Free Interactive Tool · EU AI Act

EU AI Act Brain

An interactive knowledge graph of Regulation (EU) 2024/1689, the EU AI Act. Every node is an article-cited concept, role, obligation or deadline; every line is a real connection. Search it, drag it, and click any node to see the rule and jump to what it links to. Built for AIGP exam prep and quick AI governance reference.

Test yourself: AIGP mock exam → Free study material

Drag nodes • scroll to zoom • click a node for details

Tags
Related
Source
Regulation (EU) 2024/1689 · id:

Knowledge graph built with Google's Open Knowledge Format (OKF) · sourced from Regulation (EU) 2024/1689.

How to use it

Search a term like "provider", "biometric" or "penalty" to spotlight the matching nodes.
Click a node to read the article-cited rule, its tags, and its linked concepts, then click a related concept to travel the graph.
Filter by colour using the legend: concepts, processes, entities and facts. Toggle a type off to declutter.
Share a concept by copying the URL after you select a node; it deep-links straight back to that node.

Know the map? Now sit the exam.

The EU AI Act is roughly a fifth of the AIGP. Practise full-length, freshly sampled mock exams with a detailed explanation for every question.

Go to the AIGP mock exam →

Concept index

All 68 concepts in the graph, with their article references. Click any card to open it in the graph above.

entityArticle 67

Advisory Forum

The advisory forum provides technical expertise to the Board and the Commission through a balanced selection of stakeholders from industry, start-ups, SMEs, civil society, and academia.

conceptArticle 4

AI Literacy Obligation

Providers and deployers of AI systems must take measures to ensure, to their best extent, a sufficient level of AI literacy among their staff and other persons operating and using AI systems on their behalf.

entityArticle 3

AI Office

The "AI Office" is the European Commission function that contributes to the implementation, monitoring, and supervision of AI systems and general-purpose AI models and to AI governance.

conceptArticle 57

AI Regulatory Sandbox

An AI regulatory sandbox is a controlled framework established by a competent authority that lets providers develop, train, test, and validate innovative AI systems for a limited time under regulatory supervision before market placement, pursuant to an agreed sandbox plan.

factArticle 57

AI Sandbox Operational Deadline

Member States must ensure that their competent authorities establish at least one AI regulatory sandbox at national level, operational by 2 August 2026.

conceptAnnex III

Annex III High-Risk Use-Case Areas

Annex III designates AI systems as high-risk across eight areas: biometrics, critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services, law enforcement, migration/asylum/border control, and administration of justice and democratic processes.

entityArticle 22, Article 54

Authorised Representative

An authorised representative is an EU-established natural or legal person that a third-country provider must appoint by written mandate before making a high-risk AI system or general-purpose AI model available on the Union market.

conceptArticle 48

CE Marking

The CE marking is affixed by the provider to a high-risk AI system to indicate its conformity with the Regulation, visibly, legibly, and indelibly, or on the packaging or accompanying documentation where that is not possible.

conceptArticle 95

Codes of Conduct (Voluntary)

The AI Office and Member States encourage voluntary codes of conduct that foster the application of the Chapter III, Section 2 requirements — and other specific commitments — to AI systems other than high-risk ones.

conceptArticle 56

Codes of Practice (GPAI)

The AI Office facilitates codes of practice at Union level covering the general-purpose AI model obligations in Articles 53 and 55, which providers use to demonstrate compliance until harmonised standards are published.

processArticle 43

Conformity Assessment Procedure

High-risk AI systems must undergo a conformity assessment before market placement — either internal control (Annex VI) or, for certain biometrics systems, third-party assessment involving a notified body (Annex VII).

factArticle 50

Deep Fake Disclosure Obligation

Deployers of an AI system that generates or manipulates image, audio, or video content constituting a deep fake must disclose that the content has been artificially generated or manipulated.

conceptArticle 3

Definition of a General-Purpose AI Model

A "general-purpose AI model" is an AI model that displays significant generality, is capable of competently performing a wide range of distinct tasks regardless of how it is placed on the market, and can be integrated into a variety of downstream systems or applications.

conceptArticle 3

Definition of a Serious Incident

A "serious incident" is an incident or malfunctioning of an AI system that directly or indirectly leads to the death of or serious harm to a person's health, a serious and irreversible disruption of critical infrastructure, the infringement of fundamental-rights obligations under Union law, or serious harm to property or the environment.

conceptArticle 3

Definition of an AI System

An "AI system" is a machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment, and that — for explicit or implicit objectives — infers from its input how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.

conceptArticle 3

Definition of Systemic Risk

"Systemic risk" is a risk specific to the high-impact capabilities of general-purpose AI models that has a significant impact on the Union market through its reach, or through actual or reasonably foreseeable negative effects on public health, safety, security, fundamental rights, or society as a whole, and that can be propagated at scale across the value chain.

entityArticle 3

Deployer (Defined Role)

A "deployer" is a natural or legal person, public authority, agency, or other body using an AI system under its authority, except where the system is used in the course of a personal non-professional activity.

conceptArticle 26

Deployer Obligations for High-Risk AI

Deployers of high-risk AI systems must use them in accordance with the instructions for use, assign competent human oversight, monitor operation, keep logs, and inform affected people, providers, and authorities as required.

conceptArticle 24

Distributor Obligations

Before making a high-risk AI system available on the market, distributors must verify that it bears the CE marking, is accompanied by the EU declaration of conformity and instructions for use, and that the provider and importer have met their identification and quality obligations.

factArticle 113

EU AI Act Application Dates

The AI Act entered into force on the twentieth day after its 12 July 2024 publication (1 August 2024) and applies from 2 August 2026, with the prohibitions applying from 2 February 2025, the general-purpose AI and governance rules from 2 August 2025, and the Article 6(1) high-risk product-safety obligations from 2 August 2027.

conceptArticle 2

EU AI Act Scope

The AI Act applies to providers, deployers, importers, distributors, product manufacturers, and authorised representatives — wherever established — whenever an AI system is placed on the EU market, put into service in the Union, or its output is used in the Union, and to affected persons located in the Union.

concept

EU AI Act Subject Matter

Regulation (EU) 2024/1689 (the AI Act) lays down harmonised EU rules for the placing on the market, putting into service, and use of AI systems, comprising prohibitions of certain practices, requirements for high-risk systems, transparency rules, rules for general-purpose AI models, and governance and enforcement measures.

conceptArticle 71

EU Database for High-Risk AI Systems

The Commission sets up and maintains an EU database containing information on the Annex III high-risk AI systems registered under Articles 49 and 60, as well as systems concluded not to be high-risk under Article 6(3).

conceptArticle 47, Annex V

EU Declaration of Conformity

The provider must draw up a written, machine-readable EU declaration of conformity for each high-risk AI system, stating that it meets the Section 2 requirements, and keep it available to national competent authorities for 10 years.

entityArticle 65, Article 66

European Artificial Intelligence Board

The European Artificial Intelligence Board is composed of one representative per Member State and advises and assists the Commission and Member States to ensure the consistent and effective application of the Regulation.

processArticle 27

Fundamental Rights Impact Assessment

Before deploying certain Annex III high-risk AI systems, deployers that are public bodies, private entities providing public services, or deployers of creditworthiness and insurance-pricing systems must perform a fundamental rights impact assessment (FRIA).

factArticle 56

GPAI Codes of Practice Deadline

The general-purpose AI model codes of practice were to be ready at the latest by 2 May 2025, and if a code cannot be finalised or is deemed inadequate by 2 August 2025 the Commission may provide common rules by implementing act.

conceptArticle 53

GPAI Provider Obligations

Providers of general-purpose AI models must maintain technical documentation of the model, provide integration information and documentation to downstream providers, put in place an EU copyright-compliance policy, and publish a sufficiently detailed summary of the content used to train the model.

conceptArticle 51

GPAI Systemic-Risk Classification

A general-purpose AI model is classified as having systemic risk when it has high-impact capabilities — evaluated with appropriate technical tools, benchmarks, and indicators — or when the Commission designates it, with a presumption of high-impact capabilities once training compute exceeds 10^25 floating-point operations.

factArticle 51

GPAI Systemic-Risk Compute Threshold

A general-purpose AI model is presumed to have high-impact capabilities, and therefore systemic risk, when the cumulative amount of computation used for its training exceeds 10^25 floating-point operations (FLOP).

factArticle 52

GPAI Systemic-Risk Notification Window

A provider whose general-purpose AI model meets the high-impact-capability condition must notify the Commission within two weeks after that requirement is met, or after it becomes known that it will be met.

conceptArticle 55

GPAI Systemic-Risk Provider Obligations

In addition to the general Article 53 obligations, providers of general-purpose AI models with systemic risk must perform model evaluation and adversarial testing, assess and mitigate systemic risks at Union level, report serious incidents, and ensure adequate cybersecurity of the model and its physical infrastructure.

conceptArticle 40, Article 41

Harmonised Standards Presumption of Conformity

High-risk AI systems and general-purpose AI models that conform to harmonised standards whose references are published in the Official Journal are presumed to comply with the corresponding requirements or obligations, to the extent those standards cover them.

conceptArticle 15

High-Risk Accuracy, Robustness and Cybersecurity

High-risk AI systems must be designed to achieve an appropriate level of accuracy, robustness, and cybersecurity, and to perform consistently in those respects throughout their lifecycle.

conceptArticle 6, Annex III

High-Risk AI Classification Rules

An AI system is high-risk when it is a safety component of, or is itself, a product covered by the Annex I harmonisation legislation that requires third-party conformity assessment, or when it falls within an Annex III use case — unless it poses no significant risk under the Article 6(3) exemptions and does not profile natural persons.

conceptArticle 49

High-Risk AI Registration

Before placing an Annex III high-risk AI system on the market, the provider (or authorised representative) must register itself and the system in the EU database, and public-authority deployers must register their use.

conceptArticle 8

High-Risk AI Requirements Overview

High-risk AI systems must comply with seven mandatory requirements set out in Chapter III, Section 2: a risk management system, data governance, technical documentation, record-keeping, transparency to deployers, human oversight, and accuracy/robustness/cybersecurity.

conceptArticle 10

High-Risk Data and Data Governance

High-risk AI systems that train models with data must use training, validation, and testing data sets that are relevant, sufficiently representative, and to the best extent possible free of errors and complete for the intended purpose, subject to appropriate data governance and bias-mitigation practices.

conceptArticle 14

High-Risk Human Oversight

High-risk AI systems must be designed and developed, including with appropriate human-machine interface tools, so that natural persons can effectively oversee them during use to prevent or minimise risks to health, safety, and fundamental rights.

factArticle 19, Article 26

High-Risk Log Retention Period

Automatically generated logs of a high-risk AI system, to the extent under the operator's control, must be kept for a period appropriate to the intended purpose and at least six months, unless Union or national law (in particular data-protection law) provides otherwise.

conceptArticle 12

High-Risk Record-Keeping (Logging)

High-risk AI systems must technically allow for the automatic recording of events (logs) over the lifetime of the system, at a level of traceability appropriate to the intended purpose.

conceptArticle 9

High-Risk Risk Management System

Providers of high-risk AI systems must establish, implement, document, and maintain a continuous, iterative risk management system that runs throughout the entire lifecycle of the system.

conceptArticle 11, Annex IV

High-Risk Technical Documentation

The technical documentation of a high-risk AI system must be drawn up before the system is placed on the market and kept up to date, demonstrating compliance with the Section 2 requirements and containing at least the elements set out in Annex IV.

conceptArticle 13

High-Risk Transparency to Deployers

High-risk AI systems must be designed to be sufficiently transparent for deployers to interpret and use their output appropriately, and must be accompanied by concise, complete, correct, and clear instructions for use.

conceptArticle 23

Importer Obligations

Before placing a high-risk AI system on the market, importers must verify that the provider has carried out conformity assessment, drawn up technical documentation, affixed the CE marking and EU declaration of conformity, and appointed an authorised representative.

conceptArticle 61

Informed Consent for Real-World Testing

Subjects of real-world testing outside a sandbox must give freely given, documented informed consent before participating, after being informed of the testing's nature, objectives, conditions, their rights, and how to request reversal of the system's outputs.

entityArticle 70

National Competent Authorities

Each Member State must establish or designate at least one notifying authority and at least one market surveillance authority as national competent authorities, exercising their powers independently and impartially.

entityArticle 3

Notified Body

A notified body is a conformity assessment body notified under the Regulation that performs third-party conformity assessment activities — testing, certification, and inspection — for high-risk AI systems.

factArticle 44

Notified-Body Certificate Validity Period

Certificates issued by notified bodies are valid for the period they indicate, not exceeding five years for AI systems covered by Annex I and four years for AI systems covered by Annex III.

factArticle 99

Penalty for Operator Obligation Breaches

Non-compliance with operator or notified-body obligations — including provider (Article 16), authorised representative (Article 22), importer (Article 23), distributor (Article 24), deployer (Article 26), and transparency (Article 50) obligations — carries administrative fines of up to EUR 15 000 000 or, for an undertaking, up to 3% of total worldwide annual turnover, whichever is higher.

factArticle 99

Penalty for Prohibited AI Practices

Breaching the Article 5 prohibited-practice rules carries administrative fines of up to EUR 35 000 000 or, for an undertaking, up to 7% of total worldwide annual turnover for the preceding financial year, whichever is higher.

factArticle 99

Penalty for Supplying Incorrect Information

Supplying incorrect, incomplete, or misleading information to notified bodies or national competent authorities in reply to a request carries administrative fines of up to EUR 7 500 000 or, for an undertaking, up to 1% of total worldwide annual turnover, whichever is higher.

conceptArticle 72

Post-Market Monitoring

Providers must establish and document a post-market monitoring system, proportionate to the risks, that actively and systematically collects and analyses data on the performance of high-risk AI systems throughout their lifetime to evaluate continuous compliance.

factArticle 26

Post-Remote Biometric ID Authorisation Window

When using a high-risk post-remote biometric identification system to search for a suspect or convict, the deployer must request authorisation from a judicial or binding administrative authority ex ante or without undue delay and no later than 48 hours after use.

conceptArticle 5

Prohibited AI Practices

Article 5 prohibits eight categories of AI practice: harmful subliminal or manipulative techniques, exploitation of vulnerabilities, social scoring, criminal-offence risk prediction by profiling alone, untargeted facial-image scraping, emotion recognition in workplaces and schools, biometric categorisation by sensitive attributes, and — subject to narrow exceptions — real-time remote biometric identification in public spaces for law enforcement.

entityArticle 3

Provider (Defined Role)

A "provider" is a natural or legal person, public authority, agency, or other body that develops — or has developed — an AI system or general-purpose AI model and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge.

factArticle 18

Provider Documentation Retention Period

Providers of high-risk AI systems must keep the technical documentation, quality management system documentation, notified-body decisions, and the EU declaration of conformity at the disposal of national competent authorities for 10 years after the system is placed on the market or put into service.

conceptArticle 16

Provider Obligations for High-Risk AI

Providers of high-risk AI systems must ensure the system meets the Section 2 requirements, operate a quality management system, keep documentation and logs, undergo conformity assessment, draw up an EU declaration of conformity, affix the CE marking, register the system, and take corrective action when needed.

conceptArticle 17

Quality Management System

Providers of high-risk AI systems must put in place a documented quality management system ensuring compliance with the Regulation, set out as written policies, procedures, and instructions.

processArticle 5

Real-Time Biometric ID Authorisation Process

Each law-enforcement use of a real-time remote biometric identification system in a publicly accessible space requires prior authorisation by a judicial or independent administrative authority, granted only for a permitted Article 5(1)(h) objective after a fundamental-rights impact assessment and EU-database registration.

factArticle 5

Real-Time Biometric ID Urgent Authorisation Window

In a duly justified situation of urgency, law-enforcement use of a real-time remote biometric identification system in a publicly accessible space starts before authorisation only when authorisation is requested within at most 24 hours, and use stops immediately with all data, results, and outputs deleted if that authorisation is rejected.

factArticle 60

Real-World Testing Duration Limit

Testing of a high-risk AI system in real-world conditions must not last longer than necessary to achieve its objectives and in any case not longer than six months, which may be extended by an additional six months on prior notification to the market surveillance authority.

conceptArticle 25

Responsibilities Along the AI Value Chain

A distributor, importer, deployer, or other third party is treated as the provider of a high-risk AI system — and assumes the Article 16 provider obligations — when it puts its name or trademark on the system, makes a substantial modification, or changes the intended purpose so that the system becomes high-risk.

entityArticle 68

Scientific Panel of Independent Experts

The scientific panel is a body of independent experts that supports the enforcement of the Regulation, in particular by alerting the AI Office to systemic risks of general-purpose AI models and advising on their classification.

processArticle 73

Serious Incident Reporting

Providers of high-risk AI systems must report any serious incident to the market surveillance authorities of the Member State where it occurred, as soon as a causal link between the system and the incident is established.

factArticle 73

Serious Incident Reporting Deadlines

A serious incident must be reported not later than 15 days after awareness; the deadline is 10 days where the incident involves the death of a person, and 2 days for a widespread infringement or a critical-infrastructure disruption.

processArticle 60

Testing of High-Risk AI in Real-World Conditions

Providers may test Annex III high-risk AI systems in real-world conditions outside a sandbox before market placement, subject to an approved real-world testing plan and a set of protective conditions.

conceptArticle 50

Transparency Obligations

Article 50 requires that people be informed when they interact with an AI system, that AI-generated synthetic audio, image, video, and text be marked machine-readably as artificial, that deployers disclose the use of emotion-recognition and biometric-categorisation systems, and that deep-fake content be disclosed.