July 03, 2026

EU AI Act Compliance: Obligations, Risks and Documentation

Author: Studio Legale SG SERAFIN

Regulation (EU) 2024/1689, known as the AI Act, entered into force on August 1, 2024, and represents the world's first comprehensive regulatory framework for artificial intelligence. Built on a risk-based approach, it imposes differentiated obligations on providers, deployers, importers, and distributors, with sanctions reaching up to €35 million or 7% of global annual turnover. The provisional agreement on the Digital Omnibus, reached on May 7, 2026 and confirmed by the European Parliament on June 16, 2026, has revised certain key deadlines without altering the substantive architecture of the Regulation. This article provides a practical guide to the obligations, risks, and documentation requirements that law firms and their clients need to understand.

1. The Risk Framework: The Regulatory Pyramid

The AI Act classifies artificial intelligence systems into four risk tiers, each with a distinct legal regime. From the prohibited tier at the top to minimal risk at the base, the compliance burden decreases progressively while the range of affected organisations broadens.

Figure: Risk architecture of the EU AI Act (maximum sanction: €35M or 7% of turnover)
- ⛔ Unacceptable risk: prohibited (Art. 5)
- High risk: Annex III + Annex I; stringent obligations (Arts. 10-15, 26)
- Limited risk: chatbots, deepfakes, AI-generated content; transparency obligations (Art. 50)
- Minimal or no risk: spam filters, AI video games, productivity tools; no specific obligations

2. The Application Timeline (Updated: Digital Omnibus 2026)

The AI Act does not apply all at once: its provisions enter into force in progressive waves, calibrated to the severity of risk. The Digital Omnibus — a provisional agreement reached on May 7, 2026 between the EU Council and the European Parliament, confirmed in plenary on June 16, 2026 — has postponed deadlines for high-risk systems without modifying the substantive content of the obligations.

Figure: Application timeline (⚡ Digital Omnibus: revised deadlines)
- Aug 2024: Entry into force (Reg. 2024/1689)
- Feb 2025: Prohibited practices (Art. 5 — bans operative)
- Aug 2025: GPAI obligations (Governance + AI Literacy)
- Jul 2026: NOW
- Dec 2026: Watermarking + Transparency (Art. 50 §2, AI content)
- Dec 2027: High Risk Annex III (Digital Omnibus; was Aug 2026)
- Aug 2028: High Risk Annex I (regulated products)

Practical note for law firms: The Digital Omnibus deferral is not a regulatory amnesty. AI Literacy obligations (Art. 4), bans on prohibited practices (Art. 5), and transparency rules for chatbots and AI-generated content are already fully operative. The time gained should be invested in preparing the technical file — not in delay.

3. Obligations by Risk Category: Reference Table

The following table, compiled from the text of Regulation (EU) 2024/1689, summarises the main obligations by risk tier and by role (provider or deployer). It is a first-orientation operational tool and does not replace specialist legal advice.

| Tier | Use Case Examples | Key Obligations (Provider) | Obligations (Deployer) | Deadline |
|---|---|---|---|---|
| ⛔ Unacceptable | Social scoring, subliminal manipulation, real-time biometric ID in public spaces (with exceptions) | Absolute ban on placing the system on the market | Absolute ban on use | From 2.2.2025 |
| 🔴 High Risk | CV screening, credit scoring, critical infrastructure, student assessment, biometrics | Technical documentation (Art. 11), risk management (Art. 9), data governance (Art. 10), EU registration (Art. 49), CE marking, human oversight (Art. 14) | Compliant use per instructions, FRIA (Art. 27), operational monitoring, incident reporting | 2.12.2027 (Annex III) · 2.8.2028 (Annex I) |
| 🟡 Limited | Chatbots, virtual assistants, AI-generated content (text, images, video, audio) | Disclose AI interaction to users (Art. 50), watermarking of synthetic content by Dec 2026 | Disclosure to end users, labelling of deepfakes and AI-generated texts on matters of public interest | From 2.8.2026 · Watermarking: 2.12.2026 |
| 🟢 Minimal | Spam filters, AI video games, generic productivity tools, content recommendation engines | No specific obligations (voluntary codes of conduct, Art. 69) | AI Literacy mandatory for staff (Art. 4 — already in force) | AI Literacy: already in force |
| 🔵 GPAI | ChatGPT, Gemini, Claude, Copilot, Llama (general-purpose AI models) | Technical documentation, copyright transparency, training data summary, systemic risk assessment if FLOP ≥ 10²⁵ | Transparency obligations toward users (as deployer of the GPAI model) | From 2.8.2025 |

4. Technical Documentation: The Core of Compliance

Article 11 of the Regulation requires that technical documentation for a high-risk AI system be prepared before the system is placed on the market and kept continuously up to date. The minimum content is set out in Annex IV and covers elements that law firms and their clients must master in order to structure the compliance file correctly.

Figure: Annex IV, minimum content of the technical file
- General Description: Purpose, logic, categories of affected persons, scope of use.
- System Architecture: Technical specs, training data, performance metrics and testing results.
- Risk Management: System per Art. 9: identify, assess, mitigate risks throughout the lifecycle.
- Human Oversight: Measures per Art. 14: controls, override capability and system shut-down.
- Conformity Assessment: Procedure per Art. 43: internal (Annex VI) or notified body (Annex VII).
- Logging & Retention: Automatic event logging (Art. 12), documentation retention: 10 years.

SME / start-up note: SMEs, including start-ups, may provide the Annex IV elements in a simplified form (Art. 11 §3). The Commission will define a simplified template. The Digital Omnibus extends these benefits to medium-sized enterprises (up to 500 employees).

5. Providers and Deployers: Distinct Obligations, Shared Accountability

One of the most critical distinctions in the AI Act concerns the qualification of the obligated party. A law firm that integrates third-party AI tools into its workflows is, in almost all cases, a deployer — with its own autonomous set of obligations separate from those of the system manufacturer.

| Criterion | Provider (Manufacturer) | Deployer (User) |
|---|---|---|
| Definition | Develops and places the AI system on the market under its own name or brand | Uses the AI system under its own authority in a professional context |
| Documentation | Technical file (Annex IV), EU declaration of conformity, EU database registration | Usage logs, FRIA (if public authority or financial/insurance scoring), instructions for use |
| Risk of becoming a Provider | N/A | A deployer that affixes its own brand or substantially modifies the system becomes a Provider in all respects (Art. 25) |
| AI Literacy | Must ensure adequate training for staff interacting with AI (Art. 4) | Identical obligation (Art. 4) — already in force. Absence is treated as an aggravating factor |
| Human oversight | Must design the system to allow effective human oversight (Art. 14) | Must ensure that competent persons actually exercise oversight (Art. 26) |

6. The Sanctions Regime: A Three-Tier System

Article 99 of the Regulation structures sanctions into three graduated bands, proportionate to the severity of the infringement. For SMEs and start-ups, the proportionality principle applies: the sanction imposed is the lower of the absolute amounts and the turnover percentages.

| Band | Infringement | Maximum Sanction | Legal Reference |
|---|---|---|---|
| Band I — Maximum | Use of prohibited AI practices (social scoring, manipulation, unlawful biometric ID) | €35,000,000 or 7% of global annual turnover | Art. 99 §3 · Art. 5 |
| Band II — High | Breach of high-risk system obligations (documentation, data governance, transparency), GPAI obligations | €15,000,000 or 3% of global annual turnover | Art. 99 §4 |
| Band III — Base | Supplying false, incomplete, or misleading information to competent authorities or notified bodies | €7,500,000 or 1% of global annual turnover | Art. 99 §5 |

7. Operational Checklist: What to Do Now

The deferral of high-risk system deadlines does not remove the need to begin the compliance journey immediately. The actions listed below are independent of the calendar and form the foundation of any AI governance strategy for a law firm or the clients it advises.

| # | Action | Urgency | Reference |
|---|---|---|---|
| 01 | AI Systems Inventory — Map all AI systems in use (proprietary or third-party) | IMMEDIATE | Art. 26 · Art. 49 |
| 02 | Risk Classification — Verify whether systems fall under Annex III or Annex I | IMMEDIATE | Art. 6 · Annex III |
| 03 | AI Literacy — Launch a documented training programme for all staff interacting with AI | ALREADY IN FORCE | Art. 4 |
| 04 | Prohibited Practices Check — Categorically exclude the use of systems classified as unacceptable risk | ALREADY IN FORCE | Art. 5 |
| 05 | Technical File — Begin preparing the file for high-risk systems now (do not wait until 2027) | BY END 2025 | Art. 11 · Annex IV |
| 06 | AI Content Watermarking — Ensure AI-generated content is identifiable by December 2026 | DEC 2026 | Art. 50 §2 |
| 07 | Internal AI Governance Policy — Adopt a company policy governing the use of AI tools | HIGH PRIORITY | Art. 26 · GDPR |
| 08 | GDPR Coordination — Verify synergies between AI Act obligations and GDPR (esp. Art. 10 and FRIA/DPIA) | HIGH PRIORITY | Art. 27 · GDPR |

8. Conclusions: Compliance as Competitive Advantage

The AI Act is not merely a set of bureaucratic constraints: it is the regulatory framework within which the competitiveness of law firms and businesses will be determined over the coming years. The Digital Omnibus has shifted certain deadlines, but it has not altered the direction of travel. Organisations that use this time to structure their AI governance — mapping systems in use, training staff, preparing the technical file and aligning obligations with the GDPR — will reach 2027 with a significant advantage over those who have treated the deferral as authorisation to delay.

For law firms, AI Act compliance is also a strategic positioning opportunity: clients seeking advice on AI governance look for counterparts who have already gained direct, practical experience in the field. Being compliant — and being able to demonstrate it — is the most compelling professional credential available.

Transparency notice: This article has been prepared on the basis of Regulation (EU) 2024/1689 (official EUR-Lex text), the provisional Digital Omnibus agreement of May 7, 2026 (confirmed by the European Parliament on June 16, 2026), and verified specialist legal sources. The information reflects the regulatory position as of July 2026. For specific compliance matters, specialist legal advice is essential.