Who is concerned?
The AI Act applies to any AI system placed on the EU market or used by EU-located deployers, regardless of where the provider is based.
- Providers of high-risk AI systems (Annex III: biometric ID, critical infrastructure management, education, employment, essential services, law enforcement, migration, justice, democratic processes)
- Deployers of high-risk AI systems — companies using high-risk AI for their operations
- General-purpose AI providers (GPAI) — including foundation models with systemic risk
- Limited-risk AI providers — subject to transparency obligations (chatbots, deepfakes)
What it requires (high-level)
- Risk tier classification: unacceptable (banned), high-risk, limited-risk, minimal-risk.
- High-risk obligations: risk management system, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy/robustness/cybersecurity.
- Fundamental Rights Impact Assessment (FRIA, Art. 27) — for high-risk AI in public services.
- GPAI provider obligations: technical documentation, copyright compliance, transparency about training data summary.
- Systemic risk obligations: additional model evaluation, adversarial testing, incident reporting.
Penalty exposure
- €35M or 7% of global annual turnover for prohibited practices.
- €15M or 3% for high-risk non-compliance.
- €7.5M or 1% for incorrect information to authorities.
Highest penalty regime in the EU regulatory landscape.
How NexCyber helps with AI Act
- Risk tier classifier — input your AI system specs, get classification + obligations checklist.
- FRIA template — guided assessment for high-risk public-service deployers.
- GPAI transparency dossier — training data summary, copyright compliance documentation.
- EU AI Office reporting — pre-filled templates for systemic risk evaluations.
The clock: AI Act prohibitions in force since 2 Feb 2025. GPAI obligations from 2 Aug 2026. Full high-risk obligations from 2 Aug 2027.