Regulation (EU) 2024/1689

EU AI Act compliance, article by article.

The EU AI Act is the world's first horizontal regulation of artificial intelligence — staggered into force from 2025-02-02 through 2027-08-02, with high-risk system obligations enforceable from 2026-08-02. This pillar covers each article we have a tool for: what it actually says, when it applies, what non-compliance costs, and the open-source evidence that gets produced today.

Source: Regulation (EU) 2024/1689 (EU AI Act), CELEX:32024R1689 — Official Journal of the European Union.

Enforcement timeline (Article 113)

Four staggered application dates between 2025 and 2027.

Date	What enforces	Status
2025-02-02	Articles 1–5 — including Article 4 (AI literacy) and Article 5 (prohibited practices)	Enforced
2025-08-02	Article 53 (GPAI obligations), governance provisions, penalties (Articles 99 and 101)	Enforced
2026-08-02	Most remaining provisions including Articles 6–15 — high-risk system requirements (risk management, data governance, technical documentation, accuracy)	Upcoming
2027-08-02	Article 6(1) and Annex I — high-risk products covered by sector-specific Union harmonisation legislation	Upcoming

Per Article 113. Cross-checked against Regulation (EU) 2024/1689 Article 113 (Official Journal).

Articles AiExponent has tools for

Pick an article. See what it requires. Generate the evidence.

Each spoke quotes the regulation verbatim, names the penalty band, and links to the open-source tool that produces the audit-ready evidence — plus the AskAjay framework for programme-level work.

Enforced 2025-02-02

Article 5 — Prohibited AI practices

Article 5 of the EU AI Act prohibits eight categories of AI practice — subliminal manipulation, exploitation of vulnerabilities, social scoring of natural persons based on social behaviour or personal characteristics, real-time remote biometric identification in public spaces (with narrow exceptions), biometric categorisation inferring sensitive characteristics, emotion inference at work or in education, untargeted facial-image scraping, and individual criminal-risk profiling. The prohibitions are absolute and have been enforceable since 2 February 2025.

→LitmusAI

Upcoming 2026-08-02

Article 9 — Risk management system

Article 9 of the EU AI Act requires a documented, lifecycle-long risk management system for high-risk AI systems — not a one-time assessment. It must identify foreseeable risks to health, safety, and fundamental rights, evaluate them under intended use and reasonably foreseeable misuse, adopt targeted mitigation measures, and produce testing evidence sufficient to defend the residual-risk judgement. Enforceable from 2 August 2026.

→RiskForge

Enforced 2025-08-02

Article 10 — Data and data governance

Article 10 of the EU AI Act requires high-risk AI providers to govern training, validation, and testing data — including quality criteria, examination for bias and protected attributes, and representativeness for the intended purpose. Datasets must be appropriate to the geographical, contextual, behavioural or functional setting in which the system is intended to be used (Art. 10(4)). Enforceable from 2 August 2026.

→License Compliance CheckerIn development

Upcoming

Article 11 — Technical documentation

Article 11 of the EU AI Act requires that technical documentation for high-risk AI systems is drawn up before the system is placed on the market and kept up to date throughout its lifecycle. The documentation must cover the elements set out in Annex IV — system description, design specification, monitoring functioning, performance metrics, and any change-management. Enforceable from 2 August 2026.

→Agentic Document AnalyserIn development

Upcoming 2026-08-02

Article 15 — Accuracy, robustness, and cybersecurity

Article 15 of the EU AI Act requires high-risk AI systems to achieve appropriate accuracy, robustness, and cybersecurity, and to perform consistently in those respects throughout the lifecycle. Accuracy metrics must be declared in the instructions for use; robustness must extend to errors, faults, and inconsistencies including adversarial inputs. Enforceable from 2 August 2026.

→RAG Benchmarking

Upcoming

Article 19 — Automatically generated logs

Article 19 of the EU AI Act requires providers of high-risk AI systems to keep the logs automatically generated by the system, when those logs are under their control. The logs must be preserved for a period appropriate to the intended purpose of the system — at least six months, unless otherwise provided in applicable Union or national law — and supplied to competent authorities on request. Enforceable from 2 August 2026.

→Agentic Document AnalyserIn development

Enforced 2025-08-02

Article 53 — Obligations for providers of general-purpose AI models

Article 53 of the EU AI Act requires providers of general-purpose AI models to keep up-to-date Annex XI technical documentation, put in place a copyright policy aligned with Directive (EU) 2019/790 Article 4(3), and publish a sufficiently detailed training-data summary using the AI Office template. The obligations have been enforceable since 2 August 2025; non-compliance is sanctionable by the European Commission under Article 101(1).

→License Compliance Checker

When the findings land on a governance desk

Tools surface problems. Programmes solve them.

The articles above translate into evidence packs an engineering team can ship. The next step — programme design, board narrative, regulator engagement — is the work AskAjay covers, the advisory arm of AI Exponent LLC.

Explore advisory at AskAjay.ai →