The EU AI Act, term by term
Every key concept in the EU AI Act, defined in plain English and linked to the detail — from provider and deployer to conformity assessment, FRIA and GPAI.
Core concepts
AI system
Art. 3(1)An AI system is a machine-based system that, for explicit or implicit objectives, infers from its input how to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments.
EU AI Act
Reg. (EU) 2024/1689The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive law on artificial intelligence. It regulates AI by risk tier and applies extraterritorially to anyone whose AI, or its output, is used in the EU.
Extraterritoriality
Art. 2The EU AI Act applies regardless of where a company is established: if an AI system is placed on the EU market, or its output is used in the EU, the provider or deployer is in scope — even a US or UK company.
General-purpose AI (GPAI) model
Art. 3(63)A general-purpose AI model is trained on broad data at scale, displays significant generality, and can competently perform a wide range of distinct tasks — for example a large language model or a multimodal foundation model.
Systemic risk (GPAI)
Art. 51, 55A general-purpose AI model is presumed to carry systemic risk when the cumulative compute used to train it exceeds 10²⁵ floating-point operations, triggering stricter obligations under Article 55.
Risk tiers
Annex III
Annex IIIAnnex III is the list of high-risk use cases in the EU AI Act, covering eight areas: biometrics, critical infrastructure, education, employment, essential services (incl. credit scoring), law enforcement, migration, and administration of justice & democracy.
High-risk AI system
Annex III / Art. 6High-risk AI systems are those listed in Annex III (e.g. employment, credit scoring, biometrics, education, essential services) or that are safety components of regulated products. They carry the Act's heaviest obligations.
Limited-risk AI
Art. 50Limited-risk AI systems — such as chatbots and generative-content tools — are not high-risk but must meet transparency obligations under Article 50: people must be told when they interact with AI or see AI-generated content.
Minimal-risk AI
Minimal-risk AI covers everything not prohibited, high-risk or subject to transparency duties — for example spam filters or AI in video games. It carries no mandatory obligations under the EU AI Act.
Prohibited AI practices
Art. 5Article 5 bans certain AI uses outright, including social scoring, untargeted facial-image scraping, most emotion recognition at work or school, and certain manipulative or exploitative systems. The ban has applied since 2 February 2025.
Operator roles
Authorised representative
Art. 22An authorised representative is an EU-established entity appointed by a non-EU provider of a high-risk AI system (Article 22) or GPAI model (Article 54) to keep documentation available and act as the contact point for authorities.
Deployer
Art. 3(4)A deployer uses an AI system under its own authority in a professional activity — for example a company running an AI hiring tool it did not build. Deployers of high-risk AI have duties under Article 26.
Distributor
Art. 3(7)A distributor makes an AI system available on the EU market without being the provider or importer — typically a reseller or channel partner. Article 24 requires it to verify CE marking and documentation before distributing.
GPAI model provider
Art. 53–55A GPAI model provider places a general-purpose AI model on the EU market. It must meet Articles 53–55: technical documentation, downstream information, a copyright policy, a training-data summary, and — for systemic-risk models — stricter testing and cybersecurity.
Importer
Art. 3(6)An importer is an EU-established operator that places on the EU market an AI system bearing the name or trademark of a provider established outside the EU. Article 23 makes it verify conformity before selling.
Provider
Art. 3(3)A provider develops an AI system (or GPAI model) and places it on the market or puts it into service under its own name or trademark. Providers of high-risk systems carry the heaviest obligation set (Article 16).
Substantial modification
Art. 25A substantial modification is a change to a high-risk AI system — to its intended purpose or one affecting its compliance — that was not foreseen in the original conformity assessment, triggering a fresh assessment.
Obligations
AI literacy
Art. 4Article 4 requires providers and deployers to ensure that staff and others operating or using AI systems on their behalf have a sufficient level of AI literacy. It has applied since 2 February 2025 and cuts across all risk tiers.
Data governance
Art. 10Article 10 requires that training, validation and test datasets for high-risk AI are relevant, sufficiently representative, and examined for possible biases that could affect health, safety or fundamental rights.
Fundamental Rights Impact Assessment (FRIA)
Art. 27A FRIA (Article 27) is an assessment certain deployers of high-risk AI — public bodies and providers of essential private/public services — must complete before first use, documenting how the deployment could affect people's fundamental rights and how risks are mitigated.
Human oversight
Art. 14Article 14 requires high-risk AI systems to be designed so that natural persons can effectively oversee them — understanding the system, monitoring its operation, interpreting outputs, and intervening or stopping it.
Post-market monitoring
Art. 72Article 72 requires providers of high-risk AI to run a documented plan that actively and systematically collects and reviews real-world performance data after the system is on the market.
Record-keeping (logging)
Art. 12Article 12 requires high-risk AI systems to automatically record events (logs) over their lifetime, ensuring a level of traceability appropriate to the system's intended purpose.
Risk management system
Art. 9Article 9 requires providers of high-risk AI to establish, run and document a continuous, iterative risk-management process across the whole system lifecycle — identifying, evaluating and mitigating risks to health, safety and fundamental rights.
Serious incident reporting
Art. 73Article 73 requires providers of high-risk AI to report serious incidents to the relevant market-surveillance authority, generally without undue delay and within set deadlines (as short as immediately, up to 15 days depending on severity).
Transparency obligations
Art. 50Article 50 requires that people are told when they interact with an AI system (e.g. a chatbot), when content is AI-generated or manipulated (deepfakes), and when emotion-recognition or biometric-categorisation systems are used.
Documents & conformity
CE marking
Art. 48Article 48 requires the CE marking to be affixed to a high-risk AI system (or its documentation) to signal that it conforms to the EU AI Act. It is the visible sign that conformity assessment and the declaration of conformity are complete.
Conformity assessment
Art. 43A conformity assessment (Article 43) is the process by which a provider demonstrates a high-risk AI system meets the Act's requirements before it is placed on the market — either via internal control (Annex VI) or a notified body (Annex VII).
EU database registration
Art. 49Article 49 requires providers (and certain deployers) of high-risk AI systems to register the system in a public EU database before it is placed on the market or put into service.
EU declaration of conformity
Art. 47Article 47 requires the provider of a high-risk AI system to draw up a written EU declaration of conformity stating that the system meets the Act's requirements, and to keep it for ten years after the system is placed on the market.
Notified body
Annex VIIA notified body is an independent, accredited organisation designated to carry out third-party conformity assessments (Annex VII) for high-risk AI systems in the specific cases where self-assessment is not sufficient.
Technical documentation (Annex IV)
Art. 11 / Annex IVArticle 11 and Annex IV require providers of high-risk AI to draw up technical documentation before the system is placed on the market, describing the system, its development, performance, risk management and compliance — kept up to date.
Training-data summary
Art. 53(1)(d)Article 53 requires GPAI model providers to draw up and make publicly available a sufficiently detailed summary of the content used to train the model, using a template provided by the AI Office.
Governance
AI regulatory sandbox
Art. 57An AI regulatory sandbox (Article 57) is a controlled environment set up by national authorities that lets providers develop, test and validate innovative AI systems under regulatory supervision before market entry. SMEs and start-ups get priority access.
Emotion recognition
Art. 5 / Annex III(1)Emotion-recognition systems infer a person's emotions from biometric data. The EU AI Act prohibits their use in the workplace and in education (Article 5); elsewhere they are generally high-risk under Annex III.
European AI Office
The European AI Office, within the European Commission, oversees the implementation and enforcement of the EU AI Act — especially for general-purpose AI models — and helps develop codes of practice and guidance.
Real-time remote biometric identification
Art. 5Real-time remote biometric identification (RBI) is identifying people from biometric data at a distance, live, in publicly accessible spaces. Its use by law enforcement is prohibited by Article 5 except in narrowly defined, authorised situations.