Obligations Overview

A concise overview of who must comply with what, and under which articles.

High-Risk

High-Risk AI Systems

Obligation	Who Must Comply	Articles	Deadline
Register high-risk AI system in EU database	Provider	Art. 71	Before placing on market
Conduct conformity assessment and draw up EU declaration of conformity	Provider	Art. 43 Art. 47	Before placing on market
Establish quality management system (QMS)	Provider	Art. 17	Before placing on market
Create and maintain technical documentation	Provider	Art. 11	Ongoing
Implement post-market monitoring system	Provider	Art. 72	After placing on market
Conduct fundamental rights impact assessment (FRIA)	Deployer (public bodies and certain private operators)	Art. 27	Before deployment
Implement human oversight measures	Deployer	Art. 14 Art. 26	During deployment
Inform workers/their representatives about AI use	Deployer	Art. 26	Before deployment
Notify serious incidents and malfunctions to authorities	Provider	Art. 73	Within 15 days

Transparency Req.

Transparency Obligations

Obligation	Who Must Comply	Articles	Deadline
Inform users they are interacting with an AI system	Provider / Deployer	Art. 50	At first interaction
Mark AI-generated synthetic content (watermarking/labelling)	Provider	Art. 50	Ongoing
Disclose deepfakes to affected persons	Deployer	Art. 50	At time of use

GPAI

General-Purpose AI Models

Obligation	Who Must Comply	Articles	Deadline
Maintain technical documentation (Annex XI)	GPAI Provider	Art. 53	Ongoing
Publish training data summary	GPAI Provider	Art. 53	Before making model available
Implement copyright compliance policy	GPAI Provider	Art. 53	Ongoing
Conduct adversarial testing (red-teaming) for systemic risks	GPAI Provider (systemic risk)	Art. 55	Before and after release
Report serious incidents to AI Office	GPAI Provider (systemic risk)	Art. 55	Without undue delay
Ensure adequate cybersecurity for model and infrastructure	GPAI Provider (systemic risk)	Art. 55	Ongoing