The terms an AI governance team actually uses, defined in plain language by practitioners. For the full walk-through, see the EU AI Act practitioner's guide.
Regulation (EU) 2024/1689, a binding European law that governs artificial intelligence systems by the risk they pose. It applies directly across all EU member states and places obligations on both the organizations that build AI and those that use it.
A machine-based system that operates with some autonomy, may adapt after deployment, and infers from its input how to generate outputs such as predictions, content, recommendations, or decisions. Software that only executes fixed human-written rules is generally outside the definition.
An organization that develops an AI system, or has one developed, and places it on the market or puts it into service under its own name or trademark. Providers carry the build-side obligations, including running a quality management system, conformity assessment, and CE marking.
An organization that uses an AI system under its own authority in a professional context. Deployers carry use-side duties such as following the instructions for use, assigning competent human oversight, monitoring operation, and informing affected people.
The Act's central mechanism, sorting each AI system into one of four levels: prohibited practices, high-risk, limited-risk transparency, and minimal risk. The tier decides how much obligation attaches to the system.
The set of AI uses banned outright under Article 5, including manipulative techniques that cause significant harm, social scoring, untargeted scraping of facial images, and certain biometric uses. For a prohibited practice there is no compliance path.
An AI system that is either a safety component of a regulated product or falls within one of the eight Annex III areas. High-risk systems are permitted but carry the full requirement set and a conformity assessment before they reach the market.
The list of eight use areas that make an AI system high-risk: biometrics, critical infrastructure, education, employment, essential services and benefits, law enforcement, migration and border control, and the administration of justice and democratic processes.
The tier of duties under Article 50 that apply on top of any other tier. They include telling people they are interacting with AI, labelling synthetic content, and disclosing emotion-recognition or biometric-categorisation operation to the people exposed to it.
The tier covering AI that does not fall into the other three. It carries no specific AI Act obligation beyond the AI-literacy duty. Most ordinary business AI sits here, and the right move is still to record the classification.
The Article 50 duty to make certain AI use visible. People must be told when they are interacting with an AI system, and AI-generated audio, image, video, and text must be marked as artificially generated in a machine-readable form.
General-purpose AI: a model trained on broad data that can perform a wide range of tasks and be built into many downstream systems. GPAI model providers owe a baseline of technical documentation, downstream information, a copyright policy, and a training-content summary.
The common industry term for a large model trained on broad data and adaptable to many tasks. Under the Act these are addressed as general-purpose AI models, with heavier duties where they carry systemic risk.
A general-purpose AI model judged to pose risk at Union level, presumed when the compute used to train it exceeds a defined threshold or where the Commission designates it. These models carry extra duties including documented adversarial testing and incident reporting.
The process under Article 43 by which a provider confirms that a high-risk system meets the requirement set before it is placed on the market. For most Annex III systems it is an internal-control assessment the provider performs; certain biometric systems may require a notified body.
The conformity mark used across regulated products in Europe, affixed to a high-risk AI system under Article 48 to show it has passed conformity assessment. A notified body's identification number follows the mark where a notified body was involved.
The signed statement under Article 47, kept for ten years, in which a provider declares that a high-risk AI system meets the Act's requirements. It is signed only once every conformity gap is closed.
The central registry under Article 49 where providers register high-risk AI systems before placing them on the market and public-authority deployers register their use. Sensitive law-enforcement and border-control systems are recorded in a secure non-public section.
An accredited independent organization authorised to perform third-party conformity assessment of certain high-risk AI systems. It is used where the provider cannot rely on internal-control assessment alone.
The European Commission body that oversees general-purpose AI models, supports consistent application of the Act, and receives serious-incident reports for systemic-risk GPAI models.
Fundamental Rights Impact Assessment: an assessment under Article 27 that certain deployers must perform before first use of a high-risk system, focused on its impact on people's rights. It can complement a GDPR data-protection impact assessment.
The documented system under Article 72 by which a provider collects and analyses performance data across a high-risk system's life, so problems that surface only in real use are caught and addressed.
An event linked to an AI system that leads to death, serious harm to health, serious disruption of critical infrastructure, or breach of fundamental-rights obligations. Providers must report serious incidents to the national authority under Article 73, on a tight reporting clock.
The duty under Article 4 on providers and deployers to ensure a sufficient level of skill and understanding among the staff who operate an AI system, so they can use it appropriately and recognise its limits.
The identification of people from biometric data, such as facial features, captured at a distance without their active involvement and processed without significant delay. Its real-time use in public spaces for law enforcement is a prohibited practice subject to narrow exceptions.
The Article 14 requirement that a high-risk system be designed so people can understand its limits, counter automation bias, interpret and override its output, and stop the system when needed.
A change to a high-risk AI system significant enough to affect its compliance or purpose. Under Article 25 it can turn a deployer into a provider, and it triggers a fresh conformity assessment.
The fines under Article 99, tied to global turnover. The top exposure, for breaching the prohibited-practice rules, is up to EUR 35 million or 7 percent of total worldwide annual turnover, whichever is higher. Other operator breaches and information failures carry lower caps.
Compliance Command Center turns these concepts into a board-ready EU AI Act program, run by practitioners and backed by software. Rupture Labs maps your AI systems to the Act's risk tiers and assembles the conformity evidence the Regulation asks for.