Knowledge graph built with Google's Open Knowledge Format (OKF) · sourced from Regulation (EU) 2024/1689.
How to use it
Know the map? Now sit the exam.
The EU AI Act is roughly a fifth of the AIGP. Practise full-length, freshly sampled mock exams with a detailed explanation for every question.
Go to the AIGP mock exam →Concept index
All 68 concepts in the graph, with their article references. Click any card to open it in the graph above.
Advisory Forum
The advisory forum provides technical expertise to the Board and the Commission through a balanced selection of stakeholders from industry, start-ups, SMEs, civil society, and academia.
AI Literacy Obligation
Providers and deployers of AI systems must take measures to ensure, to their best extent, a sufficient level of AI literacy among their staff and other persons operating and using AI systems on their behalf.
AI Office
The "AI Office" is the European Commission function that contributes to the implementation, monitoring, and supervision of AI systems and general-purpose AI models and to AI governance.
AI Regulatory Sandbox
An AI regulatory sandbox is a controlled framework established by a competent authority that lets providers develop, train, test, and validate innovative AI systems for a limited time under regulatory supervision before market placement, pursuant to an agreed sandbox plan.
AI Sandbox Operational Deadline
Member States must ensure that their competent authorities establish at least one AI regulatory sandbox at national level, operational by 2 August 2026.
Annex III High-Risk Use-Case Areas
Annex III designates AI systems as high-risk across eight areas: biometrics, critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services, law enforcement, migration/asylum/border control, and administration of justice and democratic processes.
Authorised Representative
An authorised representative is an EU-established natural or legal person that a third-country provider must appoint by written mandate before making a high-risk AI system or general-purpose AI model available on the Union market.
CE Marking
The CE marking is affixed by the provider to a high-risk AI system to indicate its conformity with the Regulation, visibly, legibly, and indelibly, or on the packaging or accompanying documentation where that is not possible.
Codes of Conduct (Voluntary)
The AI Office and Member States encourage voluntary codes of conduct that foster the application of the Chapter III, Section 2 requirements — and other specific commitments — to AI systems other than high-risk ones.
Codes of Practice (GPAI)
The AI Office facilitates codes of practice at Union level covering the general-purpose AI model obligations in Articles 53 and 55, which providers use to demonstrate compliance until harmonised standards are published.
Conformity Assessment Procedure
High-risk AI systems must undergo a conformity assessment before market placement — either internal control (Annex VI) or, for certain biometrics systems, third-party assessment involving a notified body (Annex VII).
Deep Fake Disclosure Obligation
Deployers of an AI system that generates or manipulates image, audio, or video content constituting a deep fake must disclose that the content has been artificially generated or manipulated.
Definition of a General-Purpose AI Model
A "general-purpose AI model" is an AI model that displays significant generality, is capable of competently performing a wide range of distinct tasks regardless of how it is placed on the market, and can be integrated into a variety of downstream systems or applications.
Definition of a Serious Incident
A "serious incident" is an incident or malfunctioning of an AI system that directly or indirectly leads to the death of or serious harm to a person's health, a serious and irreversible disruption of critical infrastructure, the infringement of fundamental-rights obligations under Union law, or serious harm to property or the environment.
Definition of an AI System
An "AI system" is a machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment, and that — for explicit or implicit objectives — infers from its input how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.
Definition of Systemic Risk
"Systemic risk" is a risk specific to the high-impact capabilities of general-purpose AI models that has a significant impact on the Union market through its reach, or through actual or reasonably foreseeable negative effects on public health, safety, security, fundamental rights, or society as a whole, and that can be propagated at scale across the value chain.
Deployer (Defined Role)
A "deployer" is a natural or legal person, public authority, agency, or other body using an AI system under its authority, except where the system is used in the course of a personal non-professional activity.
Deployer Obligations for High-Risk AI
Deployers of high-risk AI systems must use them in accordance with the instructions for use, assign competent human oversight, monitor operation, keep logs, and inform affected people, providers, and authorities as required.
Distributor Obligations
Before making a high-risk AI system available on the market, distributors must verify that it bears the CE marking, is accompanied by the EU declaration of conformity and instructions for use, and that the provider and importer have met their identification and quality obligations.
EU AI Act Application Dates
The AI Act entered into force on the twentieth day after its 12 July 2024 publication (1 August 2024) and applies from 2 August 2026, with the prohibitions applying from 2 February 2025, the general-purpose AI and governance rules from 2 August 2025, and the Article 6(1) high-risk product-safety obligations from 2 August 2027.
EU AI Act Scope
The AI Act applies to providers, deployers, importers, distributors, product manufacturers, and authorised representatives — wherever established — whenever an AI system is placed on the EU market, put into service in the Union, or its output is used in the Union, and to affected persons located in the Union.
EU AI Act Subject Matter
Regulation (EU) 2024/1689 (the AI Act) lays down harmonised EU rules for the placing on the market, putting into service, and use of AI systems, comprising prohibitions of certain practices, requirements for high-risk systems, transparency rules, rules for general-purpose AI models, and governance and enforcement measures.
EU Database for High-Risk AI Systems
The Commission sets up and maintains an EU database containing information on the Annex III high-risk AI systems registered under Articles 49 and 60, as well as systems concluded not to be high-risk under Article 6(3).
EU Declaration of Conformity
The provider must draw up a written, machine-readable EU declaration of conformity for each high-risk AI system, stating that it meets the Section 2 requirements, and keep it available to national competent authorities for 10 years.
European Artificial Intelligence Board
The European Artificial Intelligence Board is composed of one representative per Member State and advises and assists the Commission and Member States to ensure the consistent and effective application of the Regulation.
Fundamental Rights Impact Assessment
Before deploying certain Annex III high-risk AI systems, deployers that are public bodies, private entities providing public services, or deployers of creditworthiness and insurance-pricing systems must perform a fundamental rights impact assessment (FRIA).
GPAI Codes of Practice Deadline
The general-purpose AI model codes of practice were to be ready at the latest by 2 May 2025, and if a code cannot be finalised or is deemed inadequate by 2 August 2025 the Commission may provide common rules by implementing act.
GPAI Provider Obligations
Providers of general-purpose AI models must maintain technical documentation of the model, provide integration information and documentation to downstream providers, put in place an EU copyright-compliance policy, and publish a sufficiently detailed summary of the content used to train the model.
GPAI Systemic-Risk Classification
A general-purpose AI model is classified as having systemic risk when it has high-impact capabilities — evaluated with appropriate technical tools, benchmarks, and indicators — or when the Commission designates it, with a presumption of high-impact capabilities once training compute exceeds 10^25 floating-point operations.
GPAI Systemic-Risk Compute Threshold
A general-purpose AI model is presumed to have high-impact capabilities, and therefore systemic risk, when the cumulative amount of computation used for its training exceeds 10^25 floating-point operations (FLOP).
GPAI Systemic-Risk Notification Window
A provider whose general-purpose AI model meets the high-impact-capability condition must notify the Commission within two weeks after that requirement is met, or after it becomes known that it will be met.
GPAI Systemic-Risk Provider Obligations
In addition to the general Article 53 obligations, providers of general-purpose AI models with systemic risk must perform model evaluation and adversarial testing, assess and mitigate systemic risks at Union level, report serious incidents, and ensure adequate cybersecurity of the model and its physical infrastructure.
Harmonised Standards Presumption of Conformity
High-risk AI systems and general-purpose AI models that conform to harmonised standards whose references are published in the Official Journal are presumed to comply with the corresponding requirements or obligations, to the extent those standards cover them.
High-Risk Accuracy, Robustness and Cybersecurity
High-risk AI systems must be designed to achieve an appropriate level of accuracy, robustness, and cybersecurity, and to perform consistently in those respects throughout their lifecycle.
High-Risk AI Classification Rules
An AI system is high-risk when it is a safety component of, or is itself, a product covered by the Annex I harmonisation legislation that requires third-party conformity assessment, or when it falls within an Annex III use case — unless it poses no significant risk under the Article 6(3) exemptions and does not profile natural persons.
High-Risk AI Registration
Before placing an Annex III high-risk AI system on the market, the provider (or authorised representative) must register itself and the system in the EU database, and public-authority deployers must register their use.
High-Risk AI Requirements Overview
High-risk AI systems must comply with seven mandatory requirements set out in Chapter III, Section 2: a risk management system, data governance, technical documentation, record-keeping, transparency to deployers, human oversight, and accuracy/robustness/cybersecurity.
High-Risk Data and Data Governance
High-risk AI systems that train models with data must use training, validation, and testing data sets that are relevant, sufficiently representative, and to the best extent possible free of errors and complete for the intended purpose, subject to appropriate data governance and bias-mitigation practices.
High-Risk Human Oversight
High-risk AI systems must be designed and developed, including with appropriate human-machine interface tools, so that natural persons can effectively oversee them during use to prevent or minimise risks to health, safety, and fundamental rights.
High-Risk Log Retention Period
Automatically generated logs of a high-risk AI system, to the extent under the operator's control, must be kept for a period appropriate to the intended purpose and at least six months, unless Union or national law (in particular data-protection law) provides otherwise.
High-Risk Record-Keeping (Logging)
High-risk AI systems must technically allow for the automatic recording of events (logs) over the lifetime of the system, at a level of traceability appropriate to the intended purpose.
High-Risk Risk Management System
Providers of high-risk AI systems must establish, implement, document, and maintain a continuous, iterative risk management system that runs throughout the entire lifecycle of the system.
High-Risk Technical Documentation
The technical documentation of a high-risk AI system must be drawn up before the system is placed on the market and kept up to date, demonstrating compliance with the Section 2 requirements and containing at least the elements set out in Annex IV.
High-Risk Transparency to Deployers
High-risk AI systems must be designed to be sufficiently transparent for deployers to interpret and use their output appropriately, and must be accompanied by concise, complete, correct, and clear instructions for use.
Importer Obligations
Before placing a high-risk AI system on the market, importers must verify that the provider has carried out conformity assessment, drawn up technical documentation, affixed the CE marking and EU declaration of conformity, and appointed an authorised representative.
Informed Consent for Real-World Testing
Subjects of real-world testing outside a sandbox must give freely given, documented informed consent before participating, after being informed of the testing's nature, objectives, conditions, their rights, and how to request reversal of the system's outputs.
National Competent Authorities
Each Member State must establish or designate at least one notifying authority and at least one market surveillance authority as national competent authorities, exercising their powers independently and impartially.
Notified Body
A notified body is a conformity assessment body notified under the Regulation that performs third-party conformity assessment activities — testing, certification, and inspection — for high-risk AI systems.
Notified-Body Certificate Validity Period
Certificates issued by notified bodies are valid for the period they indicate, not exceeding five years for AI systems covered by Annex I and four years for AI systems covered by Annex III.
Penalty for Operator Obligation Breaches
Non-compliance with operator or notified-body obligations — including provider (Article 16), authorised representative (Article 22), importer (Article 23), distributor (Article 24), deployer (Article 26), and transparency (Article 50) obligations — carries administrative fines of up to EUR 15 000 000 or, for an undertaking, up to 3% of total worldwide annual turnover, whichever is higher.
Penalty for Prohibited AI Practices
Breaching the Article 5 prohibited-practice rules carries administrative fines of up to EUR 35 000 000 or, for an undertaking, up to 7% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Penalty for Supplying Incorrect Information
Supplying incorrect, incomplete, or misleading information to notified bodies or national competent authorities in reply to a request carries administrative fines of up to EUR 7 500 000 or, for an undertaking, up to 1% of total worldwide annual turnover, whichever is higher.
Post-Market Monitoring
Providers must establish and document a post-market monitoring system, proportionate to the risks, that actively and systematically collects and analyses data on the performance of high-risk AI systems throughout their lifetime to evaluate continuous compliance.
Post-Remote Biometric ID Authorisation Window
When using a high-risk post-remote biometric identification system to search for a suspect or convict, the deployer must request authorisation from a judicial or binding administrative authority ex ante or without undue delay and no later than 48 hours after use.
Prohibited AI Practices
Article 5 prohibits eight categories of AI practice: harmful subliminal or manipulative techniques, exploitation of vulnerabilities, social scoring, criminal-offence risk prediction by profiling alone, untargeted facial-image scraping, emotion recognition in workplaces and schools, biometric categorisation by sensitive attributes, and — subject to narrow exceptions — real-time remote biometric identification in public spaces for law enforcement.
Provider (Defined Role)
A "provider" is a natural or legal person, public authority, agency, or other body that develops — or has developed — an AI system or general-purpose AI model and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge.
Provider Documentation Retention Period
Providers of high-risk AI systems must keep the technical documentation, quality management system documentation, notified-body decisions, and the EU declaration of conformity at the disposal of national competent authorities for 10 years after the system is placed on the market or put into service.
Provider Obligations for High-Risk AI
Providers of high-risk AI systems must ensure the system meets the Section 2 requirements, operate a quality management system, keep documentation and logs, undergo conformity assessment, draw up an EU declaration of conformity, affix the CE marking, register the system, and take corrective action when needed.
Quality Management System
Providers of high-risk AI systems must put in place a documented quality management system ensuring compliance with the Regulation, set out as written policies, procedures, and instructions.
Real-Time Biometric ID Authorisation Process
Each law-enforcement use of a real-time remote biometric identification system in a publicly accessible space requires prior authorisation by a judicial or independent administrative authority, granted only for a permitted Article 5(1)(h) objective after a fundamental-rights impact assessment and EU-database registration.
Real-Time Biometric ID Urgent Authorisation Window
In a duly justified situation of urgency, law-enforcement use of a real-time remote biometric identification system in a publicly accessible space starts before authorisation only when authorisation is requested within at most 24 hours, and use stops immediately with all data, results, and outputs deleted if that authorisation is rejected.
Real-World Testing Duration Limit
Testing of a high-risk AI system in real-world conditions must not last longer than necessary to achieve its objectives and in any case not longer than six months, which may be extended by an additional six months on prior notification to the market surveillance authority.
Responsibilities Along the AI Value Chain
A distributor, importer, deployer, or other third party is treated as the provider of a high-risk AI system — and assumes the Article 16 provider obligations — when it puts its name or trademark on the system, makes a substantial modification, or changes the intended purpose so that the system becomes high-risk.
Scientific Panel of Independent Experts
The scientific panel is a body of independent experts that supports the enforcement of the Regulation, in particular by alerting the AI Office to systemic risks of general-purpose AI models and advising on their classification.
Serious Incident Reporting
Providers of high-risk AI systems must report any serious incident to the market surveillance authorities of the Member State where it occurred, as soon as a causal link between the system and the incident is established.
Serious Incident Reporting Deadlines
A serious incident must be reported not later than 15 days after awareness; the deadline is 10 days where the incident involves the death of a person, and 2 days for a widespread infringement or a critical-infrastructure disruption.
Testing of High-Risk AI in Real-World Conditions
Providers may test Annex III high-risk AI systems in real-world conditions outside a sandbox before market placement, subject to an approved real-world testing plan and a set of protective conditions.
Transparency Obligations
Article 50 requires that people be informed when they interact with an AI system, that AI-generated synthetic audio, image, video, and text be marked machine-readably as artificial, that deployers disclose the use of emotion-recognition and biometric-categorisation systems, and that deep-fake content be disclosed.