparency, Annex III high-risk rules, and national/EU enforcement (2 Aug 2026). Regulated-product high-risk rules (2 Aug 2027). Proposal/negotiation status: Digital Omnibus amendments linking high-risk application to harmonised standards and support tools, extended SME flexibilities to small mid-caps, fixed later dates proposed by Parliament (e.g. Dec 2027 for some Annex III systems), and new nudifier ban. These have not been adopted; trilogue negotiations are underway. Check official sources regularly. No certification or guaranteed compliance is offered here—this page supports readiness and evidence workflows only.

Read current-law answers first. Any reference to possible changes under the Digital Omnibus or ongoing negotiations is explicitly labeled “proposal stage” or “negotiation status (2026)”. Jump to the cluster that matches your role or priority:

• Timing and scope → regulators, compliance leads, programme managers
• Roles and classification → legal, procurement, product teams
• Literacy and transparency → people/HR, marketing, communications, content teams
• Sector and evidence questions → HR/recruitment, education, publishing, vendor management, deployers using chatbots or generative tools

Use the topic map below to reach the most relevant deeper guide, tool, or sample. All answers focus on practical implementation, required artefacts, and evidence you can generate today. Links lead to operational resources such as the Evidence Scanner for use-case mapping.

What applies under the EU AI Act right now in April 2026? Current law: Prohibitions on unacceptable-risk practices, the legal definitions, the AI system concept, and Article 4 AI literacy obligations have applied since 2 February 2025. GPAI model obligations (technical documentation, downstream information, copyright policy, training-data summary) have applied since 2 August 2025. Most remaining obligations, including Article 50 transparency and Annex III high-risk rules, apply from 2 August 2026.[1][4] Next step: Map your current uses with the EU AI Act Evidence Scanner.

When does Article 50 transparency apply? Current law: Article 50 transparency obligations for providers and deployers of certain AI systems (interactive, generative content, deepfakes, certain text publications) apply from 2 August 2026. A voluntary Code of Practice (second draft published March 2026) is under development to help with marking and labelling.[5] Next step: Prepare disclosures early using Article 50 transparency obligations explained.

Has anything changed because of the Digital Omnibus? Negotiation status (2026): The Commission’s November 2025 Digital Omnibus proposal seeks to link application of certain high-risk rules to the availability of harmonised standards and support tools, introduce a maximum 16-month adjustment window, extend certain SME simplifications to small mid-cap companies, and clarify overlaps with sectoral product legislation. Council and Parliament have adopted positions; trilogues are active. These amendments are not yet law. Continue preparing for the existing 2026 dates while monitoring official updates. Next step: Track changes via What the EU AI Act is and how to use it operationally.

Do prohibitions apply to every AI system today? Current law: Only the eight listed unacceptable-risk practices in Article 5 have been prohibited since 2 February 2025. Guidelines on prohibited practices and the AI system definition help determine applicability. Most everyday AI tools are not prohibited. Next step: Run suspected high-risk or prohibited uses through the Evidence Scanner.

When must Member States have AI regulatory sandboxes ready? Current law: Member States should have at least one sandbox operational from 2 August 2026 alongside the majority of rules. Next step: Explore innovation measures in What the EU AI Act is and how to use it operationally.

What is the final full application date under current law? Current law: Rules for high-risk AI systems embedded in regulated products (e.g. medical devices, machinery under sectoral legislation) apply from 2 August 2027. Proposal stage: Parliament’s position suggests certain high-risk dates could shift to December 2027 or August 2028. Not yet adopted.

Do GPAI obligations apply retroactively to models released before August 2025? Current law: Providers of GPAI models placed on the market before 2 August 2025 must comply by 2 August 2027. Models placed after 2 August 2025 must comply immediately upon placement. Next step: If you are a provider or downstream integrator, use the GPAI section of the scanner.

Does the AI Act apply to research and development activities? Current law: Pure R&D and prototyping before market placement or putting into service are excluded. Once a system is placed on the EU market or used in the EU, obligations apply. Military, defence, and national security systems are also excluded.

How does the law treat AI agents or agentic systems? Current law (per official FAQ): AI agents are not a separate category. They are typically covered as either an AI system or built on GPAI models. Relevant obligations (prohibitions, high-risk if applicable, transparency if interacting with people or generating content, systemic-risk measures for underlying GPAI) apply according to the final artefact and use. No new rules invented for agents.

What counts as “putting into service” for timing purposes? Current law: The moment an AI system is used under the deployer’s control in the EU for its intended purpose. This triggers deployer obligations even if the provider is non-EU.

Who is a “provider” versus a “deployer”? Current law: The provider develops the AI system or GPAI model and places it on the market or puts it into service under its own name. The deployer uses the AI system under its authority and control. Obligations differ significantly—providers carry most upstream duties (documentation, conformity, CE marking for high-risk); deployers focus on monitoring, human oversight, and correct use. Do not blur these roles. Next step: Clarify your role with the EU AI Act Evidence Scanner.

Can a company be both provider and deployer? Current law: Yes, if you fine-tune a GPAI model significantly and then use the resulting system internally or release it, you may assume provider responsibilities for the modified system.

What are the obligations of importers and distributors? Current law: Importers and distributors must verify that providers have fulfilled upstream obligations, ensure correct labelling and documentation accompanies the system, and take corrective action if needed. They act as intermediaries in the value chain.

How does the AI Act apply to non-EU companies? Current law: The regulation applies if you place an AI system or GPAI model on the EU market, put it into service in the EU, or if the output of the system is used in the EU. Non-EU GPAI providers must appoint an authorised representative in the Union. See dedicated non-EU guidance. Next step: How the EU AI Act reaches companies outside the EU.

What is the difference between an AI system and a GPAI model? Current law: A GPAI model displays significant generality, is trained with large volumes of data using self-supervision at scale, and can perform a wide range of distinct tasks. It is typically integrated into downstream AI systems. An AI system is the final product or service that uses one or more models to achieve a specific purpose. Guidelines provide technical criteria (e.g. training compute >10^23 FLOP plus flexible modalities as an indicative threshold). Next step: Use the scanner to classify your artefacts.

When is a fine-tuned GPAI model considered a new provider? Current law (per guidelines): Significant modifications that create a new model with distinct capabilities or systemic-risk profile generally make the fine-tuner a provider. Minor customisation or prompting does not.

Does a product manufacturer using AI as a safety component become a provider? Current law: Yes, if they place the product with the integrated AI on the market under their name, they assume provider obligations for the AI component in addition to sectoral product rules.

What documentation must a GPAI provider supply to downstream deployers? Current law (since Aug 2025): Sufficient information and technical documentation so downstream providers can understand capabilities, limitations, and comply with their own obligations. A public summary of training content is also required.

How do you determine if an AI system is high-risk? Current law: Check Annex III use cases (employment, education, essential services, law enforcement, biometrics, critical infrastructure, administration of justice, etc.) or if it is a safety component of a regulated product. Article 6 provides the classification rules. Guidelines on the AI system definition help edge cases.

Can a non-EU deployer be caught by the Act? Current law: Yes, if the deployer uses the AI system in the EU or the output produces effects in the EU.

What exactly does Article 4 AI literacy require? Current law (in force since 2 Feb 2025): Providers and deployers must ensure a sufficient level of AI literacy among staff and other persons dealing with the operation or use of AI systems on their behalf. Measures must take into account technical knowledge, experience, education, training, the context of use, and the persons affected. There is no obligation to measure knowledge via tests, no mandatory AI officer, and no official certificate. National market surveillance authorities enforce it. Replicating published practices from the Commission repository does not automatically prove compliance.[6] Next step: Build your matrix with the AI Literacy Planner and see Article 4 AI literacy: what you actually need to do.

Is AI literacy only for technical staff? Current law: No. It covers anyone dealing with the AI system on behalf of the provider or deployer, including contractors, certain clients in context-specific cases, and those interpreting outputs. It supports effective human oversight and transparency.

Do we need to train every employee on every AI tool? Current law: No. The level must be “sufficient” relative to the specific system, role, and risk. Targeted, role-based training is appropriate.

What are the main Article 50 transparency obligations? Current law (applies 2 Aug 2026):

• Providers of interactive AI systems must inform users they are interacting with AI (unless obvious).
• Providers of AI-generated/manipulated content must enable detection via machine-readable marking.
• Deployers of emotion-recognition or biometric categorisation systems must inform exposed individuals.
• Deployers of deepfake systems or AI-generated text on matters of public interest must disclose artificial origin (with exceptions for artistic, satirical, or human-reviewed editorial content).

Information must be clear and accessible. A Code of Practice supports practical marking/labelling.[5]

Do all generative AI outputs need visible watermarks today? Current law: No—the obligation begins 2 August 2026. The voluntary Code of Practice (second draft March 2026) promotes interoperable technical solutions such as secured metadata, watermarking, and an optional EU icon. Open standards and flexibility are emphasised to reduce burden.

What is a “deep fake” under Article 50? Current law: AI-generated or manipulated image, audio, or video that resembles an existing person, object, place, or event and would falsely appear authentic or truthful to a person. Deployers must inform recipients of its artificial character (exceptions apply).

Does Article 50 apply to internal enterprise chatbots? Current law: If the chatbot interacts with natural persons, the provider must inform users it is AI (unless obvious). Deployers must ensure the information duty is met in practice.

Are there exceptions for creative or satirical content? Current law (and Code of Practice direction): Artistic, creative, satirical, or fictional works are generally exempt from certain labelling if the context makes the artificial nature obvious. Human-reviewed editorial publications on public-interest matters may also be exempt.

How should transparency information be delivered? Current law: In a clear, accessible format appropriate to the modality (e.g. on-screen notice, metadata, audible statement). The Code of Practice aims for consistent icons and machine-readable signals that work across platforms.

What misconceptions exist about AI literacy certificates? Common misconception: Many assume Article 4 requires formal certification or a dedicated AI officer. Official Q&A clarifies there is neither. Focus on practical skills, context-aware training, and documentation of measures taken.

Is AI used in recruitment high-risk? Current law: Yes—AI systems used for recruitment, promotion, task allocation, or termination decisions that affect access to employment or self-employment are listed in Annex III and classified as high-risk. Providers must meet conformity, documentation, risk management, data quality, transparency-to-deployers, human oversight, robustness, and logging obligations. Deployers must perform fundamental-rights impact assessments (FRIA) in many cases. Next step: Generate evidence pack with EU AI Act Evidence Scanner.

What evidence should HR teams collect for recruitment AI? Current law: Deployers should keep records of use, human oversight decisions, bias checks, impact assessments, and instructions given to the system. Request technical documentation from the provider. Log outputs and override decisions.

How should organisations handle chatbots under current and upcoming rules? Current law (now): Avoid prohibited manipulative practices. From August 2026: Ensure users know they are interacting with AI; if the chatbot generates content that could be deepfake-like or public-interest text, add appropriate disclosures. Maintain literacy among staff using or overseeing the bot.

Do marketing teams using generative AI for campaigns need to disclose everything? Current law (from 2026): When generating or manipulating images, video, audio, or text intended to inform the public on matters of public interest, deployers must disclose artificial origin unless exceptions apply. Purely creative advertising may not trigger the public-interest rule but still benefits from clear labelling to avoid deception. Providers must enable machine-readable marking.

What transparency duties apply to publishers using AI-generated content? Current law (from 2026): Deployers must inform audiences when content is AI-generated or manipulated if it concerns matters of public interest and has not undergone human review with editorial responsibility. Many newsrooms already maintain editorial oversight processes that can qualify for the exception.

How does the AI Act affect education providers? Current law: AI systems used to determine access to education, evaluate learning outcomes, or assess student behaviour are high-risk under Annex III. Strict obligations apply. General classroom tools may trigger only transparency or literacy requirements. Prohibited emotion recognition in education institutions (with narrow safety/medical exceptions) has been banned since February 2025.

What vendor due diligence should deployers perform? Current law: Request technical documentation, conformity declarations (for high-risk), information on capabilities and limitations, and training-data summaries (for GPAI). Assess whether the vendor is the provider or an intermediary. Document the diligence process as evidence of reasonable care. For non-EU vendors, confirm authorised representative where required. Next step: Use a standardised questionnaire generated via the Evidence Scanner and store responses as part of your compliance artefacts. See also How the EU AI Act reaches companies outside the EU.

Should companies ban all generative AI tools to stay safe? Current law: No. A blanket ban is rarely proportionate. Instead classify uses, apply appropriate transparency and literacy measures, and prohibit only those falling under Article 5. Many low-risk uses are encouraged with proper safeguards.

What evidence is needed to show compliance with Article 4 AI literacy? Current law: Records of training delivered, role-specific content, attendance or completion logs, and how content was tailored to technical knowledge and context. The Commission repository of practices offers examples, but you must demonstrate sufficiency for your specific systems and people. No single template is mandated.

How should publishers document deepfake or AI-content labelling? Current law (from 2026): Retain records of which content was labelled, the method used (icon, disclaimer, metadata), exceptions claimed, and any human-review process. Machine-readable marking helps downstream detection.

Do SMEs have lighter obligations? Current law: Certain documentation and conformity-assessment simplifications exist for SMEs and start-ups. The Digital Omnibus proposal (negotiation status) seeks to extend analogous flexibilities to small mid-cap companies. These do not remove core safety or transparency duties.

What should vendors include in responses to customer AI Act questionnaires? Practical evidence: Scope of the offered system/model, classification (GPAI or AI system, high-risk or not), applicable obligations, summary of risk management or transparency measures, training-data summary (for GPAI), and any Code of Practice adherence. Provide only what you are legally required or contractually committed to share; protect trade secrets.

How do FRIA (fundamental rights impact assessments) fit into sector use cases? Current law: Deployers of high-risk systems listed in Annex III must perform a FRIA before first use (with some exceptions). It identifies affected rights, risks, and mitigation steps. HR, education, and public-service sectors are most affected. Template approaches and examples are emerging via official guidance.

Can companies rely on the official compliance checker alone? Current law: The EU beta compliance checker is a helpful self-assessment aid but does not replace internal evidence, documentation, or due diligence. Use it as one input alongside the Evidence Scanner for structured artefact generation.

What should education institutions prioritise before August 2026? Current actions: Complete literacy training for staff and students where appropriate, classify all AI tools (high-risk exam scoring, admissions, plagiarism detection), prepare human oversight processes, and ensure transparency for interactive tutoring systems. Prohibited emotion-recognition systems must already be removed or modified.

How should marketing and communications teams prepare transparency statements? Current actions: Draft reusable disclaimers and icon libraries, decide placement standards (image captions, video end-cards, metadata), train creators on when disclosure is required versus when artistic exceptions apply, and test machine-readable marking on common generative platforms.

• Treating every generative AI tool as high-risk or assuming all outputs need visible watermarks today (Article 50 starts August 2026).
• Blurring provider and deployer roles, leading to missed documentation or incorrect allocation of FRIA responsibility.
• Assuming Article 4 AI literacy is satisfied by sending a generic e-learning module without tailoring to context or roles.
• Waiting for final standards before any preparation—current GPAI, literacy, and prohibition obligations are already live.
• Failing to request technical documentation or training summaries from GPAI vendors, leaving deployers unable to meet their own duties.
• Confusing “proposal stage” Digital Omnibus changes with current law and delaying necessary 2026 preparations.
• Not documenting literacy measures, transparency logs, or human oversight decisions, leaving teams without defensible evidence during authority requests.
• Over-relying on vendor claims of “compliant” without verifying classification and receiving concrete artefacts.

1. Run all current and planned AI uses through the EU AI Act Evidence Scanner to classify risk, assign roles, and auto-generate an evidence register.
2. Document your organisation’s role (provider, deployer, importer, etc.) for each system and map value-chain responsibilities.
3. Deliver and record role-based AI literacy training before expanding use; tailor content to technical depth and context.
4. For any GPAI models you provide or integrate, prepare or request technical documentation, copyright policy summary, and training-content summary.
5. Draft and test Article 50 transparency notices, labelling processes, and deepfake disclosures ready for August 2026.
6. For high-risk uses (especially recruitment, education, essential services), begin risk management, data governance, and FRIA planning.
7. Establish a vendor diligence template that requests classification, documentation, and limitation information; store responses centrally.
8. Review all prohibited-practice risks (manipulation, emotion recognition in workplace/education, social scoring, untargeted biometric scraping) and remove or redesign any non-compliant systems.
9. Set up a monitoring process to track official updates on Digital Omnibus negotiations and standards availability.
10. Create a living compliance evidence folder linked to the scanner output so auditors or authorities receive consistent, up-to-date artefacts.

Ready to turn these answers into evidence? Start with the free Evidence Scanner to classify your use cases and generate a tailored readiness report in minutes: EU AI Act Evidence Scanner.

Need targeted support? Build your AI literacy matrix Article 4 AI literacy: what you actually need to do or prepare Article 50 disclosures with the dedicated generator. For non-EU or GPAI-specific flows, see How the EU AI Act reaches companies outside the EU.

Bookmark this page and return after each major milestone (August 2026, standards release, final Omnibus outcome). The law is phased—steady, evidence-based preparation beats last-minute panic.