---
title: EU AI Act (Regulation 2024/1689)
type: concept
tags: [ai-act, aia, eu-regulation, high-risk-ai, human-oversight, post-market-monitoring, legal, regulatory-risk]
sources: ["[[sources/2023-lazcoz-dehert-humans-in-gdpr-and-aia-governance]]", "[[sources/2025-navaie-iapp-engineering-gdpr-compliance-agentic-ai]]", "[[sources/2026-bcc26-eu-digital-regulation-interpretation-to-implementation]]"]
created: 2026-04-27
updated: 2026-04-27
---

# EU AI Act (Reg. 2024/1689)

The EU's horizontal regulation of AI systems — adopted 2024, with **most high-risk system obligations becoming fully applicable in August 2026**. Establishes risk-tiered obligations for AI providers and users (= deployers), with the heaviest duties on *high-risk AI systems*.

## Risk tiers

| Tier | Examples | Treatment |
|---|---|---|
| **Unacceptable risk** | Social scoring by public authorities; real-time biometric ID for law enforcement (with narrow exceptions); manipulation; emotion recognition at workplace/school | Prohibited (Art. 5) |
| **High risk** | Annex III categories: recruitment, education, credit-scoring, biometric ID, law enforcement, migration, justice administration; safety components of products under EU harmonisation legislation (Annex II) | Full obligations: risk management (Art. 9), data governance (Art. 10), technical documentation (Art. 11), record-keeping/logs (Art. 12), transparency (Art. 13), **human oversight (Art. 14)**, accuracy/robustness/cybersecurity (Art. 15), conformity assessment, post-market monitoring (Art. 72) |
| **Limited risk** | Chatbots, deepfakes | Transparency duties (Art. 50) |
| **Minimal risk** | Most AI applications | Voluntary codes |

## Core obligations for high-risk AI systems relevant to process-automation

### Article 14 — Human oversight (the "Art. 22 GDPR sibling")

High-risk AI systems must be designed and developed so that they can be effectively overseen by natural persons. The natural person assigned must be able to:

- Understand capacities/limitations.
- Remain aware of [[concepts/automation-bias|automation bias]].
- Correctly interpret outputs.
- Decide not to use / override / reverse output.
- Intervene via stop button.

Per [[sources/2023-lazcoz-dehert-humans-in-gdpr-and-aia-governance|Lazcoz & de Hert 2023]]: this **extends** GDPR Art. 22 by placing oversight obligations at the **development stage** (providers, Art. 16) — Recital 73 (formerly 48) explicitly requires "appropriate human oversight measures" identified by the provider before the system is placed on the market. GDPR Art. 22 only addresses the use stage.

### Article 12 — Logs and record-keeping

High-risk AI systems must automatically record events ("logs") to ensure traceability of the system's functioning. These logs serve post-market monitoring and conformity assessment.

Per [[sources/2025-navaie-iapp-engineering-gdpr-compliance-agentic-ai|Navaie 2025]], Art. 12 logs and DPIA evidence converge — the same execution trace can serve both regimes.

### Article 29(6) — DPIA bridge

Users (deployers) of high-risk AI systems must use the information provided under Art. 13(3)(d) (about human-oversight measures) to comply with their **DPIA obligation under Art. 35 GDPR**. Explicit statutory bridge to GDPR.

### Article 72 — Post-market monitoring

Providers must establish a post-market monitoring system to actively and systematically collect, document, and analyse data on system performance throughout its lifetime, evaluating continuous compliance.

## Key dates and status (per [[sources/2026-bcc26-eu-digital-regulation-interpretation-to-implementation|BCC26 Jan 2026]])

| Date | Event |
|---|---|
| 2024 | Adoption (Reg. 2024/1689) |
| Feb 2025 | Prohibited practices + AI literacy obligations applied |
| Aug 2025 | Rules for general-purpose AI models in full force |
| Nov 2025 | Digital Omnibus Package proposed — softens AI literacy from mandatory to non-binding; may delay further |
| **Aug 2026** | Most high-risk AI system obligations become fully applicable (subject to Omnibus delay) |

## Connection to GDPR

The AIA does *not* replace GDPR — it stacks on top. A high-risk AI system processing personal data is subject to:

- **GDPR**: Art. 5 principles, Art. 6 lawful basis, Art. 9 special-category data, Art. 22 ADM, Art. 25 privacy-by-design/default, Art. 35 DPIA, Chapter V transfers.
- **AI Act**: Art. 9 risk management, Art. 14 human oversight, Art. 12 logs, Art. 72 post-market monitoring.

The two regimes are **complementary** — AIA addresses the system; GDPR addresses personal data processing. Compliance with one does not satisfy the other.

## Connection to DORA / NIS2

For high-risk AI systems used in regulated sectors (financial services, critical infrastructure, healthcare):

- [[concepts/dora|DORA]] adds ICT operational-resilience obligations (financial sector).
- [[concepts/nis2|NIS2]] adds cybersecurity and supply-chain obligations (cross-sector).

A **single supply-chain glitch or AI algorithmic error** can trigger simultaneous reporting requirements across all three regimes — each with its own timeline, materiality test, and regulatory body. Compliance teams must map controls *once* and demonstrate *many* (cross-mapping principle).

## Risk for AI-driven process automation

[[concepts/agentic-bpm|Agentic BPM]] systems operating in Annex III sectors (recruitment, credit, education, biometric ID) are presumptively high-risk. Implications:

- DPIA + AIA conformity assessment both required.
- Human oversight design from development stage.
- Post-market monitoring with automatic logs.
- Quality management system (Art. 17 AIA).
- CE marking before placement on market.

## Related

[[concepts/gdpr-article-22]] · [[concepts/automated-decision-making]] · [[concepts/human-oversight]] · [[concepts/dpia]] · [[concepts/dora]] · [[concepts/nis2]] · [[concepts/automation-bias]] · [[concepts/agentic-bpm]]